2020 was a year of great resilience and adaptability. For most of us, Covid-19 dramatically changed the way we live and work; in NSW, and around the world. With the rise of a remote workforce, cyber criminals took this opportunity to capitalise on the changing global environment and focus attacks that targeted this changing environment.
The cyber threat landscape is constantly evolving, and we must constantly monitor this changing landscape and quickly adapt and respond. Over this past year, we’ve seen a considerable increase in security awareness and building of capability. Cyber security is not a ‘set and forget’ and we must continue to strive to maintain and improve our capabilities to prepare for a more digitised future and a changing threat landscape.
At the start of the COVID-19 pandemic, we saw a massive shift in phishing scams. Several Australian organisations were impacted by attacks throughout the year and are continuing to occur. These attacks will continue to become more sophisticated.
In the last year, the emerging threat landscape has been driven by four factors: the types of threat actors or adversaries, the changing business environment, the changing technology landscape and our regulatory requirements.
Using insights from our intelligence and response team, we discovered a number of key threat actor groups targeting NSW Government.
It has been widely reported that NSW Government’s maturity is low. We are not alone in this; even the Commonwealth Government has reported low maturity. In 2020, Cyber Security NSW worked towards uplifting this maturity in partnership with all NSW Government agencies. NSW Government has now allocated $240 million to uplifting cyber security across NSW Government.
Our vision for NSW is to become a world leader in cyber security. To achieve our vision, we need to ensure that our cyber security capabilities adapt to the evolving cyber security threat landscape and focus on building the right foundations now.
2020 Key Activities
- Bathurst Vulnerability Management Centre
- Intelligence and Incident Response
- Infrastructure Security
- Cyber Security Strategy
- NSW Cyber Security Policy
- Cyber Security Purchasing Arrangements
- Cyber Security Circular
- Enhanced Critical Infrastructure Security Framework
- Standards Harmonisation
- Involvement in National Cyber Security Committee (NCSC) and Operations and Policy subgroups
- Briefings to Audit and Risk Committees, Parliamentary Hearing and industry forums
- DMARC
- Cyber security exercises
- Training, building community, capability uplift
- Intermedium Government Cyber Security Readiness Report
Bathurst Vulnerability Management Centre
The NSW Vulnerability Management Centre (VMC) was launched in June 2020 and is delivering a vital, sector-wide vulnerability scanning and monitoring of government systems. It is critical to ensuring enhanced monitoring of government systems, as well as early identification and remediation of known vulnerabilities.
Since June, the VMC in conjunction with the Infrastructure Security team have provided vulnerability scanning and website testing services to nine agencies and 18 councils.
Intelligence and Incident Response
This year has proved challenging from a cyber security perspective, with significant changes in how we work, evolving cyber security threats on multiple fronts and forming a united response across all levels of government. With increased capability, the team has coordinated whole-of-government responses to the increasing number and severity of cyber threats and incidents impacting local, state and federal governments.
We disseminated over 200 products in 2020 including briefs, advisories, alerts and summaries across various levels of NSW Government and local councils. As we continue to grow in 2021, our focus will continue to ensure that all NSW departments, agencies and councils have the information they need to prevent, detect and respond to cyber incidents.
Infrastructure Security
To compliment the NSW Vulnerability Management Centre, we established a Health Check team whose remit includes taking vulnerability information to agencies and councils and help them reduce their cyber risk profile.
Through these activities we have engaged directly with 46 agencies and 19 councils discussing cyber security vulnerabilities.
We purchased and deployed UpGuard to provide agencies with insights into internet-facing cyber risks. Thirty-nine (39) agencies have been onboarded to UpGuard with a total of 215 NSW Government employees using the service. This capability has been extended to councils. To date, 19 councils have been provided UpGuard reports detailing internet-facing vulnerabilities. UpGuard also enables agencies to assess the cyber risk associated with vendors and proactively identify potential data breaches. This is a critical tool in improving cyber maturity for NSW Government.
Cyber Security Strategy
The NSW Government announced the development of a comprehensive, sector-wide cyber security strategy this year. The 2021 NSW Cyber Security Strategy will replace the NSW Cyber Security Strategy and the NSW Cyber Security Industry Development Strategy combining both into one overarching cyber security strategy for NSW. The strategy will aim to outline the key strategic objectives, guiding principles and high-level focus areas that the NSW Government will use to align existing and future programs of work.
Approximately 90 strategy submissions were provided by industry partners and cyber security experts. In conjunction with the Australian Strategic Policy Institute (ASPI), we facilitated several focus group meetings with the NSW Government and experts that provided submissions to review common themes among submissions. The Strategy is currently under development and is set to be released in 2021.
NSW Cyber Security Policy
The Cyber Security Policy has been in force since February 2019 and for the second year NSW Government departments and Public Service agencies reported their maturity against the Cyber Security Policy Mandatory 25 Requirements and Australian Cyber Security Centre’s (ACSC) Essential 8 mitigating controls. With each year of reporting, we gain a clearer understanding of the cyber security strengths and weaknesses across NSW Government. For the 2020 reporting period, all NSW Government departments reported, and we received 105 individual reports from a total of 140 agencies in NSW Government – an increase of 43 individual reports compared with the 2019 reporting period.
Cyber Security Purchasing Arrangements
In 2020, Cyber Security NSW has been working closely with the ICT and Digital Sourcing branch within Department of Customer Service to develop whole-of-government Cyber Security Purchasing Arrangements. This work aims to streamline government procurement of cyber security products and services, including making it easier for agencies to identify appropriate suppliers with relevant skills and expertise and facilitate cyber security uplift for NSW government agencies.
A major milestone was reached with the release of Expressions of Interest (EOI) for the Cyber Security Purchasing Arrangements on 19 October. There has been considerable interest in this initiative, with over 200 people from 125 companies attending an EOI briefing in late October and over 100 companies eventually submitting an EOI. The Cyber Security Purchasing Arrangements for an initial set of six professional services will be established and ready for use by all eligible buyers in Quarter 1 of 2021, following a second round of EOIs for professional and cloud services.
Cyber Security Circular
The Circular Cyber Security NSW directive – Cyber Security Hygiene and Practice Requirements (the Circular) went live on 16 October 2020. The Circular mandates responsibilities for all employees and outlines specific responsibilities for executives, departments and agencies. In addition, the Circular mandates compulsory annual cyber security training for all NSW public servants (including contractors).
DCS-2020-05 Cyber Security NSW directive – Practice Requirements for NSW Government
Enhanced Critical Infrastructure Security Framework
From August to December, Cyber Security NSW provided input into the Federal Government’s review of the Security of Critical Infrastructure Act 2018 (SOCI Act).
This work included the Policy team coordinating cyber security input for the NSW submission on the SOCI Act reforms (Protecting Critical Infrastructure and Systems of National Significance - Consultation Paper), participation in related State and Territory working groups, and close collaboration with the NSW Department of Premier and Cabinet (DPC).
As a result of this work, the amended Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced into Parliament on 11 December 2020. We will continue to work closely with DPC and other departments and agencies as the related rules and regulations are developed by the Department of Home Affairs in 2021.
Standards Harmonisation
Cyber Security NSW advised and participated in the NSW Standards Harmonisation Taskforce throughout 2020. The ‘Taskforce’ consisted of Standards Australia, AustCyber, NSW Treasury and representatives from across several sectors and met with the objective to improve market access, effect structural change and align business practices with regards to standards. The Taskforce had over 90 participants in attendance over the course of the workshops and meetings, providing expert knowledge and experience to the discussions. Recommendations developed by the Taskforce are being considered by NSW Government.
Involvement in National Cyber Security Committee (NCSC) and Operations and Policy subgroups
Cyber Security NSW continued to represent NSW in the National Cyber Security Committee (NCSC) and its Operational and Policy Sub-Committees in 2020, promoting NSW initiatives and ensuring close collaboration with other States and Territories. Cyber Security NSW chairs the NCSC Policy Sub-Committee and has played a prominent role in reviewing and updating the Cyber Incident Management Arrangements (CIMA). In 2021, the Policy Sub-committee will be exploring whole-of-Australian cyber security procurement reform, leveraging the great work undertaken in NSW on the Cyber Security Purchasing Arrangements. The Operations Sub-Committee met routinely through the year to collaborate on a nation-wide level in response to the evolving cyber threat landscape.
Briefings to Audit and Risk Committees, Parliamentary Hearing and industry forums
Cyber Security NSW continued to regularly brief departments and agency Risk and Audit Committees – an important means of raising awareness of cyber security reporting and incident response requirements. Cyber Security NSW represented NSW at Parliamentary hearings, including the Public Accounts Committee Examination of the Auditor-Generals Performance Audit Reports February 2018 – July 2018, and also briefed many industry forums throughout the year. This year saw a dramatic increase in demand from a broad range of entities and industries requesting more information from Cyber Security NSW on its capabilities and functions.
DMARC
2020 has been an unprecedented year for cyber risks and the DMARC project has strengthened one of the NSW Governments first line of cyber defences. Since commencing the DMARC project in 2019 we have installed DMARC fraud defence on over 2,200 Government email sending domains, across all departments.
The project’s objective was to increase NSW Government security posture by implementing the DMARC protocol on domains, reducing the risk of Government misrepresentation by criminals. This project was completed in 20 months in partnership with Proofpoint.
This project with the assistance of specialist technical subject matter experts from Proofpoint, also delivered this security enhancement to multiple third-party email senders (O365, Mailchimp, Sendgrid, Qvalent & more).
The project will be finalised in December 2020, after 20 months of sustained effort by everybody involved it will become part of normal business for NSW Government agencies.
Cyber security exercises
Cyber Security NSW hosted an exercise for a NSW Government agency in June to test their new Incident Response Plan. Planning has commenced for the next whole-of-government (WoG) exercise, to be held in April 2021. This will follow the inaugural WoG exercise held in September 2018 and the postponement of the planned exercise in 2020 due to the COVID-19 pandemic.
Training, building community, capability uplift
On 16 October 2020, cyber security training and daily cyber security hygiene practices were mandated for all NSW Government staff.
With our new funding, we have embarked on a sector-wide cyber security awareness program to uplift understanding of cyber security. We have trained thousands of staff across the sector with this only increasing as more resources are on-boarded.
We have also begun to provide services to local councils to assist in the cyber security uplift. This includes creating e-learning modules for councils/agencies to implement in their own learning management systems.
Several new cyber security awareness flyers and materials have been developed this year, with motion to publish these on digital.nsw.gov.au for easy access across State and Local Government.
We co-facilitated the NSW Government Capture the Flag (CTF) competition in December 2020 along with TahSec (NSW Government Hacking Team) and the NSW Department of Communities and Justice. Staff from across NSW Government, local Councils and the Australian Federal Police (AFP) spent the day completing cyber security challenges focused on real world examples.
Intermedium Government Cyber Security Readiness Report
The NSW Government received the highest score (9.3) among any state or territory in the 2020 Government Cyber Security Readiness report with only the Federal Government receiving a higher score of 9.6. The report assesses jurisdictions against the following categories:
- Strategy
- Governance
- Policy, Standards & Frameworks
- Compliance Management
- Capabilities
- Collaboration
The full report can be accessed here: https://www.intermedium.com.au/government-cyber-security-readiness-indicator-2020
Acknowledgments
In May 2019, the NSW Government Chief Information and Digital Officer and Deputy Secretary Digital.nsw, Greg Wells, announced the establishment of Cyber Security NSW to more accurately reflect the leadership and coordination role required to uplift cyber security and decision-making across NSW Government.
Key pillars of our renewed focus included enhancing whole-of-government cyber security capabilities and standards and boosting cyber incident response coordination through a revitalised Cyber Security Senior Officers’ Group (CSSOG), chaired by the Secretary of the Department of Customer Service. Re-positioning of the CSSOG provided, for the first time, a direct reporting line to the Secretaries Board. The support of the Executive in 2020 ensured cyber security was clearly on the agenda.
Cyber is a shared responsibility, as is our collective response. One objective of establishing Cyber Security NSW was to empower all team members to utilise and share their expertise, skills and experience. I’d like to offer my sincere thanks to the team for their many achievements throughout 2020. A special mention also to each member of our governance groups, particularly Chief Information Security Officers (CISOs) who form the Cyber Security Steering Group (CSSG) for demonstrating commitment, resilience, responsiveness, and a genuine willingness to collaborate.