
Cyber security within government systems

As threat actors and malicious attackers continue to escalate their attacks on the public sector, government cyber security is becoming more critical than ever. But what do those measures look like in practice?

Australia’s government sector is rapidly undergoing digital transformation, which brings enormous advantages to agencies and the public. Among those is the opportunity to look afresh at cyber security arrangements and ensure they are still fit for purpose in the face of the rapidly evolving threat landscape.

With growing cyber threats from both within and beyond our borders, the government is seeking to develop a cyber security framework and toolkit that can be used across all its departments and agencies.

How does cyber security fit into government work?

As of 2020, there were 1,311 Government bodies operating across Australia, with millions of individuals, businesses and organisations depending on them for their day-to-day operations and tasks. This interdependence means that even a single point of vulnerability could result in large swathes of the entire government network being compromised, potentially causing large-scale disruptions at even a national level. To make sure the government network stays secured, there needs to be some common framework of cyber security standards and practices in place across all bodies, agencies and departments.

How big is the cyber risk?

According to the Government’s Australian Cyber Security Centre (ACSC), threats can range from foreign state-sponsored cyber espionage, cyber attacks that seek to disrupt critical infrastructure, to petty criminals using government records to defraud, or steal individual identities. According to the ACSC Threat Report, over the period of 1 July 2019 to 30 June 2020, the ACSC responded to 2,266 cyber security incidents and received 59,806 cyber crime reports at an average of 164 cyber crime reports per day, or one report every 10 minutes.

The cyber threat landscape is massive and spans many jurisdictions. Cyber security is not just a technical ICT challenge. Many government bodies work interdependently and share information with each other. This includes sensitive areas like defence and policing. That is why having a common cyber security and policy framework that applies to all government organisations is essential.

As ICT environments become more powerful and cyber bad actors gain access to ever more sophisticated tools, the demand for finite cyber security skills becomes ever greater. This is especially challenging for independent government agencies competing for a highly sought-after specialist workforce.

What action is the government taking?

The good news for government and private enterprises alike is that the mega trend toward cloud infrastructure and SaaS applications means they can avail themselves of the latest cyber security technologies and practices that these as-a-Service ICT models provide, without having to compete for scarce, highly specialised resources. The ACSC pointed to this in its guidance to government agencies seeking to acquire cloud services. The guide begins by saying agencies considering a move to a cloud service should start by asking themselves the question: what is the risk of NOT moving to cloud?

The government has already published cyber security guidelines for various industries and government bodies. For example, any SaaS solution provider that serves the government must undertake gateway certification by the Australian Signals Directorate (ASD) and undergo a cyber security audit by a certified Information Security Registered Assessors Program (IRAP) assessor. The provider must also demonstrate "continuing compliance" with ASD's strategies to mitigate targeted cyber intrusions, as well as meet the requirements stemming from other relevant Australian government strategies and policies. Some examples include alignment with the Australian government's secure cloud strategy, whole-of-government hosting strategy, and cyber security strategy.

The Government has a clear strategy for developing a trusted, connected and secure data and digital infrastructure. Some of the elements of that strategy include:

What this means for SaaS solution providers

In practice, this means that any SaaS solution provider serving the government will need to meet stringent compliance criteria and have the appropriate certifications and accreditations before they go to tender. But that is just the baseline. To position themselves as the preferred provider for the government, SaaS solution providers will need to be able to prove they can reduce the risks involved in data sovereignty, ownership and supply chains. They need to be nimble enough to continually stay current with both the threats and the technology that bad actors utilise. Set-and-forget hosting approaches are no longer acceptable. That means being able to offer cyber security for government data up to the PROTECTED classification by default, along with the continual uplifting of cyber security technologies and appropriate ICT data protection controls. Any candidate SaaS provider must also ensure government services are efficient and cost-effective, and be able to implement secure communication links for the transfer of data across facilities. They also need to support cross-department coordination by providing whole-of-government coordination points and reducing duplication for common services and functions.

How government agencies can securely harness SaaS

When considering a SaaS provider, government agencies need to ensure they have the relevant accreditations and cyber security standards in place. IRAP assessments are a great place to start. These assessments are carried out by qualified professional assessors to provide a comprehensive and clear assessment of a system’s security controls and compliance with Australian Government requirements to store data classified at various levels. However, maintaining the highest standards under the IRAP process requires regular reaccreditation.

Government agencies need to make sure their SaaS providers regularly update their accreditations (annually or better), continually review their security practices and accountability mechanisms, and practise continuous improvement across all their functions. A SaaS provider is more than just an operator; they are a partner who will be handling sensitive data and processes for the foreseeable future. Government agencies need to do their due diligence to make sure their providers are up to the task.

Publish date

09 Apr 2021
