A blind eye to ASD top four
Cyber tools: Mandatory rules are proving to be hard to enforce
Despite having three years to comply with the federal government’s top four mandatory cybersecurity mitigation strategies, the Australian Taxation Office (ATO) and the Immigration department have both failed to meet the standard, a Joint Committee of Public Accounts and Audit (JCPAA) report has found.
The committee said it was “most concerned” the two entities were not compliant with the top four mitigation strategies and are not cyber resilient.
The Australian Signals Directorate (ASD) says that if the top four mitigation strategies were to be implemented across government, it would prevent 85 per cent of targeted cyber intrusions.
Committee chair Dean Smith said cybersecurity should be a top priority for all government entities.
“Achieving compliance with the mandatory cyber mitigation strategies is one way entities improve their cyber resilience and mitigate cyber-incidents, alongside good governance and a strong culture of prioritising cybersecurity within the context of entity-wide strategic objectives,” Senator Smith said.
This conclusion comes off the back of an Auditor-General’s cybersecurity follow-up audit in March, which found – after assessing three federal government entities – that only the Human Services department was compliant with the top four mitigation strategies, leaving the ATO and Immigration to improve and prioritise their cybersecurity arrangements.
“With increasing volumes of data being collected and used by various government systems, the security of sensitive personal, industry and government information is becoming a greater challenge,” the ANAO said.
The report made 10 recommendations around how the federal government can strengthen its cybersecurity hygiene.
The first recommendation was to ensure the ATO and the DIBP report back to the committee on their progress towards achieving full compliance with the top four mitigation strategies by June 2018.
ATO chief information officer Ramez Katf said that in light of the JCPAA report the ATO had committed to being fully compliant with the top four mitigation strategies by the end of November.
“Since the ANAO report was released earlier this year, work has already been completed to implement the recommendations and move to full compliance,” Mr Katf told InnovationAus.com.
“We had planned to be fully compliant by mid this year, however the IT outages we experienced in December and February slowed down progress.
“As with all large organisations, the ATO faces an ongoing challenge to ensure the security and integrity of our IT systems and the data we hold. To mitigate these risks we have a number of supporting functions and practices to protect the data and systems from cyber intrusion and attack.
“We are committed to continuing to provide the community with new channels to interact with the ATO which make it easier to comply with their tax and superannuation obligations and ensure a level playing field for all taxpayers in a safe and secure environment.”
The Immigration department, on the other hand, was not able to provide a date for full compliance, which the committee said was “particularly concerning” because the department had previously told the committee it would be fully compliant by December 2016.
“The committee is concerned to hear from [Immigration] that it is only in its second year of implementing cybersecurity enhancement programs.
“The Committee notes that significant machinery of government changes—with the creation of Australian Border Force—contributed to the delay in achieving compliance, however considers that compliance may have been achieved sooner if investment in these programs were made earlier,” it said.
Immigration deputy secretary Maria Fernandez informed the committee the agency did prioritise securing its internet gateways.
“We prioritise, of course, the layers that are closest to the external, our secure gateways. We have two secure gateways and they are accredited by ASD,” she said.
This defence mechanism used by the Immigration department falls under the federal Internet Gateway Reduction Program, which aims to consolidate internet gateways across government to reduce the risk of successful cyberattacks. The committee recommended that the program be reviewed by the Digital Transformation Agency.
Additionally, a spokesperson for Immigration pointed out in the department’s defence that when the original audit was tabled in 2014, it assessed the cybersecurity compliance of the former Australian Customs and Border Protection Service, which has since been integrated, and now “operates in a significantly more complex environment”.
The Immigration spokesperson said the department recognised its obligation to secure information and its IT systems, and has already made “substantial” progress on achieving cybersecurity compliance.
“Significant progress against a number of aspects of the ANAO audit has been made since the audit was tabled, including increasing the frequency of security patching,” the spokesperson said. “The Department has a range of strategies in place to prevent, detect and respond to cyber-attacks.”
In addition, the committee recommended the Attorney-General’s Department and the ASD report annually on the federal government’s cybersecurity posture to parliament, such as through the Parliamentary Joint Committee on Intelligence and Security.
This year the ASD updated its cybersecurity strategies from the top four to the essential eight in response to the increase in ransomware threats.
But unlike the top four, the essential eight is not mandatory. However, the committee has recommended that the government mandate the essential eight cybersecurity strategies by June 2018.