The federal government’s top tech security watchdog has warned federal agencies they need to start shifting legacy software and infrastructure systems onto more resilient cloud platforms or risk having them collapse in a vulnerable heap.
Delivering the keynote address at the Amazon Web Services Public Sector Summit in Canberra, Special Adviser to the Prime Minister on Cyber Security Alastair MacGibbon cautioned that the amount of pressure on public sector technology to perform had “radically and dramatically increased” over the past year, with the Census incident providing a critical “point of inflection” for how to deal with a new cyber security reality.
“We have to invest in migrating legacy apps,” said MacGibbon, who now heads up the Australian Cyber Security Centre. “We play a Jenga game where we are adding layer upon layer, legacy app upon legacy app.”
The cyber tzar’s wake-up call comes as multiple large agencies, including Tax and the Department of Human Services, set about major core systems renewals that will touch most of the Australian population.
Referencing the Census incident, MacGibbon said “the public expects us to do this better”.
However, he cautioned that merely adopting a ‘compliance’-based security culture would no longer cut it at a practical and political level, because the core thinking on digital risk had shifted profoundly over the last year.
MacGibbon referenced the Census incident, foreign cyber interference in the US election campaign and the recent ‘Wannacry’ malicious software outbreak as key pivot points.
The overhang of legacy vulnerabilities, especially manual security fixes, was what crippled much of the infrastructure that Wannacry hit, a situation that MacGibbon said had sent “shivers” through government and industry.
“Wannacry was essentially a patching problem. If patches are done for us that’s a good thing,” MacGibbon said.
Smaller and medium-sized agencies are of particular concern to cyber security authorities because of an acute skills shortage around technology and IT security.
MacGibbon cautioned that although agency risk cannot be outsourced, “any platform that can be run professionally for us is a good thing. If it’s a globally tested platform we get the wisdom of the globe, the crowd.”
What agencies needed to do, he said, was focus on resilience and risk mitigation rather than using cyber risk as a reason not to do things.
“Our risk aversion as a government actually increases our risk. We accrete risk because we fail to move as fast as we could. We accrete risk because … we think that just by being compliant, we are reducing risk,” MacGibbon said.
“Those things do not actually work.”