Monday, May 14, 2018

ASD refuses to take backward step in wake of DTA cloud strategy

When you have most of the cyber talent in the public service, why should you defer to an agency without a cybersecurity team?


Despite the existence of a Secure Cloud Strategy, the Digital Transformation Agency (DTA), and a high workload, the Australian Signals Directorate (ASD) will continue to go its own way and certify government cloud use.

Responding to a Question on Notice by Liberal Senator Linda Reynolds from Senate Estimates, ASD said it did not agree with an assertion that its role should be diminished in keeping government clouds secure.

"ASD is not scaling back on its cloud certification and supporting industry partnerships role," the directorate said. "ASD will continue to assist cloud providers in securing government (and our nation's) information."

Simply throwing more resources at the certification problem was not a complete solution, ASD said, with agency heads needing to be able to identify and manage cybersecurity risks.

"ASD is best placed to certify cloud services through strong partnerships with industry, using ASD endorsed Information Security Registered Assessors Program (IRAP) Assessors," it said.

"Agencies remain risk owners and must conduct accreditation of all cloud services, including those certified by ASD. The DTA Secure Cloud Strategy highlighted that agencies can conduct certification activities."

In response to a question from Reynolds on whether the DTA had "deep level cyber security experts", ASD said it "employs the bulk of government cybersecurity experts".

Earlier this year, DTA's CEO Gavin Slater told Senate Estimates he wants his agency's cybersecurity team back in-house, after a machinery of government change removed them.

"We had a small cybersecurity team embedded within the DTA ... the role of that team was that when agencies were thinking about transforming the way their services are delivered digitally was to really ensure they were thinking about security, not as an afterthought but part of the key design criterion -- that was the primary role of that team," Slater said in February.

"But recently under a machinery of government change, with the centralization of the cybersecurity function under Alastair MacGibbon, that team has been logged out from the DTA."

Slater said the work the DTA does with agencies is cross-functional, and it is far easier to have people within the DTA, rather than having to ask for access to them in another arm of government.

The DTA's Secure Cloud Strategy pushed government agencies to use public cloud by default, and asked agencies to make risk-based decisions when applying cloud security; design services only for the cloud and avoid customisation; use as much of the cloud as possible; take full advantage of cloud automation practices; and monitor the health and usage of cloud services in real time.

"Agencies must design all new or modernized ICT services as cloud-native, or cloud-enabled," the strategy said.

Speaking in March, ASD director-general Mike Burgess said a lack of talented people in the cyber workforce was a secondary issue, compared to those at the head of organizations.

"Skilled people is not the critical issue here, it's the skill of the chief executive and his/her management team in identifying and managing this risk effectively and the skilled executive level that can actually work through that to ensure themselves the right thing is being done -- that for me is the real issue, not the skills shortage of bright young ladies or men who know how to configure firewalls or set up systems securely," Burgess explained.

"There's a demand for good IT people, absolutely, that's not the problem here; the problem is having the chief executives asking the right questions.

"That's not a cybersecurity skills shortage."

Appearing before the Joint Standing Committee on Trade and Investment Growth on Thursday, MacGibbon said the ASD under the leadership of Burgess will "increasingly be advising agencies where we believe they are deficient in their security".
