Audit slaps Govt cyber practice
Alastair MacGibbon: The Australian Government cyber security chieftain
A Parliamentary inquiry is underway into two government agencies’ lack of ‘cyber resilience’ due to a failure to adhere to basic cybersecurity practices.
The Joint Committee of Public Accounts and Audit launched the Cybersecurity Compliance inquiry late last week in response to an Auditor-General’s report on the cybersecurity practices internally at the Department of Human Services, Department of Immigration and Border Protection and the Australian Taxation Office.
Only the Department of Human Services was found to be “cyber resilient” and adhering to the government’s own baseline standards for cybersecurity.
The ATO and Immigration were found not to be practising all of the Australian Signals Directorate’s (ASD) Top Four strategies to prevent cyber intrusions, which are mandatory for all government departments.
Both agencies are highly reliant on technology and online services to process large amounts of money and sensitive information, and are at risk of cyberattack. The ATO collects over $440 billion in gross tax revenue annually through its electronic lodgement systems, while Immigration processes around seven million visas each year.
They also collect, store and use sensitive personal data of individuals.
The audit found that the Department of Immigration and ATO were not “cyber resilient”, meaning they don’t have an adequate ability to counter or prevent external cyber attacks.
“Not operating in a cyber resilient environment puts entities’ data and business processes at risk, with potentially significant consequences for Australian citizens and other clients and stakeholders,” the audit report said.
The Top Four mitigation strategies include application whitelisting, application patching, operating system patching and minimising privileged user access.
Both Immigration and the ATO were found not to be implementing all of these strategies: neither was properly employing application patching, and while both had an application whitelisting strategy, each had “deviated from it”.
The ATO, moreover, only developed its application whitelisting strategy during the course of the audit.
The failure to adhere to the Top Four guidelines is compounded by the fact that these are now obsolete, having been updated by the ASD in February.
The basic guidelines were expanded to become the Essential Eight, with a new focus on preventing “ransomware and external adversaries with destructive intent, malicious insiders, business email compromise and industrial control systems”.
“Cybersecurity is a strategic priority for the Australian government. Entities that choose to prioritise cybersecurity are better positioned to achieve cyber resilience. Being cyber resilient will help entities to effectively deter and respond to cyberattacks while still focusing on delivering business outcomes,” the report said.
“Entities that do not manage cybersecurity as a strategic priority and that do not have effective governance arrangements in place will find it increasingly difficult to be cyber resilient.”
In response to the report, a Parliamentary inquiry was launched late last week to hold the government to account, Liberal senator and committee chair Dean Smith said.
“Cybersecurity is integral to protect government systems and secure the continued delivery of government businesses. Government entities are required to implement mitigation strategies to reduce the risk of cyber intrusions. The Committee is continuing its oversight of entities’ compliance with the mandated strategies with the launch of this inquiry,” Senator Smith said.
It will be accepting public submissions until April 27, with a public hearing taking place in Canberra next month.
In January, Prime Minister Malcolm Turnbull dubbed cybersecurity the “new frontier of warfare” and discussed the dangers of cyberattacks.
“You can pretend these threats are not there if you like, but that will only make you susceptible to being taken in by them. Alertness, awareness is absolutely critical,” Mr Turnbull said.
“We have the means to mitigate the risk. You can’t eliminate it completely but it is very important to take those steps to do so.”