Letter from Australia: how the government got serious on cybersecurity
CyberArk, our sponsor for PublicTechnology Cyber Week, writes about how industry and government are working together to meet Australia’s cyber challenges
When Australia’s prime minister Scott Morrison fronted a hastily convened media pack on a cold midwinter Canberra morning on 19 June, it became clear in seconds that the country’s national cybersecurity alert level had just shifted up a gear.
Flanked by defence minister senator Linda Reynolds, Morrison revealed that the Australian Cyber Security Centre was in the process of battening down the nation’s IT security hatches, not just for the federal government, but for states, councils, industry and academia as well.
It was a message that sent an immediate chill down the spine of decision makers charged with signing-off on organisational cybersecurity settings. What had sometimes been relegated to a compliance issue just became discomfortingly real, especially around threat mitigation.
The message from the very top was clear. Late passes and extensions just won’t cut it anymore. Get secured – or get rumbled.
Leading cybersecurity solution providers acknowledge there is work to be done across both the technology industry and government to rise to the country’s elevated security challenge.
Renewed commitments by both the federal government and states like New South Wales, which has earmarked $240m over four years to boost cybersecurity capability, are timely and valuable.
Providers and government must work together to defeat threats, and education and understanding are key.
Behind the Essential Eight ball
Australia’s go-to cybersecurity benchmark for government organisations and critical infrastructure remains the Australian Signals Directorate’s ‘Essential Eight’, developed specifically to harden systems against malicious intrusion and compromise.
The eight comprise a suite of strategies – including patching, application control, and the use of multi-factor authentication – to mitigate data breaches and malware attacks, and to promote the recovery of systems and data.
While it is roundly accepted that the Essential Eight are a necessary and effective security framework, actually achieving compliance is a lot harder than it sounds, which is almost certainly one of the reasons why the executive arm of the Australian government has gone on the front foot to raise awareness.
Governments have pulled together to create a highly effective response to control Covid-19. But what’s less discussed is that the sheer size of the attack surface now available to malicious actors has increased exponentially, making intrusion attempts a matter of when, rather than if.
Nobody realistically expects agencies to publicly disclose their vulnerabilities or weak spots but, at a broad level, evidence highlighting the urgent need for improvement is clear and compelling.
In May 2020, the Australian National Audit Office released a report that probed 18 government agencies – including Defence, Services Australia, Home Affairs and Tax – as to how their human resources and financial software rated against the Essential Eight maturity index.
The standout in the ANAO’s assessment of maturity of agency mitigation strategies was the need to “restrict administrative privileges” – or limiting the number of users and accounts with scaled-up access, like systems administrators or other users with high levels of technical authority.
Out of the 18 agencies assessed by the ANAO, eight were found to be non-compliant with the requirement to restrict privileged access, a figure that urgently needs to change.
As the Australian Cyber Security Centre (ACSC) prudently observes in its outline of the Essential Eight, privileged accounts – especially for administrators of networks, applications, cloud accounts and data holdings – remain a bullseye target for malicious actors. Why? Because attacks seek to abuse privileged access in order to get to what they really want. To meet this challenge, usage of privileged access management (PAM) allows attacks that compromise privileged credentials to be contained.
By proactively managing and rotating high-value ‘privileged’ credentials and limiting user access to only the information and tools needed to perform their immediate role, an attacker’s route to critical data and assets can be contained, reducing their ability to exfiltrate information or disrupt operations.
“Admin accounts are the ‘keys to the kingdom’, and adversaries use these accounts to gain full access to information and systems,” the ACSC cautions.
That risk is increasing as malicious actors – both nation state and criminal – look to sophisticated and highly personalised attacks like phishing to trick well-meaning staff into exposing their access credentials.
These collaborative times
Limiting privileged access has become critically important in the contexts of the worldwide push to work from home, coupled with the need for once-discrete organisations to collaborate for a common good.
In times of crisis, authorised access to some and the unimpeded flow of secure data needs to run smoothly between banks, supermarkets, hospitals transport providers and governments – aside from central government, Australia has eight state and territory regimes not to mention hundreds of councils.
So far governments have pulled together to create a highly effective response to control Covid-19.
But what’s less discussed is that the sheer size of the attack surface now available to malicious actors has increased exponentially, making intrusion attempts a matter of when, rather than if.
This in many ways doubles the need and utility of privileged access management solutions, especially when they can accelerate authorised access as well as tightly controlling it, eliminating the need for fudges like poor passcode management.
Used judiciously, a good PAM solution can turn information security into a productivity-boosting operational strength, as opposed to a constantly shifting compliance cost centre.
There is no magic bullet but, as public sector organisations go cloud-first and embrace persistent development through approaches like DevOps, privileged access management becomes paramount.
New measures prohibit supply of any tech used for ‘internal repression’
Consultation launched seeking feedback on risks and mitigations for systems that now underpin a wide range of ‘essential services’
Steve Barclay urges greater reporting of attacks
Former cabinet secretary Mark Sedwill has landed a non-executive role at BAE Systems