The Department of the Prime Minister and Cabinet and the Attorney-General’s Department are not ‘cyber resilient’ and have overstated their implementation of the federal government’s mandatory strategies to mitigate cyber security incidents, an audit has found.
Non-corporate commonwealth entities have been required to implement the Australian Signals Directorate’s (ASD) Top Four mitigation strategies since 2013, under the Protective Security Policy Framework (PSPF).
In its latest audit report, released on Friday, the Australian National Audit Office (ANAO) has examined whether a number of departments and agencies have been complying with the PSPF requirements.
The ANAO audited PM&C, AGD, and the Education and Health departments, as well as the Future Fund Management Agency, the Australian Trade and Investment Commission, and IP Australia.
None of the entities have fully implemented all of the mandatory Top Four mitigation strategies, the audit found.
In a self-assessment, PM&C had reported that it had fully implemented all four of the strategies, but ANAO found it had only implemented three.
“PM&C has not fully implemented the mitigation strategy for restricting administrative privileges,” the report said.
Meanwhile, AGD incorrectly reported that it had fully implemented two of the strategies, when it had fully implemented just one.
The Future Fund, on the other hand, has “accurately self-assessed the two Top Four mitigation strategies for which it reported full implementation”, ANAO found.
The report noted that none of the three entities assessed for cyber resilience (PM&C, AGD and the Future Fund) were found to be cyber resilient.
“Under the cyber security framework, PM&C and AGD are categorised as vulnerable to cyber security incidents as they have not fully implemented all the Top Four mitigation strategies and are continuing to strengthen the controls for managing cyber security incidents,” it said.
“Future Fund has not fully implemented all of the Top Four mitigation strategies, but is internally resilient as it has effective controls in place to support its ability to detect and recover from a cyber security incident.”
Under the PSPF, agencies assess their cyber security ‘maturity’ against four levels: ad hoc, developing, managing and embedded.
The audit report noted that Austrade, IP Australia, and the Education and Health departments each reported that they had not fully implemented any of the Top Four, while AGD and Future Fund said they had not fully implemented two of the strategies.
Of those six entities, all but AGD have established strategies and activities to progress their maturity level to ‘managing’, the audit found.
Three of the six entities — Austrade, Education, and AGD — also hadn’t set a corresponding timeframe to improve their maturity level to ‘managing’.
The ANAO has highlighted low levels of compliance with the PSPF requirements in past audit reports, while the Joint Committee of Public Accounts and Audit has been vocal about issues with compliance.
In December the committee called for the ANAO to conduct an annual review into whether commonwealth agencies have embedded a cyber resilience culture, after the audit office told the committee of its concerns with the PSPF.
Committee deputy chair Julian Hill and shadow assistant minister for cyber security Tim Watts said the latest ANAO report has shown the Morrison government is “all announcement” and “no delivery” when it comes to cyber security.
Last year Prime Minister Scott Morrison had warned that a sophisticated state actor had been targeting Australia, and stated that “cyber security is a shared responsibility of us all”. Hill and Watts have criticised the PM, arguing that he was “there for the photo op, but has been missing for the follow up”.
“Despite the prime minister’s press conference on the need to ‘enhance the resilience’ of Australian networks, his own department is failing to implement mandatory cyber security measures,” they said in a statement on Saturday.
“The Morrison government talks tough on cyber security and likes to tell the private sector to protect themselves, but the ANAO reveals the government doesn’t have its own house in order.
“This report is a timely reminder for the prime minister that cyber security isn’t just about media events, it’s about delivery.”