The Victorian Government has called an end to the traditional agency-by-agency approach to cyber security, unveiling a whole of government strategy focussed on building resilience, rather than compliance.
The new strategy admits there there has been a shift from relatively unsophisticated lone actor cyber-attackers towards organised crime, funded political ‘hacktivists’ and even foreign governments using cyberspace as a means to infiltrate government, business, and private networks.
“The scale of incidents and disruption is unprecedented. Government is continually working to keep up – and new tools are improving our understanding of the magnitude of incidents we experience daily. The threat environment we face is increasing at all levels of government and against every system we operate,” according to the new strategy.
“While our approach to date has worked to some extent, Victorian Auditor-General reports and departmental in-house testing regularly uncover vulnerabilities that must be addressed. The time for an agency-by-agency (only) approach has passed. We need to address these risks strategically, and where it makes sense, holistically.”
“Traditional cyber security approaches have focussed on prevention controls and compliance standards. These have an important place, but it is evident that an expanded focus is needed on cyber security incident monitoring, detection, response, and recovery capabilities. This expanded concept of cyber resilience is the ability to prepare for, respond to and recover from cyber incidents and disruption.”
The strategy has been 18 months in development and has been aided and influenced by the Prime Minister and Cabinet cyber policy team that developed the Federal cyber strategy last year.
Releasing the strategy last Friday Victorian Special Minister of State, Gavin Jennings, committed the government to:
- Appoint a Chief Information Security Officer within Department of Premier and Cabinet to oversee the government response to the ongoing cyber threats and co-ordinate cross government action,
- Develop cyber emergency governance arrangements with Emergency Management Victoria, so that risks are better understood and planned for as part of ongoing work to protect government assets and services,
- Strengthen partnerships across all levels of Government and the private sector to share best practice, intelligence and insights,
- Rationalise and better co-ordinate the procurement of proven cyber security services,
- Develop a workforce plan to attract, develop and retain skilled cyber security public sector workers, and
- Present a quarterly cyber security briefing to the Victorian Secretaries Board and the State Crisis and Resilience Committee, so Government is better informed of cyber security issues and assessments
The much awaited CISO appointment is expected to be appointed next month. The new strategy comes as all State Governments have been upscaling their cyber defence policies, appointing CISO’s and looking to make cyber defence, response and mitigation a key operational KPI of agency leadership. Most states run legacy networks within and between their large delivery clusters and CIO’s privately admit these are exposed to sophisticated hackers and criminals and need to be urgently upgraded.
State CIO’s are also concerned at the lack of support they get from federal agencies, complaining that the Australian Signals Directorate is only focussed on national security threats, leaving the States largely alone to handle DDOS mitigation and the rising number of Cyber encryption attacks. This is now being partly addressed by the appointment of Alastair MacGibbon to be CEO of the Australian Cyber Security Centre. This centre is being re-established outside of the Defence precinct in Canberra, partly to enable greater civilian interaction and to bolster cross jurisdictional and private sector collaboration and coordination.
As agencies look to share more and more data to enable better front line co-ordination of responses to challenging operational areas like family violence and children protection, they are being thwarted by poor legacy networks and systems, as well as immature informational management and governance.
The big telcos and NBN have their operational centres in Melbourne and the Victorian government has aggressively pushed to build a major cyber hub centred around the Docklands precinct. This includes CSIRO’s Data61 Cybersecurity Innovation Hub, the Oceania Cyber Security Centre, the collaboration with Oxford University’s Global Cyber Security Capability Centre, and a Melbourne-based node of the Commonwealth Government’s Cyber Growth Centre.
A core issue for all government agencies has been chronic under investment in cyber security with agencies devoting an estimated two per ent of their ICT spend on security. In Israel and Singapore the estimated spend is above 10 %.