Govt moves to strengthen ‘cyber hubs’, ends internet gateway certification by ASD

Secure Internet Gateway (SIG) ASD DTA

In a bid to bolster network security across Australia’s public sector, the nation’s chief signals and infosec intelligence bureau will stop certifying Secure Internet Gateway (SIG) services, paving the way for the consolidation of government agencies’ IT networks and cyber capabilities through dedicated ‘cyber hubs’.

The SIG policy change was jointly revealed this week by the Digital Transformation Agency (DTA) and the Australian Signals Directorate (ASD) in preparation for the expansion of the cyber hubs as early as mid-next year.

The hubs initiative was first announced in the Government’s 2020 Cyber Security Strategy, with a view to reducing the public sector’s IT attack surface whilst allowing for more targeted investment on fewer networks.

Under the new model, cyber hubs will provide a suite of protective services, including SIGs (a protective layer in the perimeter between an agency’s networks and the internet) to government bodies.

To date, public sector agencies have only been approved to work with gateway providers that are IRAP assessed and ASD-certified; these so far include Emantra, Macquarie Government, NTT Security, Optus Business, Sliced Tech, Telstra, and Verizon.

However, as part of the latest SIG policy amendment, the ASD will no longer be a ‘certifying authority’ for SIG solutions; existing ASD-certified gateways will remain certified only until July 2022.

“SIG policy is being modernised so that it is consistent with and supports the implementation of Cyber Hubs, and so that Commonwealth entities, using existing SIGs, can readily adopt new technologies and capabilities,” the DTA said in a statement.

Since July, three pilot cyber hubs to test core services have been underway with the Department of Home Affairs (DHA), Department of Defence and Services Australia, with trial results set to inform a future whole-of-government (WofG) operating model.

Leading the WofG cyber hubs program of work is the DTA, in collaboration with the ASD’s Australian Cyber Security Centre (ACSC), DHA, and the Attorney General’s (AG) Department.

The three agencies are considering how best to integrate SIG services with a future cyber hubs model, as well as to ensure alignment of the new SIG policy and Information Security Manual (ISM) with the AG’s Protective Security Policy Framework (PSPF).

The Government’s update to the internet gateway accreditation comes more than two years after its shared gateway scheme was reviewed by the DTA, with the agency recommending a more flexible approach for public sector agencies.

Drawing on this 2019 review, the DTA also recommended that SIGs form a core part of the PSPF, but that agencies be given the freedom to use services that best fit their respective security postures.

According to the DTA, the forthcoming shift from disparate networks to a cyber hub model parallels the Government’s approach to cloud security, with the cloud services certification program (CSCP) similarly scrapped in early 2022 in favour of new guidelines “co-designed” with industry.

“In the interim, entities will continue to meet their SIG requirements in line with the PSPF obligations, and existing industry partners will continue to provide services in line with current arrangements,” the DTA’s latest update said.