Better transparency is needed on the cyber resilience measures taken by departments and agencies in the wake of damning exposures of cyber shortcomings across government, with Labor now calling for a name-and-shame-style approach to driving cyber improvements in the public sector.
The Australian National Audit Office (ANAO) appeared before a Joint Committee of Public Accounts and Audit hearing last week to address recent audits of 14 entities, and whether they were compliant with mandatory government requirements for information security.
These audits have repeatedly found that public departments and agencies have failed to put in place even the most basic cyber mitigations, with just 29 per cent compliant with the ASD’s Essential Eight mitigation strategies.
And the poor performance was not showing signs of improving, Auditor-General Grant Hehir told the hearing.
“We wouldn’t be auditing as much as we do if we had seen a progressive improvement through time. Within the first couple of audits if we had seen a broad-scale compliance with the mandatory framework, I don’t think you would be seeing us putting out an audit every year into this space, so the level of work we do is a reflection of our concerns about the level of compliance within the sector,” Mr Hehir said.
“It goes not just to individual entities but to the effectiveness of the framework. There has been a new framework put in place which has additional oversight arrangements and that may be more successful, but we are not in a position to comment on that yet.”
Under the current framework, entities typically self-assess on whether they are compliant with baseline cybersecurity guidelines, and this information is not made public.
Labor is now calling for a significant overhaul of this scheme to provide more transparency in an effort to improve cyber resilience in the public sector.
“Transparency could increase cybersecurity by creating incentives for improved performance through public accountability, [like] the name and shame approach,” shadow assistant minister for cybersecurity Tim Watts said following the hearing.
“On top of these transparency problems, there’s an accountability problem too. Namely, Commonwealth entities get to mark their own homework,” he said.
“Unsurprisingly, when agencies mark their own homework, they give themselves higher grades than when someone else marks them.
“The ANAO has said that it will be looking again at the self-assessment process in its current cyber resilience audits. The current approach to cyber resilience in Commonwealth entities isn’t working and hasn’t been working for a long time. At a time when the threats to our national cyber resilience have probably never been greater, this is a problem.”
The ANAO has previously found that while 60 per cent of departments self-assessed as compliant, less than 30 per cent were actually found to be compliant by the audit office.
While the departments have claimed at Senate estimates that this gap is due to different assessment criteria, the ANAO could not list any such differences at the recent public hearing.
And while the Attorney-General’s Department and ASD do now report annually on Commonwealth cybersecurity posture to Parliament, this is in the form of anonymised and aggregate data. The most recent report did however admit that cybersecurity levels “remain at low levels across the Australian government”.
But the lack of detailed information on which departments and agencies are lagging behind will hamper progress, Mr Watts said.
Labor asked every entity at the most recent Senate estimates hearing to list which of the Essential Eight measures they are compliant with, but all except a single agency refused to do so on security grounds.
These departments said that listing their compliance would provide a “single, detailed and individualised snapshot in time of the entire federal government’s cybersecurity maturity” and “may provide a heat map for vulnerabilities”.
The one entity willing to publicly list its compliance with the security measures was the ANAO itself, with Mr Hehir telling the hearing that the agency had no issue with making that information freely available.
“I think everyone takes into account the security implications of publishing information with respect to security vulnerabilities,” Mr Hehir said.
Labor MP Julian Hill criticised this for being a “get-out-of-jail-free card” for government entities.
“When you’re asking agencies to comment on their cybersecurity posture and they say, ‘oh, we can’t comment on that because it might risk our cybersecurity’, or ‘we’ll only talk to you about that in secret’, it starts to undermine the whole intent of that transparency framework,” Mr Hill said.
Improving cyber resilience in the public sector has never been more important in the wake of the COVID-19 pandemic, Mr Watts said.
“We all understand how important cyber resilience is. COVID-19 reminds us of the consequences of unexpected events. Serious cyberattack or failure could also have devastating systemic consequences, so it’s good to be prepared. Unfortunately, we have some reasons to be worried,” he said.