Home Affairs’ critical infrastructure governance challenges and Risk Management within the broader IT industry
June 28, 2022
When COVID reached the shores of Australia and lockdowns descended upon our business communities, maintaining communications was essential. From an IT perspective, we all know the hyper-acceleration around cloud services that followed. Work from home (WFH) became a highly prized capability within all businesses. Indeed, Cytrack’s business weathered that storm through customer demand for critical communication services in the cloud, and it reformed our business in many ways, as it did for most in our industry.
Consider then, for a moment, what it would look like if we experienced an attack that degrades or disables a critical national infrastructure asset without any speedy resolution, such as losing all our internet, or electrical power across whole cities or the country. A ‘lockdown’ pales into insignificance.
Lockdowns were terrible enough. COVID wasn’t even a Black Swan. Nassim Taleb coined the term ‘Black Swan’ for an event that is outside the realm of regular expectations, has extreme impact, and, after the fact, is rendered predictable in hindsight. Taleb has expressed his irritation when asked if COVID was a Black Swan. It was predicted by himself and others; we have had 16 epidemics since 1850; on average, one pandemic each decade. In 2019, Trump’s administration, just before COVID, even carried out a pandemic simulation, “Crimson Contagion,” as a ‘viral outbreak in China’ that could kill close to 600,000 people in the US alone. COVID really should not have been ‘unexpected’.
With that experience in mind, I doubt we could comprehend the impact on us all if we experienced an actual Black Swan event on our national critical infrastructure assets. Or, for that matter, a non-Black Swan event – i.e. a determined nation-state cyber-attack upon our country, something the Critical Infrastructure Bill is specifically designed to address.
So, the question we should all like some assurance on then, is – ‘does the Department of Home Affairs as policy and regulatory lead for critical infrastructure protection coordination, have an effective approach to protecting Australia’s assets of national significance and supporting asset owners and operators to improve their resilience to attacks?’
And with our newfound interest in this matter, we should therefore be equally invested in the Auditor-General’s audit report last week, which found that Home Affairs’ enforcement of the critical infrastructure bill has only been “partly effective”.
The report is a result of the significant expansion developed by Home Affairs for Australia’s critical infrastructure protection laws. It was one of the final acts of the previous Parliament, where the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022 was passed, which amended legislation to expand the asset types covered. The new laws protecting critical infrastructure grew from 4 to 22 asset classes across 11 sectors. The department estimates that the 168 assets currently registered as critical infrastructure will increase ten-fold because of the legislative changes in 2021.
Home Affairs pushed through these reforms because department secretary Mike Pezzullo stated we had ‘pressing cyber-attack risks’. This was despite industry calls to refine these new regulations and provide more clarity.
Back to the report, the audit picked up that 77% of measures of control effectiveness indicators did not align with enterprise-level critical infrastructure risk reporting, and 68% of policy and procedural documents to support critical infrastructure-related compliance activities were not finalised and approved.
The subject of governance around risk management and compliance is currently very topical for me. Cytrack has recently completed introducing compliance to ISO 31000 for Risk Management, ISO 37301 for Compliance Management and, in May this year, received accreditation to the ISO 9001 Quality Management System standard.
What’s apparent from this report is that Home Affairs’ enforcement of critical infrastructure protection is deficient, and that appears to be an issue with governance from the top. Certain fundamental aspects of the governance framework appear not to be in place, including risk assessments and reporting, and critical information flows to the policy and regulation functions on performance statements, regulatory performance assessment, and use of internal measures. Without these in place, the Home Affairs governance team is in danger of being a victim of Rumsfeld’s famous ‘unknown unknowns’ – those things “we don’t know we don’t know”.
Thankfully, the professional external audits acting as the third line of defence in the risk management framework have done their job and highlighted the issue. Home Affairs has accepted the Auditor-General’s seven recommendations. They say this will support the roll-out of the new critical infrastructure laws through the new dedicated Cyber and Infrastructure Security Centre established last year.
I welcome the Critical Infrastructure Bill, which received assent in April this year. It’s a crucial policy; Australia faces increasing cyber security threats to essential services and businesses. In recent years we have seen cyber-attacks on national Parliamentary networks, logistics, the medical sector and universities – to mention a few.
The bill enforces and strengthens the capability of owners and operators of systems of national significance to meet compliance with obligations such as undertaking cyber security exercises, reporting on incidents and taking action to reduce the risk and impact of a significant cyber-attack against those systems. The Government is establishing information sharing with relevant owners and operators to develop near real-time national threat pictures. A great initiative within this is the co-development of a playbook of response plans for a range of scenarios that provide owners and operators of systems of national significance with important information on ‘what to do’ and ‘who to call’ to keep their business (and customers) safe when facing a cyber-attack – especially when a cyber-attack is beyond their capability. So in that respect, the ongoing security and resilience of critical infrastructure become a shared responsibility – by Commonwealth and State/Territory governments and the owners and operators of the infrastructure.
As a result, the responsible entities for certain critical infrastructure assets will now have to establish, maintain, and comply with a risk management program. I believe we will begin to see these risk management practices flow down as a best practice approach within the broader IT industry. Indeed, I expect to see ISO 31000 for Risk Management be adopted as the recommended framework and become a more familiar standard amongst relationships in our industry.
Through this lens, the sophisticated IT reseller will increasingly be able to advise customers on their IT security exposures from a risk management perspective and use best practice frameworks. Engaging with the customer will elevate to discussing aspects such as their risk appetite and the appropriate calibration of systems to mitigate those risks in line with the business appetite. Discussion on this level changes the dynamics of the IT planning exercise. That can only benefit us all as we increase our risk management sophistication. The harsh reality is that underestimating risk, or failing to mitigate against it adequately, can have substantial financial and reputational consequences for both the reseller and the customer.