While the Morrison government harangues us about cybersecurity and uses it to offer more power and money to spy agencies to “protect” us, it’s the biggest cyber-hypocrite of all. The great majority of government departments don’t comply with the most basic cybersecurity standards the government itself established years ago.
In 2013, the government mandated that all agencies had to be compliant with the “top four” mitigation strategies of the Australian Signals Directorate (ASD) by July 2014.
In ASD’s view, if the “top four” strategies (application whitelisting, patching applications, restricting administrative privileges and patching operating systems) were put in place, 85% of cyber intrusions would be prevented.
In 2017, the top four were subsumed within an “essential eight” strategy, though the full eight haven’t been made mandatory yet.
But that’s understandable because more than six years after the deadline, few agencies are compliant with the top four. Multiple audits by the Australian National Audit Office (ANAO) of compliance over the years revealed that just four of 14 agencies had complied with their obligations. And the Australian Cyber Security Centre (ACSC) admitted to parliament earlier this year that:
“entities’ self-assessed implementation of the top four remains at low levels across the Australian government, with: 73% of non-corporate Commonwealth entities reporting ad hoc or developing levels of maturity [and] 67% of non-corporate Commonwealth entities acknowledging the need to raise the maturity of their cyber security against at least one of the top four strategies.”
One of the worst offenders, which Crikey has reported on over a number of years, is the Immigration/Home Affairs portfolio, which in 2017 promised, after years of non-compliance, that it would be compliant by June 2020.
Home Affairs now has oversight of the implementation of the government’s new cybersecurity strategy, which refers to “the work of Australian government agencies to strengthen their cybersecurity and implement the ACSC’s essential eight mitigation strategies”.
Home Affairs refuses to even respond to questions about its compliance, but a current ANAO audit of compliance by Home Affairs and a number of other major agencies may well reveal that Home Affairs is in breach of the government’s requirements for the seventh straight year.
The government-wide non-compliance was the subject of a Kafkaesque hearing of the Joint Committee of Public Accounts and Audit in early July at which bureaucrats from Home Affairs, Attorney-General’s Department (AGD), ASD and the ACSC appeared, with ANAO officers present to provide a reality check.
Asked about the failure to comply, Sarah Chidgey of AGD generously acknowledged “there are opportunities to improve compliance”. Hamish Hansford of Home Affairs blamed “a rapidly evolving cybersecurity environment, and malicious cyberactors and the threats are consistently changing” for the lack of compliance.
“The top four hasn’t changed in seven years,” Labor’s Tim Watts replied.
Hansford responded by activating full bureaucratic automaton mode. “We’re looking, as a government, at how you defend the cybersecurity threat at scale and how you integrate networks where appropriate. How do you bring the cybersecurity culture across government? How do you integrate it with the digital uplift more generally with government services?”
Watts must have known what adjective would come next. “And,” Hansford concluded, “how do you look at it in a holistic way?”
Auditor-General Grant Hehir was less holistic and more blunt about the non-compliance: agencies couldn’t be bothered.
“Where you see a strong focus within organisations on developing cyber-resilience and a willingness to privilege investment in that area, investing in the infrastructure needed to provide greater cyber-resilience, it happens. If it’s lower down the priority lists of an entity, it doesn’t happen. It’s not much more complicated than that when you look at it.”
In their efforts to justify non-compliance, the bureaucrats talked themselves into deep confusion about who was actually in charge of cybersecurity within the government. Committee chair Lucy Wicks asked AGD to confirm that “it is your department that is the policy owner and has the policy-owner responsibility for the essential eight mitigation strategies.”
No, Chidgey replied. AGD was responsible for the overarching policy, but ASD was responsible for agencies having to comply with the top four.
The ACSC bureaucrat helpfully then said that ACSC was responsible for the technical aspects.
Hehir offered that AGD, Home Affairs and ASD were responsible.
Chidgey then asked if she could try again to explain, before Hansford told the committee that AGD, Home Affairs, Defence, ASD, ACSC, Foreign Affairs, “our industry, science and technology portfolio”, the Digital Transformation Agency and the Communications Department all played a role.
“Under that,” Hansford added, holistically, “we’ve also got state and territory responsibilities.”
It might have been a little quicker if he’d identified who wasn’t in charge of cybersecurity.
This was just a couple of weeks after Scott Morrison’s melodramatic warning that Australia was under attack from an (inevitably “sophisticated”) “state-based cyber actor”.
“Australia has some of the best agencies in the world on these issues,” Morrison said that day. “And Australians, like I, I believe, have confidence in those organisations and they are doing their job and they are doing it effectively.”
Except, no one has a clue who is in charge and more than 70% of agencies don’t comply with the simplest cybersecurity strategies put in place seven years ago to protect themselves and citizens’ information.
It’s almost enough to make you wonder whether it’s all a cover for handing ever more power and money to unaccountable national security bureaucrats.