Repeated ransomware attacks that interrupted critical medical services may have suggested the Victorian Government’s cyber security needed fixing, but the sector didn’t even merit a mention as the state committed $50m to a four-year Victoria Cyber Strategy that speaks in broad terms about skills development, industry development, and securing e-government services.
The new plan, entitled Victoria’s Cyber Strategy 2021, is aligned around three core missions: the safe and reliable delivery of government services; making Victoria a cyber safe place to work, live and learn; and creating a “vibrant cyber economy”.
The first year of the strategy will focus on “strengthening security for government online services and communications”, Assistant Treasurer and Minister for Government Services Danny Pearson said in launching a new strategy designed to “give Victorians and local businesses confidence that online services and electronic messages from the Government are both safe and secure.”
The new funding will support the creation of a Security Operations Centre (SOC), which in partnership with managed security services provider IPSec will provide a single statewide centre to monitor and manage security issues across the state government’s services.
Replete with feel-good images, pointless animations, meaningless infographics and useless Venn diagrams, the strategy offers little in the way of actual detail apart from charging State Chief Information Security Officer (CISO) John O’Driscoll – who has helmed the state’s cyber security strategy since his appointment in late 2017 – with tracking and reporting annually on progress promoting its three core missions across all 1817 agencies and 322,050 people that comprise the Victorian Government.
Longer-term initiatives will focus on jobs growth and collaboration across government, industry, and the community – dovetailing with the $64m Digital Jobs Program launched in August to help 5,000 mid-career Victorians change careers and retrain in a range of digital industries including cyber security.
“Cyber security has never been more important to our economy,” Pearson said, noting that the new strategy “re-focuses on protecting Victoria’s data and government systems while growing jobs and supporting cyber businesses.”
Work already cut out for them
The complexity and vulnerability of Victorian government services have been demonstrated over and over again, with repeated audits ringing alarm bells even before the state suffered not one but two major hospital cyber attacks in recent years.
In March, Department of Health and Human Services (DHHS) security and IT specialists were scrambling to recover from a ransomware attack that was deemed to have been avoidable – and comes four years after a Victorian Auditor-General report concluded that DHHS had left key systems riddled with weaknesses and had not audited its disaster-recovery plans in the previous five years.
Those audits warned of “unacceptably high risk should a disruption occur” and overall poor resiliency planning across a range of agencies.
Just three of 24 audited systems at Victoria Police, for one, had disaster recovery plans in place and 79 per cent of the systems were obsolete – leaving sensitive records exposed because the agency had not “effectively managed the risk of system obsolescence”.
The new strategy offers little in the way of detail, speaking only of the CISO’s obligation to oversee the plan, the theory that “all Victorians share responsibility for improving their cyber resilience”, and the importance of delivery partnerships in managing the “interconnected nature of cyber risk”.
These partnerships will span corporates, industry associations, startups, not-for-profits and small and medium enterprises (SMEs), the strategy says, “to spread cyber security awareness, build expertise and encourage innovation.”
Knowledge sharing will factor heavily into the strategy, with the government promising to “improve knowledge sharing with industry and improve procurement practices to allow for faster engagement with industry for support”.