Issues with smaller players not being able to meet computer security provisions inserted into contracts with larger corporations have led to calls for the government to step in and form a partnership with industry to bring local small businesses and niche players up to scratch, said Mike Rothery, first assistant secretary of the National Security Resilience Policy Division at the Attorney-General's Department.
Speaking at the Gartner Security and Risk Management Summit in Sydney, Rothery said that 35 interviews conducted with industry during the process of CERT Australia becoming part of the Australian Cyber Security Centre had revealed quite a paternalistic relationship existing within the IT supply chain.
Rothery said the interviews examined the role of government within the IT industry and security, and found that businesses with a high level of maturity do not look to government for assistance when it comes to the security of their own systems, because those companies are already well aware of the risks of doing business online and are managing them.
"What they do look for government to do, interestingly, is to actually help them manage their own supply chain," Rothery said.
"Because what a number of large organisations said to us was: 'We're good. We're on a path, we're not there yet, it's a constant struggle, we've got to keep reinvesting in it. But our problem is that although we put cybersecurity conditions in a whole lot of our contracts with our suppliers, they're not worth a cracker — because a lot of those people that we want to contract to, actually, are not competent to manage the security of our information inside their network.'"
According to Rothery, that does not mean that large corporations want to cut SMBs adrift; rather, they want to lift the standards of those companies.
"Some of the large corporations that wanted to do business with niche providers, particularly in terms of niche software development, had in the previous decade put highfalutin requirements in the contracts that people signed, but actually have now come to the view that very few of those organisations are actually capable of fulfilling those obligations," he said. "So rather than trying to manage the risk through a risk of litigation, effectively suing people if they get it wrong, that's not the relationship that they want to have.
"What we heard in terms of what the role of government is ... 'We need to bring up those other elements of corporate Australia that have not reached that level of sophistication, but we need to do it in partnership because we know this is not something that government is necessarily the beneficiary of, we know that actually the whole of the economy is the beneficiary, and we need to do some of that heavy lifting ourselves'," he said.
The motives for the larger corporations are economic, with businesses not wanting to deal with a small number of companies that could begin to gouge prices.
As a result of the smaller businesses being seen as unable to handle corporate data securely, Rothery said that CERT Australia has noticed many major corporations changing their relationship with vendors: rather than signing an open-ended contract and handing data over, they are choosing to handle security themselves on the smaller vendor's systems, effectively reaching into vendors to create a "secure enclave" fit for handling their information.
One example offered by Rothery of such a situation is a separate IT environment under the control of the customer, provided for the development of a product.
"[It is] basically saying: 'We like your product, we think you have a niche capability, we can see this as being a competitive advantage in the marketplace — but you are not capable of doing the security yourself. It's a big stretch to ask you to be experts of that in addition to the innovation that we are seeing in your other products. We will partner with you'," Rothery said.
Cloud maturing, but not yet ready for government
Speaking about the uptake of cloud computing services within the Australian government, Rothery said that the main pain point for agencies is not about the benefits of cloud usage, nor the environment used within those services, but rather what the environment will be in five years.
"If you are wondering why the Australian government has been probably a little bit reluctant to dive into cloud ... it's just that issue about how do we get that information to be able to assess the risk, and how do we know that when we make a judgement about the risk, it will be for the life of the relationship, and that we won't find that information has migrated, contracts have changed, data warehousing has moved into third or fourth countries without actually knowing about that in advance.
"The service delivery agencies in the Commonwealth are probably the first movers — the national security agencies, often because they work in air-gapped, non-internet-connected systems, are probably in a luxurious position — it's still fairly early days."