DTA cyber advisory office to follow and implement ASD policy advice

The new Cyber Security Advisory Office (CSAO) to be established within the Digital Transformation Agency (DTA) will be an implementation body, with the Australian Signals Directorate (ASD) retaining the policy setting and threat advisory roles it currently occupies, Senate Estimates has heard.

Speaking on Tuesday, DTA First Assistant Secretary of Projects, Procurement and Assurance Peter Alexander said the role of CSAO would be to follow the guidance of ASD, and give government agencies practical advice to improve systems.

"ASD publish the cybersecurity mitigation strategies ... there are a series of mechanisms they set out for appropriate controls and defences to improve cybersecurity in agencies, I see the role of our team is to going out and helping agencies to implement them," Alexander said.

Alexander said ASD would still have responsibility for advising government and dealing with the clean-up of attacks such as the recent WannaCry worm.

"Who is responsible in the federal government for advising agencies around cyber threats? It is ASD," he said. "The Australian Signals Directorate have that role, they still have the policy role in that space, they do signals intelligence, and advise agencies of threats through a variety of means and capabilities involving Attorney-General's [Department] and others."

Announced in the Budget earlier this month, the AU$10.7 million CSAO was created as a result of the findings and recommendations handed down by the Senate Economics References Committee in November as a result of its inquiry into the Census debacle last year.

In February, ASD announced an updated mitigation strategy dubbed the Essential Eight, which advised agencies to implement application whitelisting and disable untrusted Office macros, as well as blocking Flash, Java, and web ads.

Earlier on Tuesday, newly appointed DTA CEO Gavin Slater said he was not surprised at figures giving the thumbs down to the federal government's online services.

"When you think of government there's multiple agencies, multiple websites, multiple ways citizens and businesses interact with government ... it would be a fragmented experience," he said.

Slater said this was why the agency was needed, to work towards "greater consistency and ultimately a better experience" for individuals and businesses. DTA is overseeing AU$6 billion of IT work across government.

The DTA said it is working on a comprehensive study of all government IT projects valued over AU$10 million.

The study had identified 56 separate projects as well as 294 "critical business systems" used by government departments and agencies.

Any projects found to be "high risk" would be given special oversight and made to provide more regular reports on such things as the way the projects are being managed, the technology used, and costs.

But Slater said it is not the DTA's role to "take over a whole program".

One of the projects currently being worked on is the "modernisation" of the health and aged care payments system, the committee heard.

Slater said he wants to work with small and large IT suppliers to ensure the government was getting value and delivering services effectively.

With AAP