The government's chief cyber security advisor and one of the core suppliers of federal internet gateway services have raised concerns that a shared gateway scheme is ineffective and giving agencies a false sense of security.
The federal government introduced its internet gateway reduction program in the 2009 cyber security strategy, in order to consolidate 124 internet gateways across government down to eight to reduce the risk of successful cyber attack.
Gateways would be provided through eight "lead agency gateways" - larger departments that provide and maintain the platforms to other smaller agencies. Each lead agency could choose its own underlying technology as well as hosting arrangements (as long as it is local).
The thinking was this consolidation would allow cyber security efforts to be focused on protecting a smaller number of gateways, thereby reducing the attack surface area.
But the policy is now eight years old, and to date the agency formerly administering the program - the Finance department - has not been aggressive in forcing agencies to comply.
Agencies are required to request and be granted a formal waiver from the program not to participate, but many smaller departments are bypassing this process and simply going it alone.
In a joint committee hearing today on cyber compliance, cyber security special advisor Alastair MacGibbon said he had spoken to the program's new lead agency - the Digital Transformation Agency - about reviewing its effectiveness.
He said he had asked the DTA to assess not only the compliance issues but also whether the program should be continued at all.
"I would doubt, frankly, that it is fit for purpose today given we have a lot more mobile devices and a perimeter that is way more pervasive than it was a decade ago," MacGibbon said.
He also raised concerns that some agencies were leaning on the gateway to fully protect them from attack.
"I often fear that an agency can be lulled into a sense of security because it sits behind a gateway, or it meets compliance of the ASD top four, and therefore all is good," he said.
"I don't subscribe to that, I subscribe to constant risk and how do we reduce the likelihood of that risk being realised."
One of the lead suppliers for the gateway program, Macquarie Telecom, echoed MacGibbon's comments and said there was a danger of smaller agencies adopting a "compliance mentality" rather than one of risk management.
"If the framework is not carefully balanced and subject to oversight, there is a danger ... agencies might make the mistake of thinking that if they comply with the minimum requirements of the government simply by participating in the program ... they meet the necessary standards to be cyber secure," MacTel said in its submission to the joint committee.
While it commended the program's ability to allow smaller agencies to overcome resource issues and attain a level of compliance with the ASD top four - a firewall software update benefits all agencies sitting behind that particular gateway, for example - it said the government had not wielded a strong enough stick to get agencies to comply.
"Some agencies have simply not joined the program, despite being assigned to lead agency groups and without specifically being granted exemptions," MacTel argued.
"The Department of Finance has seemingly not had the power and/or the willingness to compel agencies to participate in the program, which leaves some small organisations still self-supplying."
It claimed the gateway program had been a key defender in keeping agencies safe from the recent WannaCry ransomware campaign.
"Implementation of the lead agency gateway program provided a shield across all agencies that participated in the program, including any agency that was itself not fully compliant with the top four," MacTel said.
"A key question this raises for government in relation to its own future risk is if [the ASD top four] combined with the perimeter defences of the secure internet gateway [meant] the likelihood of infection was extremely low, why is the ASD advice not being universally followed, why are not all agencies being required to comply with the lead agency gateway program, and how can this be fixed quickly?"
The comments were made as part of an inquiry into why the Australian Taxation Office and the Department of Immigration had failed to comply with the ASD's top four cyber mitigation strategies. The joint committee held its first hearing into the matter today.