Labor pledges to reform Canberra’s cybersecurity culture – Strategy – Security


Federal Labor has promised to “radically alter the Commonwealth’s cybersecurity culture” and “normalize” the involvement of the wider infosec community should they win the next election.

Shadow Deputy Minister for Cybersecurity Tim Watts on Thursday spoke of the need for reform of the federal government’s cybersecurity functions, which he said suffer from an accountability deficit.

He said while recent reforms, including the planned creation of cyber hubs in defence, home affairs, Australian services and the tax office, showed promise, more systemic changes were needed.

“These policy changes will be for nothing if we cannot fix the accountability culture programs within Commonwealth cybersecurity,” he told the Government Data Privacy Summit in Canberra.

Watts said there is “currently a resistance to external accountability and an instinct for secrecy within government, regardless of the context.”

He pointed to the delay in delivering the first Commonwealth Cybersecurity Posture Report, which took more than a year to materialize after it was approved by the government, as evidence.

The Australian Cyber ​​Security Center has now produced two reports, both of which confirm that the four main mandatory cybersecurity controls remain at “low levels” across government.

Watts also cited his attempts to question agencies on their compliance with Essential Eight controls as part of the Senate estimates, which resulted in uniform responses.

“If Labor wins the next Federal election and I’m lucky enough to keep my dream cybersecurity portfolio, I want to help bring about a step change in the cybersecurity culture of the Commonwealth,” he said. .

“In particular, I want to change the way government cybersecurity functions – from policymaking to information security – interact with the Australian cybersecurity ecosystem. out of the government.

“Australian cybersecurity is a national business. This requires that we draw on the different experiences and perspectives of individuals in these areas. »

Watts said he would look to “find other ways to initiate routine collaboration between the Commonwealth and the wider Australian cybersecurity ecosystem”.

He said the increased use of personnel exchanges between the ACSC, academia and industry was an “obvious starting point”, citing the experience of the National Cyber ​​Security Center (NCSC) of the UK.

Such a program was recommended by an industry panel of mostly telecommunications executives ahead of the 2020 Cybersecurity Strategy.

Watts also said there was a need to forge closer ties with private sector incident response (IR) firms to help more organizations respond to cybersecurity incidents.

“The UK’s NCSC has established a cyber incident response program to improve relationships with IR companies, establish a foundation for consistent two-way information sharing and set standards for incident response,” a- he declared.

“To promote increased collaboration between Commonwealth and private sector stakeholders, we should explore an Australian equivalent of this CCAA-led program.”

Vulnerability disclosure programs (VDPs) and bug bounty programs are other areas “where there are potentially significant gains” in a Commonwealth with a more open cyber culture.

“I also want to find ways to better normalize the involvement of the cybersecurity community outside of government in the Commonwealth cybersecurity mission,” Watts said.

“Everyone wins when Commonwealth agencies implement VDPs and we should see more of them across government.

In 2020, the Australian Signals Directorate said the government had never considered adopting a bug bounty, despite the widespread use of similar schemes in the US and UK.

The Digital Transformation Agency, in its responses to questions on notice of Senate estimates in October, said there were still no plans to introduce a centralized bug bounty program.


About Author

Comments are closed.