The federal government will overhaul its shared gateway scheme to give agencies more flexibility while maintaining a universal cyber security baseline after concerns were raised about the current model.
In its long-awaited response [pdf] to the 2017 cyber security compliance inquiry released on Wednesday, the government agreed to alter the decade-old policy aimed at consolidating internet gateways to reduce the risk of successful cyber-attack.
It will “mandate a core internet gateway reduction program” for all Commonwealth entities to capture high-risk threats, but will grant agencies the freedom to deploy services that best serve their cyber security posture.
The change was recommended by the Digital Transformation Agency’s review of the secure internet gateway (SIG) scheme, which was initiated during the course of the parliamentary inquiry and also released on Wednesday.
“The PSPF [protective security policy framework] should include a core SIG requirement, mandatory for all PGPA Act [Public Governance, Performance and Accountability Act 2013] entities, to effectively mitigate priority high-risk cyber threats,” the review states.
“Beyond the core, agencies should be free to flexibly source additional security services aligned to individual operational priorities and cyber risk postures.”
The DTA said that “a small mandatory ‘SIG core’” would allow agencies “to optimise their own security arrangements, while maintaining strong whole-of-government defences”.
It comes after the review uncovered frustrations with the design of the current policy, particularly around alignment with agency needs and cost effectiveness.
“The current lead agency policy does not align well with agency needs, and inhibits market contestability,” the review states.
Under the current policy, all non-corporate government entities are required to obtain their internet connection services from an ASD-certified provider through one of nine lead agencies.
“Both agencies and SIG providers are concerned that the current program – with rigid assessments of client agencies to lead agencies and their SIG provider – limits market contestability, and procurement and contracting flexibility,” the review states.
“A coordinated SIG program offers potential for strategic whole-of-government security investments, rather than fragmented, agency-centric and vendor-driven.
“However, the current program’s commercial model leads to the perverse outcome that some agencies believe they are paying for more than they need, while others get less than they require (and duplicated SIG services).”
However, just how the government will go about implementing this “will be considered as part of the government’s plan to pursue options to extend cyber security requirements to all Commonwealth entities under the PGPA,” the government’s response indicates.
‘Lacks strategic oversight’
While the remainder of the review remains under consideration by government, the DTA has made it abundantly clear what needs to happen to get the program back on track.
One of these recommendations is to hand responsibility for the program over to the Secretaries’ Cyber Security Board to provide “refreshed governance”, which agencies consider essential to the “future evolution of the program”.
Many of the problems with the program – otherwise known as the internet gateway reduction program – stem from a “lack of governance and active management”.
The DTA said oversight of the program had “fallen into decline” since it was introduced in 2010, with “significantly reduced” reporting emerging after the Secretaries’ ICT Governance Board (SIGB) was culled under the 2014 smaller government agenda.
SIGB had initially governed the consolidation of 124 internet gateways and provided a mechanism to monitor the transition of agencies, as well as review the program’s ongoing effectiveness.
The impact of this lack of oversight becomes apparent when considering that around 21 percent of entities are either yet to transition to the scheme or are “unclear” (meaning the entities either did not report to the review or are not formally assigned to a lead agency).
“In reality, some agencies have opted out or simply not transitioned, adopted services in a fragmented and inconsistent manner, and approached the program from a minimalist compliance perspective rather than a strategic defence,” the review states.
The DTA also said that although the majority of agencies found the program “fit for purpose”, particularly around operational efficiencies and improved capability, consultations revealed a wide range of views on strengths and weaknesses with the scheme.
Agencies were also divided on security effectiveness and cost effectiveness, with many regarding the program “as a cost impost offering poor value for money”.
The effectiveness of the gateway security controls was similarly questioned by a large number of agencies.
“The security effectiveness of the program varies – some agencies benefit from services they obtain, others regard them as inadequate and duplicative,” the review states.