Share this article on:
The Home Affairs secretary has announced three new Protective Security Directions to protect government networks from foreign interference.
Home Affairs Secretary Stephanie Foster has issued three Protective Security Directions to government agencies under the provisions of the government’s Protective Service Policy Framework.
The national cyber security coordinator, Lieutenant General Michelle McGuinness, said: “These directions support the Australian government’s commitment under the 2023–2030 Australian Cyber Security Strategy to strengthen the cyber maturity of government departments and agencies.”
Direction 001-2024 calls for all “Australian government entities” to “identify indicators of foreign ownership, control or influence risk” regarding the IT hardware used by government agencies. To that end, departments must conduct a full risk assessment of any hardware or technology concerning that “entity’s risk environment”.
Direction 002-2024 “requires Australian government entities to identify and actively manage the risks associated with vulnerable technologies they manage, including those they manage for other entities,” while Direction 003-2024 relates to the use of threat intelligence platforms.
Under that directive, all government agencies must share any threat information they receive with the Australian Signals Directorate.
Industry leaders have been broadly pleased with the new directives.
“It seems that the spate of recent breaches caused by third-party service providers and unpatched internet-facing services has caught the attention of the Department of Home Affairs,” Wayne Phillips, field chief technology officer for Asia-Pacific and Japan at SentinelOne, told Cyber Daily.
“The department is taking proactive steps to strengthen the underlying fabric of the Australian government’s security practices. It is hardening its stance on the risks associated with internet-facing cloud services to ensure proactive measures are taken to remediate risks associated with assets most likely to be targeted by attacks. Broadly speaking, they are urging governments to ’think like an attacker.’
“Most government organisations have asset and associated vulnerability management, but it seems the scope of these assessments is limited to legacy systems, are reactive, and governments are struggling to keep pace with rapidly evolving and ever-expanding cloud services. These directives also extend to third-party vendors and emphasise visibility and controls associated with foreign-owned, controlled, or influenced assets and services. The need for secure sovereign cloud services with robust systems that identify cyber security vulnerabilities across the whole of government has never been greater,” Phillips said.
Ashwin Ram, cyber security evangelist at Check Point Software Technologies, applauded the move but said that automation should play a key part in the process.
“Given some vulnerabilities, such as software vulnerabilities, are very dynamic in nature due to the many version releases, the process of asset stocktake should, where possible, be automated, enabling risk management decisions based on the most current posture of assets,” Ram said.
“To ensure Australian government entities proactively reduce the risk of vulnerable assets, the PSPF could go a step further and suggest that Australian government entities be cautious when procuring assets from manufacturers, suppliers, and providers that continually produce vulnerable technology assets.”
However, Anthony Daniel, regional director for Australia, New Zealand and the Pacific Islands at WatchGuard Technologies, said that more could be done.
“These measures announced by the federal government strengthen the overall security posture of government networks and protect sensitive information. However, to further enhance the security and risk management of technology assets, Australian government entities should consider the following additional four steps:
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.