tiero - stock.adobe.com

Australian government has failed on cyber security

The federal government’s current approach of allowing each agency to make its own cyber decisions is not working and more needs to be done to hunt down adversaries

When it comes to cyber security, the Australian Government is failing. This is not hyperbole. Compared to other countries with similar levels of economic development, Australia is woefully behind.

In a newly released Australian National Auditor’s Office (ANAO) review of financial controls, only one agency out of 18 met mandated information security guidelines.

In a world where cyber attacks are proliferating, and where whole cities being taken hostage by hackers is longer science fiction, many of our government agencies are struggling to achieve the absolute minimum.

The current approach of allowing each agency to make its own cyber decisions is not working. At the moment, many haven’t even implemented the Australian Signals Directorate’s Essential Eight, a list of mitigation strategies developed by government as a minimum standard – there are 35 in total. 

What’s especially unfortunate about the inability to implement the ASD Essential Eight is that these recommendations, in large part, are simple. Patching applications? Restricting administrative privilege? Multi-factor authentication? These are such fundamentally basic protections you shouldn’t be able to turn on a government computer without them.

Is it any surprise then that some of the best minds in Australian cyber security, true professionals tasked with raising Australia’s cyber posture, have resigned?

If we look to our near neighbour Singapore – and farther afield to the US – our federal government’s complete lack of a cyber strategy looks even more pitiful.

In recent years, Singapore has strengthened its critical information infrastructure, developed a vibrant cybersecurity ecosystem, forged international cyber partnerships, and mobilised the business community.

In the US, the federal government released a comprehensive cyber strategy that includes plans for building a workforce that is educated and able to respond to cyber threats. The strategy even discusses future quantum technology and touches upon public key cryptography.

These governments are enforcing a minimum standard that all agencies must meet, while our agencies struggle to simply patch applications.

Hosting national security data, personal information about millions of Australian citizens, and more, it is not exaggeration to say this is a disaster waiting to happen.

So, what changes should be made?

First and foremost, the baseline security measures outlined in the ASD Essential Eight must be implemented and should be mandated.

From there, the ideal approach would be to build on this minimum baseline of protection while at the same time eliminating ineffective approaches such as outdated anti-virus software, poorly deployed data loss prevention (DLP) or intrusion detection system (IDS) solutions, glorified systems logging protocol servers in the form of Siem (security information and events management) systems, and the false sense of security fostered by managed security service providers (MSSPs).

The budgets wasted on these ineffective controls should be freed up and reinvested in proactive measures to hunt down and root out adversaries within government networks.

Good cyber security is not just about defending against attacks; we know that does not work. It’s also about going on the offense, seeking out threats, and neutralising them before they create serious harm. For this to work, you need to be able to detect attackers. Perimeter defences don’t know what threats have bypassed them or what attacks they’ve missed.

Thus, the federal government should implement capabilities to detect, bait and hunt down adversaries inside the network. Any motivated attacker will eventually breach a network so being able to detect and respond, as soon as possible, eliminates the attacker’s ability to cause any real damage.

While many might suggest MSSPs, security operations centres or Siem systems are the answer to the government’s woes, those agencies that have done so are drowning in logs and false positives. A new cyber minimum standard should include validation of breaches, empowering agencies with detailed investigative actions and mitigation strategies to act immediately against real threats, rather than wasting time reviewing endless logs.

The federal government has had over two decades to come to its senses about cyber security. From where I sit, it looks like in 2020 they are still fooling themselves about the seriousness of the threat.

Given the lack of action over the past 20 years, it seems unlikely that the government will suddenly spring into gear, and make the changes required to keep our systems and data safe.

Perhaps they will surprise us all and follow the lead of countries like Singapore and the US and implement a real strategy. If that happens, what is outlined above is the best approach.

Without action, a major government breach – like that seen against the Australian National University and Toll Group – is just a matter of time.

Carlo Minassian is founder and CEO of LMNTRIX, a cyber security firm.

Read more about cyber security in Australia

  • Australia’s critical national infrastructure (CNI) is being subjected to frequent and worsening cyber attacks, the country’s prime minister, Scott Morrison, has revealed.
  • Supply chain security risks can wreak havoc if measures are not taken to deter cyber attackers from exploiting a supplier’s security gaps to target another firm.
  • VMware’s Carbon Black is planning to open a new datacentre in Australia in the first half of 2020 to support local firms bounded by regulatory and data residency requirements.

Read more on Hackers and cybercrime prevention

Data Center
Data Management