Victoria will set up a central cyber defence centre and whole-of-government cyber operating model this year under a continuing five-year, $50 million cyber security strategy implementation.
The government quietly released a mission delivery plan for the 2023 activities at the end of last week, as well as a progress report on work implementing the cyber security strategy to date.
One of the priorities of the 2023 work is to reduce “the risk of adverse cyber security events on government systems and services”, the mission plan states.
This covers the establishment of a whole-of-government “cyber operating model to improve cyber risk management across the Victorian Public Service (VPS)”, as well as “a VPS ‘cyber hubs model’ to improve cyber governance, technology, resource management and interoperability across the VPS, supported by a central Victorian government cyber defence centre.”
It appears that work on the hubs and centre started at the end of last year, perhaps explaining the “2022-23” reference in the online version of the mission plan, although it was only published in 2023.
James Fell, formerly Victoria’s emergency services sector CISO and also a one-time CISO for government shared services provider Cenitex, became program lead for the cyber hubs, including the cyber defence centre, in October last year, according to his LinkedIn profile.
The mission plan also details intentions to support “the scale and reuse of common cyber capabilities” across the state government; adopt “baseline cyber controls and cyber skills across the VPS”; and enhance incident management capabilities.
Several initiatives aim to develop a pipeline of cyber security talent for agencies to tap into, and career pathways specific to cyber security.
There is also a specific effort to help Victoria Police “to develop enhanced cybercrime capability, improving the ability of police to identify, detect, investigate, disrupt and deter cybercrime in Victoria,” the mission plan adds.
A letter dated February 17 and attributed to the “Victorian Government Chief Information Security Officer” - currently David Cullen, though not named in the letter - touts the release of the mission plan.
“I am pleased to release our next mission delivery plan and share the strategic initiatives and priorities that guide our future delivery of Victoria’s cyber strategy,” the letter states.
“This plan reflects the dynamic nature of the cyber security environment and highlights our adaptive approach towards building a cyber safe Victoria.”
The first year of cyber security uplift efforts
The letter is set up mostly as a “progress report” on implementing the state’s cyber strategy, the first such report to be released.
“In the first year of delivery, we have heavily focused on building the solid foundations and partnerships across government and industry that are required to see the strategy succeed over the next four years,” it states.
Specific works covered promotion of the Essential Eight controls; education for agencies on “the safe and secure use of cloud”; new “automated threat intelligence sharing programs”; “widespread implementation of domain-based message authentication, reporting and conformance (DMARC) capability across email services using the vic.gov.au domain”; and staff training.
“Staff in high-risk and sensitive roles have been supported to enhance protection of security classified and sensitive information against unauthorised access,” the letter text states.
“Training has also been provided to members of government boards so they can better understand and fulfil their cyber security obligations.”