The PM’s top cyber security adviser says Canberra is too willing to tick a box and hand off responsibility for data protection to its contractors, when it needs to stay alert to a constantly changing threat landscape.
In a submission to parliament published this week, Alastair MacGibbon lamented a “prevailing ‘tick box’ compliance culture” that is leaving Commonwealth agencies vulnerable to attack.
“Agencies will consider themselves secure if they get their internal ICT area and their subcontractors to put in place and uncritically follow prescribed security procedures,” he said.
In the wake of the 2016 eCensus saga, MacGibbon argued agencies need to realise that the fallout from a high-profile attack can irreversibly damage their reputation.
He said they need to stop believing that contract clauses passing off liability to suppliers will protect them from public backlash - as the Australian Bureau of Statistics learnt the hard way.
“Many agencies have long-standing relationships with their vendors, which can lead to complacency in risk management,” he said.
“Trust is good, but trust without verification is dangerous.”
MacGibbon - a founding member of the Australian Federal Police’s high-tech crime centre and the former head of Canberra Uni’s Centre for Internet Safety - is on a mission to change security culture in the federal government.
He wants proactive testing of the security claims made by the government’s suppliers and subcontractors to become the norm in Canberra. His goal is to see agencies “habitually test their systems and arrangements”.
MacGibbon also suggested agencies invest in the kinds of off-the-shelf pattern recognition software in use by the e-commerce industry.
“To my knowledge this is not common practice across the Commonwealth, and yet it should be,” he said.