The Federal Labor Party has promised to “radically change the Commonwealth’s cybersecurity culture” and “normalise” the involvement of the wider infosec community if they win the next election.
Shadow Assistant Minister for Cybersecurity Tim Watts on Thursday raised the need to reform the federal government’s cybersecurity functions, which he says suffer from an accountability deficit.
He said while recent reforms, including the planned creation of cyber hubs in Defence, Home Affairs, Services Australia and the Tax Office, were promising, more systemic changes were needed.
“These policy changes will be for naught if we can’t fix the accountability culture programs within Commonwealth cyber security,” he told the Government Data Protection Summit in Canberra.
Watts said there was “currently a resistance to external accountability and an instinct towards secrecy within government, regardless of the context”.
He pointed to the delay in delivering the first Commonwealth cybersecurity position report, which took more than a year to materialise after being approved by the government, as evidence.
The Australian Cyber Security Centre (ACSC) has now produced two such reports, both of which found that compliance with the four mandatory cyber security controls remains at “low levels” across government.
Watts also cited his attempts, through Senate estimates questions, to have agencies state their compliance with the Essential Eight controls, which he said met with the same response from every agency.
“If Labor wins the next federal election, and I’m lucky enough to keep my dream portfolio in cyber security, I want to help drive a step change in the Commonwealth’s cyber security culture,” he said.
“In particular, I want to change the way that the cyber security functions of government – from policy development to information security – interact with the Australian cyber security ecosystem outside of government.”
“Australia’s cyber security is a whole-of-nation endeavour. It demands that we draw on the different experiences and perspectives of individuals across these domains.”
Watts said he would look to “find more ways to kick-start routine collaboration between the Commonwealth and the broader Australian cyber security ecosystem”.
He said the greater use of staff exchanges between ACSC, academia and industry was an “obvious place to start”, pointing to the experience of the UK’s National Cyber Security Centre (NCSC).
One such program was recommended by an industry panel of mostly telecom executives ahead of the 2020 cybersecurity strategy.
Watts also said there was a need to forge more ties with private sector incident response (IR) companies in order to help more organisations respond to cybersecurity incidents.
“The UK’s NCSC established a Cyber Incident Response scheme to enhance relationships with IR firms, build a basis for consistent bi-directional information sharing and set standards for incident response,” he said.
“To promote increased collaboration between the Commonwealth and private sector incident responders, we should be exploring an Australian equivalent of this scheme led by ACSC.”
Vulnerability disclosure programs (VDPs) and bug bounty schemes are other areas “where there are potentially significant gains” in a Commonwealth with a more open cyber culture.
“I also want to find ways to better normalise the involvement of the cyber security community outside of government in the Commonwealth’s cyber security mission,” Watts said.
“Everyone’s a winner when Commonwealth agencies implement VDPs and we should see more of it across government.”
The Digital Transformation Agency, in response to questions received from the Senate in October, said it still has no plans to implement a centralised bug bounty program.
In 2020, the Australian Communications Authority stated that the government had never considered running a bug bounty program, despite widespread use of such programs by the US and UK governments.