Digital Transformation Agency wants its cybersecurity team back

The DTA's CEO Gavin Slater has told Senate Estimates he 'absolutely' wants the capability back in-house, after a machinery of government change removed the cybersecurity team from his agency last year.
Written by Asha Barbaschow, Contributor

The Digital Transformation Agency (DTA) is in the process of helping the government move towards a more 21st Century approach to service delivery, one that is citizen-focused, centred on innovation, and making use of technology.

One such project currently being undertaken by the DTA is developing a Trusted Digital Identity Framework that is expected to sit alongside the federal government's Govpass digital identification proposition. The digital identification process requires citizen data and photographs to be stored by the government in a centralised cloud-based platform.

The DTA recently had its cybersecurity functions removed in a machinery of government change and as a result, the agency has to now head outside its walls when cross-checking even the most basic cyber-related concerns.

Facing Senate Estimates on Tuesday, DTA CEO Gavin Slater was asked what the cybersecurity capability now looked like within the agency.

"I would have described it as being strong," he said. "We had a small cybersecurity team embedded within the DTA ... the role of that team was that when agencies were thinking about transforming the way their services are delivered digitally was to really ensure they were thinking about security not as an afterthought but part of the key design criterion -- that was the primary role of that team.

"But recently under a machinery of government change, with the centralisation of the cybersecurity function under Alastair MacGibbon, that team has been mogged out from the DTA."

While Slater and his agency still have access to cyber-focused staff through the new model, it's on a "collaboration" basis.

"I wouldn't say it's weakened government's cybersecurity capability, and questions around that are for Alastair, but certainly in terms of what are the skills and capabilities we have within the DTA -- we no longer have them," Slater said.

When asked if he would prefer to have kept the cyber team, Slater said "absolutely".

"It goes to the point around efficiency. A lot of the work we do with agencies around transforming the way their services are delivered, you need cross-functional teams in order to be effective in that," he explained.

"So we need people that understand how to do discovery work, we need people that understand how to do service design, how to present content, and quite frankly it's just much easier having people right there that understand the security aspects of it."

Slater joined the federal government from the National Australia Bank where he held a number of roles including CFO, COO, and group executive across a range of business areas.

Having worked on a handful of digital transformation-related projects, Slater said having cross-functional teams co-located and working on things together breeds better outcomes.

"That's what agile is," he explained. "What I'm not saying, though, is ... that every single agency creates its own separate functions for security, IT, and everything else.

"I think it's horses for courses."

As touched on by Slater, the centralisation of the cybersecurity function now falls under Australia's Special Adviser to the Prime Minister on Cyber Security Alastair MacGibbon as part of his oversight of the Australian Cyber Security Centre.

In his review into the 2016 Census debacle, MacGibbon advocated for the DTA to add cybersecurity to its scope in an effort to ensure cybersecurity defence is baked into the architecture of new projects undertaken by the government.

"So now we see an increased capacity inside the DTA -- and that's important because baking in security architecturally and philosophically is way better than bolting it on afterwards," he told ZDNet last May.

Similarly, former Minister Assisting the Prime Minister on Cyber Security Dan Tehan said in 2016 that a centralised approach by government to cybersecurity is dangerous, and it is preferable for departments to take care of themselves instead.

Now shifted over to Human Services, Tehan said at the time he wanted to see each individual department and agency take responsibility themselves.

"What we want to develop is a culture with all departments and agencies within government that they have the mechanisms in place to make sure they are as cyber-secure as they possibly can be, and if there is capability shortfalls, that they reach out to see how they can get them addressed by other agencies who can help in this regard," Tehan added.

