A new parliamentary report has called on the national auditor-general to conduct an annual review into whether commonwealth agencies have embedded a cyber resilience culture, to protect agencies against growing cyber threats.
The inquiry’s findings were “alarming”, and showed a “staggeringly high rate of noncompliance” from the commonwealth, according to cyber security shadow assistant minister Tim Watts.
“It’s an indictment of this government’s ongoing failure to ensure the cybersecurity of its own departments,” he said on Wednesday.
“Just over one in four commonwealth entities that were audited by the ANAO have implemented the Top Four cybersecurity measures recommended by the Australian Signals Directorate, six years after they became mandatory.”
Issues with compliance and cyber-resilience have been highlighted by a number of audits and inquiries from ANAO and the audit committee over the past seven years.
Last year, the Australian Cyber Security Centre’s cyber security posture report found that implementation of the ASD’s Top Four strategies to mitigate cyber security incidents “remains at low levels across the Australian government”.
Watts said a key part of the problem has been the lack of accountability for government agencies.
“Each commonwealth entity is currently responsible for its own cyber-resilience, but there’s no one marking their homework to ensure that they are compliant,” he said.
“Each year, non corporate commonwealth entities are required to conduct a self-assessment of their compliance with the Protective Security Policy Framework (PSPF) and the Information Security Manual within it.
“When a commonwealth entity is noncompliant with the ASD’s mandatory Top Four all they have to do is tell their minister and the Attorney-General’s Department, and nothing happens. There’s no way for parliament to hold a commonwealth entity accountable for ongoing failures on their own self-assessments and for the cybersecurity vulnerabilities within these commonwealth entities.”
The audit office told the inquiry that the government’s current framework hasn’t been “driving the behavioural change to ensure the regulatory stance was robust enough”.
As a result, the ANAO has developed a framework of 13 behaviours and practices that can help build a strong cyber resilience culture. The behaviours relate to governance and risk management, roles and responsibilities, technical support, and monitoring compliance.
The behaviours and practices were developed “to test whether organisational leadership goes beyond simply instructing personnel on security measures to embedding cyber resilience into the ‘day to-day management and practices of the entity’”, the report said.
The committee has recommended that the PSPF be amended to reflect or incorporate the ANAO’s framework, and that a section be created within the PSPF self-assessment questionnaire addressing the 13 behaviours and practices that facilitate a cyber resilience culture.
The committee has also called on the ANAO to conduct an annual limited assurance review into the cyber resilience of commonwealth entities, to examine which agencies have embedded a cyber resilience culture through alignment with the behaviours and practices framework.
The review should also examine the compliance of corporate and non-corporate entities with the Essential Eight mitigation strategies.
Meanwhile, the Attorney-General’s Department should give an update on the levels of cyber security maturity within agencies and the feasibility of mandating the Essential Eight across entities, and should report back on any impediments to mandating the Top Four mitigation strategies, the report recommended.