NSW cyber strategy demands government lead by example

The New South Wales government on Thursday released a refreshed cybersecurity strategy, labelling it as an important foundation in its mission to be a leader in digital initiatives and customer service.

"Increasing overall cybersecurity resilience is about ensuring the safety and security of citizens and communities online. Government is absolutely pivotal to this as part of its overall responsibility to protect its citizens," Minister for Customer Service Victor Dominello said.

"Our vision is to cement NSW as the leading state for cybersecurity in the Asia-Pacific region. We believe that NSW can become world leading centre for excellence on cybersecurity resilience jobs and innovation."

The state government's existing strategy, a mere 20 pages long, was published in late 2018 and took a whole-of-government view on how to manage risk, borrowing the framework laid out by the National Institute of Standards and Technology.

The new strategy, however, encompasses the four principles of lead by example in best practice and cyber resilience; be progressive and proactive to allow the state's cyber workforce to expand; seek opportunities to grow cyber industry commercialisation; and provide practical support to reduce barriers to business growth.

In a bid to avoid the disappointment that is the Commonwealth cybersecurity strategy, the NSW one places a focus on eating its own proverbial dog food, saying there is an opportunity for the state government and its agencies to lead by example in adopting and exceeding best practice in cybersecurity.

"We need to be accountable in adhering to and exceeding the mandatory cybersecurity requirements we set within NSW government through the NSW Cyber Security Policy," the strategy states. "To achieve this, we will establish greater accountability amongst our agencies to adhere to these requirements."

The NSW Cyber Security Policy, launched in early 2019, created new requirements for all state agencies to have "robust, risk-based cybersecurity in place".

As part of the NSW Cyber Security Policy, agencies are now required by August 31 each year to assess their maturity against the Australian Cyber Security Centre's (ACSC) Essential 8. Additionally, government agencies need to identify and report their "crown jewels" -- their critical assets -- and high and extreme risks and report against a set of mandatory requirements.

The strategy also emphasises the need for the state to be progressive and "widen the pipeline" when recruiting for cybersecurity professionals.

"Throughout our consultations, we heard loud and clear that the development of a skilled, diverse workforce will be an important part of creating a strong cybersecurity industry in NSW," the strategy states.

Cyber Security NSW, launched in May 2019 with the aim of consolidating and lifting the cyber capability of state entities, will lead the majority of the initiatives contained within the strategy. But the government will also launch the NSW Cyber Hub that will be charged with delivering programs to accelerate the growth of state cyber businesses, as well as those that maintain and attract talent.

Such examples of addressing the cybersecurity sector's skills gap, the government said, will be by providing a program to enable students to work and train in cybersecurity roles.

On commercialisation opportunities, the strategy said there is a need to create enhanced pathways for this to occur. It also said there's a need for both industry and government to share vulnerabilities in order to drive the direction of research and innovation.

There is also a need, the strategy said, to provide businesses with the tools, connections, and opportunities necessary to grow.

"We need to break down barriers by facilitating pathways for industry to better access government, potential collaboration partners, and industry networks," it said. "We also need to provide industry with the tools and knowledge needed to proactively engage with potential opportunities with reduced barriers to entry."

The strategy also points to the development of a new Bill that will require public sector and state-owned entities to report a data breach to the privacy commissioner as well as any affected individuals.

The proposed NSW mandatory notification of data breach scheme shares the same notification threshold as the Commonwealth Notifiable Data Breaches (NDB) Scheme, but differs in application and enforcement. Although the NDB scheme has coverage Australia-wide, the NSW scheme aims to fill the gap it leaves regarding state entities.

"Introduction of a mandatory scheme will improve transparency and accountability of agencies, increase citizen trust in government agency handling of data breach incidents, and provide citizens with the information needed to protect themselves following a serious data breach event," the strategy says of the scheme.

MORE FROM NSW

• NSW readies its own data breach notification scheme for state agencies
• Transport for NSW confirms data taken in Accellion breach
• NSW government sets up cyber and privacy resilience group to keep customer data safe
• NSW pledges AU$60m to create cyber 'army'
• Service NSW expecting cyber attack to set it back AU$7m in legal and investigation costs