Government is losing the war against cybercrime
Four years ago, the federal government launched Australia’s Cyber Security Strategy, which was widely seen as a welcome improvement on both the prioritisation and amount of investment in Australia’s cybersecurity capabilities and overall maturity. However, over those past four years, the number of cyber attacks has continued to increase across the Australian public and private sector. We must ask ourselves: why are we losing the war against cybercrime?
In 2019, the Australian Cyber Security Centre (ACSC) responded to 427 cyber incidents affecting Commonwealth entities. According to the ACSC, these cyber attacks were aiming to steal information that included defence capabilities, research and intellectual property, and the personal information of Australian citizens and government staff.
In June this year, Prime Minister Scott Morrison highlighted the threat to our national security and economic prosperity when he announced that Australia has been subject to continued targeting and attack from a nation-state threat actor. This was not a surprise to those in industry, who have seen the increasing levels of cyber attacks against all levels of government and other sectors.
The frequency and severity of cyber attacks against the Australian public sector will continue to increase as geopolitical, economic, defence and trade tensions remain. The nature of government services requires the collection of valuable information and data from citizens, which is why government is targeted by both nation-states and organised cybercriminals.
It is difficult to stop nation-state cyber attackers since they are determined and well resourced. However, we need to be doing much more to make Australia a harder target. The level of cybersecurity maturity across all levels of government in Australia is inadequate. The underinvestment in the modernisation of government technology compounds the risks presented by difficult-to-maintain legacy systems, and increases the likelihood of agencies being successfully hacked. A significant cyber attack against the government will result in interruption to essential government services and the loss of public trust.
The Australian Government has world-class cybersecurity capabilities at its disposal within the Australian Signals Directorate (ASD) and the ACSC. However, outside of these dedicated national capabilities there are huge inconsistencies in the focus or capability to protect Australian citizens’ identities and data. There is opportunity for further leadership on cybersecurity across the public sector to support the capabilities of the ACSC and ASD, and to make each agency and department a much harder target.
Tabled in 2020, the Commonwealth Cyber Security Posture in 2019 Report showed clearly that federal agencies had ineffective risk management practices and remain vulnerable to cyber threats. One of the biggest shortcomings across all levels of government in Australia is the failure to implement the ACSC’s Essential Eight, a prioritised list of mitigation strategies that will protect systems against a range of cyber adversaries.
The Top Four mitigation strategies of the Essential Eight are mandatory for federal agencies. A maturity level of ‘three’ — the highest level — across the whole Essential Eight is the recommended security baseline for all organisations. This is achieved when an agency is fully aligned with the intent of the mitigation strategy. In 2019–20, findings from an Australian National Audit Office analysis of 18 government entities showed that maturity levels for most entities were significantly below the Policy 10 requirements of the Protective Security Policy Framework, ‘Safeguarding information from cyber threats’.
To help address the lack of cybersecurity maturity, the ACSC has been working hard with additional activities through the Cyber Uplift program. Yet, while some improvements have been made, they are not enough to adequately protect government services and citizen data and identities.
If you examine the tactics and tradecraft used by cyber attackers, you quickly gain an appreciation for why the Essential Eight needs to be fully implemented to a maturity level of three across all federal and state agencies. ASD and the ACSC do exactly this, and in ‘The Summary of Tradecraft Trends for 2019-20: Tactics, Techniques and Procedures Used to Target Australian Networks,’ the ACSC states that “A review of investigations performed by the ACSC has shown that implementation of ASD’s Essential Eight on victim networks would substantially reduce the risk of compromise by the adversary TTPs identified in this advisory”.
This is not a new statement — the ACSC’s analysis of the majority of cyber attacks that Australia encounters results in the same recommended mitigations year on year.
The weakest links
Balancing the right level of investment in cybersecurity and ensuring public value against the risks of cybercrime can be challenging. The federal, state and local public sectors are not spending enough to keep pace with emerging threats, and they are not spending enough on protecting essential services and citizen security. At this stage we are struggling to play catch-up, let alone get ahead.
The ability to prevent a nation-state cyber attack would require too much investment for each individual agency, which is why there needs to be reliance on central government capabilities within ASD and the ACSC. However, agencies also need to prioritise what they can control and make sure they are delivering on the cybersecurity baseline recommended by these central capabilities. Otherwise they will be the weakest link in our national security.
One of the challenges facing our public sector leaders is trying to balance the transformation of government services and at the same time protect citizen security. There is an opportunity for leaders to leverage the transformation and digitisation of services to drive an uplift in cybersecurity capability. Unfortunately, the 2020 EY Global Information Security Survey reveals that only 36% of digital transformation programs include security from the beginning.
Globally, we have seen that the main driver for increasing cybersecurity spend is risk reduction to address emerging threats. Federal, state and local agencies need significant increases in their cybersecurity budgets to improve cyber risk management practices and become the backbone in combating cyber threats. It is time we saw a significant increase in spend across the public sector, or else we may see more Australian citizens’ data and identities stolen.
A new strategy
The NSW Government’s Cyber Strategy, to be released later this year, will bring significant investment into Australia’s cybersecurity capability. And the recommendations outlined by the Industry Advisory Panel Report into Australia’s 2020 Cyber Security Strategy will go a long way to protecting our nation’s economy and national security.
Irrespective of the big-ticket items that are announced and funded, there is an immediate need for all levels of government to take further responsibility for protecting essential government services and citizen security.
Here are the top four things every government agency should do:
- Fully implement the recommended ACSC Essential Eight to substantially reduce the risk of compromise by an adversary’s tactics, techniques and procedures.
- Integrate cybersecurity capabilities into digital transformation projects as a secure-by-design principle right from the beginning.
- Increase the level of investment in cybersecurity to keep pace with emerging threats and to protect essential services and citizen security.
- Agencies at all government levels should demonstrate further leadership and accountability for what they can control, and ensure they are delivering on the cybersecurity baseline recommended by ASD and the ACSC.
We must see more leadership and whole-of-government action on implementing the Essential Eight, to lift Australia’s cybersecurity maturity and make us a harder target for nation-state-sponsored cyber attackers.