Poor information security in government can have serious consequences for individual citizens and organisations in the community, but cyber resilience is still too rare in the public sector.
Auditor-General Grant Hehir recently called on the Attorney-General’s Department, Australian Signals Directorate and the Department of Home Affairs to work on improving compliance with the cyber security elements of the Protective Security Policy Framework across the Commonwealth.
Home Affairs is itself one of the agencies Hehir has found failing to comply with mandatory cyber controls, most recently in March 2017. The AGD has slated a broad set of reforms to the PSPF to come into effect on October 1.
Hehir recommended last month that the three agencies work together to boost compliance by providing more technical guidance on how agencies can self-assess against the mandatory controls, new measures to verify that agencies really do comply when they say they do, and more “transparency and accountability about entities’ compliance” with the security protocols.
All agreed, although AGD only agreed to the new verification program in principle; it says that would be a matter for the Australian Cyber Security Centre in its response to the auditor-general.
The Australian National Audit Office notes it has consistently found “compliance with mandatory requirements of information security continued to be low” in the past four years of assessing cyber resilience across 14 government bodies, in its latest roundup of recent reports. This is by no means exclusively a Commonwealth malaise; state auditors have come to similar conclusions, too.
Cyber security is crucial to effective government in many ways. The auditors point out security breaches could not only harm national security, at one very serious end of the spectrum, but also “diminish the reputation of government and willingness of individuals and entities to share information with the government” in a broader sense.
These days, organisations face a barrage of basic cyber attacks of various types and attempts to breach security controls as a matter of course.
“Cyber resilience is the ability to continue providing services while deterring and responding to cyber intrusions,” says acting executive director Elenore Karpfen, opening ANAO’s latest Audit Insights video. “Cyber resilience also reduces the likelihood of successful cyber intrusions.”
The first step, of course, is to establish controls and make sure they are actually followed and maintained throughout the organisation. The Australian Signals Directorate published an updated list of 35 potentially useful mitigation strategies last year, highlighting the “essential eight” for federal agencies and the top four, which are mandatory.
The top four have gone far and wide but the ANAO sees fit to repeat them again: application whitelisting on desktops and servers; sound policies, procedures and practices to keep software security up to date; the same for operating systems; and tight management of all privileged user accounts for any system.
The other four “essential” controls are also extremely valuable, and while they are not mandatory, the committee that oversees ANAO recommended last year that they should be.
In the past four years, the audit office observes:
“While efforts have been made to achieve compliance, there were low levels of compliance for whitelisting, particularly for servers (higher levels of compliance for desktops), variable levels of compliance for security patching of applications and operating systems (lower for operating systems) and while privileged accounts had some controls, there were also shortcomings in a number of entities.”
“The 14 entities examined in these audits held information across the spectrum of economic, commercial, policy and regulatory, national security, program and service delivery and corporate activities.”
Two new reports last month showed there is still plenty of work to be done. The Interim Report on Key Financial Controls of Major Entities on June 14 found that of 23 government agencies, just under half were compliant with the mandatory top four cyber controls.
A fortnight later, a performance audit of cyber resilience in Treasury, the National Archives and Geoscience Australia found only Treasury had implemented the compulsory top four. None had implemented the other four “essential” controls that remain optional; they were “largely at early stages of consideration and implementation” according to the report.
“These findings provide further evidence that the implementation of the current framework is not achieving compliance with cyber security requirements, and needs to be strengthened,” the audit found.
“National Archives was not compliant with the Top Four mitigation strategies but had sound ICT general controls and so was assessed as not cyber resilient but internally resilient.
“Geoscience Australia was not compliant with the Top Four mitigation strategies and did not have sound ICT general controls so was assessed as vulnerable to cyber attacks.
“All three entities had implemented only one of the four non-mandatory mitigation strategies in the Essential Eight, and were not well progressed in considering an implementation position for the other three strategies.”
Geoscience and the National Archives agreed to establish a plan to implement the mandatory top four, and monitor progress with reference to a pre-determined timeframe, on Hehir’s recommendation.
However, it is Hehir’s recommendation to AGD, ASD and Home Affairs to work on improving compliance with the Protective Security Policy Framework across the federal public sector that is the more important piece of work.
His latest Audit Insights summary includes a list of useful “behaviours” for various limbs of government agencies that contribute to a strong cyber security culture, and a few closing observations in a similarly constructive vein.
“The recent Cyber Resilience audit found that low levels of compliance were driven by entities not adopting a risk-based approach to prioritise improvements to cyber security, and cyber security investments being focused on short-term operational needs rather than long-term strategic objectives.
“The audit noted that cyber resilient entities had a business model and ICT governance that incorporated ICT security into their strategy, planning and delivery of government services. For these entities, ICT systems were no longer considered an enabler to business—they were core business.”
The auditors are keen to point out that legal compliance and ticking items off handy lists are not enough; what is required is a cultural shift towards resilience, through “an open and proactive approach to managing cyber risk that considers both vulnerabilities and opportunity” and clear-eyed management of cyber risk at all levels.