Tony Chapman, NSW Chief Cyber Security Officer, provides an update on the State’s cyber safety
In 2021 the acceleration of remote working and digital adoption continued, with working from home now the new normal for many Australians. With the increased need for connectivity, alongside technological advancements and an evolving threat landscape, the NSW Government’s cyber security environment changed significantly over the past 12 months.
Threat actors continued to exploit the weakest link in cyber security – the human element. Cyber Security NSW worked collaboratively across NSW, Australia and with industry to minimise these and other vulnerabilities and risks to our systems, data, and the privacy of our customers.
Our strong relationship with NSW Government clusters, agencies and councils is vital. Every piece of information shared with Cyber Security NSW can be the missing piece of the puzzle to solving a current threat faced by NSW Government. The information we are given is often used to create actionable intelligence that helps keep our systems connected, protected, and trusted.
Since its creation, Cyber Security NSW has grown substantially in size, diversity, and capabilities. We recognise that the representation of women in Australia’s cyber security sector remains lower than it should be. In 2020, the Australian Information Security Association (AISA) conducted a survey of the cyber security sector, which found women made up 18.3 per cent of the workforce. Additionally, only 13.9 per cent of workplaces reported actively integrating neurodiversity, which includes conditions such as ADHD, autism, and dyslexia.
Cyber Security NSW is committed to improving diversity through hiring staff with a variety of backgrounds and skillsets, while endeavouring to create a gender balance. We still have a long way to go, but we are proud of our progress – two-thirds of our leadership team and approximately 40 per cent of the branch are women.
NSW Government Cyber Security Strategy 2021
In 2021 we released the NSW Cyber Security Strategy (the Strategy) in collaboration with Investment NSW. This replaced the 2018 NSW Cyber Security Strategy and the NSW Cyber Industry Development Strategy to create one coherent and responsive strategy.
Cyber security is the spine of a strong digital society, providing the trusted environment needed to advance widespread digital transformation and adoption. Strong cyber capability protects the economy from losses to cybercrimes and builds the foundation to grow the emerging tech sector.
The Strategy delivers considerable economic and social benefits to NSW by ensuring we have the protections, capability, skills, and workforce to meet current and future cyber challenges. It leads our vision for NSW to become a world leader in cyber security, with Cyber Security NSW protecting, growing, and advancing our digital economy.
NSW Cyber Security Policy
Cyber Security NSW reviews and improves the NSW Cyber Security Policy (the Policy) annually. Cyber maturity scores assessed against the Policy decreased slightly from 2020 to 2021. This reflects a growing understanding among agencies and departments of how to assess maturity, and more truly represents the state of cyber security within NSW Government.
From its inception in 2018, the Policy has progressed to help ensure timely compliance and collaborative reporting, which has contributed to NSW Government leading the nation in cyber maturity reporting.
No other state, territory or federal government department has the same strategic view of cyber security maturity that includes not only technical controls, but also people and process controls – or a detailed view of the status of whole-of-government cyber uplift.
Cyber Security NSW welcomed the release of the Compliance with the NSW Cyber Security Policy report by the Audit Office of NSW on 28 October 2021. The report made several recommendations for improving the Policy.
The report’s recommendations have already begun to be rolled out in the 2022 iteration of the Policy and will be fully implemented by the 2023 reporting period.
Digital Restart Fund
To combat the evolving cyber security threat landscape and to strengthen the security posture of the NSW Government, clusters and agencies have embarked on the development and implementation of cyber security uplift programs.
The NSW Government has led the country in addressing the evolving threat landscape with a critical investment for state-wide cyber security maturity uplift.
In July 2021, $US75 million was announced for small agencies, following the $US240 million announced in June 2020 for clusters across three years.
As part of the funds allocated to cyber security through the Digital Restart Fund, Cyber Security NSW received $US60 million over three years from the NSW Government to provide additional assistance in cyber security awareness activities, incident response, intelligence, training, and capability development.
Cyber Security NSW has worked with several agencies and clusters to provide support in developing cyber uplift business cases for submission to the Digital Restart Fund. This helps agencies align their uplift to priority areas and identify any potential duplication with whole-of-government services and capabilities.
Cyber security maturity uplift will not be achieved through one-off funding or within a year — it takes time and investment. Countries across the developed world are facing similar difficulties in implementing strengthened cyber security capabilities as cyber threats rapidly evolve.
Intelligence and Response
Cyber Security NSW’s work producing actionable intelligence and responding to incidents was formally recognised by the 2021 Department of Customer Service Secretary Award for Leading the Way.
While those working in cyber security for NSW Government and councils will have seen the formal disseminated intelligence, the informal knowledge-sharing that happens confidentially also makes a significant difference.
In 2021, Cyber Security NSW supported numerous cyber incident responses across agencies, departments, and councils. Using our strengths, we engaged with the affected parties early, leveraged internal capabilities, investigated in a timely manner and maintained communication throughout incidents.
For example, in January 2021 a significant incident was declared in accordance with the NSW Cyber Security Emergency Sub Plan in response to the cyber-attack on Accellion, a US-based software provider. It is estimated that some 100 organisations around the world, including global corporations, financial institutions, government departments, hospitals, and universities, were among those affected by the breach. In response to this incident, Strike Force Martine was established by the NSW Police Force and Cyber Security NSW. The lessons we learned from this attack resulted in several key policy changes across NSW Government, such as the development of statements of intent to clarify the senior decision-making processes during significant incidents.
The Cyber Threat Intelligence program, produced by Cyber Security NSW, provides proactive and targeted intelligence to warn government of likely threats, with recommended mitigation actions. This intelligence can be in the form of Alerts, Environmental Scans, Insights, Intelligence Assessments or Threat Briefings.
Through our incident response and coordination function, Cyber Security NSW ensures all reported incidents are handled quickly and effectively, with advice provided as required.
Through our forensics and threat-hunting function, Cyber Security NSW provides an initial triage and investigation service to understand the scope and severity of suspected incidents prior to formal incident response engagement.
To ensure NSW Government is prepared to tackle the threat of compromised business emails, the NSW Government has introduced a Domain-based Message Authentication, Reporting and Conformance (DMARC) tool.
DMARC authentication ensures only authorised individuals can send emails using the legitimate NSW Government domain ‘nsw.gov.au’ and that our government remains a trusted sender of email communications.
DMARC has been rolled out across all NSW Government agencies, and Cyber Security NSW is in the process of expanding this offering to councils.
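The passage above describes DMARC as the control that keeps mail claiming to come from a government domain trustworthy. The following is an added example, not Cyber Security NSW code or any published NSW record: it parses a DMARC TXT record, flags the settings a defender would want tightened (such as a monitoring-only p=none policy), and applies DMARC's identifier-alignment rule to a message's SPF and DKIM results to show why a spoofed message is rejected under a hardened record but still delivered under a weak one. The domain example.gov.au, the records, the public-suffix set and the message results are all constructed for the example.

```python
"""Added example: DMARC record checker and disposition evaluator.
Not Cyber Security NSW code; all domains, records and results are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed records for a hypothetical example.gov.au: a monitoring-only one
# and a hardened one (these are not any real published DMARC records).
WEAK_RECORD = "v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@example.gov.au"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.gov.au")

# Tiny stand-in for the Public Suffix List; real code should use the full list.
PUBLIC_SUFFIXES = {"gov.au", "com.au", "com", "org"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict; reject records that are not DMARC."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    return tags


def weaknesses(tags: dict[str, str]) -> list[str]:
    """Return findings a defender would want to fix before relying on DMARC."""
    findings = []
    policy = tags["p"]
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is filed as spam, not rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp", policy) == "none":  # sp= defaults to p= when absent
        findings.append("sp=none: subdomains are unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will never arrive")
    return findings


def organizational_domain(domain: str) -> str:
    """Organisational domain = one label above the public suffix (simplified)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = exact match, 'r' = same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str   # domain in the visible From: header
    spf_pass: bool
    spf_domain: str    # MAIL FROM domain the SPF check was run against
    dkim_pass: bool
    dkim_domain: str   # d= tag of the DKIM signature that was verified


def dmarc_disposition(record: str, policy_domain: str, msg: AuthResult) -> str:
    """Return 'pass' or the policy ('none'/'quarantine'/'reject') to apply."""
    tags = parse_dmarc(record)
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_pass and aligned(msg.dkim_domain, msg.from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # A From: subdomain of the policy domain is governed by sp= (falling back to p=).
    is_subdomain = msg.from_domain.lower() != policy_domain.lower()
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


# Constructed messages: a spoof from an unrelated bulk sender (SPF passes for the
# sender's own domain but is not aligned), and a legitimate agency message signed
# by a subdomain, which passes relaxed alignment but fails strict (adkim=s).
SPOOF = AuthResult("example.gov.au", True, "bulk-sender.example.com", False, "")
LEGIT = AuthResult("example.gov.au", False, "mail.agency.example.gov.au",
                   True, "agency.example.gov.au")

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, weaknesses(parse_dmarc(rec)))
        print("  spoof ->", dmarc_disposition(rec, "example.gov.au", SPOOF))
        print("  legit ->", dmarc_disposition(rec, "example.gov.au", LEGIT))
```

The second message is the caveat to watch when moving from a relaxed to a strict record: `adkim=s` makes the strong record reject mail that a subdomain legitimately signs, so strict alignment needs every sending system to sign with the exact From: domain before the policy is tightened, and the aggregate reports from `rua=` are how those senders are found first.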
Cooperation with Councils
The cyber security of NSW councils remains an ongoing priority. We engage with all NSW councils on their cyber security, by:
disseminating intelligence products
supporting councils in their response to actual and suspected cyber incidents
providing the ‘Essentials’ cyber security training for councillors and council staff
rolling out DMARC services
conducting extensive and ongoing vulnerability scanning and management for councils
in one case, providing operational security capability for several months to a council while they recruit a new security role, among other forms of support.
We understand the key role that councils play in the day-to-day lives of NSW citizens, and we look forward to further developing this function.
Cyber Security Awareness and Training
Human error accounts for most cyber security breaches, highlighting the importance of education. There are several training and exercise initiatives being run through Cyber Security NSW to educate staff across NSW Government.
It’s no secret that phishing and spear phishing remain the most common methods used by cyber adversaries to harvest personal information and credentials to gain access to networks or distribute malicious content.
Whether you’re an Executive, a privileged user such as an IT administrator or payroll staff, or a general user, everyone is vulnerable and a potential target. That is why increased awareness must be a pillar of any cyber security framework.
To tackle the increasing threat of malicious cyber-attacks, Cyber Security NSW has developed the ‘Essentials’ training program, available to all public servants and contractors. According to the 2021 State of IT report, NSW is the only state or territory in Australia to have a mandated and rigorous cyber security training program for all staff.
Exercise as a Service
We must all be prepared to detect, respond, and recover quickly and effectively when incidents occur. The Policy acknowledges the need to increase preparedness and resilience. It requires agencies to have a current cyber incident response plan, test their plan annually and participate in cyber security exercises.
To support agencies in complying with the mandatory requirements of the Policy, Cyber Security NSW established an exercise-as-a-service function. We collaborate with agencies’ security teams to design exercises that test and improve existing plans and processes.
The exercises range from discussion-based tabletop exercises to realistic simulations that involve the analysis of artefacts in a secure environment. This further assists agencies in honing their plans and improving resilience from a first responder level right through to Executive management.
In September 2021, NSW Government departmental heads participated in Exercise Greenpatch to ensure they were prepared to respond to a significant cyber incident. The event tested each department’s procedures, including those related to decision-making and education on types of cyber incidents and potential impacts.
This followed an earlier functional exercise in April 2021, where cyber security teams from across NSW Government practised their response.
Business and Strategy
As Cyber Security NSW has expanded and faced the ever-changing environment, branch-wide recruitment has seen the onboarding of 49 new staff members in the last calendar year, bringing total strength up to 87.
During 2021, two new teams were introduced to the portfolio of Cyber Security NSW: the Risk and Assurance Advisory Services team and the Business and Strategy team.
The role of Business and Strategy is to provide support and coordination across the branch by streamlining business operations in finance, recruitment, and reporting, and developing a centralised view on strategic roadmapping and project management. With Business and Strategy, the key objectives and changing priorities across the branch are resourced, managed, and executed effectively.
Risk and Assurance Advisory Services
The Risk and Assurance Advisory Services team was established within Cyber Security NSW in February 2021. The team is split between two separate projects focusing on risk and assurance reviews.
The assurance stream has implemented a program to provide assurance reviews against the Policy. Once a review has been completed, key findings and recommendations are provided to clusters and agencies to assist with their maturity uplift.
The risk stream is developing guidance documents to assist clusters and agencies in implementing best practice cyber risk management. The aim is to ensure appropriate recognition of cyber risk in risk appetite statements and subsequent risk management activities.