In September 2021, the Victorian Government unveiled its Cyber Security Strategy setting out the State’s cyber agenda for the next five years. The Government’s strategy is designed to deliver three core missions:
- the safe and reliable delivery of government services;
- a cyber-safe place to work, live and learn; and
- a vibrant cyber economy.
While the strategy sets the cyber agenda and creates a broad cyber security framework, the detail of how that framework will be achieved will be contained in Mission Delivery Plans which are to be released annually by Victoria’s Chief Information Security Officer. The first of these is described below. The Victorian CISO will also release an annual paper reporting on the progress of each Mission Delivery Plan. The strategy is backed by an investment of $50.8 million, which is part of the $100 million in additional funding for IT service delivery announced in Victoria’s May 2021 budget.
The 2021-2022 Mission Delivery Plan
The 2021-2022 Mission Delivery Plan outlines actions that will commence in 2021-22 in support of achieving the above three missions.
In support of the delivery of government services, the plan aims to ‘strengthen the defences of Victorian Government networks and services equal to the current and emerging threats’. This includes protecting the privacy of sensitive information held by the Victorian Government, uplifting IT services’ cyber resilience and ensuring the Victorian Government’s channels of communication are trustworthy and free from manipulation. The plan also aims to support individuals, households, businesses and community groups to connect, engage and work safely online, and to develop strategic partnerships to develop a competitive cyber sector.
Actions to be taken under the 2021-2022 Mission Delivery Plan include:
- deploying an Essential Eight (described below) status monitoring program to protect the Victorian public sector against common attacks. This mitigation system will improve risk governance of government agencies IT assets and ensure critical services are highly resistant to cyber-attacks. Suppliers will need to be cognisant of this program when supplying to government.
- improving cyber support for Victoria’s critical infrastructure and essential services especially through arrangements for sharing cyber threat intelligence. Critical infrastructure is increasingly recognised an attractive target for malicious cyber activity. The Mission Delivery Plan proposes developing an annual cyber exercise program in partnership with Victoria’s critical infrastructure owners and operators to support the continuous review of Victoria’s cyber emergency management arrangements. It also recognises a need to work collectively with critical service operators, other states and the Australian Government on issuing consistent cyber regulation and standards for critical infrastructure (although the Plan doesn’t identify how this will interact with the amendments to the Security of Critical Infrastructure Act currently before Federal Parliament);
- introducing measures to reduce the likelihood and community impact of cybercrime by supporting the delivery of a new Victorian Police Cybercrime Strategy to boost the Police capability to prevent, detect, disrupt and prosecute cybercrime affecting Victoria;
- establishing an Expert Advisory Panel to provide insight on current and future cybercrime risks, issues and response opportunities, and to identify future risk mitigation strategies. This panel will report to government on opportunities to enhance cybercrime education programs, on methods of reducing the harm associated with cybercrime and possible legislative reform opportunities to help police combat cybercrime;
- growing local capability by through an Expert Advisory Panel providing insight on current and future cyber capability uplift opportunities and digital economic growth. This panel will be charged with reporting on the skills and capabilities required to meet the cyber challenge in growth sectors, the opportunities to influence and leverage Commonwealth and state initiatives and opportunities to drive enhanced business engagement within the cyber ecosystem; and
- enhancing cyber skills development, pathways into employment and job growth. These opportunities will be created by establishing internship opportunities, continuing to support cyber skill-based university courses and training programs, boosting digital technology industry skills through the Cremorne Tech Hub and facilitating a whole of Victorian Government Cyber Certificate IV Internship Program.
How does the Victorian plan compare to Commonwealth and NSW equivalents?
With Victoria, NSW and the Australian Government all having released cyber security strategies within the last year some trends are becoming clear:
Uptake of the ‘Essential Eight’
The Australian Cyber Security Centre developed the “Essential Eight” as a mitigation strategy to help organisations protect themselves against cyber threats. The Essential Eight Maturity Model was first published in June 2017 and has been updated regularly. In February 2019, the NSW Government launched their Cyber Security Policy and adopted the Essential Eight by requiring all NSW Government agencies to address their maturity against the Essential Eight each year. It appears Victoria is set to follow NSW’s lead, with the 2021-2022 Mission Delivery Plan seeking the deployment of this policy as a baseline mitigation strategy. The measuring against these benchmarks allows for a better understanding of cyber maturity and enables a more targeted cyber security uplift.
Strategies targeted at critical infrastructure
Critical infrastructure is increasingly a focus of cyber regulation. Whilst the increased use of “Infratech” can bring vast advantages in terms of collecting insights and generating useful data, the use of technology in infrastructure assets exposes them to the ever-increasing risk of cyber-attack. Infrastructure asset owners have for a long time been acutely aware of security considerations, but now the focus is firmly on cyber-security and the steps that a far broader range of asset owners and operators (in sectors as diverse as telecommunications, food, transportation and data processing) need to take both to prepare for a cyber incident and in the event that a cyber incident actually occurs.
Seeing the opportunities as well as the threats
While cyber security strategies fundamentally seek to protect states against the growing threat of cybercrime, both the NSW and Victorian strategies seek to cast cyber security as an economic opportunity. Victoria’s first Mission Delivery Plan seeks to “leverage the state’s excellence in technology and innovation culture to position Victoria as a global leader in the growing cyber market”. Similarly, the core principles underpinning NSW’s cyber security strategy outline the goal of growing the cyber industry and allowing the cyber workforce to expand. It is clear that both States are working to position themselves to prosper in the growing digital economy and potentially see cyber expertise as a potential export or at least a competitive advantage for local industry into the future.
Increased focus on collaboration between government, industry and community
Victoria’s Mission Delivery Plan concludes that strong partnerships are essential to delivering the cyber strategy and states “effective reduction in harm from cyber-attacks requires collaboration across government, industry and the community”. This echoes the Australian Government’s Cyber Security Strategy 2020, which argued effective cyber security requires collaboration between government, business and the community. The growing need for partnerships and collaboration to combat cybercrime is explained by the Victorian Government’s statement ‘cyber risk knows no boundaries and does not adhere to jurisdictional or geographical borders’.
Where to next?
Cybersecurity is clearly front of mind for government as it seeks to tap into the efficiency gains and reduced costs offered by digitisation without compromising the integrity and availability of government services. As with all emerging threats and challenges, we will only be able to judge in the fullness of time whether the measures proposed are adequate. The Victorian Government’s initiatives under the Cyber Security Strategy will need to evolve over time as new threats emerge and new best practice measures are identified, and the annual mission delivery plans will hopefully enable Government to meet this challenge. Organisations operating in Australia, particularly those supplying to government will need to keep abreast of the different cyber developments federally and within the various states and territories.
Authors: Lesley Sutton, Mark Ferguson and Maisie Adams