Computerworld

Victorian government plans to counter cyber emergencies

Develops state government cyber incident response plan

Every 45 seconds there is an attempted compromise of a Victorian government network, according to John O’Driscoll, the state government’s chief information security officer (CISO).

The statistic is included in O’Driscoll’s foreword to the new Victorian government Cyber Incident Management Plan (CIMP), which offers guidance to the state’s public sector agencies in responding to data breaches or other security incidents.

Attacks on Victorian government networks “involve cyber criminals, nation state actors, political ‘hacktivists’ and online vandals,” the CISO says.

The CIMP is intended to support public sector entities’ internal incident response policies and procedures and complement the Victorian government’s State Emergency Response Plan (SERP) Cyber Security Sub-Plan.

The document states that in 2017-18, 90 per cent of Victorian government organisations experienced a “cyber incident”. Most of those incidents involved phishing attacks or the discovery of malware. In January this year public sector employees were warned about a phone-based social engineering campaign, which was believed to be potentially laying the groundwork for a wave of phishing attempts.

Seventy-five per cent of state government organisations “reported having systems or services disrupted by cyber incidents” in 2017-18, according to the CIMP.

In mid-2018, the Victorian government launched its Cyber Incident Response Service (CIRS) as part of the state’s cyber security strategy. (Creating the whole-of-government CISO position, filled by O’Driscoll, was a key component of that strategy.)

The CIRS is a “second line of defence” for Victoria’s public sector, sitting within the Department of Premier and Cabinet. It offers a range of services to agencies including threat intelligence, law enforcement liaison, cyber forensics and support to develop incident response plans.

The new CIMP directs government organisations to establish their own response plan, establish a team empowered to oversee the response to security incidents, and conduct an annual exercise of the plan.

The government has a four-tier model for classifying the severity of incidents: cyber event, cyber incident, significant cyber incident, and cyber emergency.

Agencies are obliged to alert the CIRS to any events categorised as a significant cyber incident (which could include compromise of security controls or a limited or major degradation of services) or a cyber emergency (incidents that could lead to the loss of life or extensive damage to property or infrastructure).

The CIRS will manage the response to incidents involving multiple organisations, as well as manage the sharing of intelligence.

The document is available online.