Threat hunting vital to interagency communication

A recent report from the Australian Cyber Security Centre (ACSC), part of the intelligence-collecting Signals Directorate, revealed it had received 76,000 cybercrime reports last financial year, up 13% from the previous period and equating to about one attack every seven minutes. Meanwhile, a string of high-profile breaches highlights the eagerness of cybercriminals to exhaust every potential avenue to steal data, disrupt operations, create risk and ultimately profit.

It’s clear that Australia is facing an increasing threat from cybercrime, and government departments are not immune to this threat. The ransomware attack on a Department of Defence communications platform is just one recent example of the threat our agencies face — agencies have a wealth of critical data that cybercriminals crave for their own nefarious means. As Australia faces a need for more secure intergovernmental data sharing in the wake of natural disasters, pandemics, and threats of conflict from abroad, there is more opportunity for holes in the defence to arise.

This leads to a dilemma for critical government agencies: how can they maintain cybersecurity while also opening up seamless communications and data-sharing channels at the same time?

The Essential Eight cybersecurity framework is currently mandated across federal government bodies. The framework provides guidance on the minimum standards for government departments, aimed at building up the collective cybersecurity.

However, a recent Australian National Audit Office (ANAO) report on finance and HR systems found only two of the 19 Commonwealth bodies assessed had achieved a sufficient maturity level. This has implications for cross-agency communications, as bodies seek to protect their own data, and ensure data coming in does so securely. Australian Public Service (APS) staff will also know well the struggle of communicating securely with other agencies, in which success varies from patchy connections to being completely unworkable. But in an emergency scenario, data sharing and communications can mean life or death.

Although Australian government departments are required to share data for better policy development and more efficient decision-making, the internal processes often hit roadblocks. With the risk of attack so high, agencies are cautious about opening a doorway, even to other departments. Operability is key for these entities, but interoperability can often fall by the wayside.

Moves have been made to streamline these channels, including the implementation of the Data Availability and Transparency Act (2022). However, government departments are already having a hard time managing their own security; taking into account and securing a larger threat surface created by data sharing is often far down the priority list.

The Commonwealth is taking steps to build up security and confidence in connectivity and remedy the flaws in the current structure. In doing so, there is an opportunity here to improve current cybersecurity measures, protect the vital services of government, and consequently improve the quality of services delivered.

Patching versus proactive threat hunting

Consistent cybersecurity across agencies regardless of the ERP or underlying IT infrastructure is vital to ensure the security of the whole of government, and protect the vital functions of government.

The ANAO Essential Eight report found patching applications was found to be one of the hardest areas to manage, with a common complaint that “patching applications’ requirements are not achievable”. The Essential Eight requires agencies to implement security patches as soon as possible, but only five met this standard. Patching, while essential to the running of many security systems, is shown to be problematic for many agencies. The time and resource implications of patching can be burdensome, requiring agencies to balance resources and security.

The significant system downtime from patching is something many government departments cannot afford. Imagine if a serious bushfire or flood occurred and Home Affairs could not log in to key communications applications to coordinate its response with state governments while it undertook a rigorous upgrade — the results could be disastrous.

Furthermore, reactive patching is less effective at meeting novel threats. Where patches are slow to meet the rapidly evolving cyberthreats, system vulnerabilities appear, and hackers will be ready to pounce.

The Essential Eight 24- to 48-hour required patch response time is unrealistic and exposes agencies to harm. Patches from vendors don’t consider bespoke and unique customisations that have been made by agencies to the underlying IT infrastructure — customisations that are vital to providing services to the public.

This reality can potentially hinder the delivery of government services and in crises may have the potential to harm interagency communications when they’re needed most.

A new focus on solving root issues, and proactively targeting threats as they appear, rather than waiting for a patch or upgrade provided by the IT vendor, is needed to combat some of these issues.

Heightened and consistent cybersecurity postures are important to maintaining governmental operations, and fostering confidence in the interoperability of government departments. Increased connectivity should be seen as an opportunity to provide better services for Australia, and respond more effectively to threats, both cyber and physical. As government agencies ramp up digital investments, cybersecurity measures must be complemented by a strategy that relies on proven expertise and understands and facilitates better data sharing.

Image credit: iStock.com/D3Damon