Final Report

Abstract

Australia, like the rest of the world, is undergoing significant digital transformations. The Digital Transformation Strategy 2018 – 2025 (Digital Transformation Agency, 2018) and more recent Australian Cyber Security Strategy 2020 (Department of Home Affairs, 2020) define benefits of centralised cloud hosted services especially within cybersecurity. What does Australia’s rocky history in shared services adoption and reluctance to use many available cloud services mean for realisation of these strategies? This Paper examines the success of centralised cybersecurity operations within other countries; the benefits and disadvantages of cloud services security capabilities; technologies available to centralise cybersecurity operations; and requirements for successful implementation of shared services.

Introduction

The Department of Home Affairs (DHA) recently released the Australian Cyber Security Strategy 2020 report (Department of Home Affairs, 2020). The strategy discusses implementation of secure hubs to centralise common applications and processes such as cybersecurity across government departments and agencies. The central secure hubs aim to reduce costs and risks through a reduced number of software implementations thereby reducing the number of attack surfaces. Prior to the Australian Cyber Security Strategy 2020, in 2018, the Digital Transformation Agency (DTA) published their Digital Transformation Strategy for 2018 – 2025 (Digital Transformation Agency, 2018). This strategy defines a ‘Government that’s fit for the digital age’ which includes, where practical, government organisations leveraging the benefits of cloud solutions.

Newer technologies such as Security Orchestration, Automation, and Response (SOAR) and Secure Access Service Edge (SASE) enable organisations increased threat detection and response capabilities over the traditional solutions currently in place across most government organisations (FireEye, 2017; Moran, 2018; Neiva et al., 2020). Cloud service providers leverage these technologies to further increase their capabilities using data points from their thousands of customers (MacDonald et al., 2019). Use of cloud services and the new technologies meets requirements laid out within the DTA strategy and may meet requirements for centralised secure hubs identified by the DHA strategy; however, are government organisations ready, willing, and able to adopt a centralised capability, and if so, what challenges will they face?

This Paper details the outcome of research. It includes the research methodology and findings, the challenges and future actions and research necessary to undertake the initiatives.

METHODOLOGY AND TECHNIQUES

The Project Proposal defined use of a mixture of qualitative and quantitative research. Techniques defined in the proposal for document analysis and screening included a two-stage appraisal, which involved an initial assessment of the material at a high-level for the author, publication date, publisher, and title. The second stage involved a review of the material body and determining its fit for purpose.

The relative novel nature of concepts within the research topic made sourcing information difficult. The material researched for this Paper therefore included a comprehensive literature review of academic research and grey literature on more discrete main topics of:

  • Government shared services.
  • Shared technologies in government.
  • Cloud services security.
  • Multifaceted security orchestration.

Much of the literature review did not identify information specific to Australian Government for the topics; however, additional research using Australian National Audit Office (ANAO) reports and news articles as guidance to other material provided context for the findings.

Results and Findings

SOAR and SASE for Australian Government use show considerable promise, as does centralising of operations leveraging services offered by cloud service providers. The history of trust both between Australian Government departments and agencies, and in cloud services is the main hurdle that the strategies face, but do not address.

Experiences from other countries

Finland is a leader in cybersecurity operations after directives by the Finnish Government to strengthen their capabilities (Griffith, 2018). To address concerns raised by their various departments, the government forced technology vendors and implementation partners to develop more mature, appropriate solutions.  The success in the first stage of the program of work, enabled the Finnish Government to expand capabilities as defined within their 2019 Cyber Security Strategy (Turvallisuuskomitea, 2019). In addition to centralising operations, their strategy also discusses plans to increase protection of their cyber operations through broader cooperation opportunities with the European Union. Following the success of Finland and after conducting their own research and trials, Taiwan also committed to cybersecurity centralisation and are seeing similar successful results (Huang & Li, 2018)

Technology review

Islam et al. (2019) provide a comprehensive review of the various facets and key components of security orchestration. When combined with industry best practice recommendations from FireEye (2017), and Gartner reports from MacDonald et al. (2019) and Neiva et al. (2020) today’s technology, such as SOAR and SASE, is capable and even stronger when in use across multi-discipline organisations. As highlighted by MacDonald et al. (2019) and Poppensieker and Riemenschnitter (2018), traditional hub and spoke network architecture, with mostly manual security incident response practices does not provide an appropriate model for secure modern globally geographically distributed workforces. They emphasise that maintaining security, whilst enabling modern globally distributed and mobile business operations, is only possible through use of offerings from cloud service providers due to the economies of scale. To illustrate this point, Microsoft’s 2019 cybersecurity budget to secure their cloud services was over US$1 Billion (Linn, 2020).They continue, that due to staffing constraints within cybersecurity, and the inability for people to respond fast enough, organisations must employ automation for many detect and response activities.

Cloud services

Continuing from the technology review, Tourani et al. (2019) provide an option to shift organisations to multi-access edge computing, similar to the Australia Government Cyber Security Strategy secure hubs. The United States Department of Defence decision to award Microsoft a US$10B military cloud contract under the Joint Enterprise Defence Infrastructure (JEDI) contract (Nickelsburg, 2019; U.S. Department of Defense, 2020), further demonstrates the belief by other governments that a centralised, cloud hosted capability meets security requirements and is the way forward.

In their 2011 article, Marston et al. (2011) document the benefits of cloud services for whole of government use, and even with the age of the article, whilst capabilities now exceed their original research, the underlying examples still hold true. Australia has an existing whole of government cloud hosted communications and collaboration platform in the GovTEAMS solution (Dennet, 2018). Thanks largely to COVID-19, Federal and State Governments realised the benefits of cloud hosting for GovTEAMS with the volume of registered users expanding from 30,000 in March 2020 to over 100,000 in September 2020 (Microsoft News Center, 2020). Enabling organisations to uplift security capabilities in minutes or hours, as opposed to the traditional weeks or months through use of cloud services, and rapidly adopt new technologies as they are released, adds further weight to the use of cloud for centralised security operations (Better Cloud, 2019).

Shared services experiences

Throughout the world, shared services have a history of trouble due to distrust, additional costs, complexity, and inconsistencies (Miskon et al., 2011). The commissioning of the Australian Government Security Vetting Agency (AGSVA) to provide centralised security vetting to government and private organisations (Department of Defence, 2020) illustrates the distrust and preference for silos held across government organisations. In a similar strategic objective as secure hubs, AGSVA was to standardise security vetting which would result in cost reductions, quality improvements, and ensure alignment with the Australian Government Protective Security Policy Framework (PSPF). Prior to AGSVA each department and agency conducted their own security vetting. The information collected by each organisation for vetting purposes is almost identical; however, the distrust in the capabilities of others within Australian Government has resulted in many departments and agencies continuing their own vetting in spite of the services available through AGSVA (Easton, 2018). Centralised cybersecurity will likely face similar challenges as each organisation argues their unique requirements.

Similarly, the Australian Cyber Security Centre (ACSC) is supposed to provide some centralised cybersecurity operations under requirements from the Australian Signals Directorate (ASD). The centre is also responsible for compliance with the Australian Government Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) through such initiatives as the Information Security Registered Assessors Program (IRAP), and expert recommendations to lead improvements across government. However, recent audit reports from the Australian National Audit Office (ANAO) show that government departments are not adhering to these centralised standards citing funding constraints, inability to maintain pace with technology changes, and prioritisation conflicts (Jenkins, 2020).

Skopik et al. (2016) emphasize that information sharing in government usually occurs via ad-hoc or informal mechanisms. Sharing of information should involve a planned process where organisations properly analyse data subsets to provide more realistic security classifications. Instead, our human nature is to treat information at a higher classification than required thereby creating an unintentional false sense of importance resulting in unnecessary costs. (Baur-Ahrens, 2017; Mallinder & Drabwell, 2013)

Conclusion

The reluctance by Australian Government organisations to leverage cloud services is based on outdated and now unfounded claims. The irrational belief is that on-premises cybersecurity services are superior to cloud or even centralised services. Implementing a centralised service gives others undesired control and reducing employment opportunities. Evidence from the research shows that Australia does not hold special information security requirements compared to other countries. Whilst each department and agency hold specific sensitive information that is on a need to know basis, the reluctance or inability to adopt SOAR and SASE technologies or share any information between departments prevents uplift of Australia’s cybersecurity capabilities.

The idiom ‘there is strength in numbers’ holds true in discussing centralising cybersecurity services. The more data points available to cybersecurity services and solutions, the stronger the capabilities to identify threats and detect attacks. Irrespective of whether the secure hubs take the form of a new or existing government body or third party, shared cloud services must form part of the solution. Australia’s lack of shared services adoption to date is largely down to the freedom each department and agency has had. For the DTA and DHA strategies to succeed, Australian Government leaders will need to enforce initiatives as opposed to the current state of leaving solutions as opt-in. As demonstrated by the research, failure for government organisations to adopt the newer services will dilute Australia’s chances at defending against increasing and future cyberattacks.

Lessons Learnt

In my twenty plus years consulting to government, the concerns and challenges from shared services provide little surprise; however, I did not expect the findings from the research to be so compelling for use of centralised cloud hosted cybersecurity services.

This project topic proved relevant to my employment and as a capstone subject, neatly joined many concepts from other subjects. The project highlighted several positive and negative lessons.

Scope

Neither the Australian Cyber Security Strategy nor research scope for this Paper provided a complete definitions or breakdown of cybersecurity functions to centralise. The project commenced with a narrow scope focusing on a specific technology as DHA had not released their Strategy; however, as work began on the first task combined with the release of DHA’s report, it became quickly apparent that the scope was too narrow to provide adequate research. Unfortunately, in rushing to deliver the first task, the scope became too broad requiring fine adjustments throughout each deliverable, which resulted in missing concepts and opportunities.

Better upfront identification and definition of project aims and exhibiting more control over excitement to include the latest information, would enable more focused research.

Identify themes

The literature review for this Paper involved considerable effort to identify suitable candidates. Use of grey literature, or older academic sources can provide valuable information as history so often repeats itself, just manifested slightly differently.

Identifying underlying themes for the research and therefore reviewing older literature early in the project, would enable access to more material with which to build stronger building blocks for newer concepts.