The new boss of the Australian Signals Directorate has come down hard on Federal agency chiefs who don’t put strong cyber risk management strategies in place.
ASD director Mike Burgess told a Senate committee that it wasn’t a cyber skill shortage holding back management of cyber risk in government departments.
“Skilled people is not the critical issue here,” Mr Burgess told the committee.
“It’s the skill of the chief executive and his or her management team in identifying and managing this risk effectively and the skill at the executive level that can actually help work through that to ensure themselves the right things were being done.”
“That for me is where the real issue is.” Mr Burgess said this was a worldwide problem affecting business and government.
Mr Burgess was responding to questions from the Senate’s Finance and Public Administration References Committee inquiry into digital delivery of government services, which has already put itself into extra time. It was to report by December 4 but now has until May 14, and has extended the period for taking submissions and holding hearings.
The dressing down of mandarins errant in their cyber security risk strategies came after committee chair Senator Jenny McAllister asked Mr Burgess whether there was oversight of the adequacy of risk management across the Federal government.
Mr Burgess said the only mechanism he was aware of was the Australian National Audit Office. Senator McAllister then asked whether security was being designed into government systems in a uniform manner.
“I have no evidence to suggest that is happening uniformly across government at the moment,” Mr Burgess said.
He said that too often the responsibility for digital security was left to IT staff, or the IT service provider.
“That’s not the case,” he said. “This is clearly a matter that heads of government departments need to engage with, and in my experience both in the private sector and government those that do (engage with risk management) actually do identify and manage the risk effectively. But they still need help.”
“The best thing that can happen is that the chief executive of the department actually engages with this risk, and understands what’s important to their particular department or business so they can truly know what services they have that must be online and what threats face them, what risks they carry, and what information they have,” he said.
Good leaders could educate themselves enough to carry out cyber risk management properly and there did not need to be a new management layer installed to handle the problem, he said.
Mr Burgess was Telstra’s chief information security officer before landing the top gig at ASD in December last year.
Mr Burgess came into the job with broad experience of ASD matters, having been deputy director of what was then called the Defence Signals Directorate before going to Telstra in early 2013. DSD was renamed ASD in May 2013.
ASD has made a submission to the inquiry.
Earlier in his time before the committee, Mr Burgess described the role of ASD, which goes by the motto ‘reveal their secrets, protect our own’, as both ‘poacher and gamekeeper’.
“We were born after the Second World War … to do the good things to intercept military communications. At the same time other people could do that to Australia so we should protect our communications.”
As digital communications have grown, so has ASD’s role changed from just radio and fixed line signal intercepts to being a full-blown, 21st century cyber player.
“Out of that you have an organisation that has both an intelligence and a security capability,” Mr Burgess told the committee.
“If we are really good at doing foreign signals intelligence which includes hacking of computers and the collection of foreign intelligence we should use those skill sets to make sure the Australians we serve can’t suffer the same problems,” he said.
The nation’s chief cyber advisor Alastair MacGibbon also appeared before the committee having made a submission through the Office of the Cyber Security Special Adviser.
Mr MacGibbon told the committee his office had previously sat inside Prime Minister and Cabinet but now sat partly inside the ASD and partly in Home Affairs.
“The role has been changed but the advice remains the same,” said Mr MacGibbon, who has now become a deputy director general of ASD. In that capacity he is head of the Australian Cyber Security Centre, which is the operational cyber security arm of the government.
On the Home Affairs side, Mr MacGibbon said he was more involved in cyber security policy and coordination across government.