Cybersecurity and the Trust Imperative


James Riley
Editorial Director

The remarkable intervention of the Prime Minister Scott Morrison on Friday in the mainstream cybersecurity conversation certainly had its desired effect. Through the use of the Prime Ministerial megaphone, a mainstream media spotlight was applied to cybersecurity threats like never before.

Leaving aside the geopolitical complexities of his words – Mr Morrison said Australian governments and businesses were the subject of sustained targeting by a “state-based actor” – his message was crystal clear: Check your systems, check your processes, it is time to get serious about sophisticated cybersecurity challenges.

In fact, between the PM issuing a bull-horn warning on cybersecurity and Australia’s most populous state of NSW announcing new funding of more than $240 million earmarked for cyber initiatives, cybersecurity soaked up an entire mainstream news cycle on Friday.

The Australian government has tended toward the under-stated in its pronouncements on cybersecurity. But with the Prime Minister taking to the lectern on Friday, there is no mistaking the urgency of the call to action.


The Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) followed up the Prime Minister’s call to action with its own assessment. The threat environment is such that no single mitigation strategy is guaranteed to prevent cybersecurity incidents but implementing the ACSC’s Essential Eight provides baseline protection.

For public sector organisations, mandatory adherence to Essential Eight doctrine is critical, according to privileged access management specialist CyberArk’s regional director Thomas Fikentscher. But it really is a baseline, and there is a clear need for organisations to invest in a better and more sophisticated understanding of the threat environment in which they exist.

It is a good time to talk about public sector cybersecurity, not least because the Prime Minister has underlined with all the authority of his office the nature of the challenge, and the response he expects as leader of the government.

InnovationAus and CyberArk have partnered to present an important webinar panel discussion on Thursday, July 16 titled Public Sector: The Cybersecurity Imperative. Presenters include the inaugural CEO of the Cyber Institute at the Australian National University (and Professor in the Practice of Cyber Security) Lesley Seebeck, digital identity and access management expert Andrew Hayes, a partner at Deloitte Australia, together with CyberArk’s Mr Fikentscher.

The Cybersecurity Imperative webinar will be moderated by InnovationAus editorial director James Riley.

“Recent events demonstrate a clear need for the public sector to take cybersecurity more seriously,” Mr Fikentscher said. “This is especially true right now.”

“The COVID-19 response has necessarily accelerated the adoption of new digital systems and processes – including some of the work-from-home technology but not limited to those changes – and now was a good time to take action and intensify efforts to step up security,” he said.

“The trend towards automated and digitised service delivery to citizens who want to consume these services from anywhere with instant response has further complicated the cybersecurity challenge in the public sector,” Mr Fikentscher continued. “Credentials and privileges need to be used everywhere across this landscape, which has dramatically broadened the attack surface for malicious actors.”

While mandatory baseline measures play an important role, the public sector has very specific special needs in relation to cybersecurity, and the complex threat environment that exists – particularly for services delivery organisations – is not well understood.

Prof Seebeck, who is a former Chief Information and Technology Officer at the Australian Bureau of Meteorology and Chief Investment and Advisory Officer at the Digital Transformation Agency (DTA), says the ephemeral issue of trust in relation to cybersecurity is fundamental to the efficient operation of modern societies.

Major cyber incidents that we have witnessed in Australia can greatly damage trust in society, Prof Seebeck told InnovationAus in an interview last year.

“Cyber undermines trust, all the way down to the social and technological stack. If you have a low-trust society then that comes at a cost – you’re not as efficient, not as productive, you’re suspicious and you don’t build connections easily,” she said.

“We need to make sure we’re solving the problem, something that helps protect us and the future and lets us operate as a healthier society and economy.”

“We need that interdisciplinary approach. Technology alone can’t solve this – the social side needs the technology. That’s the step-change we need to have,” Prof Seebeck said.

Deloitte Australia Partner Andrew Hayes told InnovationAus that public sector organisations tended to be conservative and did not seek to embrace the ‘bleeding edge’ as early adopters for each new technology that comes along.

Rather these organisations sought to be mature adopters of tried and tested technology. In relation to cybersecurity, the public sector tended to drive improvements as part of broader transformation projects, a process that has been accelerated through first the COVID response.

That “trust imperative” has now been given a big push by the Prime Minister.

You can register for the InnovationAus/CyberArk webinar on “Public Sector: The Cybersecurity Imperative” by clicking here.


1 Comment
  1. William Caelli 3 months ago

    Tech vs people – but first we need the “tech”. Cars have to have brakes for drivers to stop and so on. That was the thinking in the 1980s with the “Orange Book” (TCSEC – Trusted Computer Systems Evaluation Criteria) and the call came for manufacturers to provide necessary system security as “C2 by ’92” and “B2 by ’95” but what happened? Nothing – there was no real “big stick” on computer/software manufacturers and that applies even today although we do have the agreed “Common Criteria” for system security – but who knows and who cares. Given that the “roads” are unsafe in cyberspace we need to have safe and secure “cars”, to follow the analogy. There was one effort years ago with the NSA’s “Secure LINUX” with a “Mandatory Access Control (MAC)” profile but today – does anyone “setenforce=1” on a LINUX server setup? I doubt it! Oops – does any ICT professional or university IT lecturer know what that means? Yes – Government has to take on its role of protecting its citizens in cyberspace through mandating appropriate computer system security standards.
