A government-led parliamentary committee has called for annual reviews to be conducted into the cyber resilience of Commonwealth entities with many departments and agencies still not having implemented baseline protections, despite these now being mandatory.
The Joint Committee of Public Accounts and Audit (JCPAA), chaired by Liberal MP Lucy Wicks, tabled its report on cyber resilience last week, finding that a lack of accountability mechanisms was contributing to lagging uptake of basic cybersecurity protocols in the public sector.
“It is the committee’s view that there would appear to be no formal framework or implementation plans for the adoption of the 13 behaviours and practices the Auditor-General has outlined as assisting to establish a cyber resilient culture,” the joint committee’s report said.
“Accountability mechanisms to ensure agencies are complying with the Protective Security Policy Framework are limited and that each accountable authority must ensure their own compliance with mandatory frameworks. The committee considers that greater transparency in the implementation of a cyber resilience culture within corporate and non-corporate Commonwealth entities is required.”
The committee recommended that the Australian National Audit Office (ANAO) consider conducting an annual limited assurance review into the cyber resilience of Commonwealth entities.
Shadow assistant minister for cybersecurity Tim Watts, a member of the JCPAA, said this would go a long way to improving accountability and transparency in the APS.
“It’s a really big deal, and it’s a reflection of the seriousness with which the committee views the current situation. There’s no accountability if they don’t do it,” Mr Watts told InnovationAus.
“It tackles the accountability problem. At the moment Commonwealth entities are responsible for their own cybersecurity, but if they don’t do what they are required to do, if they don’t do the basics, there are no consequences,’ he said.
“There’s no way for Parliamentarians to know who is doing what’s required – they don’t report to Parliament, and don’t reveal their cyber posturing on an individual level.”
The committee also recommended that this review be paid for by the responsible policy agencies or government.
“The limited assurance process would enable the ANAO to look across the entirety of the Commonwealth to identify areas of non-compliance, to find systemic problems and empower the ANAO to do deeper dives into specific entities and issues and then report to Parliament,” Mr Watts said.
“The reason that figure hasn’t moved is there’s no accountability, no-one is held responsible, and there’s no way for Parliament to identify departments that are non-compliant and force them to take action. That’s the significant part of this report.”
Last week the federal government introduced legislation to Parliament that would impose sweeping new cybersecurity obligations on a wide range of businesses deemed to operate critical infrastructure, including cloud storage firms and data holders.
The government needs to show that it is also following these cyber obligations, Mr Watts said.
“At a time when the government is trying to impose very significant new cybersecurity obligations on the private sector, unless the government lifts its game it leaves itself substantially open to accusations of it telling Australian businesses to do as I say, not as I do,” he said.
“I expect government to listen to the recommendations from its own members. It might sound bureaucratic, but it really matters. We have a Prime Minister in this country who never misses a photo opportunity when it comes to talking about cyber threats, but we need a PM who is there to follow-up on what’s necessary to build cyber resilience.”
The JCPAA also recommended that the Attorney-General’s department provide an update on the implementation of a benchmarking process to verify compliance with cybersecurity requirements, and an update on the cybersecurity maturity within the APS.
The government should also report on any impediments preventing departments and agencies from implementing the baseline four strategies for cyber risk mitigation, the committee said.
Do you know more? Contact James Riley via Email.