The Australian Signals Directorate’s Essential Eight cyber threat mitigation strategies should be mandatory for federal agencies, recommends a joint parliamentary committee, whose members are also keen to see the Tax Office and the Department of Immigration and Border Protection achieve full compliance.
The Joint Committee on Public Accounts and Audit also wants it to be mandatory for every agency covered by the Public Governance, Performance and Accountability Act — that’s corporate entities and the public service — to respond to the ASD’s yearly survey. Only 30-40% have found the time in recent years.
Another recommendation is that the Internet Gateway Reduction Program also become mandatory for all PGPA entities. The plan dates back to 2009 but seems to have fallen by the wayside.
Earlier this year federal cyber security leader Alastair MacGibbon, who often points out that continuous risk management is better than set-and-forget compliance, told the committee he doubted the gateway reduction policy was still fit-for-purpose.
MacGibbon asked the Digital Transformation Agency to review the gateway reduction program, and the committee would like a progress report by December and hopes to hear of the outcomes, key actions and timelines arising from the review by next April.
The struggle for compliance
This story goes back to 2014 when the Australian National Audit Office checked on seven agencies and found none would have totally implemented the mandatory “Top 4” information security measures by the deadline of June 30 that year.
A follow-up audit in March this year looked at the ATO, DIBP and the Department of Human Services. Only DHS got a passing grade on cyber resilience. Now the JCPAA would like the two non-compliant agencies to report back to it by next June on their progress towards full compliance with the Top 4. The committee heard that in 2015-16 only about 65% of the APS had reported meeting this standard.
The ATO told the committee it expected to get there by this November while DIBP, which once told the committee it would be fully compliant by December 2016, could not give a date. Tax Commissioner Chris Jordan told a Senate estimates committee yesterday these efforts had been slowed down because of the immediate need to fix the series of hardware breakdowns that caused service interruptions late last year and early this year.
The agencies have an opportunity to explain what barriers there are to them reporting full compliance, and provide their own thinking about realistic timelines to get there.
The ASD actually listed 35 mitigation strategies in 2010, but it has always said the Top 4 alone should prevent about 85% of attempted cyber attacks.
At face value, both the mandatory Top 4 and the slightly longer and newer Essential Eight, which the committee recommends should now become mandatory, are pretty basic checklists. But not being 100% compliant doesn’t mean these agencies are necessarily full of dangerous security holes, either, as The Mandarin heard from Brian Fletcher, who worked for ASD for about a decade.
Obviously some computers or servers are higher risk than others, depending on who or what could potentially connect to them, and some types of information are more sensitive than others.
On the other hand, “the ANAO assessed that there is no impediment to entities implementing the Top Four mitigation strategies” according to the report.
Committee members express concern that DIBP is “only in its second year of implementing cybersecurity enhancement programs” and even though the machinery of government changes that created the Australian Border Force are part of the reason, the JCPAA believes “compliance may have been achieved sooner if investment in these programs were made earlier”.
“With increasing volumes of data being collected and used by various government systems, the security of sensitive personal, industry and government information is becoming a greater challenge,” the committee comments.
“Cybersecurity is a strategic priority for the Australian Government. Ensuring a strong and responsive cybersecurity strategy is critical to protect Australians’ privacy and Australia’s interests across the fullest range of areas — from administrative efficiency to national security. Effective implementation across all government systems, alongside a corresponding enhanced security culture, is required to deter and successfully respond to cyber threats and attacks.”
What agencies report vs. what audits uncover
The JCPAA reports it is concerned with “discrepancies” between self-assessed cyber security compliance in the two agencies, under the the Commonwealth’s overarching Protective Security Policy Framework, and what the auditors found this year.
The bipartisan committee recommends the ANAO should get back into the issue, and audit “the effectiveness of the self-assessment and reporting regime” that forms part of the protective security policy. And it would like the audit office to “outline the behaviours and practices it would expect in a cyber resilient entity, and assess against these” in future cyber security audits.
Further, it would like to hear about how the two agencies are going with the two recommendations of the March ANAO report, and recommends the Attorney-General’s Department and ASD should report annually on the government’s overall cyber security “posture” to Parliament.