There is an underlying thread in the global media coverage of the cyber security sector that we are all in constant peril, lurching from one crisis to another, always just one false step away from doom.
It doesn’t help that cyber security vendors publish report after report about horrifying breach statistics and the accelerated pace of change within an already dire threat landscape.
It is surely a worthwhile exercise to make a deep and dispassionate assessment of where the nation’s public sector cyber security apparatus stands, and how it compares to such infrastructure in comparable economies across the world.
Macquarie Government managing director Aidan Tudehope has recently returned from a research mission where he met with cyber policy-makers and industry representatives from the other so-called Five Eyes intelligence sharing partners, in particular the United States, United Kingdom and Canada.
Specifically, Mr Tudehope was running a ruler over the different public sector cyber security regimes and comparing notes on challenges and opportunities for governments in keeping data safe, while maintaining the level of flexibility to enable the full participation in the connected economy – and the delivery of the quality of digital services that citizens have come to expect.
From an Australian perspective, the findings of the internal report produced on the back of the research tour were “pleasantly surprising,” with Australia’s public sector cyber security infrastructure standing up well to the comparisons, and the level of sophistication of the strategic policy thinking on cyber also comparing well.
“We have a set of challenges in common with Five Eyes counterparts,” Mr Tudehope said. “Cybersecurity risk is very real, and is front-and-centre in everything we do as a nation.”
“While each of the Five Eyes nations have different political dimensions and different policies and different legacy frameworks that have prompted different thinking and different approaches, we were pleasantly surprised by how well Australia shaped up in comparison,” he said.
This is obviously not a Mission Accomplished moment. But the research underscores some fundamental truths: the challenges are largely the same as each nation combats fast-moving adversaries in a sector that is characterised everywhere by a shortage of skills.
Every jurisdiction is wrestling with big complex issues, and no one has the silver bullet solution. But relative to our global partners in cyber security for government, Australia is well-placed, Mr Tudehope said.
Across all jurisdictions, Macquarie Government found legislators and public servants struggling to find that elusive balance between a ‘risk assessment/management approach’ at agency level and an underpinning mandated standards and auditing model.
This is a real issue. In a perfect world, a devolved model where agencies were free to do their own risk assessments and then do their own mitigation would enable maximum potential for government service innovation.
But in reality, departments and agencies have not been good at performing their own risk assessments and mitigations, Mr Tudehope said. Risk management frameworks are not sufficient in isolation and need controls from which to create a minimum baseline.
This is the case in the UK, which is now making a transition back from a devolved risk assessment model – with agencies making their own calls – to an increasing engagement by Cabinet Office in setting minimum standards and introducing audits.
Mr Tudehope says the UK Government is also creating clusters of agencies under four large lead agencies to overcome weaknesses in assessment skills in smaller agencies.
And that is a critical issue for all jurisdictions – accessing the right skills in adequate volumes to meet the demands of government. Australia has struggled hugely with the skills challenge, Mr Tudehope said – but it’s hardly a unique experience.
“We often think in Australia that we are a small economy, a long way away, and that we simply don’t have access to the same depth of skills that other nations may have,” he said.
“But this issue manifested itself elsewhere in the world exactly as it has in Australia. Departments and agencies have struggled to get the right skills to address the security challenges that they face.”
“All of the other Five Eyes nations are also working on ways to fix that problem.”
Clustering through the appointment of lead agencies has been a common strategy, regardless of the legacy environments in place. In the US the creation of a Homeland Security super-agency has centralised resources, skills and knowledge. In turn, it has created nine clusters of agencies through which it makes these capabilities available.
The same has occurred with the Cabinet Office in the UK, which has created four lead agencies under which smaller agencies are clustered.
Canada has a single shared services model that is entirely insourced, while New Zealand also has a single shared service model, but is outsourced.
In Australia, the clustering around lead agencies has also been an effective measure in addressing the cyber skills gaps and capability shortages. This can be seen, for example, in the work that Macquarie Government does via its Secure Internet Gateway product.
Mr Tudehope says in doing the research, he spent time in the other Five Eyes nations trying to better understand where each government was prioritising its application of technology.
The most sophisticated thinkers in the cyber security policy community were focused on how to stitch together capability across three areas of the enterprise. First the end-points, like phones, laptops, servers and other devices; secondly, the inside of the network, whether it’s the WAN or LAN; and thirdly the perimeter, the firewall and gateways.
Getting these in place allowed the central agencies to focus on the investment where the dial could really be shifted on cyber security – gaining near real time visibility into activity across the government environment, and the collection of logs to allow post-event forensics.
He said cyber vendors produced a lot of noise about where the emphasis should be placed. Vendors were driving a lot of noise on end-points at present, but the central agencies with the most capability were focused on how to integrate and balance these capabilities with network and perimeter.
“What that says to us is that what we are doing from a policy approach with the Australian Government’s Secure Internet Gateway, when it comes to securing government, is very well positioned against the other Five Eyes.”
“The challenge around the world is to find the balance between risk assessment within Government agencies and a robust and measurable set of mandatory baselines for cyber security,” Mr Tudehope said.
“While there is real merit in moving to a risk-based approach, the ability of agencies to make these assessments is widely uneven and needs to be underpinned with some mandated minimum requirements and standards.”