AUSTRALIAN GOVERNMENT AND CYBER SECURITY
BY – VATSAL LAKDAWALA
In a world where cyber attacks are multiplying, and where whole cities being taken hostage by hackers is no longer science fiction, many government agencies are struggling to achieve the absolute minimum. The current approach of allowing each agency to make its own cyber decisions is not working. At the moment, many haven’t even implemented the Australian Signals Directorate’s Essential Eight, a list of mitigation strategies developed by government as a minimum standard – there are 35 in total.
What’s especially unfortunate about the inability to implement the ASD Essential Eight is that these recommendations, in large part, are simple. Patching applications? Restricting administrative privilege? Multi-factor authentication? These are very basic protections without which you should not be able to turn on a government computer. Is it any surprise, then, that some of the best minds in Australian cyber security, true professionals tasked with raising Australia’s cyber posture, have resigned?
If we look to our near neighbour Singapore and farther afield to the US, our federal government’s complete lack of a cyber strategy looks even more inadequate. In recent years, Singapore has strengthened its critical information infrastructure, developed a vibrant cybersecurity ecosystem, forged international cyber partnerships, and mobilised the business community.
In the US, the government released a comprehensive cyber strategy that includes plans for building a workforce that is educated and able to respond to cyber threats. The strategy even discusses future quantum technology and touches upon public key cryptography. These governments are enforcing a minimum standard that all agencies must meet, while our agencies struggle to simply patch applications.
With government systems hosting national security data, personal information about millions of Australian citizens, and more, it is no exaggeration to say that a disaster is waiting to happen.
So, what are the changes that should be made?
First and foremost, the baseline security measures outlined in the ASD Essential Eight must be implemented and should be mandated.
From there, the ideal approach would be to build on this minimum baseline of protection while at the same time eliminating ineffective approaches such as outdated anti-virus software, poorly deployed data loss prevention (DLP) or intrusion detection system (IDS) solutions, glorified syslog servers in the form of SIEM (security information and event management) systems, and the false sense of security fostered by managed security service providers (MSSPs).
The budgets wasted on these ineffective controls should be freed up and reinvested in proactive measures to hunt down and root out adversaries within government networks.
Good cyber security is not just about defending against attacks; we know that does not work. It’s also about going on the offense, seeking out threats, and neutralising them before they create serious harm. For this to work, you need to be able to detect attackers. Perimeter defences don’t know what threats have bypassed them or what attacks they’ve missed.
Thus, the federal government should implement capabilities to detect, bait and hunt down adversaries inside the network. Any motivated attacker will eventually breach a network, so being able to detect and respond as soon as possible eliminates the attacker’s ability to cause any real damage. While many might suggest MSSPs, security operations centres or SIEM systems are the answer to the government’s woes, those agencies that have adopted them are drowning in logs and false positives. A new cyber minimum standard should include validation of breaches, empowering agencies with detailed investigative actions and mitigation strategies to act immediately against real threats, rather than wasting time reviewing endless logs.
The federal government has had over two decades to come to its senses about cyber security. From where I sit, it looks like in 2020 they are still fooling themselves about the seriousness of the threat. Given the lack of action over the past 20 years, it seems unlikely that the government will suddenly spring into gear and make the changes required to keep our systems and data safe.
Perhaps they will surprise us all and follow the lead of countries like Singapore and the US and implement a real strategy. If that happens, what is outlined above is the best approach. Without action, a major government breach – like those seen against the Australian National University and Toll Group – is just a matter of time.