Evolving Capabilities through Collaboration, Technology and Risk Awareness

By Public Sector Network | May 30, 2022


Department of Parliamentary Services and Public Sector Network recently collaborated to deliver the Cyber Security & Risk Management ANZ Q2 National Insights on 19 May 2022.

After the event, we had the opportunity to sit down with Directors Nadia Taggart and Chris Leeming to hear their views on sophisticated cyber attacks and how organisations can protect themselves.

Protection against Sophisticated Cyber-Attacks

One of the side benefits of the pandemic has been the realisation that people need to better protect themselves against threats, both medical and otherwise. In a practical sense, this means that people now wash their hands more than they ever did and also equip themselves with knowledge about how to extend that protection in other ways. For instance, when many people started to work from home, knowledge about cyber-security greatly increased and protections that may have previously been overlooked were suddenly implemented. But as the fortifications became more impenetrable, the threats and the attacks became a lot more sophisticated too. Nadia Taggart, the Director of Cyber Security Operations at the federal Department of Parliamentary Services, says that “our focus is not on the run-of-the-mill incident responses” – which are clearly still important – “but on protecting your organisation from sophisticated, tier one cyber-attacks,” the kinds that are described in reports and newspapers as being ‘significant’ and ‘extremely damaging’.

The Department of Parliamentary Services (DPS) is particularly interested in this because it is the department that is responsible for looking after everything at Parliament House in Canberra, including “the House of Representatives, the Senate, the Parliamentary Budget Office, each individual parliamentarian, and their electoral offices.” As such, it is an “exciting” department that works with “a complexity of ICT and a diversity of stakeholders.” Yet, like every department, it has constrained resources, so protection against sophisticated attacks needs to be undertaken in the context of “considerations for prioritising work efforts, evidence-based and intelligence-informed risk assessments, and bringing the entire business into incident response exercises and planning.”

Chris Leeming, the Director of Governance Risk and Assurance at DPS, says that to really be able to respond to a sophisticated incident, the organisation or department “must prioritise getting in on the ground floor.” This is both in terms of “responding to an incident,” but also in terms of “planning and being prepared.” Part of that preparation is about having the right governance in the first place, “because that really sets that foundation.” Sometimes governance may seem to be esoteric or overly procedural, but in reality it is about “having the right policies in place based on legislation, as well as frameworks and strategies. It sets really clear reporting lines and documents the roles and responsibilities that are really important in emergency situations. And it helps us manage and identify risks in a robust way.” Ultimately it is the Cyber Security Operations Centre (CSOC) team that is responsible for the “technical response to an incident,” but without the appropriate governance in place, they can’t fulfil their duties. This is particularly concerning when some estimates suggest that “only 10% of boards and senior executives are extremely confident that they can effectively manage and protect their organisations from attack.” Ideally, “if we do our job properly from a governance perspective, then that number should be a lot higher.”

Practical Tools for Preparation and Response

Chris Leeming says that at DPS, one way of ensuring appropriate governance is through the implementation of a “certification and accreditation scheme” specifically designed to “conduct and monitor risk assessments.” In simple terms, all of the “IT infrastructure” has been grouped into “broad architectural areas that we are calling accreditation boundaries.” They are grouped by people or users, applications or capabilities and by physical attributes. So for instance, a parliamentarian may need to be trained or accredited in protected services in their electoral office. “What that means for us effectively is for these accreditation boundaries, we have one assessment,” and that any new service or system – which is implemented often – “will naturally fit into one of these accreditation boundaries.” This makes it much easier to look at or monitor the risk. “Each time we ask, ‘does it change the risk of an accreditation boundary or not?’” If it does, then a re-accreditation needs to occur, and if it doesn’t then a simple update of documents will suffice.

“Using accreditation boundaries in a resource-constrained environment allows us to conduct more risk assessments in a much quicker way, which in turn means we can respond quicker as well.”

Chris Leeming, Director, Governance Risk and Assurance,
Department of Parliamentary Services

Nadia Taggart says that within the CSOC, they like to use the PICERL incident response framework [1], which breaks down the response “into six meaningful steps” of preparation, identification, containment, eradication, recovery and lessons learned, making them “immediately understood.” All six elements are important and should be part of “business-as-usual (BAU) practices,” but for “critical and catastrophic incidents,” the focus specifically is on preparation and lessons learned, which are the two elements “that every stakeholder in your organisation should be involved with in one way or another.” The reason for this is that for all incidents, but particularly for large-scale and sophisticated ones, “I don’t think it’s always understood how much of the business is required to pull together and step out of their BAU processes.”

“If you’re going to withstand and recover from a large-scale attack, it requires a whole-of-organisation response, and particularly in terms of preparation.”

Nadia Taggart, Director, Cyber Security Operations,
Department of Parliamentary Services

Preparation means “embedding your requirements and capabilities throughout the ICT lifecycle.” However, IT and cyber-security professionals in particular see things a certain way, so it means “communicating in a way that they understand.” A good analogy for this is on the soccer field. The goalie is the “last line of defence, or the CSOC,” but it is up to all the other players to manoeuvre the ball away from the goal line and to “understand where it is at all times and where it is headed.”

The CSOC team is good at “switching things on and delivering ICT quite rapidly, which works well until it doesn’t.” The governance, the decision-making and the mitigation of risks up until that point largely determines how the CSOC team will or can respond to an incident. This is built on “trust and relationships.” If the “first engagement with the CSOC team is just before or during an attack, then something has gone seriously wrong.” But it is not only about preparation. “When we recruit new staff, we always ask them about the lessons they learnt from any previous attacks.” The reporting lines and decision-making capabilities need to be clear, so if there is even a hint of an incident, “decisions should be made in seconds or minutes.”

For the most part, having good cyber-security is good business practice and “should be a business enabler,” which should go some way towards “maintaining business continuity.” Therefore, “we strongly believe in security-by-design,” where “security and business impact assessments” are baked in from the outset. Chris Leeming reiterates that this is “why governance is so important,” but also says it has to be practical. “Testing and planning” always need to be on the agenda of every team.

Featured Speakers:

  • Nadia Taggart, Director, Cyber Security Operations, Department of Parliamentary Services
  • Chris Leeming, Director, Governance Risk and Assurance, Department of Parliamentary Services