ASD and ACSC looking beyond list compliance approach to security

The National Audit Office can make adverse findings against departments, but ASD head Mike Burgess is satisfied agencies are taking security seriously.
Written by Chris Duckett, Contributor

Alastair MacGibbon and Mike Burgess fronting Senate Estimates

In the past couple of years, the Australian National Audit Office (ANAO) has made a number of adverse findings on the cyber posture of the nation's agencies and departments.

At the start of the year, ANAO said tight deadlines lead AEC to ditch security compliance, a decision rejected by the AEC, and last year, ANAO found the Australian Taxation Office and the then-Department of Immigration and Border Protection were lacking on the information security front.

However, freshly-minted director-general of the Australian Signals Directorate (ASD) Mike Burgess told Senate Estimates on Tuesday night that taking a checklist approach to security is not always a good approach.

"Compliance with a list is not by itself good security," Burgess said. "There is no doubt [ANAO's] findings are their findings, but from that you should not necessarily draw that the heads of those departments, the agency heads, are not taking their responsibilities seriously, and they do work hard to identify and manage their security risks."

According to the ASD chief, the existence of legacy IT systems is hampering some agencies from implementing the mandated Top 4 Mitigation Strategies issued by the Signals Directorate.

"If you can't implement that because your IT systems are old and in need of investment, you can still manage that risk effectively by having other security controls in place that help you identify a problem," he said. "Anti-virus software is one such example of that, that enables you to effectively mitigate that risk whilst you can't technically implement application whitelisting at that point in time."

Also read: Infosec checklists becoming common, but they're not magic

The Top 4 was extended into the Essential 8 in February 2017, with calls to make the additional four steps mandatory in October.

Fronting Estimates in his capacity as head of the Australian Cyber Security Centre (ACSC), Alastair MacGibbon said compliance decisions are a risk management exercise.

"Frankly speaking, I doubt whether there is ever going to be a situation where everyone is able to implement all of this advice," he said. "It depends on what they are doing, whether they can, for example, patch at a time if you have an essential system that has to be up all the time.

"Then it is much harder to patch within a certain period which would be recommended -- so that becomes a risk exercise between the secretary or agency head, and the concept of this best-in-breed advice."

MacGibbon -- who, as well as running the ACSC which is set to move underneath ASD come July, reports into the Peter Dutton-led Department of Home Affairs superministry on matter of policy -- echoed previous comments that the 2016 Census failure was a wake-up call and began a maturation within the Commonwealth on the concept of risk.

"As sad as it was that the Census website failed on that evening due to denial of service attacks, it was a useful exercise for talking about risk, talking about responsibility, and talking about how to make Commonwealth services more resilient," he said.

"There's still plenty of room to grow there, and our job is to keep raising it, to have those discussions, put out good advice, and make sure that advice is implementable."

"Because you can put a pristine piece of advice out and it could be too hard to implement, thus the concept of always reviewing the types of advice we give, working not just in the public sector but with industry themselves, to reduce risk to the Commonwealth.

Related Coverage

ASD refuses to take backward step in wake of DTA cloud strategy

When you have most of the cyber talent in the public service, why should you defer to an agency without a cybersecurity team?

Microsoft gains protected-level cloud classification from ASD

Microsoft has received accreditation from the Australian Signals Directorate, allowing it to store highly classified government information up to 'protected' level on its Office 365 platform and specific Azure services.

ASD calls on government chief executives to up their cybersecurity game

The Australian Signals Directorate's newly minted director has rejected the idea of a cybersecurity skills shortage, highlighting rather there's a need to ensure the people at the top of government departments are aware of the threats they face.

Former Telstra CISO Burgess to take helm of ASD

Prime Minister Malcolm Turnbull has appointed Mike Burgess as the next director-general of the Australian Signals Directorate.

ASD to review Australia's cybersecurity and 'drive out known problems'

New Australian Signals Directorate chief Mike Burgess outlines his priorities for the restructured agency's next 12 months.

T-Mobile data breach shows importance of securing internal tools (TechRepublic)

A flaw in T-Mobile's website allowing anyone to access customer data highlights the need for internal audits and authentication.

Editorial standards