Government can’t afford delays with Zero Trust strategy

By Antoine Le Tard

March 27, 2024

[Image: Australian parliament house] The Cyber Security Strategy targets a “Zero Trust culture” embedded across the APS by 2030. It needs to happen ASAP. (baspley/Adobe)

Late last year, the federal government’s updated Cyber Security Strategy marked a pivotal moment in the nation’s cybersecurity journey.

While the strategy included several measures to help protect Australian consumers and organisations — including campaigns attracting skilled migrants in a bid to address the local talent shortage and increasing intelligence sharing with international partners — the most important in terms of improving the federal public sector’s cyber resilience was setting a target to have a “Zero Trust culture” embedded across the Australian Public Service by 2030.

For those unfamiliar with Zero Trust architecture, it is an approach to cybersecurity that assumes breaches are inevitable. Rather than focusing entirely on preventing cyberattacks (prevention still matters), far more emphasis is placed on minimising the impact of a successful attack.

Central to this approach is eliminating any implicit trust within a network. Approved users and public service personnel are allowed access to only the absolute minimum required for their roles.

The approach dramatically minimises the impact of any compromised user credential, as an attacker would only be able to gain access to a limited portion of the network.

Another way to visualise Zero Trust is to think about the family home. After you’ve locked your front gate, do you consider the job done and leave the front door ajar and windows open?

Before Zero Trust architecture, the standard cybersecurity strategy was to place all one’s faith in the front gate. Once beyond the perimeter, everything inside was easily accessible. This new approach also locks the front door and the windows and ensures the ‘crown jewels’ — personal information, banking details, and other sensitive data — are locked within a safe.

Yes, breaches will still occur, but the damage will be significantly lower.

As more critical government services shift to online platforms, ensuring personal data security — and the platforms’ resilience — has never been more critical.

Ransomware is the most prevalent cyberattack and one that the Australian Cyber Security Centre describes as the ‘most destructive’.

To put things in perspective, a successful ransomware attack against an online government service like MyGov, Centrelink, or Medicare could have several dire consequences. First, the personal information of thousands, if not millions, of Australians could be stolen and then used for identity fraud — such as taking out loans or credit cards.

The second is that the services could go offline indefinitely as the key data that informs them would be encrypted until a ransom demand is met.

Zero Trust helps to protect against these consequences. First, very few — if any — public service accounts should have access to the entire user information database on a platform like Centrelink. While an attacker might succeed in compromising an administrator’s account, they’d find it near impossible to escalate privileges to a point where the entire user base was available.

In protecting against the platform being taken down, just as few accounts — if not fewer — would have access to backup data.

Recent ransomware attacks against organisations have shown a marked increase in attackers targeting backup data in their campaigns. Immutable backups allow the victim to recover operations from a point in time before the compromise — without having to pay a ransom.

Recent research found that 98% of the Australian organisations that experienced a cyberattack in 2022 saw hackers attempt to compromise their backup data. In 87% of those cases, they were at least partially successful.

With few, if any, user accounts given privileges that allow access to backup data, it is much harder to compromise this critical last line of defence. Further, a true Zero Trust architecture would ensure that backups are ‘air-gapped’ from the rest of the network.
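As an added illustration (not from the article or any government system), the following Python models the two controls the piece describes: deny-by-default, role-scoped access in which no role can read the whole citizen database, and a write-once backup store that refuses deletion even to the backup operator. All role names, records and users are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample: a citizen-records service with a separate backup store.
RECORDS = {"r1": "citizen A", "r2": "citizen B", "r3": "citizen C"}

# Least-privilege entitlements, deny by default: each role lists only the
# operations it needs. No role may read every record or delete a backup.
ENTITLEMENTS = {
    "case_officer": {"records:read_assigned"},
    "platform_admin": {"service:restart", "records:read_assigned"},
    "backup_operator": {"backup:write", "backup:restore"},
}

@dataclass
class Session:
    user: str
    role: str
    assigned: set = field(default_factory=set)  # record ids this user works on

def allowed(session, action):
    # Deny by default; the role must explicitly carry the action.
    return action in ENTITLEMENTS.get(session.role, set())

def read_record(session, record_id):
    if not allowed(session, "records:read_assigned") or record_id not in session.assigned:
        raise PermissionError(f"{session.user} may not read {record_id}")
    return RECORDS[record_id]

def dump_all_records(session):
    # No role carries "records:read_all", so a stolen credential of any
    # role (administrator included) cannot bulk-exfiltrate the database.
    if not allowed(session, "records:read_all"):
        raise PermissionError(f"{session.user} may not dump the database")
    return dict(RECORDS)

class ImmutableBackupStore:
    """Write-once snapshots: no session, of any role, can alter or delete one."""
    def __init__(self):
        self._snapshots = []
    def write(self, session, snapshot):
        if not allowed(session, "backup:write"):
            raise PermissionError(f"{session.user} may not write backups")
        self._snapshots.append(dict(snapshot))  # copy, so later edits cannot reach it
        return len(self._snapshots) - 1
    def restore(self, session, index):
        if not allowed(session, "backup:restore"):
            raise PermissionError(f"{session.user} may not restore backups")
        return dict(self._snapshots[index])
    def delete(self, session, index):
        # No entitlement exists for this; deletion of a backup is refused outright.
        raise PermissionError("backups are immutable")
```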

That’s why the government’s 2030 commitment to adopt a Zero Trust approach is the right step, but the momentum needs to be accelerated. Zero Trust and cyber resilience need to be a priority, with any bureaucratic obstacles cleared so it can happen as soon as possible.

Take the example of the US Federal Public Service: its whole-of-government push to implement a Zero Trust architecture was made in 2021.

In that regard, we’re already behind. Anything we can do to catch up, particularly as geopolitical tensions increase, should be done.

