Labor has criticised a new report on the Commonwealth government’s cybersecurity posture, claiming that it lacks the transparency and accountability needed to ensure federal agencies implement necessary cybersecurity measures.
The new report to parliament from the Australian Signals Directorate and Attorney-General’s Department has been released this week in response to recommendations from the Joint Committee of Public Accounts and Audit to support increased transparency in cyber security reporting.
Shadow assistant minister for cybersecurity Tim Watts says the report is an “indictment of seven years of failure by the Abbott-Turnbull-Morrison government to ensure the cyber-resilience of Commonwealth agencies and its continuing efforts to avoid public scrutiny”.
The report notes the Australian Cyber Security Centre responded to 427 cyber incidents against Commonwealth entities last year. Of those, 65% were self-reported, with the remainder identified through ACSC investigations, third-party reports, and analysis of classified and open-source material.
Sighting reports and indications of compromise accounted for 36% of incidents; 18% were due to malicious emails; data exposure, theft, or leak accounted for 14%; network scanning or brute force attacks also accounted for 14%; compromised systems made up 8%; and 3% were due to denial of service. The remaining incidents were classed as “other”.
The report also refers to the “Cyber Uplift” program, claiming it has improved entities’ cyber security posture.
However, it found Commonwealth entities “remain vulnerable to cyberthreats”.
“Additional work is required for Commonwealth entities to reach a mature and resilient cybersecurity posture that meets the evolving threat environment,” it says.
It found the baseline adoption of the Essential Eight mitigation strategies across the government “requires further improvement to meet the rapidly evolving cyber security threat environment”, and implementation of the mandatory Top Four cybersecurity incident mitigation strategies is incomplete.
Watts argues the report “offers little comfort that the Morrison government is addressing this important national vulnerability”.
“Extraordinarily, of the 25 Commonwealth entities that were prioritised for improvement as part of the Morrison government’s ‘Cyber Uplift’, none were assessed by the ACSC to have achieved their recommended cyber security maturity level. As a result, the report concluded that ‘these entities are vulnerable to current cyber threats targeting the Australian government’,” he says.
“Most damningly of all, more than six years after the government made them mandatory, the report found that implementation of the ASD’s Top Four cyber security measures ‘remains at low levels across the Australian government’.
“Despite this ongoing failure of security governance, this report provides no transparency or accountability for these failures.”
The shadow assistant minister is concerned that the scope for public accountability of the government’s cybersecurity posture is extremely limited, particularly because of a “blanket refusal to answer questions about Commonwealth agencies’ cyber resilience through the Senate Estimates process”.
He says Labor will continue to scrutinise the government through the Joint Committee of Public Accounts and Audit’s inquiry into the cyber-resilience of Commonwealth government agencies.
The report suggests areas Commonwealth entities should work on improving in 2020, “to maintain the currency and effectiveness of cybersecurity measures”. These include:
- continuing to review the ACSC’s cyber security advice, ensuring it is applicable, practical and effective for Commonwealth entities;
- ensuring the recommended cyber security measures keep pace with new and emerging technologies and constantly evolving cyberthreats;
- driving the modernisation of the government’s ICT systems to support the necessary cybersecurity posture, including stimulating and diversifying the ICT-skills pipeline;
- ensuring that baseline cybersecurity recommendations include detection and response readiness measures appropriate to the current cyberthreat environment;
- providing security reports, tools and supporting infrastructure to Commonwealth entities to supplement their detection capabilities and improve resilience against cyber threats; and
- increasing the situational awareness of the scope and scale of malicious activity impacting Australia, including increased monitoring, technical security controls and identifying known vulnerabilities of the networks of Commonwealth entities.
Watts told The Mandarin that while these points are full of good intentions, “without clear objectives and transparent accountability mechanisms we have little reason to expect any improvement in the glacial progress we have seen on cyber-resilience over the past six years”.
“Thankfully, the independent Australian National Audit Office is continuing its ongoing series of Performance Audits of individual entities’ cyber resilience, highlighting the importance of ensuring the cyber resilience of Commonwealth entities,” he added.
The ANAO has conducted five public cyber resilience performance audits of 16 different Commonwealth entities examining Top Four compliance over the past six years, Watts says, and is currently undertaking such an audit into nine departments, including Home Affairs, the ASD, and the AGD, due in October.