Home Affairs revamps security to tackle cyber and critical infrastructure threats

The Australian Government is taking a sharper view of managed service providers (MSPs) as it considers the combined risk they have in providing services to all infrastructure and government agencies, said the Department of Home Affairs’ head of national security, Hamish Hansford. 

During a public industry town hall hosted by the Department of Home Affairs on 17 July, attended by stakeholders across the critical infrastructure sector to discuss the commencement of the new national security structure, ARN asked Hansford if MSPs could be brought under the cybersecurity frameworks, comparable to the UK’s National Institute of Standards and Technology, to improve oversight and security. 

“Short answer is yes, and you’ll notice that managed service providers is an action item in the Australian Cybersecurity Strategy,” he said. “We do cover quite a few, particularly in the data processing and storage area.” 

According to the Australian Cybersecurity Strategy 2023–2030, the government will develop a framework for assessing the national security risks presented by vendor products and services operating within and entering the Australian economy. 

Using this framework, the government looked to help the industry manage supply chain risks and make informed procurement decisions about the security of products and services. 

The report also noted that it would consult with the industry on further options to limit the availability of non-secure products in the domestic market. 

“But we’re always actively thinking around the aggregated risk that managed service providers have in providing services to all Australian infrastructure and governments,” said Hansford. 

The department has set up a “particular supply chain body of work to think about this issue in partnership with industry,” led by Department of Home Affairs critical infrastructure partnerships and policy first assistant secretary Sally Pfeiffer, he said. 

“We’ll pick up the standard point and our collaboration with the UK.” 

National security structure 

Hansford’s comments come amid structural changes to the national security structure for the Department of Home Affairs. 

As the newly appointed head of national security, Hansford will lead a team under the Department of Home Affairs, bringing together the functions of counter terrorism, counter-foreign interference, national resilience, protective security for parliamentarians, Commonwealth security policy, cyber and technology security, critical infrastructure, transport security, criminal justice, and law enforcement. 

As of 14 August, Australia’s Ambassador for Cyber Affairs and Critical Technology, Brendan Dowling, will commence in the role of Ambassador for Critical Infrastructure and Protective Security. 

He’ll be supported by Justine Jones in the infrastructure risk and regulation division, Sally Pfeiffer in the critical infrastructure partnerships and policy division, and Philip Kimpton in the resilience and protective security division. 

A full list of people and titles in the new structure will be released shortly, said Hansford. 

“That is going to be a very strong policy and programming coordination function for us to think about opportunities to protect Australians in the division that looks at tech, cyber, and foreign interference,” he said. 

“We’re keeping the counter foreign interference coordination centre.” 

National cyber security coordinator, Lieutenant General Michelle McGuinness, will continue in her role and will report directly to the Home Affairs Minister, Tony Burke. 

“In my group, we handle a lot of cybersecurity [policies] and I speak with Michelle multiple times a week,” he said. “Her role hasn’t changed; she still reports directly to the minister. However, we collaborate with her almost daily and very closely.” 

Hansford said the team will be working with industry, particularly community groups, educational institutions, and industry generally, to think about how to “best protect the economy from foreign interference and espionage risk.” 

From today, Hansford said the critical infrastructure security centre has been renamed, previously known as the Cyber and Infrastructure Security Centre. 

“We modeled the name on the US Cyber and Infrastructure Security Agency, but on balance, the critical infrastructure security centre better reflects our all-hazards mission, inclusive of cyber but not only cyber,” said Hansford. “We’ve also established and decided to create a protective security coordination centre.” 

“That will be very important to bring together all our security functions for the protection of the Australian Government, Australian high office holders, and Australian parliamentarians.” 

“It effectively creates a centre of excellence in security. Putting that function together with critical infrastructure security more generally effectively makes government critical infrastructure in and of itself.” 

Reasons for the change 

According to Hansford, there were three reasons why the government created a new structure. 

“The first is really to put together our security functions in the Department of Home Affairs,” he said. “Bringing together two groups and slightly reorganising ourselves to try and think about a single unified agenda, really thinking about ambition, execution, and delivery of issues.” 

He pointed out that collaborating with industry, working across Australia on the protection of lots of different things under our mission, really to create a prosperous, secure, and united Australia, was “a foundational principle” of the department. 

“The big issue is the government’s asked us to play a stronger, more coordinated role in security,” said Hansford. 

Driver number two was around the threat environment that Australia faces today. 

“We are not managing yesterday’s risks,” he said. “We have an environment that our director-general of security has outlined… that Australia has entered into a period of strategic surprise and security vulnerability.” 

“There are lots of different parts of our work, whether it’s foreign interference, terrorism, infrastructure, transport security, we want to think more holistically about the environment we have in the future.” 

“That’s a driving force for us to have smarter coordination, deeper foresight, faster action, more integrated policy, and ultimately delivering better public value for Australians and Australian industry.” 

Driver number three was about creating a mass of people who have a career in national security and work on security issues. 

“We have ambitions to uplift the security profession broadly,” said Hansford. “Initially, we want to focus on Australian government security professionals.” 

“We now partner with the APS Academy, which provides a lot of training, and you’ll notice the cybersecurity strategy included funding for their security education efforts.” 

“We’re also considering accreditation programs and building a cadre of chief security officers, not just in government but across industry.” 

While there is a national appetite for this, Hansford said “funding” was always a consideration.