David Braue
Editor at Large

Cybersecurity lies at the heart of Australia’s updated Digital Government Strategy

Dec 12, 2021 · 4 mins
Government IT, IT Governance Frameworks, Security

Standards, policies, and new Cyber Hubs lead the rush to be fully digital by 2025


The Australian government has defined a standardised secure Microsoft 365 desktop and a common framework for trusted digital identity as it lays down whole-of-government security standards as part of a major update of the Digital Government Strategy (DGS).

Building on the government’s steadily increasing focus on critical infrastructure protection, the newly updated DGS commits the country to becoming one of the world’s top three digital governments by 2025, and a “world-leading digital economy and society by 2030”.

The strategy includes myriad initiatives designed to kick-start agencies’ digital transformations, providing top-down guidance intended to bring consistency and best-known methods to the many dozens of agencies that have struggled to keep up with transformation leaders like Services Australia, the Australian Taxation Office (ATO), and Home Affairs.

Reflecting the government’s renewed focus on secure digital services, peak body the Digital Transformation Agency (DTA) has been relocated into the Department of Prime Minister and Cabinet—contributing to what Stuart Robert, Minister for Employment, Workforce, Skills and Family Business, called a “laser-like focus” to ensure that all government departments and agencies are “pulling in the same direction”.

Among the newly announced initiatives is the creation of a Whole of Government Digital and ICT Oversight Framework, through which the DTA will provide strategic planning, prioritisation, contestability and delivery assurance for all digital and ICT investments across the government.

Wholistic thinking

Also new to the government’s IT toolbox is the Whole of Government Architecture (WGA), a framework designed to help government bodies “deliver frictionless, joined-up services to Australians, make better use of digital investment, improve efficiency, and invest in strategic capabilities such as emerging technology.”

Among the WGA’s elements is the Protected Utility Blueprint—a design for a “secure, modern desktop for government agencies based on Microsoft 365”—and the Trusted Digital Identity Framework (TDIF) for identity-based government services.

The WGA also subsumes whole-of-economy and whole-of-government strategies (such as the Digital Economy Strategy, Cyber Security Strategy, and APS Reform agenda) and includes a range of formal policies in areas such as digital and ICT reuse, digital sourcing, protective security frameworks, secure cloud, hosting, and the Digital Service Standard.

The government’s decision to tighten the screws on its many agencies (critical to meet Robert’s stated goal of moving all government services online by 2025) is “an important challenge and opportunity to government agencies,” Simon Bush, general manager of policy and advisory with the Australian Information Industry Association (AIIA), said as the changes were announced.

The “incredibly pleasing” target “is achievable and will have significant benefits for all end-users,” Bush said, noting that “digital technology can deliver benefits to both service delivery and cost reduction.”

“It is a massive opportunity that our country needs to grasp.”

Yet simply targeting massive transformation won’t be enough on its own, with a fully digitised government also needing to have a fully mature cybersecurity architecture to support it.

Cybersecurity everywhere

To this end, the existing Hardening Government IT (HGIT) Initiative will soon drive the creation of a network of government-sanctioned Cyber Hubs, which will sprinkle cybersecurity centres of excellence and monitoring, detection, and response (MDR) capabilities throughout key government agencies.

DTA will this week begin engaging with potential contractors for the hubs, which will ultimately provide cybersecurity support for 42 core government services supported by what will initially include the Department of Home Affairs, Department of Defence, and Services Australia.

Yet for all its ambition, not everybody was convinced that the government can execute a completely secure digital transformation in just four years by flooding agencies with policies and procedures.

The Cyber Hubs are “a positive move towards accelerating [government] digital transformation initiatives, but departments and agencies cannot deliver improved digital services when they are still using legacy network and security architecture,” said Budd Ilic, Zscaler’s regional director for government, who called out the continued mandatory use of a “centralised legacy castle and moat security architecture” built around certified Secure Internet Gateways (SIGs).

“The notion of using centralised network security when users and applications are distributed is no longer viable in a digital world. A new model of networking and security that matches the requirement of the digital enterprise [Secure Access Service Edge, or SASE] is needed,” said Ilic.

“The Cyber Hubs will encourage agencies to transform their network and security by adopting emerging cyber security technologies and capabilities — in particular, cloud cybersecurity platforms that are based on SASE.”