Vic Govt launches $51m Cyber Strategy; moves to remove ‘complexity’ in cybersec procurement


The Victorian Government is set to make it easier for public agencies to procure goods and services related to the Australian Cyber Security Centre’s (ACSC) Essential Eight maturity model as a key priority of its just-released cyber strategy.

Unveiled this week by government services minister Danny Pearson, Victoria’s 2021 Cyber Strategy sets out a program of work with the aim of both uplifting the state’s whole-of-government cyber resilience and nurturing local cyber talent, including homegrown companies.

The new strategy is a departure from the now-expired 2017 strategy, in which the Victorian Government’s focus was limited to merely uplifting public sector cyber resilience.

The release of the new strategy follows a $50.8 million investment by the state into public sector cyber resilience, announced in this year’s budget in May.

Over a five-year period, the new strategy will look to advance three core missions: safe and reliable government service delivery; a cyber-safe place to work, live and learn; and a vibrant cyber economy.

“The Victorian Government must play a key role in supporting industry and community groups to reduce their cyber risk,” the strategy noted, stressing that the Government must “lead by example”.

The new strategy further considers how Covid-19 has accelerated economy-wide digitisation, exacerbating malicious cyber threats as well as making them “more complex”.

Under Victoria’s new cyber strategy, five annual “mission delivery plans” – the first of which was released in April by the state’s chief information security officer John O’Driscoll – will be published, spelling out detailed implementation plans for each year.

Under O’Driscoll’s 2021-2022 mission delivery plans, the state aims to set up a “simple procurement process” for Essential Eight related products, allowing for “faster engagement with industry” when support is needed.

The Essential Eight refers to a minimum set of cyber risk mitigation controls developed by the ACSC, Australia’s chief cybersecurity agency; for now, implementation of the eight controls is mandatory only for Federal Government bodies.

As a result, standing offer arrangements will be set up with selected anti-malware service providers, as well as suppliers of IT asset discovery and monitoring tools.

To promote further adoption of the ACSC’s Essential Eight principles, the Government will also issue guidance on successful implementation and introduce a “status monitoring program” alongside the Victoria Managed Insurance Authority (VMIA).

Beyond expediting implementation of the Essential Eight, O’Driscoll’s plan also requires critical services to achieve a “higher minimum standard”, ensuring resistance to cyber-attacks.

The state will further implement Domain-based Message Authentication, Reporting and Conformance (DMARC), an anti-spoofing protection mechanism, across all email services on the state’s domain.

Other actions in the roadmap include a “cyber education program” for Victorian Government executives in critical service operations, which will be made available to select senior staff.

The focus of O’Driscoll’s initial plan is on strengthening public agencies’ network defences to a point where they are “equal to the current and emerging threat”; its key priorities include data privacy, service resilience, and trustworthy digital communication channels.

“This mission will protect the confidentiality and integrity of sensitive information and support the reliable delivery of IT-dependent government services to the Victorian community,” the plan noted.

As part of the plan, the Government will also support the delivery of a new Victoria Police Cybercrime Strategy, helping authorities to prosecute cybercrime more effectively.

At the same time, an expert advisory panel will be set up to advise the state on opportunities to “enhance cybercrime messaging and education” as well as to consider “legislative reforms” around cybercrime law enforcement.

Additionally, a similar panel will be set up to advise the state on “cyber capability uplift opportunities and digital economy growth”, which includes nurturing key skillsets, improving security for small businesses, as well as driving commercial engagement with the state’s cyber ecosystem.

According to a statement by the premier, cybersecurity features heavily as part of the state’s $64 million Digital Jobs Program, for which tailored skills-building initiatives have been developed alongside local firms including vendor powerhouse CyberCX.

The Victorian Government’s strategy parallels NSW’s own cyber strategy (released in June), with both states taking a multi-pronged approach to support skills development, grow local cyber businesses, and promote government resiliency.

NSW, however, appears to have gone a step further in its plan to advance cybersecurity research and innovation, moving to enable closer collaboration between government, industry and academia.

Victoria’s Cyber Strategy 2021 can be viewed here.