Federal Labor has promised to “drive a step change in the Commonwealth’s cyber security culture” and “normalise” the involvement of the wider infosec community should it win the upcoming election.
Shadow Assistant Minister for Cyber Security Tim Watts on Thursday raised the need for reform inside the federal government’s cyber security functions, which he said suffer from an accountability deficit.
He said while recent reforms, including the planned creation of cyber hubs in Defence, Home Affairs, Services Australia and the Tax Office, were promising, more systemic changes were needed.
“These policy changes will be for naught if we can’t fix the accountability culture programs within Commonwealth cyber security,” he told the Government Data Protection Summit in Canberra.
Watts said there was “currently a resistance to external accountability and an instinct towards secrecy within government, regardless of the context”.
He pointed to the delay in delivering the first Commonwealth cyber security posture report, which took more than a year to materialise after the government agreed to it, as evidence.
The Australian Cyber Security Centre has now produced two reports, both of which confirm that implementation of the mandatory Top Four cyber security controls remains at “low levels” across government.
Watts also cited his attempts to ask agencies about their compliance with the Essential Eight controls as part of senate estimates, which resulted in uniform responses.
“If Labor wins the next federal election, and I’m lucky enough to keep my dream portfolio in cyber security, I want to help drive a step change in the Commonwealth’s cyber security culture,” he said.
“In particular, I want to change the way that the cyber security functions of government – from policy development to information security – interact with the Australian cyber security ecosystem outside of government.”
“Australia’s cyber security is a whole-of-nation endeavour. It demands that we draw on the different experiences and perspectives of individuals across these domains.”
Watts said he would look to “find more ways to kick-start routine collaboration between the Commonwealth and the broader Australian cyber security ecosystem”.
He said the greater use of staff exchanges between ACSC, academia and industry was an “obvious place to start”, pointing to the experience of the UK’s National Cyber Security Centre (NCSC).
Such a program was recommended by an industry panel of mostly telco executives ahead of the 2020 cyber security strategy.
Watts also said there was a need to forge greater ties with private sector incident response (IR) firms in order to help a greater number of organisations respond to cyber security incidents.
“The UK’s NCSC established a Cyber Incident Response scheme to enhance relationships with IR firms, build a basis for consistent bi-directional information sharing and set standards for incident response,” he said.
“To promote increased collaboration between the Commonwealth and private sector incident responders, we should be exploring an Australian equivalent of this scheme led by ACSC.”
Vulnerability disclosure programs (VDPs) and bug bounty schemes are other areas “where there are potentially significant gains” in a Commonwealth with a more open cyber culture.
“I also want to find ways to better normalise the involvement of the cyber security community outside of government in the Commonwealth’s cyber security mission,” Watts said.
“Everyone’s a winner when Commonwealth agencies implement VDPs and we should see more of it across government.”
In 2020, the Australian Signals Directorate said the government had never considered adopting a bug bounty, despite the widespread use of similar programs in the US and UK governments.
The Digital Transformation Agency in answers to questions on notice from senate estimates in October said there were still no plans to introduce a centralised bug bounty program.