Home Affairs says it can’t build its own cyber hub


Joseph Brookes
Senior Reporter

Home Affairs is paying international consultants Ernst & Young $2.5 million to help establish its cybersecurity hub because it lacks the “capacity and specialist knowledge” to do it in-house.

The department leading Australia’s cybersecurity policy and implementation on Monday revealed it has outsourced key parts of the current plan to “harden” government IT through a whole of government cyber hub operating model.

Home Affairs will pay Ernst & Young (EY) nearly $2.5 million for less than 18 months of work on its pilot hub, including supporting other agencies’ use of it. The work is being outsourced because the department does not have enough internal resources and the project “does not lend itself to having staff with these specialist skills as part of the ordinary staffing compliment”.

Karen Andrews
Home Affairs Minister Karen Andrews defended the use of a big four consultancy for work on a government cyber hub

Last year the Australian government said it would improve its security by centralising agencies’ IT management and operation through “Cyber Hubs”.

Part of the $1.6 billion 2020 Cybersecurity Strategy and now known as the Hardening Government IT (HGIT) Initiative, it is run by the Digital Transformation Agency (DTA) and is trying to establish a whole of government Cyber Hub operating model.

The Department of Home Affairs is supporting the HGIT as the cybersecurity lead and as one of three departments operating pilot hubs. The pilot hubs, also being run the Department of Defence and Services Australia, commenced in July and are operating for a year.

The three departments are responsible for the design and implementation of their own hub, which are testing core services and a hub operating model to improve their own and other agencies cyber defences.

An audit of Australian government agencies’ cybersecurity resilience this year found many had failed to meet mandatory risk mitigation strategies. The review repeated a previous call by the Auditor General for Home Affairs to do more to support cyber security implementation and for the introduction of arrangements to hold it to account when it did not.

Home Affairs did not agree with the recommendation and argued an increase in accountability and transparency of cyber security requirements should be measured once the cyber hub capability is operational. This would be late 2022 at the earliest.

In response to questions on notice from Labor Senator Katy Gallagher about tender documents, Home Affairs Minister Karen Andrews confirmed the department has awarded EY two contracts for work on the pilot hub.

The first, awarded in February, was listed as “IT Technical Services”, and paid the consultancy more than $1.5 million for less than six months work which ended in June. A second, separate contract was awarded in August for $946,000.

“As part of Australia’s 2020 Cyber Security Strategy, EY have been engaged to provide assistance to the Department of Home Affairs to establish a Cyber Hub that will provide cyber security services to other Commonwealth agencies, and to further strengthen the Department’s cyber security posture,” Mrs Andrews said in a written response.

The Home Affairs minister said her department could not perform the work itself because it does not currently have the “the capacity and specialist knowledge to undertake the activities within existing resources”.

“As this is a time-limited activity, it does not lend itself to having staff with these specialist skills as part of the ordinary staffing compliment. EY is providing specialist knowledge and expertise in this field that will supplement the existing staffing complement.”

EY enjoyed a bumper 2020 in government contracts, recording an annual increase of $27 million in the pandemic year, up nearly a third on 2019, according to an InnovationAus analysis of tender documents.

For its latest contract with the Department of Home Affairs, the big four consultancy will be used to support other government agencies’ transition to the pilot cyber hub by reviewing their “transition readiness”.

“EY will engage with the Home Affairs Cyber Hub client agencies to review relevant technical and policy documentation, and provide a transition readiness assessment to enable the smooth transition of the client agency to the Home Affairs Cyber Hub,” Ms Andrews said.

Do you know more? Contact James Riley via Email.

Leave a Comment