None of the government entities recently examined by an Australian National Audit Office review have fully implemented the mandatory cyber security risk mitigation strategies developed eight years ago to safeguard the information they hold.
The mandatory mitigation strategies are basic: application whitelisting, patching applications, restricting administrative privileges, and patching operating systems.
Two of the entities that had self-assessed full implementation for one or more of the mandatory mitigation strategies – the Department of the Prime Minister and Cabinet and the Attorney-General’s department – did so inaccurately in the 2018/19 financial year.
The Prime Minister’s department claimed full implementation of the four strategies at the time, but the audit office has discovered it had not fully implemented the mitigation strategy for restricting administrative privileges.
The opposition says the report is damning and reveals the exposure of sensitive information across government agencies.
The Australian National Audit Office (ANAO) late on Friday afternoon released its findings from an audit of nine government entities, including the three with responsibilities for the whole-of-government cyber security policy and support.
The Attorney-General’s Department (AGD); Australian Trade and Investment Commission (Austrade); Department of Education, Skills, and Employment; Future Fund Management Agency; Department of Health; IP Australia; and Department of the Prime Minister and Cabinet (PM&C) were all examined.
The Department of Home Affairs and the Australian Signals Directorate were also included in the review, but their cyber mitigation strategies were not assessed.
All the entities examined by the Auditor General have agreed to its recommendations to improve cyber resilience.
But those with the most responsibility – the ASD, Home Affairs and the AGD – have only “noted” the recommendation to introduce more accountability for implementation of cyber security requirements, arguing that is a task for the government and regulators.
The findings reveal a failure to accurately self-assess the implementation of critical mitigation strategies in some entities and a majority reporting “Ad hoc” or “Developing” maturity levels of cyber mitigation.
None of the three entities examined for cyber resilience – the PM&C, AGD and the Future Fund – were considered either cyber secure or cyber resilient by the Auditor General.
Since 2013 the Australian government has mandated the implementation of at least the “Top Four” cyber mitigation strategies by non-corporate Commonwealth entities under the Protective Security Policy Framework (PSPF) and its revised Policy 10.
Only 24 per cent of non-corporate Commonwealth entities were compliant with the mandatory Top Four mitigation strategies in ANAO performance audits since 2014.
There are a further four that are strongly encouraged, making up the “Essential Eight” mitigation strategies.
But several audits have revealed low levels of compliance with even the mandatory four, leading to the Auditor General being asked to conduct another audit on the effectiveness of the PSPF self-assessment and reporting requirements, as well as the responsible agencies’ role in improving compliance.
According to the latest audit report, “The implementation of cyber security risk mitigation strategies by the selected entities was not fully effective and did not fully meet the mandatory requirements of PSPF Policy 10”.
The poor levels of compliance come despite warnings from Australian cyber and spy agencies that malicious cyberattacks are increasing in frequency, scale and sophistication.
In the last financial year Australian government entities reported 436 cyber security incidents to the Australian Signals Directorate.
In December a government-led parliamentary committee called for annual reviews to be conducted into the cyber resilience of Commonwealth entities, flagging the same lack of compliance highlighted by the Auditor General.
Shadow assistant minister for communications and cybersecurity Tim Watts said the report showed the Morrison government is failing to “do the basics” on cybersecurity.
“How can the Morrison Government claim any credibility on cyber security when it can’t even implement its own cyber security standards across government?” Mr Watts told InnovationAus.
“These are some of our most sensitive government departments. It’s not good enough that they are left exposed.
“Once again we see the Morrison Government loves a cyber security media event, but isn’t there for the delivery.”