Look beyond cyber audits: ASD
Mike Burgess: Audits of cyber compliance only tell part of the cyber story
Damning audits of government departments and agencies do not paint the full picture of the state of play in public sector cyber security, according to Australian Signals Directorate chief Mike Burgess.
Over the last five years, the Australian National Audit Office has completed a series of audits of the cyber security resilience of government agencies and departments, and whether they were compliant with the ASD’s top four mitigation strategies.
It has found that just four government entities out of the 14 audited were compliant with these baseline strategies.
“These findings provide further evidence that the implementation of the current framework is not achieving compliance with cyber security requirements, and needs to be strengthened,” the ANAO report said.
But ASD director-general Mike Burgess told a Senate estimates hearing on Wednesday evening that this exercise isn’t all that effective in determining whether an agency or department is actually cyber resilient.
“The problem in the security world with audit findings is that you can’t just view it as a tick and flick compliance matter, because an agency that does not necessarily follow our guidance is not in and of itself a measure of security or insecurity,” Mr Burgess told the estimates hearing.
“Security is risk management, it is not risk avoidance and there’s no such thing as perfect security. So to just call out a government department that isn’t compliant in itself is not a sensible measure of the security of that department.”
While an agency may be unable to patch their software, for example, it may be able to take other measures to achieve the same result, Mr Burgess said.
“If you’re an organisation using legacy IT, sometimes our advice may be impractical to do, but the key thing here is you identify your risk, know that risk and know when you can fix that,” he said.
Australian Cyber Security Centre head Alastair MacGibbon, who was also appearing at the estimates hearing, pointed to the example of a hospital as an organisation that may be unable to follow the top four strategies but can still remain as secure as possible.
“They tend to have very expensive machines attached to computers that when the machine is certified for medical use, the computer is as well and you can’t upgrade the computer with them,” Mr MacGibbon said.
“Some of that software gets old and there are no longer patches written for it, but you need to patch these computers to reduce the threat surface against known attacks.”
“Technically they’re not compliant, but you can do a whole range of things that are about risk management. An audit would say that you’re not complying with the patching because you can’t, but I can effectively risk manage to achieve exactly the same outcome.”
“While there are compliance regimes and that can create hygiene if it’s done well, in and of itself that doesn’t create security. But security without any compliance is just as unlikely. It’s a combination of rules and behaviours and maturity of management, and it’s a risk management exercise.”
Mr MacGibbon also hit back at recent media reports that the Chinese government has used small computer chips to infiltrate US companies – the same chips used by some Australian government agencies – saying there was “no substance” to these claims.
“There’s no evidence from any of our allies that the assertions in the Bloomberg article are correct, and our counterparts in the UK and US came out very quickly to say that they don’t believe the article was correct,” he said.
But he did say that the article touches on a more significant issue in securing the government’s technology supply chain.
“It raises a broader question around the security of our supply chain and that is a significant problem that has been increasingly identified over the last several years. We don’t believe the article to be correct, but the notion in the article is indeed a true threat to cyber security generally,” Mr MacGibbon said.
The cyber security of Australia’s electoral system was also questioned by senators, with Mr MacGibbon saying that while he believes it is very safe, it is a “constant struggle”.
“There are no specific concerns and no evidence that anyone has been inside those systems,” he said.
“There are lots of ways that are outside of our remit that people could try to influence the outcome of elections. But in terms of the electoral systems, we work with Home Affairs to look to the integrity of those systems and I don’t think you would ever rest on your laurels, you certainly don’t when it comes to cyber security.
“No-one ever puts up a mission accomplished sign around cyber security, we would always be looking at new ways to secure systems.
“We’ve brought technology into uses that we’ve not done before and that increases the threat surface and we’re dealing with nation states and criminal groups looking at new ways to ply their trade,” Mr MacGibbon said.
“We’re in a constant struggle and that goes well beyond electoral systems into every other part of Australian society.”