The Department of Human Services has come out on top in Canberra’s inaugural cyber war games, a result that mimics the findings of the now infamous cyber resilience audit of the federal government's three biggest agencies.
Five teams from ten agencies, including the Australian Taxation Office (ATO) and Department of Immigration and Border Protection (DIBP) as well as DHS, spent last week battling it out on a purpose-built "range" aimed at developing cyber security skills through real life scenarios.
Using a Lego smart city to represent the contest, the teams took turns attacking and defending the model’s critical infrastructure such as trains or wind turbines.
The simulation - believed to be the first and largest security training exercise of its kind to be staged at a federal level - was the brainchild of DHS chief information security officer Narelle Devine, who joined the department from the Royal Australian Navy in October last year.
DHS received the highest score at the end of the five days, narrowly beating the ATO and DIBP, which were both close to taking the lead on the final day of competition.
The result broadly aligns with the findings of a cyber resilience audit of the three agencies earlier this year, which found only DHS was compliant with all four of the Australian Signals Directorate’s mandatory threat mitigation strategies.
The ANAO defined 'cyber resilience' as agencies being able to continue providing services while deterring and responding to cyber attacks.
DHS’ team for the wargames was populated from members of its 24/7 Cyber Security Operations Centre, which was established late last year.
However, despite the results reflecting DHS dominant cyber security posture, the wargames were pitched as an opportunity to display the government's cyber capability, and for cyber specialists to train in a safe environment.
Speaking with iTnews last week, Devine said the war games were an important arena in which to build skills, despite being based on industrial control systems and the ability to defend critical national infrastructure, which is quite unlike the IT infrastructure that agencies are responsible for.
“It’s obviously a very different target set to what the department is responsible for in its day job, but from our opinion it doesn’t matter what you’re attacking or defending,” she told iTnews.
“The skills that you’re learning, and the skills that you’re demonstrating are applicable across all [domains], and we’re really trying to test not only the technical skills of the teams, but also those soft skills that sometime get missed in 'capture the flag' type activities around communication, teamwork and leadership.”
She said having events like the war games would allow relationships to be developed, and build whole-of-government cyber resilience that can “translate into real world instances where we are able to quickly communicate with each other in a really effective manner”.
“It's actually not that useful for one of us to be very good if the others aren’t, we all need to lift together,” she said.
Devine said she had been surprised by the complexity of the training facility, which means it can be reused in future years.
The department is now planning for the next event, and is considering extending an invitation it both business and the tertiary sector in future.