Using govt purchasing power to boost cybersafety

Australian governments should be using their ICT procurement to drive cyber security and boost sovereign capability, a report says.

Dr Rajiv Shah

Government is currently the biggest buyer of IT, according to a report from ASPI’s International Cyber Policy Centre. The federal government currently spends almost $10 billion a year on procurement while the NSW government’s IT budget tops $3 billion a year.

But government is wasting the opportunity to leverage its dominant market power to lift cyber security standards, author Rajiv Shah says.

“Government spends a lot of money on ICT and that could be leveraged to improve security,” Dr Shah told Government News ahead of its launch on Tuesday.

The report recommends commercial incentives for better cybersecurity solutions, a cybersecurity insurance scheme, managed data enclaves, a single set of standards and more even market access for suppliers.

A ‘fourth pillar’ for tenders

It says government IT spend is spread across about 200 departments and agencies that make their own procurement decisions.

“Definitely there’s a lack of clear responsibility and clear accountability, with different people trying to solve different parts of the problem in their own ways, and a lack of coordination,” Dr Shah says.

Many procurements are made through inflexible panel arrangements with procurement routed through a handful of suppliers. Bundling projects also limits access for smaller players, the report says.

The report calls for a single, coherent set of security standards, with cybersecurity mandated into tender evaluation processes as a “fourth pillar” alongside cost, quality and timescales, as well as having multiple levels of accreditation rather than a pass/fail system.

It highlights the UK Cyber Essentials Scheme and the US CMMC (Cybersecurity Maturity Model Certification) as good models.

Recent changes to Australia’s cloud provider accreditation system, which saw an end to the Certified Cloud Services List (CCSL), come with both benefits and risks, Dr Shah says.

“Ultimately there was a problem in the previous system that everything was bottlenecked with an organisation that didn’t have the resources to deal with it,” he said.

“Effectively it was blocking people coming into the market and blocking services getting approved. The problem now is the risk that we fragment again.”

There should be commercial incentives for suppliers to improve security, meaning tech companies would have to lift standards in order to do business with government, the report says.

This could be a similar system to construction, where companies have to comply with a code if they want to bid for federally funded projects.

“If government can define the security outcomes required, that can encourage suppliers to compete to develop the most effective and value‑for‑money approaches to delivery,” the report says.

It also recommends a secure cloud-based environment that contractors can use for projects under contract to the government.

As well, the report says having mandatory cybersecurity insurance for all government suppliers will not only reward better security with lower premiums, but also help mature the cybersecurity insurance market.

Sovereign capability

The report also calls for the government to establish a sovereign capability framework identifying technologies to develop locally and guiding procurement and investment.

Sovereignty isn’t just important for national resilience, Dr Shah says.

“Australia has a lot of good cybersecurity entrepreneurs and ideas, and if we can boost this it also becomes something we can export for economic benefit,” he says.
