Alastair MacGibbon confident in Australia's devolved approach to cybersecurity

Although the cybersecurity model in place within the Australian government is different to those of its allies, Australia's special adviser to the prime minister on cyber security is confident in the direction Australia is heading.
Written by Asha Barbaschow, Contributor

In Australia, the government operates under a devolved model where departments effectively run their own respective businesses. As a result, there is not a single overarching authority that oversees cybersecurity operations, with each government department essentially left to defend itself.

Although this model is contrary to that used by the likes of the United Kingdom, Australia's Special Adviser to the Prime Minister on Cyber Security Alastair MacGibbon is keen to give the country a chance to work out its own defence strategy before mirroring others.

"I think it's fair to say the government is always interested in looking at models offshore and seeing what our allies and friends have been doing. I spend an awful lot of time talking to our key allies at odd hours ... and we always like to look at what success looks like in other places and how it can apply," MacGibbon told ZDNet.

"But we're also very conscious of making sure that we don't just make the fatal error that government and corporates do from time to time of just uplifting someone else's good idea that works in their ecosystem and dropping it into ours and wondering why it doesn't work."

With a similar view, Australia's Minister Assisting the Prime Minister on Cyber Security Dan Tehan previously said that a centralised approach to cybersecurity is dangerous, and that it is instead preferable for departments to take care of themselves.

Tehan wants to see each individual department and agency take responsibility themselves, and said the best way to do that is to just remind them of the need to take cybersecurity "incredibly seriously".

"What we want to develop is a culture with all departments and agencies within government that they have the mechanisms in place to make sure they are as cyber-secure as they possibly can be, and if there is capability shortfalls, that they reach out to see how they can get them addressed by other agencies who can help in this regard," Tehan added.

MacGibbon said government departments are not exactly on their own, however, pointing to the Australian Signals Directorate (ASD), which he called one of the world's greatest cryptographic and signals intelligence agencies.

"The ASD provides services to government to protect agencies and help them when things go wrong," he explained.

"Agencies aren't on their own; there are experts in those agencies who are part of networks, that information is propagated, we have really good standards and measures."

In his review into the 2016 Census debacle, MacGibbon advocated for the Digital Transformation Agency (DTA) to add cybersecurity to its scope in an effort to ensure cybersecurity defence is baked into the architecture of new projects undertaken by the government.

All of the recommendations MacGibbon made were accepted by the government.

"So now we see an increased capacity inside the DTA -- and that's important because baking in security architecturally and philosophically is way better than bolting it on afterwards," he explained.

In addition to the ASD, Australia's government-backed cyber ecosystem includes the Australian Cyber Security Centre, the Australian Cyber Security Growth Network, Data61, and Joint Cyber Security Centres that will operate out of Brisbane, Sydney, Melbourne, Adelaide, and Perth.

The Australian National Audit Office has also jumped on board in an auditing capacity, recently declaring the Australian Taxation Office and the Department of Immigration and Border Protection as lacking on the information security front.

"I think we're increasingly smart about how we're applying protective capabilities across agencies, but there's always more work to be done," MacGibbon said.

"I don't think we ever sit down and say 'mission accomplished', but we sit there and say 'are we better than we were yesterday and how can we be better again tomorrow'.

"This is a long haul -- but it's an urgent long haul."

In April last year, Prime Minister Malcolm Turnbull unveiled Australia's AU$240 million Cyber Security Strategy, which is aimed at defending the nation's cyber networks from organised criminals and state-sponsored attackers, and sits alongside the AU$400 million provided in the Defence White Paper for cyber activities.

According to MacGibbon, the strategy deals with how to protect not just the Australian government against cyber threats, but the Australian society as well.

"To me, the success of the strategy to date -- which I'm depressed about each day because I so fundamentally want it to run faster -- is [measured on if] the momentum is different in 2017 to the momentum in 2016," MacGibbon added.

MacGibbon said he could be a good bureaucrat and just tick off on 33 initiatives over a four-year period, but that wouldn't be a true indicator of success.

"Success of the strategy is changing an ecosystem and that's what we're trying to do," he said.

"But I can say that until we get that security, until we actually bake it into everything we do, until we actually change the ecosystem, then we won't have the trust and confidence that underpins the very economy and society that we have today.

"I say to the prime minister, to his cabinet ministers, and to anybody who will listen to me, in 2017 the stars are aligned. I've been in this space for an awfully long time, far too long, stunningly unsuccessfully, but in 2017 the mood has changed.

"If in 2017 we can't create the tipping point that self-fuels this, the strategy itself is irrelevant," he said. "If we can't take that remarkable stars-aligned-world that we have inherited or built ... for us not to seize 2017 and make it that tipping point through initiatives, then shame on us."
