The importance of Public-Private Partnerships in Australian Cyber Resilience - Risk Advisory blog | Deloitte Australia has been saved
Limited functionality available
Australia has the opportunity to deliver a future based on world-class innovation, design thinking and smarter engineering underpinned by rapidly evolving digital services. However, in an interconnected world, these opportunities are threatened by organised cybercrime, opportunistic cyber attacks and the spectre of nation-state threat actors. While cyber attacks will continue to be disruptive and destructive, these threats also provide us the opportunity to come together as a nation and create solutions that build resilience across our shared national ecosystem. A rising tide, as the saying goes, lifts all boats.
Effectively combatting cyber threats in Australia’s ecosystem cannot be achieved in isolation—it requires strong partnerships forged across public and private sector organisations. Sharing information, insights and techniques across these partnerships is critical to defending our nation against continually evolving attacks mounted by increasingly sophisticated threat actors.
There are several nationally significant programs emerging that are led by the Federal Government with the support of State Government and industry. These programs are starting to show the significant value of public/private partnerships by delivering practical benefits into Australia’s cyber resilience.
ACSC and the Cyber Threat Intelligence Sharing (CTIS) Program
CTIS is the Australian Cyber Security Centre’s (ACSC) threat information sharing platform that went live in late 2021. The CTIS program establishes a national community of organisations that share threat intelligence bilaterally at machine speed. Participating organisations include Federal and State Government agencies and private sector organisations across multiple industry sectors.
The initial implementation of the CTIS system was the result of a series of co-design activities held with representatives across this broad community of ACSC partners, who brought their collective experience and perspectives together for this shared capability. This spirit of partnership continues through a Technical Advisory Working Group that will see CTIS adapt to the ever changing cyber threat landscape.
In less than 12 months of the program, CTIS has already proven its value to the ecosystem: the information shared has uncovered previously unknown compromises and threats. The shared intelligence is expected to become even richer as new contributing organisations onboard.
Digital Identity and the Trusted Digital Identity Framework (TDIF)
The TDIF is a Digital Transformation Agency (DTA) administered accreditation framework that comprises a set of standards and rules that serve as the foundation for establishing secure, trusted digital identities. Developed by government, initially to support participation in the Australian Government Digital Identity System, TDIF is increasingly being adopted by the private sector for use outside government. The DTA continues to evolve the TDIF standard in collaboration with industry.
By establishing rules around how end users prove their identities, and providing assurance about the privacy, security, usability and interoperability of an identity provider’s processes, the TDIF provides the ability for organisations to have greater confidence that the person they are dealing with is who they claim to be. Because identities underpin all digital services, establishing trust in identities is one of the most critical elements in cyber defences.
TDIF accreditation offers different benefits in different contexts.
Security of Critical Infrastructure (SOCI) Act
SOCI is a legislative instrument first passed in 2018 to manage the risks associated with critical infrastructure. SOCI has since expanded to 11 sectors, adding obligations on more entities in Australia and giving additional powers to government. Under the SOCI Act, affected owners and operators of critical infrastructure assets need to identify, minimise and mitigate any hazards that could affect the availability, integrity, reliability, or confidentiality of information related to the asset.
The SOCI 2021 amendment provides government with significant powers to respond to cyber attacks on critical infrastructure, and it imposes an obligation on critical infrastructure operators to report on cyber attacks that affect supply of their services.
SOCI’s ability to be successful and embed essential safeguards in our national infrastructure will depend in the longer term on the ability of critical infrastructure providers to understand the benefits of SOCI, what its objectives are and how best to meet obligations. It will require a general recognition across providers that risks are not static; rather, they change as the threat landscape evolves and mitigations must also adapt and evolve accordingly.
Considerations for success
Public/private partnership programs are providing evolutionary rather than revolutionary cyber outcomes as participants navigate the complex policy, process and technology landscapes involved in each program. From Deloitte’s observation, several themes emerge in terms of what can help make these partnerships a success.
Julie is a Director in Deloitte’s Cyber Team in Canberra. Julie has over 20 years consulting experience in digital identity and related cyber security programs, with a particular speciality in digital identity. Julie has led teams delivering identity and cyber solutions into major government agencies and other organisations. She is adept at aligning technical delivery with both business and security aims, helping ensure that secure solutions remain usable.
Ryan is a Senior Manager in Deloitte’s cyber practice focusing on cyber risk, strategy, and governance. During his career, he has focused on assisting organisations with identifying their real risks, assessing their readiness to manage these risks, and developing practical strategies and governance models to manage their cyber risks more effectively. Ryan’s passion is in demystifying cybersecurity, supporting Deloitte’s clients in raising cyber awareness, and the implementation of effective process and technology controls.