In a recent article, Alastair MacGibbon was quoted as saying that “a potentially cataclysmic cyber security failure is the greatest existential threat we face as a society today”. Obviously, no one wants this to happen. However, we live in a world where we are rapidly connecting everything to the internet - including ourselves - and as a result the complexity has become unimaginable. This means we can’t assume we will prevent 100 per cent of all potential incidents - just as we haven’t been able to prevent all deaths on our roads (at least not yet).
One of the main things we have been working on this year is our whole-of-government (WoG) cyber security incident response plans. We held three WoG exercises to test our plans and measure how well we respond and bounce back from incidents (our resilience). These exercises involve a sequence of fictitious events where we monitor how people respond, testing their effectiveness. We learnt a lot from these exercises and our plans have improved in the process. We are also working closely with the Commonwealth Government and other States and Territories to make sure that our response efforts are aligned nationally.
I’d like to talk specifically about the way we are approaching the development of our NSW cyber incident response plans: that is, the principles that underpin our response arrangements. These principles are important because they set the scene for how we engage across the NSW Government as well as with the Commonwealth Government, other States or Territories, private sector organisations and, most importantly, the people of NSW.
The following are our cyber incident response principles:
EMPOWER: Aim to empower target organisations (i.e. government agencies or departments impacted by a cyber threat) as much as possible. They are our front line and are working on the ground, closest to the incident. They need to be empowered to be able to respond rapidly.
ONE VOICE: The GCISO (Government Chief Information Security Officer) is the single point of contact for NSW in liaising with other states and the Commonwealth, ensuring consistency, accuracy and reliability of information and effective and transparent decision-making.
TIMELY: Promote time-critical notification of impending or emerging activity to reduce harm. Initial notification should not wait for a complete picture; more complete and accurate information will be provided subsequently.
UNDERSTAND: An accurate assessment of the cyber risks facing NSW relies on complete information. A mandatory reporting regime, including the more prosaic "business as usual" cyber events, is critical to understanding the risk picture. This results in improved situational awareness.
COORDINATE: The GCISO is principally responsible for coordination across multiple stakeholders (agencies and departments, local councils, other jurisdictions, the Commonwealth and the private sector), managing the flow of information. This results in clear and rapid prioritisation of response efforts.
SUPPORT: The GCISO can help harness and mobilise support during incident response. This includes specialist skills, situational awareness, past experiences and what is proving successful for others (fast tracking response outcomes).
CONTINUOUS: Our assessment of risk will evolve as additional information comes to light. A culture of continuous re-assessment must be embraced to optimise response efforts and to reclassify severity or other context as our insight into the risk evolves.
SHARE: Share our understanding, our situational awareness and our experience. An integrated network of engaged, aware and capable professionals will form the core of our resilient network. A strong sense of shared responsibility drives everything we do.
I hope this is useful for others whom we engage with on managing such incidents. For more information, email cybersecurity@finance.nsw.gov.au.