According to the Government’s Australian Cyber Security Centre (ACSC), threats can range from foreign state-sponsored cyber espionage, cyber attacks that seek to disrupt critical infrastructure, to petty criminals using government records to defraud, or steal individual identities. According to the ACSC Threat Report, over the period of 1 July 2019 to 30 June 2020, the ACSC responded to 2,266 cyber security incidents and received 59,806 cyber crime reports at an average of 164 cyber crime reports per day, or one report every 10 minutes.
The cyber threat landscape is massive and spans many jurisdictions. Cyber security is not just a technical ICT challenge. Many government bodies work interdependently and share information, including in sensitive areas like defence and policing. That is why having a common cyber security and policy framework that applies to all government organisations is essential.
As ICT environments become more powerful and cyber bad actors gain access to ever more sophisticated tools, the demand for finite cyber security skills grows ever greater. This is especially challenging for independent government agencies competing for a highly sought-after specialist workforce.
What action is the government taking?
The good news for government and private enterprises alike is that the mega trend toward cloud infrastructure and SaaS applications means they can avail themselves of the latest cyber security technologies and practices that these as-a-Service ICT models provide, without having to compete for scarce, highly specialised resources. The ACSC pointed to this in its guidance to government agencies seeking to acquire cloud services. The guide begins by saying that agencies considering a move to a cloud service should start by asking themselves the question: what is the risk of NOT moving to cloud?
The government has already published cyber security guidelines for various industries and government bodies. For example, any SaaS solution provider that serves the government must undertake gateway certification by the Australian Signals Directorate (ASD) and undergo a cyber security audit by a certified Information Security Registered Assessors Program (IRAP) assessor. The provider must also demonstrate "continuing compliance" with ASD's strategies to mitigate targeted cyber intrusions, as well as meet the requirements stemming from other relevant Australian government strategies and policies. Some examples include alignment with the Australian government's secure cloud strategy, whole-of-government hosting strategy, and cyber security strategy.
The Government has a clear strategy for developing a trusted, connected and secure data and digital infrastructure. Some of the elements of that strategy include:
What this means for SaaS solution providers
In practice, this means that any SaaS solution provider serving the government will need to meet stringent compliance criteria and hold the appropriate certifications and accreditations before going to tender. But that is just the baseline. To position themselves as the preferred provider for the government, SaaS solution providers will need to prove they can reduce the risks involved in data sovereignty, ownership and supply chains. They need to be nimble enough to stay current with both the threats and the technology that bad actors utilise. Set-and-forget hosting approaches are no longer acceptable. That means being able to offer cyber security for government data up to the PROTECTED classification by default, along with continual uplifting of cyber security technologies and appropriate ICT data protection controls.
Any candidate SaaS provider must also ensure that government services are efficient and cost-effective, and must be able to implement secure communication links for the transfer of data across facilities. They also need to support cross-department coordination by providing whole-of-government coordination points and reducing duplication of common services and functions.
How government agencies can securely harness SaaS
When considering a SaaS provider, government agencies need to ensure the provider has the relevant accreditations and cyber security standards in place. IRAP assessments are a great place to start. These assessments are carried out by qualified professional assessors to provide a comprehensive and clear assessment of a system's security controls and its compliance with Australian Government requirements for storing data classified at various levels. However, maintaining the highest standards under the IRAP process requires regular reaccreditation.
Government agencies need to make sure their SaaS providers regularly renew their accreditations (annually or more often), continually review their security practices and accountability mechanisms, and practise continuous improvement across all their functions. A SaaS provider is more than just an operator; it is a partner that will be handling sensitive data and processes for the foreseeable future. Government agencies need to do their due diligence to make sure the provider is up to the task.