In a move seemingly driven by heightened fears of foreign interference, Commonwealth agencies are set to undergo a sweeping audit of their internet-facing technology.
The initiative, spurred by concerns about potential threats to national security, has been mandated by Home Affairs Secretary Stephanie Foster.
In a discreet directive issued recently, Foster has instructed all federal government bodies to meticulously assess and address vulnerabilities in their online systems.
The scrutiny extends to nearly 200 entities and companies under the Commonwealth, compelling them to share detailed information on cyber threats with the Australian Signals Directorate (ASD).
This series of directives under the Protective Service Policy Framework (PSPF) marks a significant governmental intervention, reminiscent of the controversial ban on TikTok from Commonwealth devices last year.
The decision also underscores a growing apprehension within Australian authorities regarding foreign influences penetrating through digital avenues.
As the audit unfolds, the Commonwealth appears steadfast in its commitment to fortify defenses against potential cyber intrusions, framing the measures as crucial steps to safeguard national interests amidst an increasingly interconnected digital landscape.
On the same day the Secretary’s directions were issued, Home Affairs Minister Clare O’Neil also introduced a set of new measures aimed at addressing threats of foreign interference within the broader Australian community.
According to PSPF Direction 001-2024, government entities are instructed to “identify indicators of Foreign Ownership, Control or Influence (FOCI) risk concerning procurement and maintenance of technology assets, and to appropriately manage and report these risks.”
The directive further clarifies that foreign interference refers to activities conducted by or on behalf of a foreign power that are coercive, corrupting, deceptive, or clandestine, and are contrary to Australia’s sovereignty, values, and national interests.
Government entities are told to “implement a process when undertaking procurement of technology assets to identify and manage potential FOCI risks” before June next year.
In the second directive, Ms. Foster ordered a comprehensive assessment of technology assets across all internet-facing systems or services to identify those managed directly or on behalf of the entity.
Commonwealth entities were also instructed to formulate a technology security risk management plan specifically tailored for all internet-facing systems or services, integral to the entity’s broader security strategy.
Under the third directive, it is now compulsory for all Australian government entities utilising threat intelligence sharing platforms to actively exchange cyber threat information with the Australian Signals Directorate.
Palo Alto Networks head of government affairs and public policy Sarah Sloan says this is only the second time the government has used its binding directive powers, the first instance being a mandatory direction to prohibit the TikTok app on devices issued by Commonwealth departments and agencies.
She said the “stocktake”, with its focus on attack surface, “is well placed” as an activity to help the government find and secure vulnerable systems promptly.
