The federal government has set an ambitious target to have a “zero trust culture” embedded across the Australian public service by 2030.
In its revised cyber security strategy [pdf], released Wednesday, the government also said it would expand the remit of the national cyber security coordinator to lead a whole-of-government cyber security uplift, in addition to their better-known responsibilities in incident response.
The strategy makes clear that while the government has been busy imposing elevated cyber security requirements on industry, its own standards have not kept pace.
“The Australian government needs to hold itself to the same standard it imposes on industry,” the strategy states.
Its commitment to build a “zero trust culture” across the Australian public service (APS) has little detail attached to it but suggests uplifts in identity verification and privileged access management may be on the cards.
Work on this is expected to start sometime in the next two years; it would need to be bedded down by 2030 to meet the end date of the strategy.
The government said in an action plan [pdf] that it wanted “a whole-of-government zero trust culture to protect government data and digital estate.”
“Government will implement defined controls across our networks that draw from internationally-recognised approaches to zero trust,” it wrote.
“This builds on the best-practice principles established within ASD’s Essential Eight strategies to mitigate cyber security incidents.”
Meanwhile, the “whole-of-government cyber security uplift” to be led by the national cyber security coordinator – currently Hamish Hansford – will cover “the implementation and reporting of cyber maturity across Commonwealth departments and agencies.”
The coordinator is simultaneously being asked to drive a similar uplift in cyber maturity at state, territory and local government levels.
This is particularly ambitious given the layers between the coordinator and councils; even state-based agencies with local government remits have had a hard time effecting change at the council level.
However, the federal government wants to address all potential weaknesses in cyber security posture across the public sector.
“As part of their core functions, Commonwealth, state, territory and local governments all provide essential services to our society. They form a critical part of our nation’s digital infrastructure,” the strategy notes.
Also on the table for federal government is an “internal cyber security program and assurance function” to support government entities “uplifting their maturity against the Essential Eight” security controls.
As reported by iTnews, more federal entities have achieved maturity in the past year, but the percentage is still relatively low overall.
The government promised more maturity reviews of agencies.
It will also designate “‘systems of government significance’ that need to be protected with higher security standards” – a requirement currently on industry but not on government itself.
There is also an intent to uplift the cyber skills of the APS, though no more detail on this was provided.