Government departments and agencies are still failing to implement the baseline cyber security requirements, leaving them “vulnerable” to potential attacks, an audit has revealed.
The Australian National Audit Office (ANAO) released its fourth report on the cyber resilience of government departments and agencies last week, again finding a failure to implement even the most basic of cyber security protections.
The audit investigated the Department of Treasury, National Archives of Australia and Geoscience Australia and their compliance with the Australian Signals Directorate’s Essential Eight cyber security guidelines.
While Treasury passed the test, National Archives and Geoscience Australia both failed comprehensively.
“This audit identified relatively low levels of effectiveness of Commonwealth entities in managing cyber risks, with only one of the three audited entities compliant with the Top Four mitigation strategies. None of the three entities had implemented the four non-mandatory strategies in the Essential Eight and were largely at early stages of consideration and implementation,” the ANAO said in its report.
“These findings provide further evidence that the implementation of the current framework is not achieving compliance with cyber security requirements, and needs to be strengthened.”
There are four mandatory cyber mitigation strategies for government departments and agencies: application whitelisting, applying application patches, applying operating system patches and effectively managing access provisions for privileged user accounts.
There are also four non-mandatory but highly recommended mitigation strategies for these agencies.
The audit was most scathing of Geoscience Australia, which was found to be “vulnerable to cyber attacks” due to its lack of compliance with the Top Four and unsound ICT general controls.
“Geoscience Australia was assessed as vulnerable, with a high level of exposure and opportunity for external attacks and internal breaches and unauthorised disclosures of information. Geoscience Australia has traditionally had a culture of scientific independence that it had allowed to override resilience considerations,” the report found.
Geoscience Australia has agreed to the ANAO’s recommendation that it establish a plan and timeframe to achieve compliance with the mitigation strategies and to monitor its progress on this plan.
“Geoscience Australia is committed to improving its security compliance and cyber resilience to a level appropriate for a government organisation that plays a role in providing scientific information and services to industry and the broader community,” the agency said in response to the report.
“We have already commenced actions to improve compliance to address the security issues identified including: the engagement of a senior consultant to advise on an overarching security framework; the establishment of a Security Working Group; and an action plan to address compliance with the ASD’s strategies to mitigate cyber security incidents.”
Geoscience Australia is at the centre of the federal government’s $260 million investment in GPS technologies, announced in this year’s budget. The organisation will be receiving large amounts of money over the next four years to improve the accuracy, integrity and availability of positioning data.
While National Archives was not compliant with the Top Four, it was found to have sound ICT general controls, making it “not cyber resilient but internally resilient”.
“Until the National Archives and Geoscience Australia achieve compliance with the mandatory strategies, it is inappropriate to consider that a positive cyber resilience culture is in place,” the audit said.
National Archives has also agreed to produce a plan to implement the mandatory mitigation strategies.
All three of the audited entities had also implemented only one of the four non-mandatory mitigation strategies: the daily backup of important data.
The audit also found that National Archives had not accurately self-reported its compliance with the Top Four mitigation strategies. This led the ANAO to recommend that the government provide better technical guidance and support for entities to self-assess their compliance, and a program for verifying their reported compliance.
“In its current form, the Essential Eight Maturity Model is unlikely to achieve its objective of assisting entities to determine their maturity in implementing the Essential Eight mitigation strategies,” the ANAO said.
“This is primarily because there is inconsistent and incomplete alignment between the definitions of the mitigation strategies in the Australian government Information Security Manual and the criteria for attaining a particular maturity level in the Essential Eight Maturity Model document.”
This was agreed to by the Attorney-General’s department.
A parliamentary committee has also recommended that all eight of the ASD’s mitigation strategies be made mandatory for government departments and agencies.
The ANAO has conducted a series of audits of government departments and agencies and their compliance with the baseline of cyber security protections.
So far the Australian Federal Police, Australian Taxation Office, Department of Human Services and Department of Immigration and Border Protection (now Home Affairs) have also failed the test.
A follow-up ANAO audit last year found that the DHS is now cyber resilient, making it one of the few departments that actually complies with the ASD’s mandatory mitigation strategies.