Opinion

The govt can properly fund its own cyber security for the first time

By Marcus Thompson
Updated April 26 2024 - 11:49am, first published 5:30am

There's been much talk, strategy, and now regulatory and legislative consultation on Australia's cyber security movement, but one area still needing clear direction is how Canberra plans to remodel its own cyber backyard: the Australian Public Service.


The government's Australian Cyber Security Strategy 2023-30 focuses on how the private sector and Australian consumers can uplift their cyber posture.

At the core of the strategy is a $600 million pledge to implement six "cyber shields" covering businesses and citizens, sovereign capabilities, safer technology development, threat-sharing and blocking, critical infrastructure, and 'a resilient region and global leadership'.

These are all noble and laudable causes, but it's important the government also uplifts the APS's cyber posture, because without a secure public service, cybercriminals have the potential to render everything else useless.

A report developed for the Minister of Finance last year, and quietly released last month under FOI, paints a picture of what the government needs to do.

The Independent Evaluation of Cyber Hubs and Cyber Uplift report laid bare the failures of the Home Affairs-led cyber hubs program to improve the government's cyber security.

These included the panel observing "a consistent theme over the course of the evaluation that inadequate funding of cyber security by entities has impacted capacity and capability to meet minimum cyber security requirements."

To address this, the panel recommends "a commitment from government to support appropriate prioritisation of cyber security through a fund for discrete, high-impact initiatives".

These recommendations should not be forgotten or ignored in the government's plan to make Australia one of the most cyber-secure nations in the world.

It is particularly concerning as the panel conducting the review, which comprised several notable cyber security professionals, also noted "the cyber security posture across the Commonwealth requires improvement in several areas" as only 11 per cent of APS entities had reached the mandated maturity level two for all eight of the essential eight mitigation strategies.

For readers unfamiliar with the essential eight maturity model, it is a framework developed by the Australian Signals Directorate that measures an organisation's ability to do the bare minimum when it comes to cyber security.

While the essential eight are all critical components of a baseline cyber security posture, they aren't particularly onerous to achieve.

They include measures like backing up critical data, patching applications and operating systems, and multifactor authentication.

Despite this, just over one in 10 Commonwealth entities have reached this relatively low bar of the second of three maturity levels.

Imagine an attack the scale of Optus or Medibank but targeting Medicare, Services Australia, the ATO, or even Defence? Picture: Shutterstock

Failing to address this could have real-world consequences for the nation. This is not some theoretical risk.

The Australian Cyber Security Centre's latest Annual Threat Report found Commonwealth government entities reported far and away the most cyber incidents during 2022-2023 - almost five times more than the closest industry sector.

With the increasing scale, sophistication and severity of cyber-attacks - particularly during a period of heightened geopolitical tension - this must be addressed and should be a key priority for the new National Cyber Security Coordinator.

Imagine an attack the scale of Optus or Medibank but targeting Medicare, Services Australia, the ATO, or even Defence?

The government has laid the groundwork for the private sector and everyday citizens to improve their cyber security, but it now needs to look in its own backyard and make the much-needed investments required to remain resilient in the face of state-sponsored, activist and criminally motivated attacks.

With support from industry, a government strategy moving through regulatory checks and changes, a new National Cyber Security Coordinator looking to make their mark, and an upcoming federal budget, the government has a real opportunity to properly fund its own cyber security for the first time.

This could be the step change we need to claw back the advantage from those who seek to do us harm from the deepest, darkest corners of the internet.

  • Marcus Thompson is former head of information warfare for the Australian Defence Force.