Govt systems to be classed critical infrastructure under cyber reforms

Home Affairs boss reveals.

Select federal government systems and networks will be classified critical infrastructure alongside nationally significant private sector systems, Home Affairs boss Mike Pezzullo has revealed.

Pezzullo confirmed during a webinar hosted by cyber security company CyberCX on Friday that planned changes to critical infrastructure laws will also extend to some government systems.

“Certain assets and networks within government will be designated as critical infrastructure, so they’ll also be able to be actively defended by the Australian Signals Directorate,” he said.

It is the first acknowledgement that government will be recognised as a critical infrastructure sector, though whether the same rules being thrust upon private entities will apply is not yet known.

The critical infrastructure powers, which are a central plank of the 2020 cyber security strategy, aim to uplift the security and resilience of systems and ensure networks can be defended.

Last month, Home Affairs released a consultation paper detailing its proposed “enhanced regulatory framework” for critical infrastructure and systems of national significance.

The framework will extend the definition of critical infrastructure beyond electricity, gas, water and port entities covered by the Security of Critical Infrastructure Act to other sectors, including banking, health, education and food.

Pending the passage of amendments to the Act and the co-design of sector-specific standards, the government expects the new cyber security obligations to come into effect in mid-2021.

But there is no mention of government on the list of sectors the proposed reforms will apply to, despite it ranking ahead of critical infrastructure in terms of reported cyber security incidents.

Instead, the consultation paper said the government is working to “identify the most appropriate mechanisms to ensure governments are held to the same standards”.

Pressed by former national cyber security advisor and CyberCX chief strategy officer Alastair MacGibbon on why government didn’t appear on the list, Pezzullo said “it will be”.

Secure government hubs

Pezzullo also further outlined the government’s plan in the 2020 cyber security strategy to create a series of “secure hubs” to reduce the number of networks that hostile actors can target.

“We’re looking to consolidate at least the attack surface to better defend it with tighter, fewer hubs, so that the larger players … can form protected environments that ... provide a harder external shell,” he said.

“It doesn’t, of course, obviate the other work you’ve got to do to get protection right down to the endpoint, right down to the device, right down also to the human practices, which … are in some cases more important.”

He said larger agencies were well placed to lead this work as they “have the depth, have the skills, have the resources, [and] in some cases have the connectivity to ASD in real-time that can provide use with that threat picture … that is unique to the signal authority”.

While the government is yet to settle on the number of hubs, Pezzullo said they were expected to “dramatically reduce” the number of existing hubs and perimeters across government.

He noted that this would go beyond consolidating internet gateways, like the government did for a decade through its secure internet gateway scheme following the 2009 cyber security strategy.

“This will also be about consolidating the cyber security defences. Gateway consolidation is a necessary, but not sufficient element of a cyber security hub strategy, so it’s much more complex than gateways,” he said.

Pezzullo said a secretaries board digital group headed up Department of Social Services secretary Kathryn Campbell is currently looking to work through the issues ahead of developing “single cyber security hub strategy” before the end of the financial year.

“We’ll have mapped out all the known vulnerabilities, and where we have to place local defences and local sensors to protect right down to end point known vulnerabilities, and how we harden that external shell,” he said.

Pezzullo said he expects this will lead to a reorganisation of how cyber security interacts with other areas of government IT.

“I think the operating model for federal government cyber will need to change because … you can’t just put that in a box called cyber, and then have your network operations and your architecture and your deployment of apps and your upgrades off over here,” he said.

“So how chief information officers work with chief information security officers and how all of that works in a more aggregated fashion is something we’re working through.”