The importance of Public-Private Partnerships in Australian Cyber Resilience

Australia has the opportunity to deliver a future based on world-class innovation, design thinking and smarter engineering underpinned by rapidly evolving digital services. However, in an interconnected world, these opportunities are threatened by organised cybercrime, opportunistic cyber attacks and the spectre of nation-state threat actors. While cyber attacks will continue to be disruptive and destructive, these threats also provide us the opportunity to come together as a nation and create solutions that build resilience across our shared national ecosystem. A rising tide, as the saying goes, lifts all boats.

Effectively combatting cyber threats in Australia’s ecosystem cannot be achieved in isolation—it requires strong partnerships forged across public and private sector organisations. Sharing information, insights and techniques across these partnerships is critical to defending our nation against continually evolving attacks mounted by increasingly sophisticated threat actors.

There are several nationally significant programs emerging that are led by the Federal Government with the support of State Government and industry. These programs are starting to show the significant value of public/private partnerships by delivering practical benefits into Australia’s cyber resilience. 

ACSC and the Cyber Threat Intelligence Sharing (CTIS) Program

CTIS is the Australian Cyber Security Centre’s (ACSC) threat information sharing platform that went live in late 2021. The CTIS program establishes a national community of organisations that share threat intelligence bilaterally at machine speed. Participating organisations include Federal and State Government agencies and private sector organisations across multiple industry sectors.

The initial implementation of the CTIS system was the result of a series of co-design activities held with representatives across this broad community of ACSC partners, who brought their collective experience and perspectives together for this shared capability. This spirit of partnership continues through a Technical Advisory Working Group that will see CTIS adapt to the ever changing cyber threat landscape.

In less than 12 months of the program, CTIS has already proven its value to the ecosystem: the information shared has uncovered previously unknown compromises and threats. The shared intelligence is expected to become even richer as new contributing organisations onboard. 

Digital Identity and the Trusted Digital Identity Framework (TDIF)

The TDIF is a Digital Transformation Agency (DTA) administered accreditation framework that comprises a set of standards and rules that serve as the foundation for establishing secure, trusted digital identities. Developed by government, initially to support participation in the Australian Government Digital Identity System, TDIF is increasingly being adopted by the private sector for use outside government. The DTA continues to evolve the TDIF standard in collaboration with industry.

By establishing rules around how end users prove their identities, and providing assurance about the privacy, security, usability and interoperability of an identity provider’s processes, the TDIF provides the ability for organisations to have greater confidence that the person they are dealing with is who they claim to be. Because identities underpin all digital services, establishing trust in identities is one of the most critical elements in cyber defences. 

TDIF accreditation offers different benefits in different contexts. 

• TDIF accredited identities are being used by businesses to confirm proof of age, address details or bank account information etc.
• For regulated entities within the financial or gaming sectors, use of TDIF accredited identities can help simplify the way organisations meet their Anti-Money Laundering and Counter-Terrorism Financing Act (AML/CTF) obligations by ensuring ongoing due diligence in their customer identification processes.
• Accredited TDIF participants are bound by fraud and security control requirements, including requirements to identify, flag and share identities or credentials that have been subject to a cyber security incident. This provides benefit to all participants in the ecosystem in terms of better safeguards against digital identity and credential theft fraud.

Security of Critical Infrastructure (SOCI) Act

SOCI is a legislative instrument first passed in 2018 to manage the risks associated with critical infrastructure. SOCI has since expanded to 11 sectors, adding obligations on more entities in Australia and giving additional powers to government. Under the SOCI Act, affected owners and operators of critical infrastructure assets need to identify, minimise and mitigate any hazards that could affect the availability, integrity, reliability, or confidentiality of information related to the asset. 

The SOCI 2021 amendment provides government with significant powers to respond to cyber attacks on critical infrastructure, and it imposes an obligation on critical infrastructure operators to report on cyber attacks that affect supply of their services.

SOCI’s ability to be successful and embed essential safeguards in our national infrastructure will depend in the longer term on the ability of critical infrastructure providers to understand the benefits of SOCI, what its objectives are and how best to meet obligations. It will require a general recognition across providers that risks are not static; rather, they change as the threat landscape evolves and mitigations must also adapt and evolve accordingly. 

Considerations for success

Public/private partnership programs are providing evolutionary rather than revolutionary cyber outcomes as participants navigate the complex policy, process and technology landscapes involved in each program. From Deloitte’s observation, several themes emerge in terms of what can help make these partnerships a success. 

• Establish a shared vision and objectives and communicate these well.
• Acknowledge the important role of government in creating the policy conditions that will help foster collaboration supporting that shared vision.
• Where possible, use a co-design approach, involving close collaboration between partners throughout design, implementation and operations. Anticipate the value that partners’ different perspectives and experiences can bring to the program.
• Understand the importance of establishing trust and don’t underestimate the impact of cultural change. Participating partner organisations can be competitors for example who wouldn’t naturally collaborate in other circumstances; other organisations may be wary of sharing information with agencies who regulate them.
• To engage effectively, partners require agreed structures for communication and collaboration. Consider how the structure can be adapted over time as programs evolve.
• Understand that any program is sustained by people. Relationships are usually needed at policy, strategic, tactical and operational levels across the partnership. Consider how these relationships will be established and maintained.
• Bring a willingness to learn and a willingness to teach. Cyber maturity is much more than how much money an organisation spends on cyber controls. Just as our adversaries are learning from each other, we must be prepared to share our knowledge, and to learn from the experiences of our partners.