Op-Ed: Analysis – zero-trust consultation paper an important step for the nation

The recent release by the Australian government of a discussion paper outlining the guiding principles for creating a zero-trust security culture is an important step for the nation.

Steve Dillon, Head of APJ Architecture at Ping Identity
Mon, 23 Dec 2024

While the concept of zero trust is not new, it is yet to be embraced by a significant number of government departments and agencies. By raising awareness of the strategy and helping to generate a supportive culture, the government aims to make its usage much more widespread.

The discussion paper recognises that the successful implementation of zero-trust practices is not something that can be achieved solely by taking a technology-based approach. It also requires organisational transformation, which, in turn, creates a zero-trust culture.

The Australian government has identified five guiding principles that will help to create and embed a zero-trust culture. While this provides a clear framework to guide future progress, there are areas where more work will be required.

Recommendations for how the principles can be further extended include:

1. Identify and manage cyber risk at an enterprise level:
This principle is designed to increase the resiliency of the Australian government’s digital landscape by ensuring cyber security risk is considered at an enterprise level.

2. Understand accountabilities and responsibilities at all levels:
This principle emphasises that clear roles and responsibilities are both a fundamental requirement to establish a zero-trust culture and key to ensuring the government increases its cyber security resilience.

3. Know and understand your most critical and sensitive technology assets:
This principle requires government entities to know and understand their most critical and sensitive technology assets. A zero-trust culture requires not only an understanding of inventory but also the context of business criticality.

4. Maintain resiliency through a comprehensive cyber strategy and uplift plans:
This principle seeks to uplift the resiliency of Australian government entities by requiring them to develop, maintain, and foster a robust cyber security strategy. Central to this is the identification of key digital assets, including critical systems and data.

5. Go beyond incident planning:
The fifth principle aims to encourage government entities to look beyond the traditional incident planning mechanisms such as standard incident response plans. They need to consider that an incident may have already occurred; however, they are yet to discover it.

Interpreting the principles

Perhaps because it’s the most concrete approach outlined, the key change for the better I see here lies in the final principle. The shift in focus away from only incident planning is representative of a trend that has been evident in the industry for some time. Organisations with a mature cyber security capability have adopted a cadence-based approach where they are actively running red teams, drilling incident responses, and doing retros. These organisations are constantly testing, assessing, and improving their people, processes, and technologies. These efforts help those organisations respond to, contain and prevent breaches.

Reading through these guiding principles more broadly, however, raises the question: “What have the departmental CIOs been doing up to this point?” While, as with any organisation, there are likely to be pockets of inefficacy, departmental CISOs have broadly been managing their risk to the extent possible within the constraints of their operational environment.

Even so, the OAIC Notifiable Data Breaches Report: January to June 2024 includes some alarming findings. Most notably, 63 data breaches were reported by the Australian government in the first half of 2024, more than the finance, education, and retail sectors.

This underscores the need for change. Breaches are inevitable; however, the Australian government should be a model for how private enterprises manage cyber security.

While the principles may seem remedial to those within the cyber community, the opportunity here is to create awareness and cultural change within the broader public sector. Awareness that allows departmental CISOs to secure funding, resources, and support for bringing security into the modern era. Importantly, it will help them embed a zero-trust culture and become that model the rest of Australia can follow.

What’s missing

While the consultation paper represents a positive step forward, there are omissions I’ve observed both in the paper itself and in the 2030 Australian Cyber Security Strategy under which the consultation paper falls. These include:

Financial governance
When the 2030 Australian Cyber Security Strategy was announced in 2023, the government committed $586.9 million to fund the strategy. This is in addition to the $2.3 billion of funding allocated to existing cyber security initiatives.

A budget of this size always attracts attention, often of the undesirable type. Pink Batts, the NBN rollout, and the fraud challenges facing the NDIS all highlight the challenges of governing expenditure on the scale of billions.

Ensuring all this funding is allocated where it will have the greatest impact will be a significant challenge and should be top-of-mind for the government as it seeks to improve the national cyber security posture.

Reviewing past initiatives
Whole-of-government level cyber security initiatives are nothing new. For example, as at March 2022, Policy 10 of the Protective Security Policy Framework requires government departments to achieve maturity level two of the Essential Eight.

Unfortunately, many security leaders in both the public and private sectors readily acknowledge that aspirations of high maturity levels against the Essential Eight are elusive. Sadly, this is an assertion supported by the data.

The 2022–23 Auditor-General’s Report on Key Financial Controls of Major Entities found that not only are we well short of that target, but progress in most categories went backward in 2022–23.

Reviewing progress to date on the Essential Eight and understanding why it has been so problematic will allow valuable lessons to be captured and incorporated into new initiatives.

Ecosystem complexity
Regarding the Essential Eight, there’s a discussion to be had about the complexity of the existing cyber security ecosystem in government. The framework outlines eight fundamental controls. This is appropriate given the original intent of the framework as a baseline level of security in (mostly) Microsoft-centric networks.

Despite its foundational nature, however, the Essential Eight has evolved into the de facto measuring stick for cyber security in government. Setting aside the unfortunate difficulties in getting baseline controls in place, I suspect that higher aspirations have been elusive in part due to the complexity of the cyber security frameworks within which government departments operate.

In addition to the Essential Eight managed by the Australian Signals Directorate (ASD), departments are required to consider the Information Security Manual (ISM), also managed by the ASD, the Protective Security Policy Framework (PSPF) managed by the Department of Home Affairs, and the Cloud Security Guidelines, managed by the DTA. To varying degrees, these frameworks overlap, interact, and reference each other.

In this environment, the Essential Eight is the simplest yardstick and, therefore, the one people naturally gravitate towards. It’s my hope that any zero-trust framework adopted allows for consolidation and simplification and does not become yet another framework to be managed.

In summary

The government should be applauded for the unequivocal action it has taken since the major identity breaches of 2022 and 2023. The Privacy Legislation Amendment Bill 2022, the 2030 Australian Cyber Security Strategy, and, in this case, the zero-trust consultation mark a necessary shift in thinking around national cyber security. Collectively, these measures can move the nation beyond the basic controls of the Essential Eight and towards more sophisticated controls better matched to the modern threat landscape.

As always, however, the real challenge lies in the execution. It is my hope that the government pauses to look back before taking a tremendous leap forward.
