Audits reveal weaknesses in government data security

15 November 2022

The need to ensure a digital padlock is placed anywhere data exists to ensure bad actors are less likely to break in, steal sensitive information or attempt extortion has preoccupied the federal government. Various case studies such as Medibank, Optus and Telstra highlight the dangers of weak private sector systems.

Medibank, for example, was the target of what the Australian Federal Police believes was an attack by Russian hackers. That hack resulted in the information of almost 10 million of the health insurer’s customers falling into criminal hands before being uploaded to the dark web.

AFP commissioner Reece Kershaw said on November 11 that his team was working with overseas police agencies and Interpol to hold the hackers accountable. Kershaw said all sectors needed to work together to ensure criminals don’t receive the “notoriety they seek”.

“Can I make a plea to business? Ensure your systems are protected,” said Kershaw. “Cyber crime is the break-and-enter of the 21st century and personal information is being used as currency.”

Data theft using the digital superhighway has sparked questions about whether laws are sufficiently tight to keep sensitive data from prying digital thieves. It’s also led to analyses of data security processes and procedures in the private and public sectors.

A November 2022 report by Fitch Ratings states Australia’s “lack of sufficient penalties and accountability has made organisations more attractive targets and underlines a demand for a more comprehensive and vigorous approach”. It says this “places Australia in a unique position to lead efforts in designing and implementing a solution.”

Home Affairs minister Clare O’Neil says the world is “going to be under relentless cyber attack”. She believes government needs to be mindful of weaknesses in its cyber security systems, given it holds so much sensitive information on Australians.

The federal government has announced a 100-strong taskforce involving the AFP and Australian Signals Directorate that “will initiate an ongoing, joint standing operation to investigate, target and disrupt cyber-criminal syndicates with a priority on ransomware threat groups.”

Shining a light on data security weaknesses

Numerous reports at commonwealth and state levels by auditors-general have highlighted problems governments have with data security.

Analysis from the Australian National Audit Office (ANAO) revealed earlier this year that departments such as Defence have shortcomings in their information systems that need fixing to better protect the information of people who work for them.

Its findings on the Defence privacy framework showed the department hadn’t conducted reviews of its information systems, including programs linked to managing personally identifiable information.

The audit team didn’t find a consistent dictionary or governance to enable efficient searches for data across different programs and networks. Neither was there consistency in the information held on historical data breaches.

Defence also didn’t carry out timely compliance activities to ensure it met requirements, according to the ANAO.

“Defence was unable to provide evidence and assurance that personally identifiable information was being managed appropriately,” the report says. “The ANAO also identified that Defence has limited ability to discover systems that contain information that would be classified as personally identifiable information, as well as no systematic method for tracking changes, access or distribution of personally identifiable information.”

Weaknesses identified by the ANAO increased the risk that confidential data held by Defence could be accessed and tampered with by unauthorised individuals, with no guarantee it would be detected quickly.

The same review looked at the Department of Veterans Affairs. It found the department had no way of tracking if people who left the DVA had been properly bumped off the information systems. This meant it couldn’t monitor the activities of rogue users properly.

The DVA says it has plans to fix these problems, and the ANAO will review this work.
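The DVA finding above is the absence of a basic reconciliation control: an HR list of people who have left, compared against the accounts still enabled on each system. The script below is an added illustration of that check, not tooling from the DVA or the ANAO; the systems, person identifiers, dates and the one-day removal policy are all constructed. It also covers the common failure where the central directory account is disabled but a local account on another system stays live.

```python
"""Reconcile an HR leaver list against account exports so that departed
staff who still hold access are found. Added example, not the DVA's or
ANAO's own process; every system, person, date and policy is constructed."""
from datetime import date, timedelta

# Constructed HR extract: person id -> separation date
HR_LEAVERS = {
    "p1001": date(2022, 9, 30),
    "p1002": date(2022, 10, 14),
    "p1003": date(2022, 11, 4),
}

# Constructed account exports, one per system: (person id, account enabled)
ACCOUNTS = {
    "directory": [("p1001", True), ("p1002", False), ("p1003", True), ("p2000", True)],
    "case-system": [("p1001", True), ("p1003", True), ("p2000", True)],
    "vpn": [("p1002", True), ("p2000", True)],
}

GRACE_DAYS = 1            # constructed policy: remove access within a day of leaving
REVIEW_DATE = date(2022, 11, 15)  # constructed date on which the review is run


def stale_access(hr_leavers, accounts, today, grace_days=GRACE_DAYS):
    """Return {system: [(person, days overdue), ...]} for every enabled
    account whose owner has left and whose removal deadline has passed."""
    findings = {}
    for system, rows in accounts.items():
        for person, enabled in rows:
            if not enabled or person not in hr_leavers:
                continue
            deadline = hr_leavers[person] + timedelta(days=grace_days)
            if today > deadline:
                overdue = (today - deadline).days
                findings.setdefault(system, []).append((person, overdue))
    return findings


def partially_offboarded(hr_leavers, accounts, authority="directory"):
    """Leavers whose account in the authoritative directory is disabled but
    who still hold an enabled account elsewhere. Disabling the directory
    login does nothing for systems that keep their own local accounts."""
    disabled = {p for p, enabled in accounts.get(authority, [])
                if not enabled and p in hr_leavers}
    result = {}
    for system, rows in accounts.items():
        if system == authority:
            continue
        for person, enabled in rows:
            if enabled and person in disabled:
                result.setdefault(person, []).append(system)
    return result


def review(today=REVIEW_DATE):
    """Run both checks and return the combined report as a dict."""
    return {
        "stale_access": stale_access(HR_LEAVERS, ACCOUNTS, today),
        "partially_offboarded": partially_offboarded(HR_LEAVERS, ACCOUNTS),
    }


if __name__ == "__main__":
    report = review()
    for system, rows in report["stale_access"].items():
        for person, overdue in rows:
            print(f"{system}: {person} still enabled, {overdue} days past deadline")
    for person, systems in report["partially_offboarded"].items():
        print(f"{person}: disabled in directory but live on {', '.join(systems)}")
```

The two checks answer different questions. The first gives the auditor's number (how many leavers still have access, and for how long); the second points at the systems whose accounts do not follow the directory, which is where the offboarding process itself needs fixing rather than the individual accounts.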

Worrying data security examinations in WA

Western Australian auditor-general Caroline Spencer has published two significant reports in the past 12 months that identify information system weaknesses in local government.

Both reports list issues found by an audit team sent in to take a closer look at whether local government entities passed muster. The first of these reports — released on November 24, 2021 — provides an unflattering assessment.

“Through our examination of control frameworks and ethical simulated cyber attacks (ethical hacking), we found that LG [local government] entities had not managed their cyber security risks well,” Spencer says.

“Out-of-date software accounted for a large number of cyber security vulnerabilities and despite staff awareness training, over half of the audited LG entities did not have controls to prevent their staff falling victim to social engineering attacks.”

A ‘black box’ exercise revealed local government entities were at risk of ‘phishing’ attacks. These aim to trick somebody into clicking on a link and handing over information that lets an intruder into a system.

Four staff at one audited entity got themselves onto the sticky paper by clicking on a link in a test email. Two individuals provided their credentials to what should have been treated as a Dodgy Brothers website.

The problems didn’t stop there for the four targeted by the experiment. One took the initiative of forwarding the test email to others in the same organisation and some external contacts.

What happened? The test phishing email convinced 29 more staff to provide their credentials on a site, 15 people external to the organisation did the same, and four others clicked on the link but didn’t provide information or credentials.

“This case study shows that people generally trust and are more likely to respond to emails from known contacts,” the report says. “Regular and up-to-date cyber security awareness training and controls to detect and prevent phishing emails are important to combat such attacks.”
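The case study above is, from a defender's side, a question of blast radius: who received the lure, who clicked, who submitted credentials, and who forwarded it on so that people outside the original target list were caught as well. The script below reconstructs those four groups from web proxy and mail gateway logs. It is an added example, not part of the WA audit or any product; the log formats, user names, lure domain and subject line are all constructed.

```python
"""Reconstruct the blast radius of a phishing campaign from proxy and mail
gateway logs. Added example, not from the WA audit report or any vendor
tool; the log formats, users, lure host and subject line are constructed."""
import re
from collections import defaultdict

LURE_HOST = "login-portal.example"                  # constructed lure host
LURE_SUBJECT = "Action required: payroll update"    # constructed lure subject
INTERNAL_DOMAIN = "council.example"                 # constructed internal mail domain

# Constructed proxy log: time user method host path status
PROXY_LOG = """\
09:02:11 alice.w GET login-portal.example /sign-in 200
09:02:40 alice.w POST login-portal.example /sign-in 302
09:05:03 bob.t GET login-portal.example /sign-in 200
09:41:17 carol.p GET login-portal.example /sign-in 200
09:41:55 carol.p POST login-portal.example /sign-in 302
10:10:02 dave.r GET intranet.council.example /home 200
"""

# Constructed mail gateway log: time direction from to "subject"
MAIL_LOG = """\
08:55:00 inbound attacker@mailer.example alice.w@council.example "Action required: payroll update"
08:55:00 inbound attacker@mailer.example bob.t@council.example "Action required: payroll update"
09:20:31 outbound bob.t@council.example carol.p@council.example "FW: Action required: payroll update"
09:20:31 outbound bob.t@council.example vendor@partner.example "FW: Action required: payroll update"
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")
MAIL_RE = re.compile(r'^(\S+) (inbound|outbound) (\S+) (\S+) "(.*)"$')


def parse_proxy(text):
    """Yield (user, method, host) for each well-formed proxy line."""
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            _, user, method, host, _, _ = m.groups()
            yield user, method, host


def parse_mail(text):
    """Yield (direction, sender, recipient, subject) for each mail line."""
    for line in text.splitlines():
        m = MAIL_RE.match(line)
        if m:
            _, direction, sender, rcpt, subject = m.groups()
            yield direction, sender, rcpt, subject


def lure_activity(proxy_text, lure_host=LURE_HOST):
    """Per user: clicked the lure (any request) and submitted a form to it (POST)."""
    activity = defaultdict(lambda: {"clicked": False, "submitted": False})
    for user, method, host in parse_proxy(proxy_text):
        if host != lure_host:
            continue
        activity[user]["clicked"] = True
        if method == "POST":
            activity[user]["submitted"] = True
    return dict(activity)


def lure_forwards(mail_text, subject=LURE_SUBJECT, internal=INTERNAL_DOMAIN):
    """Per internal forwarder: the internal and external recipients they sent the lure to."""
    forwards = defaultdict(lambda: {"internal": [], "external": []})
    for direction, sender, rcpt, subj in parse_mail(mail_text):
        # Forwards keep the lure subject with a prefix such as "FW:"; compare the tail.
        if direction != "outbound" or not subj.lower().endswith(subject.lower()):
            continue
        if not sender.endswith("@" + internal):
            continue
        bucket = "internal" if rcpt.endswith("@" + internal) else "external"
        forwards[sender.split("@")[0]][bucket].append(rcpt)
    return dict(forwards)


def original_targets(mail_text, subject=LURE_SUBJECT):
    """Internal users the attacker mailed directly (inbound, exact subject)."""
    return {rcpt.split("@")[0] for direction, _, rcpt, subj in parse_mail(mail_text)
            if direction == "inbound" and subj.lower() == subject.lower()}


def campaign_summary(proxy_text=PROXY_LOG, mail_text=MAIL_LOG):
    """Combine the three views into one blast-radius report."""
    activity = lure_activity(proxy_text)
    forwards = lure_forwards(mail_text)
    targets = original_targets(mail_text)
    clicked = {u for u, a in activity.items() if a["clicked"]}
    submitted = {u for u, a in activity.items() if a["submitted"]}
    return {
        "original_targets": sorted(targets),
        "clicked": sorted(clicked),
        "submitted": sorted(submitted),
        "forwarders": sorted(forwards),
        "internal_forwards": sum(len(f["internal"]) for f in forwards.values()),
        "external_forwards": sum(len(f["external"]) for f in forwards.values()),
        # Clicked but never on the attacker's list: reached the lure second-hand.
        "second_hand_clickers": sorted(clicked - targets),
    }


if __name__ == "__main__":
    for key, value in campaign_summary().items():
        print(f"{key}: {value}")
```

The constructed logs reproduce the shape of the audit's case study in miniature: one original recipient submits credentials, another clicks without submitting but forwards the email, and a colleague who was never on the attacker's list then clicks and submits. The "second_hand_clickers" line is the one the report's lesson is about, since those people trusted a known sender rather than the lure itself.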

Cyber security training

Deep dives by watchdogs looking over government shoulders point to problems needing remediation. They also show that governments need to train public servants properly.

The Office of the Victorian Information Commissioner has produced online case studies as training materials for public servants, and these are also available to the broader community. They walk readers through activities or incidents that point to a problem with governance.

These case studies are also linked to the Victorian government’s guidance on cyber security. The goal is to reinforce existing rules to ensure government departments maintain a high vigilance over their digital ecosystems.