Only yesterday, Home Affairs deputy secretary Hamish Hansford was being sent spam emails from someone trying to moonlight as the Australian Border Force commissioner. Everybody is a target for potential cyber security breaches, he says.
“I was in the middle of a meeting today and [the commissioner] sent an email, allegedly, to try and help me help him find out something,” the mandarin told an audience of public servants.
Addressing a “Tech in Gov” conference in Canberra, he noted that most cybersecurity vulnerabilities occur in the space where people and technology meet.
“Particularly around human insights, human factors, human behaviours,” he said.
Hansford, who is responsible for overseeing cyber and infrastructure security and previously led the implementation of Australia’s Cyber Security Strategy 2020, shared his concerns about the current threats posed to the government.
Under current legislative requirements, all companies will be required by next month to meet a certain cyber security maturity level as per the National Institute of Standards and Technology (NIST) framework, the Essential Eight or a particular energy standard.
Hansford said all these measures gauged the level of obstacles the private sector faced, underscoring the all-hazardous nature of the operating environment and the bigger national security risk context. The past week’s disruptions caused by the CrowdStrike software update, which grounded flights and limited access to health and banking services, was a case in point.
“The network outage that we suffered last year, and then the software update that went awry in the last couple of days, attest to immediate examples of what can happen with the supply chain in an acute sense,” Hansford said.
“Understanding supply chain, understanding how networks operate, looking at contingencies, looking at business continuity planning, having an executive who would support a business continuity plan and be able to respond to any sort of incident — malicious or otherwise — understanding at a really granular level how procurement operates, who has procured, where services are deployed in companies or in government or in different areas of the economy … that is an area of immense work [and vulnerability] in critical infrastructure.”
As the person who runs Australia’s critical infrastructure regulator and speaks daily with relevant leaders during crisis and peacetime, Hansford said he was especially worried about how little long-term thinking there was in the private sector about planning for the deployment of technology and what markets could access that technology.
“[This involves] simple source procurements that then don’t have optionality down the track that actually locks people in when there are shortages, and I see more delays and more issues when something goes wrong, particularly from a security perspective,” Hansford said.
This was an area of weakness in the national risk management program concerning critical infrastructure, he added.
With respect to the policy landscape the government was attempting to navigate, Hansford said the mission has been to simplify a complex constellation of 16 interrelated protective security policies. He explained the primary goal was to ensure those in government departments and agencies who were responsible for anything in the gambit of HR, securing physical areas, or human safety could easily understand where risks overlapped with other interests.
“On the government side, we’ve driven over the last couple of months for protected security and the implementation of the protective security policy framework — an all-hazards [approach],” Hansford said.
“What we’re trying to do is inspire people to think about risk management security more generally and that is an area of work at a policy and conceptual level.”
Hansford also highlighted three protective security directions issued by Home Affairs secretary Stephanie Foster this month, which are binding for non-corporate Commonwealth entities. The directives called on agencies to undertake a technology stocktake of devices connected to the internet, protect future procurement, and adopt a more curious cyber posture.
“The first principle is to understand precisely what the technology estate is, and then put in place plans if there are high-risk applications or high-risk vendors or high-risk pieces of software. Understanding at a granular level what we’re trying to protect we feel is particularly important,” Hansford said.
“The second [directive] goes to goes to future procurement. We’ve worked … in conjunction with the Department of Finance to say ‘What are the issues surrounding foreign ownership, control and influence?’ and ‘How do we start to put in place a framework for mitigating those threats in the future procurement?’.”
“We’re finalising policy explanatory notes which say precisely what ‘high risk’ means, how to mitigate those risks in government systems and government procurement, and how we can create overall a much more secure technological estate.”
For the third directive issued by Foster, Hansford noted that after Home Affairs had locked down cybersecurity risk-preventative settings, the government was concerned with hunting for threats in partnership with ASD’s network.
“[We need to make] sure that we’re constantly challenging ourselves to not only look at what we’ve got, look at what we’re buying, but actually consistently look at where the threats are materialising and share that centrally,” he said.
The was republished from Crikey’s sister publication, The Mandarin.
