In an unusual piece of logic, the federal government says it will not mandate the Australian Signals Directorate’s Essential Eight information security controls for all Commonwealth public sector organisations, because their “cyber security maturity” isn’t high enough yet.
In an official response to 18-month-old recommendations of the bipartisan parliamentary audit committee, the government declined to set the new rule for all federal entities covered by the Public Governance, Performance and Accountability Act.
The committee originally suggested making the full eight controls compulsory by June 2018, but even if the government did it tomorrow, federal agencies would suddenly have a lot of catching up to do, including the department responsible for cyber security policy.
“However, the Government will consider mandating the Essential Eight when cyber security maturity has increased across entities,” according to the official reply to the Joint Committee of Public Accounts and Audit’s October 2017 report on cyber resilience, published this month.
On the contrary, some members of the committee think having stronger compulsory requirements now — or at least greater urgency about meeting the existing ones — might encourage cyber maturity to improve faster.
The government’s improbable plan “to progress toward implementation of the Essential Eight” oddly involves maintaining the unsuccessful status quo. It wants to keep only the Top Four controls mandatory while “strongly recommending” the others and requiring reports on progress.
The long-delayed response is a combined effort on behalf of the government and five agencies. These include the two whose cyber resilience and compliance with basic controls were found wanting by the auditor-general earlier in 2017: the Tax Office and the Department of Home Affairs (Immigration and Border Protection at the time).
It also purports to speak for entities with roles in government IT and security: ASD, the Attorney-General’s Department, the Digital Transformation Agency and, again, Home Affairs. The joint statement notes this is a departure from “a traditional split between policy and administrative responses” but leaves us to speculate as to why.
The ATO had fully implemented the mandatory Top Four controls by November 2017 and is still “progressively implementing” the complete Essential Eight.
Home Affairs has still only fully implemented three of the Top Four: application whitelisting, patching operating systems, and minimising administrative privileges. It does not expect to have fully implemented the fourth mandatory control – application patching – until the middle of 2020.
It blames the challenges of “consolidating legacy ICT environments” for its tardiness in achieving full compliance.
The response lists various cyber security changes in both agencies since 2017. It spends considerable time trying to reassure the JCPAA that Home Affairs is playing a strong role at a whole-of-government level and that its own information is well protected by a “defence in depth” strategy with a few key points:
- an accredited and resilient secure gateway which manages any traffic into and out of the Department’s corporate environment;
- layered technical controls that manage access to information and systems;
- regular penetration tests and vulnerability assessments of the Department’s systems;
- rolling system assessments through the Department’s security accreditation framework throughout their lifecycle; and
- governance controls including policies and procedures, a Cyber Risk Management Board that oversights cyber security issues, and regular internal and external reviews of the Department’s cyber security capability.
“These controls have been effective in preventing intrusions to departmental systems or the compromise of data,” asserts the government response.
“The Department is always looking to improve its cyber resilience and remains cognisant of the evolving threat environment, achieved in part through engagement with Australia’s intelligence agencies.”
The statement confidently asserts that Commonwealth public sector information security is generally improving:
“The recent consolidation of policy and operational capability within the Department of Home Affairs and the Australian Cyber Security Centre (ACSC), respectively, has strengthened and streamlined the Government’s ability to not only respond to cyber security incidents but become exemplars of cyber security best practice.
“To support entities, the Government, through the ACSC and the Department of Home Affairs, will take more proactive steps to partner with Public Governance, Performance and Accountability Act 2013 entities to establish effective behaviours and lift their cyber security in ways that accurately address both the barriers they face and their unique risk environments.”
Slow going towards ‘cyber resilience’ in Canberra
Concern about the risks to government systems has grown in recent years, while auditor-general Grant Hehir has consistently found agencies are not “cyber resilient” and, when the JCPAA follows up his reports, it keeps hearing that efforts to improve this are slow going.
Implementation of the Top Four is normally only checked through self-assessment and reporting to the AGD under the general protective security policy. Hehir thinks an additional layer of oversight would be good: about five years of audits have found only four of 14 agencies (29%) were compliant at the time he audited them, while self-reporting to AGD suggests about 60% claim to have implemented the Top Four.
Just last month, the committee was following up Hehir’s more recent findings from mid-2018 that Treasury was cyber resilient, but Geoscience Australia and the National Archives of Australia were not.
Hehir told JCPAA member Gai Brodtmann in a recent hearing that a stronger form of oversight was probably required to push agencies towards 100% compliance with the mandatory Top Four, on the simple basis that it hasn’t been achieved yet.
The auditor can only assume that if something is mandatory then full compliance must be the ultimate goal; Brodtmann observed that “obviously, mandatory is not explicit enough for our government agencies” and suggested there was “complacency” in the public service about implementing the Top Four.
“Obviously the government needs to articulate that we need 100% compliance, and that, as part of that process, it is mandatory; it’s not an optional extra that people have been kicking down the road for the last five years,” she said.
Brodtmann knew the reply that would follow: the common refrain from public servants that the Top Four, Essential Eight and so on are merely boxes to tick, and there is so much more to managing cyber risk than rote compliance.
She seemed tired of hearing it. Brodtmann agreed with the general point but did not accept this as a logical reason to excuse agencies for failing to tick the basic, mandatory boxes.
“Everyone is blithely writing off this whole notion of ticking a box and saying we don’t want that mentality. Yes, I know we don’t want that mentality; we do want behavioural change and cultural change.
“But this is what we’ve got at the moment and I think we should give some assurance to the Australian people as to whether agencies are compliant or not, whether they’re safe and whether their information is safe.”
The struggle of small agencies
National Archives director-general David Fricker told the committee the limitations of his very stretched budget slowed down the process of improving cyber security.
He also believes “there’s a bit of a weakness built into this system” in that small agencies are well advised about the controls, but may not have the capability to fully implement them or the expertise to assess their own compliance accurately.
In Fricker’s view, “with self-assessment and reliance on individual agencies, each with an uneven capability and an uneven technical knowledge, we’re not going to achieve a consistent resilience across the Commonwealth.”
“There are always going to be agencies among us which represent the weaker link in the chain.”
Geoscience chief James Johnson made headlines when he told the committee on the same day that “executable files” had sat in the agency’s systems for months until found by ASD.
“It hadn’t actually developed into a major problem,” Johnson said, although as he and Fricker both pointed out, one agency can easily infect another if such malware is passed through links that could be as simple as an email from a trusted source.
Fricker said small agencies like the Archives would welcome more specialised assistance and advice and there was currently a “patchwork approach” to federal cyber security that could be improved through more central co-ordination and probably more resourcing.
“We’re all interconnected. … I think this is an issue we all have to collectively address,” he told the JCPAA.
ASD head Mike Burgess recently said in Senate estimates that data was taken from parliamentary computers in the recent high-profile hack, but nothing sensitive. Department of Parliamentary Services secretary Rob Stefanic confirmed in his estimates appearance that he had established a whole new cyber security branch in February, led by assistant secretary Ian McKenzie, and given new responsibilities to chief operating officer Cate Saunders.
Stefanic also told the JCPAA about his own challenges in becoming cyber resilient earlier in March, and said DPS had implemented the mandatory Top Four controls, plus one of the next four. Another of the Essential Eight was “in pilot” while a third was about 70% implemented, DPS told the committee.
Working in parliament house was a challenge, according to the department: “Within our unique environment the variety of software and services utilised by parliamentarians is highly varied and most likely exceeds the volume and diversity evident in other Commonwealth agencies.”
Compulsory surveys, Commonwealth ‘cyber posture’ reports
The Morrison government also agreed, in its long-delayed response to the JCPAA’s 2017 report, to describe the Commonwealth’s overall “cyber security posture” every year in a report to parliament.
Here the response makes the key point that “neither AGD nor ASD have direct oversight of, or accountability for Commonwealth entities” under current arrangements.
“Any report would be limited to information obtained through survey instruments, cyber incident reporting and follow up investigations,” it continues.
“Consistent with its responsibility for cyber security policy and coordination, Home Affairs will support AGD and ASD to drive improved standards of cyber security across Government, including through enhanced reporting to the Parliament.”
In another decision that might improve reporting to parliament, the government also agrees to make the ASD’s annual survey compulsory, first for public service bodies and later for corporate public-sector entities, as legislative changes are required to extend mandatory cyber controls to all PGPA entities.
“In light of recent machinery of Government changes affecting Australia’s cyber security governance architecture, the Government will review the various cyber security surveys issued to entities to reduce duplication and ensure the information collected is both applicable to all agencies and informs the Government’s understanding of its cyber security posture.”
The government also agreed to establish another new mandatory requirement, in line with the recommendations of the DTA’s recent review of the Internet Gateway Reduction Program, with further details to be worked out as part of the wider effort to extend stronger cyber security requirements, and assistance, to all PGPA entities.
One issue is that corporate entities are not automatically required to follow all government policy like other agencies. The government commits to pursuing the necessary legislative reform to extend the cyber controls to corporate entities and meanwhile, the Australian Cyber Security Centre would assist them to strengthen security.
The belated statement promises Home Affairs, Attorney-General’s and ASD will continue to “work together to strengthen the standard of cyber security of Australian Government networks through enhanced technical guidance, improved verification and increased transparency and accountability” as well.
The JCPAA has now technically dissolved, so the inquiry into cyber resilience has lapsed, but just before the caretaker period began its members agreed it should be picked up again after the election. Its high-profile inquiry into the use of contractors and consultants, by contrast, will be left with no final report, to the disappointment of participants.
“The Committee remains strongly of the view that effective cyber resilience across Commonwealth agencies is a matter of critical importance to the Parliament and the Australian people and deserves constant review,” said the chair, Senator Dean Smith, in a statement.