The best answer to cyber threats is specific whole-of-government security standards, says Western Australian auditor-general Colin Murphy, and the government’s new chief information officer reckons regular compliance audits are the way to go.
Murphy’s team recently audited six entities and found serious malware infections in two. Both he and the GCIO, Giles Nunis, remind government agencies they are juicy targets for cyber attacks and that the general consensus among the information security crowd is that every organisation should assume its defences can and will be breached.
The audit notes that WA agencies have been bound by general requirements to address cybersecurity since 2010, when these were set out in a circular from the public service commissioner. But, while a new and more detailed Digital Security Policy has been published by WA’s whole-of-government chief information officer, whose office was established last year, “the all-important security standards” to support the policy are yet to emerge.
The audit highlights the importance of layered security controls, or defence-in-depth strategies. Cybersecurity starts with getting the basics right — which is not very difficult, the WA auditor-general points out — and also requires constant improvement and upgrades to match the ever-evolving threat landscape.
But the main conclusion was that the state public sector needs an overarching set of technical standards to follow:
“The audit highlighted a need for the WA public sector to have a coordinated approach to the management of cyberthreats. At the time of our audit, there were no statewide requirements for cybersecurity and anti-malware controls.
“Each agency has to carry the full cost of planning for and guarding against malware threats as there are no official forums for collaboration, sharing of advice, resources and experiences.”
In his response to the audit, Nunis also emphasises this is not a drill; government agencies are targets:
“Cyber Security will continue to be a growing issue as these types of security threats are continuously evolving, sometimes on a daily basis. Some countries have dedicated teams breaking through virtual security barriers in order to gain commercial advantage or simply cause anarchy.
“As the WA Government, not unlike other governments around the world, moves into more online access for its staff and the community, the threat of loss of data or viruses remains a high-risk, high-impact consideration for government.”
Nunis makes the point that “publishing a security policy only sets a standard” and suggests ongoing compliance audits across government also need to be part of the framework — adding that his office does not have the resources to do that.
The audit found all six agencies “were facing constant cybersecurity threats” but had some controls in place that worked. A “high volume” of attacks breached the first layer of security, but few “ongoing infections” were found.
In two of the audited systems, “malware infections that present a serious risk to the agency network, systems and data” were found. According to the report:
“The attacks and malware observed during the audit are common, well understood and use techniques that security tools and agencies should be aware of. Yet because of weak or missing security controls, many were still able to enter the network and attempt to infect computers.”
In his response, the GCIO points to the importance of building capability across the sector:
“There also is a significant skills gap in the public sector that must be addressed to ensure that appropriate security measures are in place, that CEOs and CIOs instil the right disciplines and ensure that their government agency proactively mitigates its security risk from outside threats.
“It is imperative that government works in a collaborative manner to achieve this outcome, the OGCIO is attempting to lead this outcome. It is suggested that Government CEOs must have cyber security as a standing agenda item on their corporate executive risk register and reviewed frequently throughout the year.”
Murphy noted that it wasn’t the first time he had found a need to improve cybersecurity practices in the WA public sector:
“For a number of years I have advised agencies there are very basic, easy-to-implement and cost-effective solutions that reduce the risk of malware infections and breaches.
“System security is not only about the tools, it is also about the people. Skilled professionals, staff aware of the dangers of malware and engaged executives are crucial to providing ongoing security management and monitoring.”
This time last year, his team found a litany of fundamental cybersecurity failures in seven Western Australian publicly funded bodies. After his latest audit, Murphy reminds government agencies again they are “a prime target for infiltration and attacks” due to their large data holdings that usually include confidential or personal information.