Federal agencies ordered to ‘stocktake’ technology assets

Monday 8 July 2024
Justin Hendry
InnovationAus

A stocktake of internet-facing systems will be carried out across the federal government over the next 12 months as part of a new directive designed to weed out vulnerable technologies and foreign interference risks.

New frameworks for public servants will also be introduced to plug supply chain and ownership risks in technology procurements to protect agencies from “unlawful activities”.

Home Affairs secretary Stephanie Foster signed off on the two mandatory directions for agencies on Friday, following advice from the secretary-level Protective Security Board set up last year.

The directions, which apply to non-corporate Commonwealth entities (NCEs), are the first to be issued by the government since it banned the use of TikTok on government-issued devices last year.

Other Chinese-made technologies have also been blacklisted in parts of the federal government over the past 18 months, including CCTV cameras from Hikvision and Dahua and DJI drones.

Defence and Home Affairs suspended their use of the cameras and drones last year after the United States Defense department took similar action, and promised an audit of other high-risk technology still in use. But other agencies were slower to react, leading Liberal senator and shadow cybersecurity minister James Paterson to call for a more proactive approach to assessing cybersecurity and other technology risks in government.

“We need to move beyond the whack-a-mole approach towards something more systemic and forward-leaning,” Senator Paterson told the Australian Cyber Security Connect Summit last year.

According to the new government-wide directions, agencies will be required to identify their technology assets across all “internet-facing systems or services” and report to Home Affairs by June 2025.

The stocktake is expected to capture key information on the manufacturer, supplier and provider of each internet-facing system or service, as well as the outsourced manager, where applicable.

Any hardware or software system that “stores, processes, transmits or transforms official or security classified information belonging to, or utilised by, the Australian government” is in scope.

For each of the assets identified, the agency is then required to develop a technology security risk management plan that outlines the controls that would be used to mitigate security vulnerabilities and Foreign Ownership, Control or Influence (FOCI) risks.

The Protective Security Board, which was set up in October to focus on strategic protective security issues and challenges facing government, said the direction was intended for agencies to “proactively” address cybersecurity risk.

“… There is a pressing need for Australian Government entities to harden their technology management practices, and to proactively seek out vulnerabilities that may be present on Australian Government networks,” the direction states.

Senator Paterson welcomed the long overdue directive, which he said will provide the government with visibility of technology risks across some 100 agencies.

“I’ve been calling on the government to take exactly this action for almost two years, since I first identified thousands of cameras, drones, solar inverters and software from high-risk vendors in audits of the federal government,” he told InnovationAus.com.

“This will finally give Home Affairs a central database of technology risks from authoritarian countries like China, and force other agencies to be up front about their exposure. Better late than never.”

The board has also sought to address FOCI risks in technology procurement, which it said was an “equally pressing need” and necessary to “protect the Australian Government for unlawful activities”.

All agencies are expected to conduct an assessment of potential FOCI risks during the procurement of technology assets, identify and manage those risks depending on the risk environment, and monitor contracts regularly to ensure risks don’t materialise.

Both PSPF changes come into effect as the government unveils a new Technology Foreign Interference Taskforce (TechFIT), which is modelled on the University Foreign Interference Taskforce. The taskforce has been established to protect the tech sector from espionage, foreign interference and sabotage in response to concerns about potential backdoors for surveillance and disruption.
