After mandating “essential eight” controls.
The WA government has stood up a strike team to help departments and agencies to uplift their cyber security posture after mandating the Essential Eight cyber security controls last year.
The uplift team, which sits within the Office of Digital Government’s cyber security unit, was made possible with a $25.5 million funding injection in the government’s mid-year budget review.
The funding, provided through the government’s new digital capability fund, will be used to further develop WA’s cyber security capabilities, including incident detection, response and prevention.
It is the first significant investment in cyber security since the Office of Digital Government (DGov) secured $1.8 million in the 2020-21 budget to establish a cyber security operations centre (CSOC).
Speaking to iTnews about the investment, government chief information security officer Peter Bouhlas said the new team had been created to help “agencies to understand where their weak spots are and to provide direct support”.
“It can be overwhelming, with a really long list of things to do, which [controls] to do first,” he said.
“We can help them focus on what’s the one or two or three controls they’re struggling with, and then the team can then go in and have a more targeted approach to supporting an agency.”
Addressing long-held concerns
Initially consisting of five staff, the uplift team will work on a range of different initiatives across a number of agencies, depending on where help is needed.
Around 25 staff will join the cyber security unit in total as a result of the funding, evenly split between policy and operations roles.
DGov has already used surveys to identity weak spots and other areas of concern, though agencies will also be able request help.
“We can see from the survey results and their maturity assessments where they need help,” Bouhlas said.
WA government agencies have struggled with meeting cyber security requirements for many years, as highlighted in numerous information systems reports from the state’s auditor-general.
It’s latest report, published last month, found only 50 percent of agencies met the benchmark for information security in 2021, with “no noticeable improvement from the previous year”.
“Over the last 14 years there has been little improvement in this area with only 11% increase in the number of entities since 2008,” the report said.
From SECC5 to Essential Eight
Bouhlas said much of the focus would be on implementing the Australian Cyber Security Centre’s Essential Eight controls, which has replaced the WA government construct of the SECC5.
SECC5 – or the Security and Emergency Comoittee of Cabinet (SECC) Top Five controls – were initially introduced a “warm up exercise in the lead up to a larger set of controls”.
“Five controls were much easier to talk to and acceptable by agencies to get done, so we focused on that,” he said.
The controls included patching, multi-factor authentication and privileged accounts and backups, but omitted application whitelisting.
“I didn’t think that agencies were ready for that,” Bouhlas said.
As part of the government’s new cyber security policy [pdf], released in October 2021, a new Essential Eight mandate was introduced in part due to the proliferation of cloud services.
The new policy requires agencies to reach a ‘maturity level one’ rating, one level higher than maturity level zero – the lowest level under the Essential Eight maturity model.
The ACSC reintroduced the maturity level zero rating – which signifies weaknesses in an organisation’s overall cyber posture – in a refresh of the controls last year.
“The Essential Eight for us is important because they protect us the majority of attacks that we see across WA, Australia and even globally,” Bouhlas said.
“So, if you’re not doing those and doing them effectively, anything else you are doing could be a waste of time.”
Bouhlas said this decision was made with agencies, who recognised it may result they go “back a level”.
“Unanimously, not one agency said no, we don’t want to do this. They recognised it might be difficult, it might look bad, but that there was a need to improve their cyber security capabilities.”
DGov will report to cabinet on the number of agencies that reach a maturity level one rating under the essential eight and those that don’t.
The government’s significant investment in DGov’s cyber security unit will also furnish it with a dedicate facility to house the growing team.
“People will have proper facilities to perform the roles that we expect in the modern age,” Bouhlas said.
Funding will also go towards new “tools” like a vulnerability scanner and security information and event management system (SIEM), avoiding the need for agencies to buy their own.
The team will also coordinate with vendors to help industry “understand what DGov is doing” when they engage with agencies.
“Having a central function means we’re sort of orchestrating all of WA’s cyber security industry to get on the same page,” he said.