The Victorian government has launched a new five-year cybersecurity strategy to build resilience against cyber threats, ensure government information, services, and infrastructure are protected, and make sure personnel are ready should an incident occur. Under the Cyber Security Strategy released on Friday, the state government's first priority is to protect sensitive citizen and other data against loss, malicious alteration, and unauthorised use. The strategy [PDF] explains the state also wants government services, systems, and infrastructure to be capable of bouncing back during and following "serious cyber incidents". As such, the state has adopted a whole-of-government approach to how it will respond to threats against infrastructure, with the strategy highlighting that cybersecurity capability across the public sector needs to be improved so that it becomes consistent, less fragmented, based on industry practice, and appropriate to the risk profile of each organisation. It may also see the establishment of whole-of-government subscriptions for internet security and information security services.
The Australian Signals Directorate (ASD), through its Australian Cyber Security Centre (ACSC), recommends that all organisations implement its Essential Eight controls for mitigating cyber attacks. The clue is in the name. A whole-of-government response to a long-running parliamentary inquiry, released early this month, merely "notes" the inquiry's recommendation to mandate the Essential Eight controls for all government agencies, but declines to move beyond "strongly recommending" just four of them. "The Essential Eight represents ASD's best advice on the measures an entity can take to mitigate the threat of a cyber incident and manage their risks. However, the government will consider mandating the Essential Eight when cyber security maturity has increased across entities," the response said.
In an attempt to find the direct lines of accountability within Australian government entities where cybersecurity is concerned, the Joint Committee of Public Accounts and Audit (JCPAA) on Thursday was sent running in circles like a dog chasing its tail. Australian government entities are required to comply with the Australian Signals Directorate's (ASD) Top Four mitigation strategies for cybersecurity compliance, despite there being an Essential Eight. Commonwealth entities are responsible for their own assessments against the Top Four, and as the JCPAA previously requested -- a request that was agreed to by the government -- entities are required to report on their performance and compliance annually. This annual assessment is provided to the Attorney-General's Department (AGD) and the Department of Home Affairs, through the ASD, and that data is then aggregated and anonymised before being thrown together as an overall performance report. But as Shadow Assistant Minister for Cyber Security Tim Watts has pointed out at length before, there is no mechanism that allows the individual performance of Commonwealth entities to be probed.
With the federal government earlier on Tuesday earmarking AU$1.35 billion to boost the nation's cyber capabilities, the New South Wales government has announced its intentions to stand up a sector-wide cybersecurity strategy. The state government is hoping to develop a "comprehensive, sector-wide cybersecurity strategy" and is calling for industry submissions to help shape it. "The 2020 NSW Cyber Security Strategy will ensure the NSW government continues to provide secure, trusted, and resilient services in an ever-changing and developing environment," Minister for Customer Service Victor Dominello said. "The new strategy will be delivered through an integrated approach to prevent and respond to cyber security threats and safeguard our information, assets, services, businesses, and citizens." The state government's existing strategy, a mere 20 pages long, was published in late 2018 and took a whole-of-government view on how to manage risk, borrowing the framework laid out by the National Institute of Standards and Technology (NIST).