2023-02-08

Cyber Security NSW, the government agency supposed to set the guardrails for other government entities to fortify them against hackers, has been given a spank on the nose by the state’s auditor-general for not sniffing around enough to make sure protections are in place.

And there are serious concerns about how local governments and councils are monitored for cybersecurity vulnerabilities and how these get reported up the chain.

In a report that draws a question mark over the efficacy of agencies assessing themselves — but stops short of directly criticising the practice — the auditor wants Cyber Security NSW to conduct more checks to find out if anyone is gilding the lily.

“As a central agency whole-of-government function, Cyber Security NSW’s primary form of authority is a mandatory administrative requirements circular issued by the Secretary of the Department of Customer Service. The circular notes that clusters and agencies will be ‘…subject to audits by Cyber Security NSW commencing 2020–21 to test compliance with the Policy and reporting these outcomes to the Secretaries’ Board’,” the audit states.

“Cyber Security NSW has not yet performed audits of agencies to test compliance with the Cyber Security Policy. This is despite the Audit Office of NSW (and an external consultant engaged by Cyber Security NSW) previously finding inconsistency in how agencies perform and report these self-assessments.”

Reflections on self-reflections

The use of cyber self-assessment has become more common for a number of reasons, chief among them that it makes agency chiefs and executives directly accountable for an organisation’s cyber posture rather than letting them blame another service provider, agency or external supplier.

However, the recent increase in general cyber-tempo, ranging from a ransomware epidemic to a proliferation of phishing scams like Business Email Compromises, has exacerbated an already chronic cyber-skills shortage to the point where agencies just have to do the best they can with what they can get.

The auditor has also pulled up Cyber Security NSW for not having a forward-looking program of work to guide its efforts.

“It is unclear what method or process is applied to prioritising functions or activities, particularly longer-term initiatives. Interviews with staff and stakeholders noted that Cyber Security NSW has a service-focused, customer-centric approach to engaging with agencies and councils, including to build its reputation during its period of expansion,” the report said.

Again, the reality of the situation for many agencies is a reactive state of affairs: responding quickly to new threats and developments as they occur, applying patches, and updating software to shut holes as they are identified.

The problem with state-based and criminal hackers is that they don’t play by the rules auditors set down, though it doesn’t hurt to check that allegedly applied patches and upgrades have been done.

Cyber has no location. All cyber is local

The issue of local government cyber security is a far more serious problem, not least because of the delegated lines of authority and the general pennilessness of the sector.

“Cyber Security NSW has a remit to assist local government to improve cyber resilience, however, it cannot mandate action, and does not have a strategic approach guiding its efforts,” the audit observes.

That’s essentially saying that Cyber Security NSW is powerless to put the boot into councils, even if it would like to, but it’s allowed to make growling noises at a sector that is renowned for governance challenges.

Councils, despite running heaps of critical infrastructure like water (don’t mention fluoride), roads, waste and resource management and sometimes childcare and aged care, don’t seem to want the extra burden either.

Next time, bring money

“Among agencies and councils consulted in this audit, there was general acceptance and understanding of the high-level purpose of Cyber Security NSW, although there were mixed views on how robustly it should undertake its compliance and assurance role,” the audit said.

“While agencies consulted were not receptive to the idea of Cyber Security NSW playing a strong enforcement and regulatory role, there was an acknowledgement of the need to ensure that agencies were achieving, assessing, and reporting on their compliance under the Cyber Security Policy in a consistent and reliable manner.”

Let’s unpack that … “not receptive to the idea”.

Funny smell

Council ambivalence to cyber audits could be because many councils are flat broke after being flooded, having houses, facilities and towns washed away and enduring months of delays to even get simple contractors like plant operators.

Which is not to say there is no cyber threat, or that good things aren’t happening.

A cyber incident in Maroochydore resulted in the first prosecution of a real-world cyberattack after a disgruntled employee released thousands of litres of untreated sewage from a treatment plant after hacking its control software.

Who you gonna call?

That location is now the home of a not-for-profit cyber industry group dubbed the Critical Infrastructure – Information Sharing and Analysis Centre (CI-ISAC), a member-based organisation whose aim is to keep critical infrastructure operators — like councils — in the loop about threats and provide practical tools and intelligence to help manage risks.

“Existing Information Sharing & Analysis Centres (ISACs) operating in Australia are sector-specific and do not adopt a risk-based approach to intelligence sharing. This coupled with many CI public and private sector entities lacking the knowledge, resources or capabilities to effectively participate results in many being excluded,” the group said as part of its public launch this week.

The group is chaired by former Army electronic warfare and cyber warrior (Brigadier) Stephen Beaumont and helmed by former NAB and ANZ cyber defence expert David Sandell.
