Efforts to centralise federal government networks through a handful of cyber hubs in Canberra’s biggest agencies will continue until the New Year, after the pilot program was extended.
The six-month extension, which takes the trial up to the start of January 2023, was enabled by a $30.2 million injection in the 2022 federal budget that also leaves the door open to future changes. The pilot, first envisioned in the 2020 cybersecurity strategy, aims to “harden” government IT by focusing investment on a smaller footprint of networks.
In doing so, the government hopes to uplift cyber resilience across the public sector, particularly in smaller agencies which typically have fewer resources at their disposal.
The first three hubs were established in the Defence department, the Department of Home Affairs and Services Australia in July 2021, followed by a fourth at the Australian Taxation Office.
Announcing the fourth hub in December last year, former employment minister Stuart Robert said the approach was necessary to respond to the growing threat of cyber-attacks.
“The cyber threat is so pervasive that all 14 government departments and 80-odd agencies are not capable of dealing with this threat by themselves,” he said at the time.
The initial 12-month pilot was slated to end at the end of June 2022, but funding provided in the Budget extended the program’s timeframe until the end of December 2022.
Budget document said the funding would be used to “extend the whole of government cyber hubs pilot, including the establishment of a fourth cyber hub pilot in the ATO” without giving a timeframe.
The bulk of the investment appears to flow to a fourth hub at the ATO, however, with an incoming government brief showing Defence will receive just $0.8 million for the extended pilot.
Funding will also be used to develop “high-level transition plans for all remaining non-corporate Commonwealth entities”, according to the Digital Transformation Agency.
Acting digital prioritisation and cyber capability manager Sean Hickling told InnovationAus.com this would “assist future onboarding”, noting the government is yet to consider the program’s future.
It is unclear whether the extended pilot will involve testing the provision of select cyber security services to “client agencies” as transpired with six agencies in the first 12-month pilot.
The six agencies included the Australian Criminal Intelligence Commission, AUSTRAC, Sports Integrity Australian and the Australian Digital Health Agency.
Since the six-month extension, the Industry Advisory Committee on Cyber Security has called for the cyber hubs to be given “more teeth and their work needs to be accelerated”.
“While some progress has been made on the Hardening Government IT program, it is important that government is a cyber security exemplar,” it said.
The extension is the latest indication the government will continue the program indefinitely, having already stopped certifying secure internet gateway (SIG) services.
The DTA approached the market shortly after to investigate whether Australian cyber security firms could support the hub model, particularly 42 core services identified during the pilot.
Of the 73 responses received, 14 providers were capable of providing all 42 core services, while a further 44 had the ability to support at least 50 per cent, according to the DTA.
The positive response to the market approach is likely to be welcome news for the DTA, which last month came under fire for its procurement practices, including those relating to the program.
The scathing audit revealed fundamental problems with the uncompetitive approach used by the DTA to source the program’s business case and model from cybersecurity firm CyberCX.
The market approach sought support for the business case and model development, and program management, with the value of both procurements valued at up to $1 million over six months.
The report shows the DTA approached the market for a consultancy to support the pilot but only after meeting with CyberCX representatives. CyberCX approached the DTA CEO directly for the meet.
But when the DTA approached the market through the Digital Marketplace, CyberCX missed the deadline to make an offer.
The DTA decided to re-approach CyberCX and gave it an opportunity to make an offer to compete with a proposal which had already been ranked highest and considered the preferred supplier.
In order to “get the cost down a bit”, the DTA deputy chief executive allowed CyberCX to bid for the work, giving a verbal approval to set aside the initial preferred supplier and approach CyberCX.
CyberCX would eventually be handed a contract for the work, which has since increased eight-fold to $8.5 million.
