The recently powered-up Digital Transformation Agency could be given stronger powers of governance over cyber security in federal tech projects in the wake of the infamous ABS Census night failure.
Prime Minister Malcolm Turnbull promised heads would roll in the immediate aftermath of the very public Census Night debacle, when run-of-the-mill denial of service attacks led to the closure of the ABS website collecting census forms online, leading to millions of pissed off Australians as they battled to lodge their mandatory forms on the Census night of August 9.
To help target the right necks, the Prime Minister got his special cyber security adviser Alistair MacGibbon to review the problems with the 2016 eCensus, the ABS and IBM, the contracted technology service provider.
Mr MacGibbon’s report hit government eyes in double quick time on October 13 and was released to the public last Thursday, along with a Senate Economics Committee report into the incident.
Recommendations inside the MacGibbon report include headline grabbing initiatives such as sending senior pollies and public servants to a Cyber Boot Camp to study up on the perils of the online world.
The report put blame on a longstanding vendor lock-in between the ABS and IBM that led to the ABS failing to seek ‘sufficient independent verification and oversight of critical aspects of the eCensus.’
“One of the government’s most respected agencies – the Australian Bureau of Statistics – working in collaboration with one of the technical world’s most experienced companies – IBM – couldn’t handle a predictable problem,” Mr MacGibbon’s report said.
That failure informed another not widely reported recommendation which would see the DTA take on a far greater role in co-ordinating and enforcing cyber security rigor in government tech projects, a role which up until now has been the province of the Australian Signals Directorate.
The report suggests the ASD has become overloaded as the go-to shop for agency cyber security oversight, and that, in any case, the ASD is not equipped to be a cyber assurance body for all federal agencies.
“ASD documents indicate that the organisation is stretched to capacity. While ASD has world-class technical experts, they are spread across many tasks and ASD has too few coordination staff to facilitate external relations,” the report said.
“Neither ASD nor the ACSC are assurance organisations, tasked with proactively engaging agencies. If asked specific questions by agencies they do their best to answer and assist,” the report said.
Enter the newly pumped-up DTA, which was handed a lot more digital project management clout when it was ‘transformed’ from the previous Digital Transformation Office earlier this year.
Mr MacGibbon recommends that in partnership with the ASD and the Department of Finance, the DTA should develop a proposal for the Digital Transformation Committee of Cabinet to create its own ‘cyber security shared services’ digital security consulting organisation.
“This would ensure security is integral to all new online service delivery proposals and facilitate partnering between agencies to draw on cyber security expertise in larger agencies with more mature capabilities,” Mr MacGibbon’s report says.
Cyber security should become a core platform of digital transformation and be ‘baked in’ to design and delivery of agency tech projects.
As a start, the report says the ASD in conjunction with the DTA should lead a ‘sprint’ to bolster agency defences against denial of service attacks and that this initiative should serve as a pilot model for future ‘sprints’ to build cyber security capacity across the Commonwealth.
Mr MacGibbon’s proposal to bring the DTA into the agency cyber security governance game has support from Rob Fitzpatrick, chief executive officer of the Australian Information Industry Association (AIIA).
“The concept of the DTA is to manage digital transformation across all government agencies, so security is one of those platform capabilities – so yes, I support the proposal,” he says.
“That said, the DTA is wise enough to know there are areas of real talent sitting inside agencies or their partners today.”
“We have got to talk about security being baked-in from the outset. The concept of security-by-design is really important.”
As a vendor advocate, Mr Fitzpatrick likes the idea of agencies taking more accountability for their tech projects, rather than their suppliers.
“The other thing (MacGibbon) is talking about is accountability. We are long past the stage where a public sector organisation can buy in third-party services and abrogate all responsibility for how a project is installed or rolled out,” he says.
“You only get good quality change if you are prepared to own it in the long term.”