This Chapter discusses the broader elements of cyber resilience, how it can be measured, and the type of culture entities need to foster cyber resilience. It comprises the following sections:
Committee conclusions and recommendations
Good governance and culture
Implementation of ANAO Recommendation 2
External guidance and assessment
Committee conclusions and recommendations
The Committee concurs with the ANAO’s assessment that:
…cyber-resilient organisations demonstrate a leadership culture and behaviours that prioritise cybersecurity and focus on it. They do more than comply with mandatory requirements; they demonstrate an effective security culture.
The Committee notes submitters’ and witnesses’ concerns that compliance with the Top Four mitigation strategies is a minimum standard and does not necessarily equate to cyber resilience.
The Committee considers that entities would benefit from clear guidance on the hallmarks of cyber resilience. The Committee notes that the Department of the Prime Minister and Cabinet (PM&C) agreed to work with the ANAO to better define these key features.
The Committee also notes that the audit forming the basis of this inquiry is part of a series. In Report No. 37 (2015–16) the ANAO provided a checklist of behaviours and practices that may improve entities’ level of cyber resilience. Future audits on the cyber resilience of entities may benefit from entities being clearly assessed against this or similar criteria.
The Committee recommends that in future audits on cybersecurity compliance, the ANAO outline the behaviours and practices it would expect in a cyber resilient entity, and assess against these.
The Committee notes that the ATO and DIBP are working to improve their governance arrangements and organisational culture. The level of detail provided to the Committee on these activities could have been greater, to better assure the Committee that ANAO Recommendation 2 is being fully implemented.
The Committee recommends that the Australian Taxation Office and Department of Immigration and Border Protection report back to the Committee on their progress in implementing ANAO Recommendation 2, including advice as to barriers and timelines to complete outstanding actions.
The ASD sends an annual survey to all Government entities to ascertain their cybersecurity posture. The information collected assists the ASD to identify high-risk entities and offer assistance. The ASD cannot compel entities to complete the survey. In 2016 and 2017 the survey was only completed by approximately 30–40 per cent of entities. The Committee considers that in the interests of effecting cultural change and emphasising the importance of compliance, the survey should be completed by all Government entities. The Committee recommends that by June 2018 the Australian Government make the completion of the ASD survey mandatory for all Public Governance, Performance and Accountability Act 2013 (PGPA Act) entities.
The Committee recommends that by June 2018, the Australian Government make the annual ASD survey mandatory for all Public Governance, Performance and Accountability Act 2013 entities to complete.
The Committee notes that secure internet gateways add a valuable layer of cybersecurity and encourages entities to join the Internet Gateway Reduction Program (IGR Program). The Committee acknowledges that secure internet gateways are complementary to other cyber resilience strategies and do not alone provide comprehensive protection. However, secure internet gateways provide a sound baseline of protection within a broader cyber resilience strategy and would greatly benefit smaller agencies’ resilience.
Noting that currently all non-corporate Commonwealth entities are by default part of the IGR Program, the Committee recommends that the Australian Government mandate participation by all PGPA Act entities.
The Committee recommends the Australian Government make the Internet Gateway Reduction Program mandatory for all Public Governance, Performance and Accountability Act 2013 entities.
The Committee notes the Digital Transformation Agency (DTA) is conducting a review of the Internet Gateway Reduction Program, including whether the program has been assessed as fit for purpose. The Committee recommends that the DTA report back to the Committee on the outcomes of the review.
The Committee recommends that the Digital Transformation Agency report back to the Committee on the review of the Internet Gateway Reduction Program, including:
a progress report on the review by December 2017
outcomes of the review and associated key actions and corresponding timelines by April 2018.
Review of evidence
Good governance and culture
Cyber resilience is ‘the ability to continue providing services while deterring and responding to cyber attacks’. Submitters agreed with the ANAO that effectively measuring cyber resilience requires a broader assessment than just compliance with the ASD’s mandatory strategies. An entity’s governance and culture also need to be part of the assessment.
As part of its cybersecurity audit work, the ANAO has outlined the behaviours and practices that may improve an entity’s cyber resilience (See Figure 3.1).
Figure 3.1: Behaviours and practices that may improve the level of cyber resilience
Source: ANAO Report No. 37 (2015–16), p. 41.
Other submitters and witnesses provided a similar list of behaviours and practices observed in cyber resilient entities, including seeking external information and guidance on cybersecurity. This is discussed later in this Chapter.
In its latest cybersecurity report, the ANAO found that the ATO and DIBP were not cyber resilient and ‘need to improve their governance arrangements and prioritise cybersecurity’.
The ANAO made the following recommendation:
The ANAO recommends that entities improve their governance arrangements, by:
(a) asserting cybersecurity as a priority within the context of their entity-wide strategic objective;
(b) ensuring appropriate executive oversight of cybersecurity;
(c) implementing a collective approach to cybersecurity risk management; and
(d) conducting regular reviews and assessments of their governance arrangements to ensure their effectiveness.
All entities audited agreed to the recommendation and the progress on their implementation of these is outlined below.
Implementation of ANAO Recommendation 2
At the hearing, the Acting Auditor-General told the Committee that one way to identify whether an entity had prioritised cybersecurity is through its inclusion in that entity’s corporate plan. The ATO’s corporate plan for 2015–16 did not include any mention of cybersecurity. However, the 2016–17 corporate plan discusses cybersecurity as part of its operating environment and as a risk that needs to be managed. DIBP’s corporate plan for 2015–16 noted cybersecurity on a list of capability activities planned for the year. Cybersecurity was not mentioned in the 2016–17 corporate plan.
The ATO told the Committee that the entity’s number one priority is to ‘prevent people from gaining access to our system in an unauthorised way’. The ATO is developing an overarching security strategy. It is also expanding its reporting to encompass the Essential Eight strategies.
DIBP stated it ‘prioritises the external threat’ and provided an example of its response to the WannaCry ransomware. DIBP informed the Committee that it had prioritised the patching of its secure internet gateway and had updated the antivirus signatures on the gateway prior to the attack. DIBP had also applied desktop application whitelisting. As a result, the risk of the WannaCry attack was limited to ‘a very small subset of [DIBP’s] lightly managed users’.
Appropriate executive oversight
The ANAO suggested that entities need to focus on risk planning, managed through audit committees, and advising accountable authorities on their cybersecurity posture/achievements.
The ATO appointed a Chief Security Officer and has strengthened its executive oversight of cybersecurity in the following ways:
The Security Committee monitors the level of compliance with the Top Four mitigation strategies
The Chief Information Officer and the Security Committee receive monthly reports on the level of compliance with the Top Four mitigation strategies
The Risk Management Committee receives regular reporting on the level of compliance with cybersecurity controls.
The Audit and Risk Committee receives both quarterly and annual updates from the ATO Security and Business Continuity Management Committee as well as briefings on security matters throughout the year. ‘Both committees have common advisers or members to ensure regular and ongoing information exchange’.
DIBP has elevated the Chief Information Security Officer role to the level of First Assistant Secretary, Integrity, Security and Assurance. The Audit and Assurance Branch of the department will also conduct a review of cybersecurity executive oversight and governance.
DIBP advised that:
its audit committee meets formally at least four times per year;
the ‘Chair of the audit committee has an interest in cybersecurity issues and is briefed on these matters’; and
the ‘Chair invites specialist advisors whenever necessary to supplement the skills of the Audit Committee members’.
Cybersecurity risk management
During 2017 the ATO is transitioning to its new Enterprise Risk Management Framework ‘which facilitates and ensures a collective approach to cybersecurity risk’. No further details on the framework were provided to the Committee. The ATO has also established a ‘Security Operations Centre to facilitate real-time monitoring of security threats, to increase the focus on external threats and to actively inform security risks facing the ATO’. Further, the ATO has scheduled external advice to review the effectiveness of its cyber governance structures in October 2017.
Staff training and information
At DIBP, mandatory security training is provided for all staff and they receive reminders when sending emails externally. The ATO also has mandatory training for all staff, as well as regularly publishing information for staff.
External guidance and assessment
The ASD conducts a rolling program of assessing entities’ cybersecurity postures based on the ASD’s Strategies to Mitigate Targeted Cyber Intrusions. This includes an annual survey sent to all entities under the PGPA Act to complete and return to the ASD. The survey canvasses the ‘implementation of the recommended [ASD] strategies, [agencies’] ability to repeat those profiles sensitive to the information they hold, for both the government and the public perspective, and the likelihood the agency would be targeted’. The survey has been sent out most years since 2010.
The results of the ASD survey are reported to a secretaries’ cyber security board, coordinated by PM&C. The results of the surveys provide a list of high-risk entities, for which ASD can then focus its resources on assisting.
However, the ASD has no capacity to compel agencies to complete the survey. For this year’s survey, as at 23 June, fewer than 40 per cent of agencies had completed the survey. In 2016, fewer than 30 per cent completed the non-mandatory survey.
Self-assessing against broader criteria – an international comparison
Mr Ian Brightwell submitted that he is concerned that, as demonstrated by the shift from Top Four to Essential Eight, ‘any concept of a list of minimum mandatory strategies is a moving target’. As a consequence, entities that are compliant now, ‘will not be in the near future when the goal posts will have moved’.
As such, Mr Brightwell suggests ‘a broader assessment of cyber resilience by using a full set of ICT general controls would be a more effective indicator of resilience’. This aligns with the ANAO’s findings that ICT general controls need to be sound to form the foundation for cyber resilience.
Mr Brightwell argues that methodologies in the United States and United Kingdom are based on a broader set of criteria. For example, the US government applies the Cyber Resilience Review (CRR) self-assessment methodology. One of the fundamental principles of the CRR is the:
…idea that an organisation deploys its assets (people, information, technology, and facilities) in support of specific operational missions (i.e., critical services).
By applying this principle, the CRR ‘seeks to understand’ entities’ capacities and capabilities in performing, planning, managing, measuring and defining cybersecurity practices and behaviours across ten areas. These areas include, but are not limited to:
Asset Management—identifying, documenting and managing assets;
Controls Management—defining, analysing, assessing and managing the organisation’s controls;
Service Continuity Management—ensuring the continuity of essential services; and
Situational Awareness—discovering and analysing information related to the immediate operational stability of critical services, and coordinating such information across the entity.
In responding to Mr Brightwell’s submission, the ASD advised the Committee that the United States and United Kingdom’s programs ‘were designed to achieve a different purpose from the Essential Eight’. The ASD also stated that alone, these programs ‘would not be sufficient to successfully protect Australian Government official information’.
Mr Brightwell further suggests making mandatory those controls that improve an entity’s capability to:
detect misconfigurations or if a user is operating outside normal parameters; and
detect malicious operational anomalies through continuous activity monitoring.
Secure internet gateways
Submitters discussed the use of a secure internet gateway (gateway) as a complementary or alternative protection against cyber threats. A gateway can provide an additional level of security, which has the potential to thwart some cyber attacks even if the Top Four/Essential Eight have not been implemented. For example, all entities with a gateway provided by Macquarie Telecom Group were protected from the WannaCry ransomware, including any entity not fully compliant with the Top Four mitigation strategies.
DIBP has indicated that it prioritises its gateway: ‘We prioritise, of course, the layers that are closest to the external, our secure gateways. We have two secure gateways and they are accredited by ASD’.
The Secretary of DIBP gave evidence at Senate Estimates that the department runs a resilient and secure gateway:
Effectively, that constantly protects our outer perimeter, detecting things that are touching that outer perimeter and either checking them before they enter or bouncing them back. That also includes the capacity to engage in geoblocking and defeating denial-of-service attacks before they become serious. …
Running an organisation requires you to make decisions about where to invest your resources. We have decided to throw our resources into securing our outer perimeter.
The ANAO and PM&C told the Committee that the use of a gateway, without implementing the Top Four mitigation strategies, is not a sufficient cybersecurity practice. Mr MacGibbon told the Committee:
I often fear that an agency can be lulled into a false sense of security because it sits behind a gateway, for example, or it meets compliance of the top four or the Essential Eight and therefore all is good.
Government’s Cloud First policy—Internet Gateway Reduction Program
The Australian Government’s Internet Gateway Reduction Program (the IGR program) was designed to be a cost-efficient mechanism to ensure small government entities had a secure internet gateway. First promoted under the Government’s 2009 Cyber Security Strategy, it will now be reviewed by the new Digital Transformation Agency to determine its effectiveness and suitability as the number of devices and threats has increased. Mr MacGibbon suggested to the Committee that it may no longer be ‘fit for purpose’, due to the increased number of mobile devices and a more pervasive perimeter.
Macquarie Telecom Group submitted:
The combination of the cost of upgrades and the speed of the changes in the cyber security threat landscape could mean that even the most well intentioned smaller agency is chasing a moving horizon, without having the internal resources and expertise to be able to always keep up.
However, part of the solution to this may also be in existing policy, in this instance the Government’s Cloud First policy.
Agencies could be helped to understand that the Government’s policy to encourage them to consider cloud computing solutions before investing more heavily in computing resources they manage and own entirely on their own is a means to transition to a more robust security environment, as well as a more efficient model of obtaining computing resources.
Cloud based services, like the [Internet Gateway Reduction] program, take advantage of scale to defray costs of upgrades across a wide user base, and recovery of those costs is an operational expense rather than a “lumpy” capital expense.
Box 3.1: Case study of the global WannaCry virus
A case study of the recent WannaCry global cyber attack illustrates how cyber strategies, such as the ASD’s Essential Eight and a secure internet gateway, if implemented, would have protected entities from this attack.
The WannaCry ransomware attack exploited a vulnerability in Microsoft’s software. Once inside a network it spread to computers across the network, locked users out of their data and files and demanded a ransom to have them unlocked.
Two of the Essential Eight strategies could protect an organisation from the WannaCry virus – patching operating systems and daily back-up of important data.
In March 2017 Microsoft issued a patch for the vulnerability in most versions of its operating systems that WannaCry exploited in the May attack. Systems that had installed the patch were protected. Microsoft did not initially release a patch for its oldest versions of the software in March, but did so after the attack.
Alternatively, if a back-up of important data had been undertaken in the recent past, users could have wiped their systems clean of the virus.
Information (in the form of a signature) was available to anti-virus software vendors weeks before the attack. This means that up-to-date anti-virus software and secure internet gateways should have been able to prevent the attack even if the patch was not installed.
It is likely that Australian organisations were saved from the attack due to the circumstance of timing, rather than by good cybersecurity. Most Australian organisations were not online at the time, which allowed for patching, updating anti-virus software or backing up data to be undertaken before users logged in on Monday morning.
Source: Macquarie Telecom Group, Submission 3.1
18 October 2017