Labor will drive a “step change” in the Commonwealth’s cybersecurity culture to counter the current secrecy and lack of accountability around the issue if it wins the election, shadow cybersecurity minister Tim Watts says.
Addressing the Government Data Protection Summit, Mr Watts said recent reforms around cybersecurity will be for nothing if the culture problems within Commonwealth cybersecurity aren’t addressed.
“There’s currently a resistance to external accountability and an instinct towards secrecy within government, regardless of the context,” Mr Watts said in the speech.
There is an “instinct for secrecy” within the public service which impedes accountability and collaboration, Mr Watts said.
He pointed to his attempts to ask all Commonwealth entities about their compliance with the Essential Eight, which resulted in uniform responses saying this would serve to “provide a heat map for vulnerabilities in government networks”.
Mr Watts received the same response when he asked entities to explain DMARC implementation, despite this being externally observable.
He also said that in the five years since a government-led committee recommended annual reports on the Commonwealth’s cyber posture to Parliament, only two have been released.
“This isn’t the behaviour of a government that welcomes the important role accountability plays in building cyber resilience,” Mr Watts said.
“This isn’t the approach of a government seeking to take a collaborative approach to those outside the organisation that shares its aims. This is the approach of a government that over time has developed an unthinking culture of secrecy and insularity.”
If Labor wins the upcoming federal election, it will work to drive a “step change” in the Commonwealth’s cybersecurity culture, Mr Watts said, with a focus on better collaboration with the private sector, vulnerability disclosure policies and bug bounties, and staff exchanges.
“I want to change the way that the cybersecurity functions of government – from policy development to information security – interact with the Australian cybersecurity ecosystem outside of government,” he said.
“On policy matters, instead of leading collaborative, co-designed policy development processes, regulation is too often imposed on stakeholders after consultation processes that too often take on the quality of a black hole when difficult issues are confronted.
“If we were to win government, I want to find more ways to kickstart routine collaboration between the Commonwealth and the broader Australian cybersecurity ecosystem.”
A key element of this would be staff exchanges between the Australian Cyber Security Centre, academia and industry. This was recommended by the 2020 Cyber Security Strategy Industry Advisory Panel, but little progress has been made since.