When it comes to cyber security, the Australian Federal Government is failing. This is not hyperbole. Compared to other countries with similar levels of economic development, Australia is woefully behind.
In a world where cyber-attacks are proliferating, where whole cities being taken hostage by hackers is no longer science fiction, many of our government agencies are struggling to achieve the absolute minimum.
The current approach of allowing each agency to make its own cyber decisions is not working. At the moment, many haven’t even implemented the ASD Essential Eight, a list of eight mitigation strategies, drawn from a broader set of 35, that the government developed as a minimum standard.
What’s especially unfortunate about the inability to implement the ASD Essential Eight is that these recommendations, in large part, are simple. Patching applications? Restricting administrative privilege? Multi-factor authentication? These are such fundamentally basic protections you shouldn’t be able to turn on a government computer without them.
Is it any surprise then that some of the best minds in Australian cyber security, true professionals tasked with raising Australia’s cyber posture, have resigned?
If we look to our near neighbour Singapore – and farther afield to the United States – our Federal Government’s complete lack of a cyber strategy looks even more pitiful.
In recent years, Singapore has strengthened its critical information infrastructure, developed a vibrant cybersecurity ecosystem, forged international cyber partnerships, and mobilised the business community.
In the United States, the Federal Government recently released a comprehensive cyber strategy that includes plans for building a workforce that is educated and able to respond to cyber threats. The strategy even discusses future quantum technology and touches upon public key cryptography.
These governments are enforcing a minimum standard that all agencies must meet, while our agencies struggle to simply patch applications.
Given that these agencies host national security data, personal information about millions of Australian citizens, and more, it is no exaggeration to say this is a disaster waiting to happen.
So, what changes should be made?
First and foremost, the baseline security measures outlined in the ASD Essential Eight must be implemented and should be mandated.
From there, the ideal approach would be to build on this minimum baseline of protection while at the same time eliminating ineffective approaches such as outdated anti-virus software, poorly deployed DLP or IDS solutions, glorified syslog servers (a.k.a. SIEMs), and the false sense of security fostered by MSSPs.
The budgets wasted on these ineffective controls should be freed up and reinvested in proactive measures to hunt down and root out adversaries within Government networks.
Good cyber security is not just about defending against attacks; we know that does not work. It’s also about going on the offense, seeking out threats, and neutralising them before they create serious harm. For this to work, you need to be able to detect attackers. Perimeter defences don’t know what threats have bypassed them or what attacks they’ve missed.
Thus, the Federal Government should implement capabilities to detect, bait and hunt down adversaries inside the network. Any motivated attacker will eventually breach a network, so being able to detect and respond as soon as possible eliminates the attacker’s ability to cause any real damage.
While many might suggest MSSPs, SOCs or SIEMs are the answer to the Government’s woes, those agencies that have done so are drowning in logs and false positives. A new cyber minimum standard should include validation of breaches, empowering agencies with detailed investigative actions and mitigation strategies to act immediately against real threats, rather than wasting time reviewing endless logs.
The Federal Government has had over two decades to come to its senses about cyber security. From where I sit, it looks like in 2019 they are still fooling themselves about the seriousness of the threat.
Given the lack of action over the last twenty years, it seems unlikely that the Government will suddenly spring into gear and make the changes required to keep our systems and data safe. Perhaps they will surprise us all and follow the lead of countries like Singapore and the United States, and implement a real strategy. If that happens, what is outlined above is the best approach.
Without action, a major Government breach – like that seen against the ANU – is just a matter of time.