Victoria has unveiled its long-awaited cyber security strategy – the first Australian state to do so – with an emphasis on a whole-of-government approach.
The 23-point strategy aims to keep government services and data safe from cyber threats and signals a shift to a whole-of-government plan that centres on five key priorities.
It has been a long wait. The former Liberal government first announced plans for a Victorian cyber security strategy in late 2013, but this was forgotten until it was included in the current Andrews government’s ICT Strategy announced last year.
The strategy was completed in March this year and quickly signed off by Cabinet, but was only released by the Victorian government late on Friday.
Key actions include the imminent appointment of a chief information security officer (CISO) to oversee its implementation, partnerships across all levels of government and the private sector, and quarterly cyber security briefings.
The plan is the first major government announcement on the ICT Strategy for more than a year. Special minister of state Gavin Jennings revealed the strategy late last week.
“As organised crime and others become more sophisticated in hacking and disrupting digital services, it’s crucial that government steps up to better protect against these cyber security threats,” Mr Jennings said.
“Victoria’s first ever Cyber Security Strategy will ensure we can stay ahead of the cyber criminals and develop the infrastructure, systems and processes needed to protect government services and information.”
The strategy’s overarching goal is to “uplift the cyber security capacity of the government” through five key priorities: engagement, planning, partnering, service maturity and capability.
“To deliver confidence in Victorian government ICT, and support new government digital service delivery initiatives, this strategy will apply to the whole of the Victorian public service,” the strategy said.
Victoria has had a chequered history with government IT projects, with an Ombudsman’s report in 2011 finding $1.4 billion worth of IT project overruns. Other recent debacles have included the introduction of the Myki ticketing system and the canned VicRoads registration system upgrades.
A holistic approach is needed to avoid these in the future, the strategy found.
“The threat environment we face is increasing at all levels of government and against every system we operate. While our approach to date has worked to some extent, Victorian Auditor-General reports and departmental in-house testing regularly uncover vulnerabilities that must be addressed,” it said.
“The time for an agency-by-agency approach has passed. We need to address these risks strategically, and where it makes sense, holistically.”
The cyber strategy will be run from the Department of Premier and Cabinet by the newly created CISO position, rather than from the Department of Economic Development.
Efforts to reach this whole-of-government approach include a communication and engagement program for cyber security awareness in government to be delivered in December, and establishing a baseline of current cyber security strategies every 12 months from November.
The Victorian government will also overhaul its internet security and information security services subscriptions to make them more uniform across agencies and departments.
An expert group will present quarterly cyber security briefings detailing threat assessments, vulnerabilities in departments and investment status from September.
The first major initiative will be the appointment of a CISO next month. The state’s intention to hire a CISO was announced earlier this year, with applications for the role closing at the end of July.
The strategy is an important step forward for the state and its local cyber security sector, cyber security accelerator CyRise’s CEO Scott Handsaker said.
“What I like about the strategy is that it takes a whole-of-government approach. It recognises that everyone needs to be a part of the solution if we are to effectively address the cyber security challenges that lay ahead of us,” Mr Handsaker told InnovationAus.com.
“The appointment of a CISO that will work across all departments is a great step and I am encouraged by the focus on cyber resilience.”
The strategy was developed “under guidance” of a cyber security strategy group chaired by director of government ICT strategy and policy Geoff Beggs. The group included representatives from Victoria Police, Telstra and the Commonwealth Bank, with the 13-person group comprising 11 men and two women.
The strategy acknowledges that cyber resilience needs to be improved across the Victorian public sector as a whole.
“It should be consistent, less fragmented, based on industry practice and appropriate to the risk profile of each organisation. The importance of improving cyber security maturity across the public sector has been highlighted by successive information security-related reports from the Victorian Auditor-General,” the strategy said.
It includes efforts to bring the private sector – mainly startups and SMEs – into the plan. A procurement panel to access private sector cyber services will be established by June next year, while an SME cyber security operational panel will also be created.
“The digital technology sector and innovation is a significant driving force for economic growth, productivity and competitiveness. Digital technology will drive innovation and increase the competitiveness of the state’s industries, developing advanced capabilities that will grow the economy,” the strategy said.
“Victoria must continue to adapt and innovate in an increasingly digitised society where STEM skills, digital literacy and numeracy are increasingly important.”
Victorian innovation minister Philip Dalidakis said this will benefit local tech players in the sector.
“Victoria is already a hub of digital innovation, so it makes sense that we use our existing tech knowledge and talent pool to be a hub of cyber security as well. It’s an industry that will create jobs and boost our economy and we need to be a big part of it,” Mr Dalidakis said.
But Mr Handsaker said the government needs to be doing more to open up procurement to local startups.
“We should all acknowledge that paying large bills to multinational vendors is no longer a guarantee of success when it comes to IT projects. Both the census and the ATO issues at a federal level have shown that,” he said.
“I would love to see a more innovative approach to working with local companies and startups and that starts with the procurement policies that are set in place. I’d like to see how Victorian entrepreneurs will get a genuine shot at winning some of these upcoming contracts.”
Victoria has been making major efforts to establish itself as a cyber security leader of late, attracting a number of international companies to Melbourne.
The government is also working to create a hub in Docklands, with the Goods Shed now playing home to the Oceania Cyber Security Centre and the CSIRO and Data61’s Cyber Security and Innovation Hub.
The state government has also signed cyber security partnerships or agreements with Oxford University, Tel Aviv University and the Commonwealth of Virginia.
The Victorian government has been largely silent on its much-famed ICT Strategy following its big reveal in May last year. Just weeks after it was unveiled, Mr Jennings was suspended from Parliament for six months, and little attention has been placed on the strategy publicly since.
The cyber security strategy is the first major announcement since the ICT Strategy’s big reveal, and comes more than 16 months later.
Despite the silence, the government quietly released a report card on the ICT strategy earlier this year, showing that most of its actions were on track or delivered. The report card showed that the cyber security strategy had already been completed by the end of May this year.
Many of the other items ticked off as completed have also not been publicly released.