A quite fundamental shift in Australian Government cyber security policies and practices was on public display last week through Senate estimates, with revelations that the baseline rules in the Information Service Manual (ISM) may not apply in all cases.
The ISM is the cornerstone for the rules-based compliance regime that has shaped Australian public service cyber culture in recent years.
But after Alastair MacGibbon’s testimony at estimates this week, you have to wonder whether the ISM will remain in its current form.
Mr MacGibbon wears two hats in this government and carries the world’s longest job title. He is a deputy secretary and national cyber security adviser in the Department of Home Affairs, and he is also head of the Australian Cyber Security Centre and deputy director-general of the Australian Signals Directorate within the Department of Defence.
There has been a changing of the guard in government cyber policy and operations. The appointment of Angus Taylor as Minister for Law Enforcement and Cyber Security; the appointment of Mike Burgess as head of the ASD; and the appointment of Alastair MacGibbon to run the Cyber Security Centre.
These changes at the top have led very quickly to a reworking of cyber security thinking in government.
First came the accreditation of Microsoft’s Azure and Office 365 to handle government data to Protected level, despite the services having a significantly different support structure and a series of characteristics that did not appear to meet the existing ISM.
These Microsoft Protected services came with unusual caveats from the ASD, alerting potential government customers to the need for additional security controls to be in place if using the Microsoft services.
The caveats caused seriously raised eyebrows across Canberra, because at the very least they pointed to a new accreditation regime that did not match the security benchmarks that other suppliers had been required to meet.
Secondly, the government is understood to be circulating a draft version of a new ISM, albeit re-badged as the Cyber Security Manual to better signal the step-change in cyber philosophy and culture in the public service.
The ISM has been a living document to the extent that it is updated regularly.
But this is a very significant re-write.
Alastair MacGibbon’s appearance before the Senate estimates Legal and Constitutional Affairs committee last week publicly confirmed in a round-about way some market confusion about the certification of Microsoft Azure and Office 365 to Protected level.
Mr MacGibbon was responding to questions from Greens’ Senator Jordon Steele-John that sought clarification on a quote Mr MacGibbon had given to InnovationAus.com in April at the Australian Cyber Security Centre conference in Canberra.
The query concerned whether or not Microsoft personnel with access to Protected level government data would be based in Australia and whether they would have been vetted by Australian Government security authorities and carry appropriate security credentials.
This is important because the four other providers of cloud services to Protected level had to meet this requirement.
Here are three important things we learned and did not learn from Mr MacGibbon’s estimates appearance.
- No, Microsoft employees who have access to systems housing Australian Government Protected level data do not need to be located in Australia, but Mr MacGibbon is satisfied that risk has been mitigated.
- Yes, Microsoft employees who have access to Protected level data will have been cleared by the Australian Government Security Vetting Agency, but the Microsoft employees who have access to the systems on which that Protected data resides will not necessarily have been vetted – as they may be accessing the system from within Australia – although some would argue there is little distinction here.
- Yes, for the first time the Australian Government is moving from a community cloud on which only government data is held, to a public cloud in which non-government data and government data – including Protected – are held in the same hardware environment.
Each of these three points is a significant departure from the cyber benchmark that was met by the four Australian companies on the Protected ASD Certified Cloud Services list.
Mr MacGibbon was at pains to say the security standard had not changed. That is, the level of security was the same. There had been no lowering of the security expectations.
But clearly the thinking around the methodology – or at least the philosophy – for getting to that standard has changed quite substantially.
We will need to wait until it is published to see whether the new ISM – the apparently renamed Cyber Security Manual – reflects these changes from a rules-based regime to a risk management culture.
Certainly everything about the language in Mr MacGibbon’s estimates testimony is the language of mitigation. There is a lot riding on this of course, not least the hundreds of millions of dollars’ worth of government cloud services contracts that will be written over the next several years.
There is a political dimension here also. This is a government that has talked a big game about leveraging government procurement to drive industry development outcomes for sophisticated Australian technology and tech services providers.
Microsoft is the first of the hyperscale cloud providers to be given ASD certification to Protected level. AWS, Google and Salesforce are waiting in the wings.
At its core this accreditation process has applied one set of requirements to the Australian companies that successfully gained Protected certification, and a different set of requirements to Microsoft.
This is not a good look. And for all the assurances from Mr MacGibbon that the various risk vectors have been mitigated, there is nonetheless a security concern.
Can you imagine the US Government allowing access to Protected-equivalent systems by employees of an Australian-owned company, who don’t have US security credentials, and who are accessing the system from outside of the US?
Of course not.
And yet we are happy to accept this arrangement. Clearly we must know something about cyber that the US doesn’t.
We must surely be the Gold Standard if we are prepared to take on risk that the US security establishment will not.
It’s a bit messy really. Maybe a re-written manual tidies it up a bit, but really, where’s the public discourse? What’s wrong with a public discussion on this? Why must it be confined to the weirdness of an estimates hearing?
What does seem clear is that the rules-based compliance regime is dead. And so, all hail risk management. Long may she reign over us.
I leave it to Mr MacGibbon from Tuesday’s testimony in answering Senator Steele-John.
“The aim is that we reduce the risk to the Commonwealth – not bring it to zero, because the only way you can bring the risk to zero is not to do business – and increase cloud adoption through certifying providers that have met the high standards,” Mr MacGibbon said.
“So long as the risk is mitigated, I’m satisfied. I am very satisfied that the risk in relation to the particular cloud provider that you’re referring to is actually well met, and that we reduce the risk to the Commonwealth through certifying the Microsoft Azure platform.”
Clarification: An earlier version of this article referred to the Department of Homeland Security in relation to Alastair MacGibbons’ role within the Australian Government. This of course should have been written as Department of Home Affairs.