Govt defends against criticism of cyber centres

Inside the first co-design meeting.

The federal government has defended itself against industry criticism that it failed to bring business in to 'co-design' its new public-private cyber threat sharing centres until the last minute.

Last week executive manager of CERT Australia Carolyn Patterson told the AISA 2016 conference the first pilot centre would be opened in Brisbane before the end of the year.

The announcement surprised many in industry, who had been told the joint centres would be co-designed between businesses and government.

Australia's cyber security minister Dan Tehan insisted to iTnews there had been “lots of informal discussion between industry and government” - despite the lack of any formal consultation - in the six months since the centres were announced.

The government has spent the past half year working through the parameters of what the centres will deal with, he said, before formal co-design talks can begin.

“It’s quite complex. Work has to be done on things like governance, potential leadership, current laws and regulations - we had to get a sense of all that so we can sit down and work within those parameters,” Tehan told iTnews.

“If you just front up and say ‘we have to work on governance’ it’s going to take a lot longer.”

However, members of industry say the government has already worked out how it wants the centres to run without any discussion with businesses.

"[The government] has decided what [the centres are] already - that's not co-design," one prominent industry member told iTnews.

Tehan said he recognised “this has to be done together”.

“I look forward to getting the feedback from this process. I’m getting it early,” he said.

Inside the first meeting

The first official co-design meeting between industry and government was held last Friday in Sydney, two days after the opening date of the Brisbane pilot centre was announced.

Industry sources told iTnews the government turned up with a prepared list of 12 initiatives it is planning for the joint cyber security centres (JCSC) to undertake.

The list covers things like studying trends, training students and future experts, and creating awareness and preparation, among other things.

Tehan declined to detail to iTnews what was discussed at the meeting or who attended.

Sources told iTnews around 35 security representatives from Australia's largest businesses - many of them in the c-suite - attended the consultation.

Their response to the government's list of initiatives was to advise it not to bite off more than it could chew.

They also noted concerns about resourcing, and the ability of businesses to take a security specialist out of their day job and move them into a JCSC.

“It’s going to be a major challenge to make this work - some organisations will have completely different capabilities to others, and more [critical infrastructure] organisations won’t be able to take someone out because it will immediately deplete their capability,” one source who attended the meeting told iTnews.

Tehan said around 40 individuals would represent industry in the Brisbane centre. The government is still working out which agencies and how many resources to dedicate to the pilot.

A similarly big challenge identified by those at the meeting was how to deal with small to medium businesses who may not necessarily have much in-house security expertise, knowledge, or awareness.

“It came back to basic cyber security hygiene. One idea was to focus all our effort on one thing - like one of the ASD’s top four strategies to mitigate targeted cyber intrusions - and say everyone in Australia should be [compliant with one] by a certain time,” a source who attended the meeting said.

Tehan said the centres would evolve based on feedback from consultations like last Friday's.

“You’ve got to remember these are pilots. In doing the design work, we’re not going to say this is it, end of story. [The pilot] will be how we think it should work, but it’s only the first one we are doing.”

One early change to come out of the meeting was a tweak to the name of the program from joint cyber threat sharing centres to joint cyber security centres.

Industry said the term “threat” was too restrictive and didn’t fit its idea of the scheme.

“They wanted a broader scope to them,” Tehan confirmed.

“It basically means they now have a wider remit than being solely about threats.”

More of the same?

The government is also yet to fully explain how the threat-sharing centres will differ from the similar information sharing functions offered by the likes of CERT Australia, the Australian Cyber Security Centre, or the Trusted Information Sharing Network (TISN).

The ACSC itself, in its 2016 report, said the "hype" around threat intelligence can be a "distraction from what really matters" - implementing effective technical controls.

"If you are relying on threat intelligence to respond to threats already discovered, it is too late for you and your organisation," it said.

One difference will be that rather than being located in a single site - like CERT Australia’s Brisbane centre or the ACSC Canberra office - the government will scatter the new centres in capital cities around the country.

It expects that doing so will entice more industry sectors on board by localising and personalising threat sharing.

“You look at the difference between the industry in Brisbane versus Sydney and Melbourne and Perth, that by its very nature is going to change the focus of the centres,” Tehan said.

“So for instance, you would expect the one in Perth to have a higher focus on mining compared to the financial services sector in Sydney and Melbourne.”

Copyright © iTnews.com.au . All rights reserved.