Home Affairs to migrate AUSTRAC, ACIC out of cyber hub
Home Affairs will spend $3.7 million helping AUSTRAC and the Australian Criminal Intelligence Commission (ACIC) transition off cyber security services it provided under the government’s axed cyber hubs pilot.
The pilot was discontinued earlier this month after a Finance-led review of the pilot scheme.
The purpose of the pilot was to bring smaller agencies that lacked budget or resourcing for sophisticated cyber security operations into hubs run by larger federal IT shops, improving general protection levels across the government.
But limited forward funding for the pilot was provided in the federal budget, and Home Affairs secretary Mike Pezzullo confirmed at senate estimates yesterday the pilot had been discontinued, and alternative arrangements are now being made.
He also noted that responsibility for hardening government IT security, which the cyber hubs pilot came under, had transitioned on May 1 from Finance and the DTA to Home Affairs.
“We’re now obligated under that shift in mandate to think through whether the hub model or some other model of hardening the perimeter of our networks and devices is going to be better suited to the task, given our learnings from that cyber hub pilot process,” Pezzullo said.
The responsibility sits with the new cyber and infrastructure security group, led by Hamish Hansford.
While a new strategic direction is formulated, it appears the plan is to move agencies that had participated in the cyber hubs pilot to “last resort” services supplied by the Australian Signals Directorate (ASD) instead.
This will occur for the Home Affairs-operated hub, with the two agencies that participated in the pilot – the Australian Transaction Reports and Analysis Centre (AUSTRAC) and ACIC – shifting to the ASD services by December.
“With the termination of the [cyber hubs] program, as part of the cyber security strategy we have to rethink how we provide those services to medium and smaller agencies where it wouldn’t make sense to have, for example, an organic 24×7 capability,” Pezzullo said.
“As a safety net or provider of last resort, the ASD will provide those services.”
Home Affairs would also work with the two agencies to build a small amount of internal capability.
“We’re not just dumping them and leaving them,” said group head of the technology and major capability group, Mike Milford.
“We’re working with those two agencies to ensure that they have their own level of internal capacity, because they still have their own cyber people working inside, to be able to provide additional services.”
It’s unclear if this is also the plan for the other hubs.
Pezzullo noted that without the cyber hubs pilot, a plan was still needed to harden the government’s IT perimeter and avoid having “195-odd” agencies standing up cyber security operations of their own.
“There’d be a lot of waste and duplication,” he said.
Pezzullo said questions about the review of the cyber hubs pilot, and why it was discontinued, needed to be directed at either Finance or the DTA.
He also declined to be drawn on questions about why the decision had been taken, particularly given the Cyber Security Industry Advisory Committee to government, chaired by former Telstra chief Andy Penn, had wanted the hubs to be given “more teeth” and for their work to be accelerated.