Aside from his passion for test cricket and disappointment at not getting the call to be the St George Dragons’ new NRL coach, Secretary for the Department of Home Affairs Mike Pezzullo shared a few things about the future of cybersecurity within Australia and expanded on what to expect from the nation’s 2020 Cyber Security Strategy.
Being interviewed by Alastair MacGibbon, who prior to heading up his own Australian cybersecurity megamix, CyberCX, was former Prime Minister Malcolm Turnbull’s special advisor on cyber, Pezzullo was asked where the government was at with its own cybersecurity.
Placing some of the blame on gaps in legacy systems, the complexity involved in decommissioning decades-old investments, and a large attack surface that is the Commonwealth, Pezzullo said the cybersecurity strategy would provide the opportunity to do better.
“This isn’t a silver bullet that will solve all problems, but we’re looking to consolidate at least the attack surface to better defend it; fewer hubs, so the larger players who have got the depth, they’ve got the skills, they’ve got the resources.
“In some cases, they’ve got the connectivity to the ASD (Australian Signals Directorate) in real-time. They can provide us with that threat picture that is unique to the signals authority, but also in some cases, larger departments have got more capacity,” Pezzullo explained.
He said while providing a “hard external shell” would not obviate the other work that is needed to protect the endpoint and deal with the human element of cybersecurity, it would at least block out some of the threat.
Pezzullo, alongside counterparts from Treasury and the Department of Industry, is part of a strategies board that has been charged under the cybersecurity strategy with developing what he was hesitant to label as “regulation”.
“The strategies board has formed itself around this issue … we’re going to work through how we get to scale, how are we going to consolidate, and where there are known vulnerabilities because in some cases you’ve got systems that are quite old. Coding’s old, the vulnerabilities are known, but it’s not a simple matter because you’ve got to migrate,” he said.
“In some cases, taking systems down and offline to even patch creates risk.
“So how do you, with a known vulnerability, mitigate and put alternative measures in place until, over time, new investment comes through to allow you to decommission and build in a world of virtualised systems and a world where cybersecurity is frankly more built into the design of modern systems?
“While you’re waiting for that investment to flow through, you can decommission some of those older systems [but] how can you at least create a perimeter around those systems that at least block out more of the threat?”
He expects by the end of this financial year, the board will have a single cybersecurity hub strategy that maps out all of the known vulnerabilities and is a place where government can place local defences to protect all points and “harden that external shell”.
“I think the operating model for federal government cyber will need to change, because to do all of the things I’ve just suggested, you can’t just put it in a box and call it ‘cyber’ then have your network operations and your architecture and your deployment of apps over here,” Pezzullo said.
He also said certain assets and networks within government would be designated as critical infrastructure to put ASD in a position to actively defend against cyber threats.
Touching further on the strategies board and the “obligations” it determines for consumers, vendors, small businesses, large enterprises, and those involved in critical infrastructure, Pezzullo said something that “looks like a regulatory scheme”, would, by definition, have to emerge.
“Because whether it’s a function of consumer protection, consumer choice, or whether quite probably, small or medium enterprises, larger enterprises, and ultimately the very top of the commercial food chain — those larger enterprises that run critical infrastructure or assets or networks within critical infrastructure — are going to want to have confidence that the entity that they’re engaging with is accredited; is properly fit for purpose,” he said.
“How exactly we get the regulatory; how we land is the work of the next 12-18 months with the regulatory taskforce.”
Pezzullo said market and regulatory forces inevitably bring about a model that works, adding that he’s hedging on it.
“You’ve seen this in 5G where government regulation starts to set the parameters of risk [that] may or may not conform with the definition of being an appropriate vendor,” he said.
“I think cybersecurity is one of those areas we should be seriously looking at in terms of sovereign capability, especially as we think about the recovering reconstruction coming out of COVID.
“Where are the jobs going to come from, where are the new industries.”
“In four or five years’ time, you and I will be sitting here … saying the whole landscape is transformed. There’s a deeper industry, we have more weapons and tools to protect critical sectors, we’re on the front foot in terms of actively defending some of those sectors … we’ve got an innovative sector here that is a continental version of Israel or Singapore,” the secretary added.