Australia instructs government entities to check for tech exposed to foreign control

Australia has instructed all of its government entities to take stock of their entire technology estates and identify any assets that could be controlled or manipulated by foreign states.

It comes as the country addresses a growing number of hostile state and financially motivated cyberthreats, with the Australian Signals Directorate (ASD) this week also warning that a state-sponsored Chinese hacking group has “repeatedly targeted Australian networks.”

In three new legally-binding instructions published on Monday, the country’s Department of Home Affairs required that all government entities — of which there are more than 1,300, from cabinet departments through to statutory offices — identify Foreign Ownership, Control or Influence (FOCI) risks associated with the technology they’re using.

This includes “any hardware, software or information system” such as mobile apps and as-a-service offerings as well as hosting platforms and enterprise systems, that “stores, processes, transmits or transforms official or security classified information.”

The public sector organizations will have until June 2025 to identify FOCI risks and report them to the Department of Home Affairs’ cyber and protective security branch.

These entities will also have to conduct a full stocktake “on all internet-facing systems or services,” under a second direction, covering anything that can be “directly accessed by untrusted or unknown entities over the internet” and then develop a security risk management plan specific to those systems and services.

According to a spokesperson from the Department of Home Affairs, the aim is to “give us better visibility of the Australian Government’s technology estate.”

The third direction requires all government entities using threat intelligence sharing platforms to be working with the ASD by the end of this month and connected to the agency’s threat intelligence sharing platform.

“While many entities already engage with ASD, this direction puts the issue beyond doubt,” said the spokesperson. “Government’s view is that engagement with the ASD is mandatory and the Government has chosen to act. We encourage all Australians and businesses to engage with ASD advice.”

The new cybersecurity directions are the first issued under the Protective Security Policy Framework since April 2023, when Australia banned the installation of TikTok from government devices, “based on the security risk presented by that application.”

It follows Mike Burgess, the head of Australia’s domestic security agency — the Australian Security Intelligence Organisation (ASIO) — warning earlier this year that more Australians are “being targeted for espionage and foreign interference than ever before.”

Burgess stressed the risks posed by cyber activities too: “The most immediate, low-cost and potentially high-impact vector for sabotage is cyber. Our critical infrastructure networks are interconnected and interdependent, which increases the vulnerabilities and potential access points.”