ASD refuses to take backward step in wake of DTA cloud strategy

When you have most of the cyber talent in the public service, why should you defer to an agency without a cybersecurity team?
Written by Chris Duckett, Contributor

Despite the existence of a Secure Cloud Strategy and the Digital Transformation Agency (DTA), and despite its own high workload, the Australian Signals Directorate (ASD) will continue to go on its merry way and certify government cloud use.

Responding to a Question on Notice by Liberal Senator Linda Reynolds from Senate Estimates, ASD said it did not agree with an assertion that its role should be diminished in keeping government clouds secure.

"ASD is not scaling back on its cloud certification and supporting industry partnerships role," the directorate said. "ASD will continue to assist cloud providers in securing government (and our nation's) information."

Simply throwing more resources at the certification problem was not a complete solution, ASD said, with agency heads needing to be able to identify and manage cybersecurity risks.

"ASD is best placed to certify cloud services through strong partnerships with industry, using ASD endorsed Information Security Registered Assessors Program (IRAP) Assessors," it said.

"Agencies remain risk owners and must conduct accreditation of all cloud services, including those certified by ASD. The DTA Secure Cloud Strategy highlighted that agencies can conduct certification activities."

In response to a question from Reynolds on whether the DTA had "deep level cybersecurity experts", ASD said it "employs the bulk of government cybersecurity experts".

Earlier this year, DTA CEO Gavin Slater told Senate Estimates he wants his agency's cybersecurity team back in-house, after a machinery of government change removed it.

"We had a small cybersecurity team embedded within the DTA ... the role of that team was that when agencies were thinking about transforming the way their services are delivered digitally was to really ensure they were thinking about security not as an afterthought but part of the key design criterion -- that was the primary role of that team," Slater said in February.

"But recently under a machinery of government change, with the centralisation of the cybersecurity function under Alastair MacGibbon, that team has been mogged out from the DTA."

Slater said the work the DTA does with agencies is cross-functional, and it is far easier to have people within the DTA, rather than having to ask for access to them in another arm of government.

The DTA's Secure Cloud Strategy pushed government agencies to use public cloud by default, and asked agencies to make risk-based decisions when applying cloud security; design services only for the cloud and avoid customisation; use as much of the cloud as possible; take full advantage of cloud automation practices; and monitor the health and usage of cloud services in real time.

"Agencies must design all new or modernised ICT services as cloud native, or cloud-enabled," the strategy said.

Speaking in March, ASD director-general Mike Burgess said a lack of talented people in the cyber workforce was a secondary issue compared to the skills of those at the head of organisations.

"Skilled people are not the critical issue here, it's the skill of the chief executive and his/her management team in identifying and managing this risk effectively and the skilled executive level that can actually work through that to ensure themselves the right thing is being done -- that for me is the real issue, not the skills shortage of bright young ladies or men who know how to configure firewalls or set up systems securely," Burgess explained.

"There's a demand for good IT people, absolutely, that's not the problem here; the problem is having the chief executives asking the right questions.

"That's not a cybersecurity skills shortage."

Appearing before the Joint Standing Committee on Trade and Investment Growth on Thursday, MacGibbon said the ASD under the leadership of Burgess will "increasingly be advising agencies where we believe they are deficient in their security".
