The New South Wales government’s cyber agency is yet to verify other agencies’ security claims and has “no plan” to realise its maturity uplift target, despite a massive funding boost and a government declaration audits would start two years ago.
The agency is also struggling to impact the local government sector because it has “no authority” and no formal plan to engage councils.
Cyber Security NSW’s lack of scrutiny, direction and impact was highlighted in a performance audit of the agency released on Wednesday. It found that despite the agency’s funding quadrupling, Cyber Security NSW “cannot effectively demonstrate its progress toward improving cyber resilience”.
The findings are concerning to New South Wales Labor, with the Opposition committing to review the cyber agency’s operations if it forms government next month.
The state’s cyber chief said the agency is already working on initiatives to address the audit’s four recommendations, which will be part of the next New South Wales government cyber policy to be released in July.
Cyber Security NSW, set up in 2018 and significantly expanded in 2020 with $60 million over three years, has a “high-level purpose” and sound “core pillars” to support the government’s cyber security aims, the audit found.
But it has struggled with communicating and measuring its aims and objectives.
The audit office could find “no plan” for the agency to achieve the cyber maturity level uplift across government that was key to the business case behind its 2020 expansion.
“We found no subsequent plan or roadmap for moving toward the level 3 target [cyber maturity level], nor any benefits realisation plan illustrating how other intended benefits or outcomes of the business case would be achieved, as well as how they would be monitored to track progress,” the audit said.
The state’s Auditor-General, Margaret Crawford, also pointed to a failure by the agency to address well-known concerns with government agencies’ self-assessments of cyber maturity.
“Cyber Security NSW has a remit to carry out audits of agencies’ self-assessments, but it has not carried out these audits and does not seek its own assurance of the results of these self-assessments. It is not sufficiently addressing previously identified inconsistencies and inaccuracies in how those self-assessments are performed and reported,” the audit said.
Cyber Security NSW is not responsible for other agencies’ cyber risks, mitigation or responses. But it does have an assurance role and the remit to audit other agencies’ self-assessments.
The self-assessments provide the only measure of the state government’s cyber security maturity, but previous audits have found them to be inconsistent and agencies have tended to overstate their maturity.
A government circular issued in 2020 said agencies would be subject to audits by Cyber Security NSW commencing 2020–21 to check their compliance with the state’s cyber security policy.
This form of external checking of agencies’ cyber maturity would be an “important assurance” that the claims are reliable, the Auditor-General’s report said. But Cyber Security NSW has not performed any.
Shadow minister for Digital and Customer Service, Yasmin Catley, said the lack of audits is concerning.
“Cyber Security NSW is the NSW government agency with the foremost cyber security knowledge; it must ensure that cyber security resilience is up to standard across the board,” she told InnovationAus.com.
“I am comfortable with Cyber Security NSW conducting these audits but they simply must be done in a timely fashion.”
Auditing all government agencies’ cyber claims would not be reasonable or feasible, the Auditor-General said, but a risk-based approach may help with compliance and education outcomes.
“As one senior agency stakeholder suggested, agencies are more likely to comply with the policy if ‘…someone might be looking over their shoulder’,” the report said.
A limited impact on the local government sector was also identified, with the Auditor-General finding the agency “has some responsibility, although no authority, to improve cyber security resilience in the local government sector”.
As part of its increased funding in 2020, Cyber Security NSW was tasked with raising the capability of cyber security in the local government sector through intelligence and awareness.
But the agency has “no formal authority to mandate cyber security requirements on local councils” and has not developed formal engagement strategies, instead relying on “relationship building” and an opt-in from individual councils.
Ms Catley said it was an issue that needed to be addressed in the next Parliament.
“I am concerned that an opt-in approach with local government will leave local councils with unmanaged cyber security risks. Addressing this issue should be a priority for the next Parliament,” she said.
The Audit Office made four formal recommendations.
It called for the Department of Customer Service to implement an approach that provides “reasonable assurance” that agencies are consistently and accurately reporting their cyber maturity.
Cyber Security NSW should also develop a clear strategic plan showing how it contributes to government outcomes, develop a catalogue of services available to other agencies, and develop an engagement strategy for the local government sector.
The critical audit comes as Cyber Security NSW is preparing a business case for its next funding round in July.
Department of Customer Service Secretary Emma Hogan accepted all of the Auditor-General’s recommendations, noting work is underway on each but that finalisation may need to wait for funding decisions and the 2023 Cyber Security Policy, set to be released in July.
The state government’s chief cyber security officer Tony Chapman welcomed the audit findings, saying they are being used to inform the upcoming government-wide cyber security policy. But there is no silver bullet for all agencies, he said.
“In 2022 Cyber Security NSW hosted the 2022 Cyber Insights Series: Beyond Essential Eight which was designed to ensure the NSW Government was across industry best practice for cyber security frameworks,” Mr Chapman told InnovationAus.com.
“A recurring theme throughout the discussion was that no one framework could serve as the ‘be all and end all’ for robust cyber security. It is crucial each organisation pursues cyber security uplift which considers their own risk profile and resources.”
Cyber Security NSW has launched a Cyber Insights Panel to facilitate risk-based discussion with individual NSW Government clusters and agencies, Mr Chapman said.
Ms Catley said a Labor government would take a close look at the agency’s operations.
“Labor will review the operation of Cyber Security NSW to ensure the NSW Government is adapting to new and emerging cyber security threats and that cyber security knowledge is being prioritised at the highest levels of decision making in all government departments,” she told InnovationAus.com.
“With the continued digitisation of government services and now shared data between the state and federal governments, it is critical that cyber security is a priority policy and investment area for all governments. We must ensure we maintain the trust of citizens that we can protect their data,” Ms Catley said.
Do you know more? Contact James Riley via Email.