The Victorian government has outlined a significant program of work under its new cyber security strategy to uplift cyber security resilience across the public sector and boost industry opportunities.
Government services minister Danny Pearson unveiled the five-year strategy for a 'cyber safe Victoria' on Monday to replace the now-expired strategy released back in August 2017.
It follows a $50.8 million investment in whole-of-government cyber security in this year’s budget, and specific funding for the Department of Health, Ambulance Victoria and state Parliament.
The strategy seeks to progress three core missions: the safe and reliable delivery of government services; a cyber safe place to work, live and learn; and a vibrant cyber economy.
In doing so, it broadens the scope of the former strategy, which focused primarily on establishing a whole-of-government approach to tackling cyber security and uplifting internal capability.
“The Victorian government must play a key role in supporting industry and community groups to reduce their cyber risk,” the strategy states, adding the government must “lead by example”.
The strategy also takes into account the unprecedented change of the past 18 months, which the government said has “magnified cyber risks that require a strategic and coordinated response”.
Much of the detail on the government’s plans lies in the adjoining annual mission delivery plan, which has been developed by the state’s chief information security officer John O’Driscoll.
Under the first mission delivery plan, the government said it plans to “strengthen the defence of Victorian government networks and service equal to the current and emerging threat”.
“This mission will protect the confidentiality and integrity of sensitive information and support the reliable delivery of IT-dependent government services to the Victorian community,” it states.
Government services minister Danny Pearson added that this “focus on strengthening security for government online services and communications” would take place in the first year.
“This strategy re-focuses on protecting Victorians' data and government systems while growing jobs and supporting cyber businesses,” he said in a statement on Monday.
The mission delivery plan reveals that the government will ensure the IT systems it uses “implement a range of baseline information security controls”, namely the Essential Eight.
It will also require that critical services “meet a higher minimum standard, which are fit-for-purpose and highly resistant to cyber attacks”.
The government plans to improve the adoption of the Essential Eight by issuing guidance on their successful implementation and introducing a “status monitoring program”.
It also wants to make it easier for agencies to procure “Essential Eight-related goods and services” by establishing a simple procurement process.
Standing offer arrangements are similarly planned for anti-malware service providers and security operations centres for critical services.
Other actions on the roadmap include implementing domain-based message authentication, reporting and conformance (DMARC) across all email services using the vic.gov.au domain.
The government is also planning a “cyber education program for government executives in critical service operations”, though this training will not extend to all staff.
With one in four reports to the Australian Cyber Security Centre made by Victorians, an “expert advisory panel” will be established to tackle cybercrime.
The panel is expected to report to government on ways to “enhance cybercrime messaging and education programs”, including legislative reform opportunities for police to combat cybercrime.
Victoria Police is planning to develop a new cybercrime strategy that will also boost its capability to prevent, disrupt and prosecute cybercrime.
The government will also create a similar advisory panel to “provide insight on current and future cyber capability uplift opportunities and digital economic growth”.