The leadership and systems for the Federal Government’s
Australian Cyber Security Centre (ACSC) are yet to be firmed up, according to the
most recent public evidence provided to Senate Estimates hearings, in February.
While the Government remains committed to creating a cyber
security coordination hub by the end of the year, its proposal to co-locate
staff from a number of top defence, security and legal agencies rather than
create a new integrated group intrigued Senators from both Government and
Opposition ranks.
When it was first announced back on 22 Jan, Prime Minister Julia
Gillard said the Government had committed $1.46 billion until 2020 to bolster
the security of Australia’s “most sensitive networks”, and a cyber security
office within the Prime Minister and Cabinet (PM&C).
In practice, no “new funding” will support the strategy,
PM&C’s National Security Adviser, Dr Margot McCarthy, revealed at the
Estimates Hearings. Any additional effort would be rolled out “within current
resources”. In “fiscally constrained times” national security agencies were
given a set of directions about national security objectives and the areas in
relation to which additional effort needs to be made within current resources, McCarthy
said.
She identified the ACSC as a good example of one such
initiative. There would be no new funding associated with this strategy.
The new centre will build on the cybersecurity operations
centre in DSD. Initially about five per cent of the people working in that
centre would come from other agencies, and this would be achieved from within
current agency resources, she added.
Who runs the ACSC?
Also tantalisingly unclear was which agency would be
responsible for the ACSC. While the new cyber security group would be
co-located, its members would be directly accountable to the heads of agencies
from which they came. A senior officer would be in charge. But that official
would be accountable under the Public Service Act “to their own Department,”
McCarthy said.
“How do you make sure that each of these characters is not
just looking after their own patch but is instead acting in a
whole-of-government way?” Liberal Senator Arthur Sinodinos asked.
McCarthy responded that “bringing those people together”
will help ensure that they work in a whole-of-government way. She added it
would be oversighted by a committee or “a board of secretaries”. The
encroaching fog of bureaucratic organisation proved too much for some of the
senators.
“Who takes ultimate responsibility? It sounds a bit like a
greasy pig that nobody will be able to grab hold of because it can escape in
all directions. Who ultimately is responsible?” demanded Senator Eric Abetz.
McCarthy said the agencies would come together in the ACSC
with a mandate and separate legislation. The first “iteration” of the Centre
will see an officer from Defence in charge of the Centre, she said. But the
people working in the centre will “ultimately” report back to their own
departments, Linda Geddes, PM&C’s Acting First Assistant Secretary, Cyber
Policy and Homeland Security Division, said.
“This is sounding like a camel,” Senator Abetz said.
So will the ACSC be a standalone agency? wondered Senator
Faulkner.
“There must be a responsible minister. Who will that
responsible minister be?”
The Acting Deputy National Security Adviser, Sachi Wimmer,
weighed in by noting that currently the DSD was responsible for Defence’s
government network. They will remain so, through the Defence minister.
On the industry side, the Attorney-General was responsible
for that through CERT Australia, which is the Computer Emergency Response Team,
she added.
“Those chains of command will remain, so those ministers
will be responsible for the incidents and the cyber situations that we deal
with via industry or government.”
But which portfolio or agency will provide administrative or
other support? Faulkner asked.
McCarthy said those arrangements were still being worked out. An
inquiry from ADM to PM&C failed to clarify its current status at the time
of going to press.
Though it will be mainly staffed from within Defence,
McCarthy said the work of the centre would be broader than
just government policy issues. It will interact with industry and will continue
to work on the protection of government networks, she said, noting PM&C’s “policy
coordination” role in relation to cyber security generally.
In addition to the unclear lines of responsibility, how to co-locate
the systems designed to support the new Centre also remained unclear. The various
intelligence systems used by the co-located staff need to share and exchange
information.
How to co-locate systems and bring them together so people
can talk was identified by Geddes as a hot issue. She said PM&C was
considering a “layered approach” to the security classifications so it could
bring industry into the building and work in partnership with industry and
others as well. Geddes said they were still developing a business case for how
the systems would work together.
In the absence of better particulars, the ACSC and its tentative
bureaucratic shaping reflect the Government’s inability to focus on the main
issues. First and foremost, the most sensitive data is often held and often lost
by non-Government agencies. Second, there is a broad gulf of concerns that
characterise cyber security incidents these days. Bringing together diverse
elements within the Government physically could be a good thing or it may just
water down their strengths. We shall see.