Agencies need to be seasoned to fend off cyberattacks

How secure are Australia’s information systems and critical infrastructure from attack? How prepared are specific agencies to deal with the increase in digital attacks by rogue gamers?

Australian agencies are clearly aware of threats and cyberattacks attributed to foreign actors. High-profile corporate data breaches, such as those affecting Optus and Telstra, have heightened concerns.

It is a difficult environment for governments around the world. A recent US survey found that 58% of state and local government organizations were affected by ransomware in 2021, with 72% reporting that hackers encrypted their data.

Agencies such as the Department of Home Affairs, the Attorney General’s Department, the Australian Cyber ​​Security Center (part of the Australian Directorate of Signals) and the Digital Transformation Agency (DTA) are responsible for various aspects aimed at ensuring appropriate levels of cyber resilience.

Determining how well government departments deal with cyber threats will depend on a range of factors: how they strategize or play a war game about what might happen in the future, what they do to test new technologies designed to protect government infrastructure and watchdog loopholes. in government processes that need to be tightened up.

Dealing with cyberattacks

Wargaming – or scenario analysis – is a way for governments, their departments and agencies to deal with threats to national security.

Professor John Blaxland of the Australian National University said wargaming tests the strengths and vulnerabilities of systems to determine what might happen in the event of a conflict. “It’s an iterative process,” he says. “It’s like a board game with two or more players. It is an essential tool in planning.

Blaxland says the war game provides a context for examining possible decisions and how they might play out in a conflict or crisis. They allow governments and in particular their military forces to prepare in the event of physical or digital aggression.

He says wargaming is particularly effective where there are “forks in a road” – it can help authorities determine how to mitigate risk in a series of “what if” scenarios.

War games or scenario analysis look at likely scenarios, but the government needs to take other steps to improve cyber resilience. Another factor is what departments are doing to make existing systems more resilient to attack.

The DTA is participating in a pilot program of cybersecurity hubs to regulate access to the online world. But according to the Cybersecurity Industry Advisory Committee’s 2022 annual report, cyberhubs need more resources to do the job they were designed to do.

“Government systems continue to be a prime target for malicious actors,” the report said. “There have been numerous examples of attacks on infrastructure at the state and federal level, including service delivery agencies, government departments and political offices.

“The cyber hubs that have been set up to lead this, coordinated by the government’s Digital Transformation Agency, need to have more teeth and their work needs to be accelerated.”

The committee says the government has spent a lot of time focusing on what businesses need to do to strengthen their cybersecurity, but notes the government needs to make greater strides to protect itself.

“It is also important that the government make progress in strengthening its own systems and cyber defenses,” the report said.

“In asking Australians and Australian businesses to support the strategy, the government must be a model of cyber best practice in its own operations, while improving the security of the delivery of increasingly digital government services.”

Home Affairs Cybersecurity Audit

One of the ways citizens become aware of the government’s preparedness to deal with cybersecurity threats is when the Australian National Audit Office (ANAO) reviews an agency to see if it has the appropriate processes and procedures in place to manage surveillance and threat mitigation.

ANAO dove deep into the administration of the Critical Infrastructure Protection Policy and found that the Home Office had failed to ensure that all of its processes were up to date.

“The department has partially effective governance arrangements to administer the Critical Infrastructure Protection Policy,” the ANAO report said. “The implementation of critical infrastructure risk assessments and reporting has not been factored into the risk documentation.

“The effectiveness of the department’s stakeholder coordination arrangements is reduced by the lack of an engagement strategy and the provision of limited support to other critical infrastructure regulators.”

ANAO also found that the department’s performance framework dealing with critical infrastructure left something to be desired. A fairly long list of improvements appeared in the ANAO report, including statements of performance, assessment of regulatory performance, and “use of internal metrics to inform policy and regulation needing improvement” .

The ANAO even found governance arrangements less than stellar.

“The department’s critical infrastructure risk management does not represent an integrated approach to managing risk across its corporate and operational, legislative and policy functions,” the report said.

“While the ministry undertakes coordination activities with key stakeholders, including through some long-established forums, it does not have a documented stakeholder engagement strategy to identify the focus of engagement, the means by which engagement occurs or scenarios are managed, or the basis for their existence. more established information-sharing agreements with some key stakeholders than with others.


Read this manual to guidance through the four stages of the IDEA approach that Microsoft has developed: Digital Transformation Playbook: Four Elements to a Successful Strategy.

Leave a Reply