Op-Ed: Shields up! Fortifying Australian cyber resilience through government attack surface management policies

These shields span diverse domains from advancing automated threat detection, sharing and blocking, to fostering coordinated global cyber security efforts through international collaboration.

Australia’s fourth shield is singularly committed to defending critical infrastructure from cyber threats, acknowledging the potentially catastrophic impacts of service loss across the nation. This shield also underscores the crucial need for the government to enhance its cyber defences, given its ownership of vital infrastructure and responsibility for safeguarding sensitive data. This emphasis is well-founded, considering the escalating cyber security threats targeting critical infrastructure globally. It is in this context that attack surface management (ASM) has emerged as a cornerstone of modern cyber security practices and is pivotal to creating cyber resilience across national critical infrastructure.

In August this year, the United States Cybersecurity and Infrastructure Security Agency (CISA) outlined its 2024–26 strategic plan for critical infrastructure uplift, stating it will leverage commercial ASM to help its critical infrastructure and other partners “identify exploited or exploitable conditions and gain a better picture into security trends across the country”. The European Union (EU) also recognised ASM’s value via a landmark law in 2022, which encourages national cyber security incident response teams to deploy ASM capabilities to ensure they can “identify, understand, and manage the entity’s overall organisational risks”.

While the US and EU governments have developed various policies emphasising the role of ASM in national cyber resilience, the Australian government is yet to release guidance or policy addressing this capability.

As Australia develops its next cyber security strategy and sets the laudable goal of becoming the world’s most cyber-secure nation by 2030, a crucial question emerges: How can we comprehensively manage national cyber risks and fortify our cyber shields when we cannot fully identify threats and vulnerabilities across critical infrastructure and government networks?

Cyber defence through the eyes of the adversary

The surge in cloud adoption, continuous digital transformation, and the ubiquitous embrace of remote work – all further accelerated by the disruptive impact of the COVID-19 pandemic – have expanded the digital footprint and attack surface of an average organisation. Collectively, this has rendered corporate and government networks larger, more dispersed and dynamic, with a constant influx of new assets interfacing with the network. As Palo Alto Networks 2023 Attack Surface Threat Report highlights, cloud-based IT infrastructure is always in a state of flux – in a given month, an average of 20 per cent of an organisation’s cloud attack surface will be taken offline and replaced with new or updated services.

As a consequence, organisations struggle with gaining clear visibility across all their internet-facing assets that may or may not be vulnerable to attacks. This challenge is often compounded by (manually managed) traditional asset discovery and vulnerability management processes, which were developed when corporate networks were more stagnant and centralised. This complex digital environment unfolds against a backdrop of an increasingly hostile cyber terrain, financial constraints, and a global shortage of cyber security expertise.

VIEW ALL

In response, ASM has become a foundational element in contemporary cyber security practices. Sometimes called internet operations management, ASM is the process of continuously identifying, monitoring, and managing all internal and external internet-connected assets for potential attack vectors and exposures – including IP addresses, domains, certificates, cloud infrastructure, and physical systems. It is founded on the understanding that one cannot secure what one does not know.

Unlike other cyber security capabilities, ASM is a unique approach that gives organisations a view of their network from an adversary’s perspective – identifying targets and assessing risks based on the opportunities they present to a malicious attacker. The ultimate goal of ASM is to increase attack surface visibility and reduce risk across both known and unknown assets that an organisation’s security team is unaware of and has not authorised or sanctioned.

Setting the direction: ASM a focal point in global government policies

The US government has made a number of references to the strategic importance of ASM across various government strategies and reports from US Congress. CISA not only included ASM in its strategic plan for the years 2024–26 but also released Binding Operational Directive 23-01, which compelled Federal Civilian Executive Branch agencies in the US (the .gov domain) to perform a range of automated asset discovery and vulnerability enumeration activity.

The US National Security Agency (NSA) has contributed to this narrative by providing no-cost attack surface management services through its Cybersecurity Collaboration Center to protect defense industrial base (DIB) entities. According to the NSA, its ASM service “has detected thousands of vulnerabilities on DIB networks and worked with network defenders to implement mitigations before they became compromises”. There are also various legislative provisions, such as the National Defense Authorization Act, that have called for the US Department of Defense to achieve real-time visibility of all internet-connected assets and attack surfaces across the DOD enterprise using commercial-off-the shelf (COTS) solutions.

The EU has adopted the revised Network and Information Security Directive (NIS2) that also encourages cyber security incident response teams to be able to provide, upon request of a covered entity, “a proactive scanning of the network and information systems used for the provision of the entity’s services” and assistance in monitoring “an entity’s internet-facing assets … to identify, understand, and manage the entity’s overall organisational risks”.

It’s clear in the global context that ASM is increasingly seen as playing a critical role in safeguarding national interests.

Enhancing Australian policies to proactively confront cyber risk

As Australia strives to become the world’s most secure nation by 2030, the government must signal the vital role of ASM capabilities through the forthcoming cyber security strategy, which should call out the need to integrate ASM across key government policies such as the Essential Eight and the Critical Infrastructure Risk Management Program (CIRMP).

From the Essential Eight to the Necessary Nine
The Australian Cyber Security Centre’s (ACSC) Essential 8 (E8) has long been positioned as a beacon for organisations to shield themselves against a multitude of cyber threats. In recent years, the government has promoted these prioritised mitigation strategies as the cyber security standard for all organisations and has dedicated substantial resources to the promotion and adoption of the E8 across the federal government. Nonetheless, the E8 does carry certain limitations. While their implementation can be instrumental in preventing threats, it often presents formidable challenges and substantial costs for most organisations to implement these mitigations effectively.

In light of these considerations, the government may wish to expand the E8 to become the Necessary Nine, incorporating ASM as its foundational cornerstone. Consider this scenario: an organisation leveraging an ASM platform gains awareness of potential Common Vulnerabilities and Exposures (CVE), such as a zero-day exploit, within an unpatched internet-facing application – enabling them to prioritise this in the organisation’s E8 remediation over an application that may be internal facing only. By integrating ASM into the E8, government agencies can pivot towards a risk-based approach to cyber security, an increasingly indispensable stance, especially within financially constrained circumstances.

Of course, such a paradigm shift should be accompanied by a corresponding revision of the ACSC’s guidance and materials such as the Information Security Manual (ISM), Cyber Security Principles, and Cyber Security Guidelines. These revisions are vital to engendering a comprehensive understanding among government entities and other stakeholders regarding ASM capabilities, articulating the critical functions essential for an organisation’s business operations.

Proactive risk management for critical infrastructure
In 2022, a significant milestone was achieved as the Australian government concluded the final phase of amendments to the Security of Critical Infrastructure Act 2018 to elevate the resilience of Australia’s critical infrastructure across 11 vital sectors. The amended legislation now mandates that critical infrastructure sectors establish a comprehensive CIRMP encompassing an “all-hazards” approach to risk – including cyber and supply chain risks.

To further fortify this framework, the Australian government may wish to incorporate ASM capabilities into the CIRMP. The integration of ASM can serve as a catalyst for organisations, empowering them to proactively grapple with cyber risks rather than responding reactively to breaches or incidents. Importantly, this proactive engagement enables these entities to strategically allocate resources, effectively prioritising remediation endeavours – offering a cost-effective approach to cyber risks.

ASM: A timely and national imperative

While cyber threats are a constant challenge, nations must be proactive in their approach to cyber security. ASM is an effective strategy to enhance cyber resilience by identifying vulnerabilities and mitigating risks. The Australian government should look to provide clear guidance and incentivise the adoption of ASM capabilities across government departments and critical infrastructure sectors, thus fortifying its cyber shields.

In doing so, Australia can confront the ever-evolving cyber threats, reinforce its cyber defences, and secure its national interests.

Sarah Sloan is head of government affairs and public policy, ANZ at Palo Alto Networks.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.