Australian Signals Directorate chief Mike Burgess has confirmed a new draft of the Commonwealth’s Information Security Manual is being circulated across government under a new proposed title of Cyber Security Manual.
The discovery of the new draft document took a somewhat dramatic path through the Foreign Affairs, Defence and Trade committee at Senate Estimates last week.
Initially Mr Burgess and his cyber colleague Alastair MacGibbon – the head of the Australian Cyber Security Centre and the National Cyber Security Adviser – both told the committee they were unaware of a new draft of the ISM being circulated across the government.
But well into the evening session of the hearing, Mr Burgess confirmed that he had “just been advised” that a new draft document was circulating for consultation, which would be completed by mid-June. InnovationAus.com reported on the existence of a draft Cyber Security Manual last week.
“I have just been advised there is a current draft of the ISM out for consultation,” Mr Burgess told the committee. “That consultation period will close in mid-June.”
“[The consultation period] is being used to collect feedback from our stakeholder group, which is government departments and industry, in terms of some of the proposed changes that are being flagged,” he said.
“It does include a proposal not yet approved or considered by Mr MacGibbon or me to change it from the Australian Government Information Security Manual to the ‘Cyber Security Manual’.”
InnovationAus.com understands the new manual represents a fundamental shift from the ISM, moving the thinking from a whole-of-government cybersecurity perspective to a whole-of-economy footprint.
It is understood the document proposes the replacement of the current certification processes for products and services with the NIST Risk Management Framework, based on the US’ National Institute of Standards and Technology cyber assessment and authorisation practices.
Mr Burgess and Mr MacGibbon were being queried in relation to a recent ASD decision to certify Microsoft Azure and Office 365 cloud services for Protected-level data.
The decision has caused concern among other Protected-level cloud service providers, who say Microsoft appeared to have been judged against a different set of security criteria than the Australian providers it will compete against.
While the new draft Cyber Security Manual is thought to replace the language of compliance with a risk-management vernacular, Mr Burgess said other advice from the ACSC – such as the Top Four – was always about risk mitigation rather than compliance.
“…The compliance with ASD’s Top Four in our mind, in ASD’s mind, in the Information Security Manual’s mind, is actually a risk management exercise because it depends on the context of where you choose to implement application whitelisting, for example,” Mr Burgess said. “It’s a risk management exercise.”
“I have no doubt – and we have this from evidence – that when the Top Four are fully implemented it does reduce a significant amount of cyber intrusions. We have data to prove that.
“However … there is no perfect solution in security and even when you implement every control, short of shutting the business of government down, there is no perfect security. It’s a risk management exercise,” he said.
“There is no doubt that implementing the Top Four does make a difference.”
It is understood there are changes in the draft Cyber Security Manual that introduce modified controls to address gaps identified between the ASD’s Essential Eight and the existing ISM.
Alastair MacGibbon says the evolution of advice toward the Essential Eight (with the Top Four being the mandated component) only ever told part of the story in relation to security.
“The point is that ultimately it comes down to a risk decision and a risk management exercise by departments and department heads,” Mr MacGibbon said.
“If nothing else, the Top Four, the Essential Eight and all the other mitigation advice – ISM and other such things put out by the Cyber Security Centre and the signals directorate – help to drive a more mature discussion in the Commonwealth about risk,” he said.
“And ultimately this comes down to risk management and decisions made on how the business of government is done while trying to mitigate the risks that come from a cyber vector.”