Where to now for cyber policy?
Cyber rules: Australia has done well, but the policy picture remains unclear
It is clear that 2018 has been a watershed year for cyber security across the public sector. The federal government cyber apparatus has been substantially restructured, and the philosophical thinking that underpins cyber strategy has seen marked change.
The Australian Signals Directorate has been an agency in transition since it was announced late last year that former Telstra chief security officer Mike Burgess would return as director-general. Some of the foundational elements of the cyber frameworks the ASD oversees have similarly been put through a period of rapid change.
At least that’s what it looks like from the outside, although it is not entirely clear where the government has landed on some fairly basic philosophical questions about cyber policy.
For while the government’s cyber leaders have talked a big game about the desire for a more devolved capability based on agency-led risk management frameworks, the reality is that the Information Security Manual – the public sector cyber bible – does not reflect this.
For the most part, the ISM has remained a straightforward and strict compliance checklist. It does make for some mixed signalling. Were it not for the common goal of all the stakeholders to build and maintain a secure and safe digital ecosystem, there might be reason for confusion.
It would be an overstatement to say the industry is confused by the changes, although some of it has been dramatic. But there is a recognition that public sector cyber policy has undergone sweeping realignments, and that the industry is now watching this space intently.
The role of the Australian Signals Directorate has changed quite dramatically in the lead-up to its becoming a statutory agency in July. It is far more involved in economy-wide outreach to the business community and the protection of the ecosystem beyond government than previously. And yet it remains at the centre of the public sector’s cyber defences.
It is fair to say that its public communications have not yet caught up with the broader remit. The significant changes don’t come with explanatory notes outside of the committee rooms of Senate estimates.
Speaking of which, Mike Burgess and the ASD’s deputy director-general Alastair MacGibbon both offered frustrated explanations of the poor cyber audit performances of several agencies.
In a nutshell, the explanation is that just because a department or agency is found to be non-compliant with the ISM checklist does not automatically mean that agency’s systems are not secure, as the particular audit does not reflect other risk mitigation actions the department or agency may have put in place.
This explanation itself raises questions. If we are no longer using the ISM as the baseline – if the ASD is in effect saying non-compliance is not necessarily a problem – then what value does an Australian National Audit Office audit against that ISM checklist have?
Independent audits of government machinery are critical to the health of our system. If our cyber leaders are saying the poor recent results of ANAO compliance audits do not tell the whole story, then what are they proposing to replace them with?
It is worth noting that the challenges faced in cyber within the Australian public service are common across our like-minded government partners around the world.
Macquarie Government has done some interesting work here, comparing the public sector cyber models across the Five Eyes intelligence sharing partners of the US, UK, Canada, New Zealand and Australia.
For all of the gnashing of teeth in this country over cyber difficulties, Australia compares well with these partners in dealing with a very familiar set of common challenges. It was a worthwhile exercise, if only because it validates just how big the challenges are, and the fact that Australia’s cyber security strategy has been effective.
Most significantly, the Australian government’s response to the critical cyber skills shortages has been in line with the responses elsewhere – in the clustering of cyber skills and resources where large agencies can securely service smaller agencies – and has been effective.
The cyber skills shortage in Australia is no worse than in our Five Eyes partner countries. That doesn’t mean it isn’t critical or make it any easier. But it does underline the strength of the government’s response.
All governments want to move toward more devolved risk-based frameworks to address cyber issues. This would enable departments and agencies maximum flexibility in the delivery of their particular government service.
It would be tough to call this a pipe dream. But it’s not reality either, because on the skills issue alone, this model is not a realistic response. The cyber skills issue – as Mike Burgess has previously noted – is not restricted to technical skills. There is a lack of cyber skills in the senior management layer as well. There must be at least some kind of baseline compliance regime that provides a minimum level of assurance.
The challenge, highlighted in estimates last week, is to find a monitoring regime that assesses a cyber environment more effectively: one that adequately and transparently audits both the mandatory compliance checklist on the one hand and other risk mitigations on the other.
If the two most senior cyber public officials say that ANAO cyber audit results do not truly reflect how well a particular department or agency is secured, then something is not right. These transparent, published audits are important.
In the meantime, you take the good news wherever you can get it in cyber. The Australian government’s cyber environment compares well with international contemporaries.
But it is never finished, as if that needs saying.