Let’s not Push Successful Policies Aside
In an election period, the conversation naturally turns into a contest and swings between new initiatives being promoted and finger-pointing accusations of past failures. It is easy for long-running successful policies to be pushed aside in the heat of the contest. Unfortunately, that can mean they wind up forgotten altogether, even after the election is over, when a new or returned government sets about the task of implementing its promises.
In cyber security, where the challenges are many and the proven solutions few, this is a dangerous trap. We need to celebrate successful policies, learn from them and even replicate them.
Macquarie recently hosted Dr Samantha Ravich for a series of private engagements and meetings in Australia. Dr Ravich is one of the world’s leading thinkers and commentators on Cyber-Enabled Economic Warfare (CEEW), was deputy security adviser to US Vice President Dick Cheney, and is vice-chair of President Trump’s National Security Advisory Council and the Congressional Solarium on Cyber-Security.
In these private meetings and discussions in Sydney, Canberra and Melbourne, two issues came up again and again. Firstly, the problem of the weakest link in cyber security for governments is greater than ever.
The weakest link.
The interconnectedness of the economy today means the easiest entry point for a bad actor into your company’s environment may not be under your direct control – it could be a related company or agency sharing a system, a contractor supplying a crucial input within your supply chain, or even a service provider such as a public cloud company or a professional services firm.
Your supply chain will undoubtedly include businesses of all sizes, many originating from around the world. Organisations smaller than yours will face all the same complex and fast-moving cyber risks as your larger enterprise or agency, but without the same resources or specialist advice to deal with them.
Over time, these businesses become more and more connected to your enterprise or agency, accessing more and more data and systems. They are at risk of being the weakest link, increasing your threat surface and being the attack vector for a cyber-attack on your business.
The soft ‘under-belly’.
Governments are a great example – small departments and agencies share many connections with larger entities, creating the risk that one vulnerable agency is the entry point for a whole community of agencies and departments.
Macquarie identified this as the “soft under-belly” in our national cyber security policy three years ago and commissioned research into the problem, but it continues to defy easy answers.
As state actors become more active and more sophisticated, they are increasing their efforts to break into interconnected government and business systems, whether that be through supply chains or by exploiting smaller organisations to penetrate larger ones.
The second issue repeatedly raised was that just because you can’t do everything, doesn’t mean you shouldn’t do something.
Too complex ≠ do nothing.
Again, this is a message with particular resonance for medium-sized organisations whose complex ICT environments, high levels of interconnectedness and constrained internal resources make them increasingly attractive targets.
These problems persist because they are too complex to be resolved by silver bullet solutions.
But successive Australian governments deserve credit for leading the world in “doing something” about these issues through a far-sighted policy program Macquarie Government is proud to participate in.
Reducing ‘front door’ attack vectors.
The Consolidated Gateway program arose from an assessment of the inherent weaknesses in the whole-of-Federal-Government cyber security stance created by having too many “front doors”. The program reduced the pathways to the Internet by requiring agencies to share and secure internet gateways (SIG).
These consolidated gateways were required to set a common, baseline standard of security capability which benefited agencies of all sizes. Many of these capabilities were beyond the resources of smaller agencies alone. The program was conceived in 2009 and implemented over several years to 2013.
There is no doubt it has been a success, improving security and giving smaller agencies big savings through the economies of scale available across the program. The biggest problem with the program is that almost everyone forgot about it.
It has run along quietly in the background, evolving new capabilities as Macquarie Government has improved and added to the technologies sitting in the gateway, while generations of policy makers in both the public service and parliament came and went.
Thankfully, a review last year alerted many of these people to the program and the fact that it remains a core element providing strong baseline cyber security hygiene across the Commonwealth, not least to the smallest and most vulnerable.
It provides a sobering story, however, as we head into an election from which another new generation of leaders may emerge.
Let’s look in the boot first.
Before we go to the drawing board on cyber security policy, we really need to have a thorough look in the boot to be sure we haven’t already invested in building a perfectly good wheel.