The Hon Dan Tehan MP, Minister Assisting the Prime Minister for Cyber Security, said, ‘In the world of cyber security, if you are standing still you are going backwards’. The findings in the Australian National Audit Office (ANAO) Report No. 42 (2016–17) Cybersecurity Follow-up Audit outlined that the Australian Taxation Office (ATO) and the Department of Immigration and Border Protection (DIBP) were not cyber resilient and needed to ‘improve their governance arrangements and prioritise cybersecurity’.
ANAO Report No. 42 is a follow-up audit of the cyber resilience of the ATO, DIBP and Department of Human Services (DHS). All three entities are significant users of technology: collecting, storing and using data to process electronic tax lodgements (ATO); social security payments (DHS); and visas and cargo imports and exports (DIBP). This data can be used to identify, contact or locate an individual.
The Committee is most concerned that the audit found that the ATO and DIBP are still not compliant with the mandatory ‘Top Four’ mitigation strategies (in the Australian Government’s Information Security Manual) and are not cyber resilient. DHS was found by the ANAO to be compliant and cyber resilient. Both the ATO and DIBP reported compliance with three of the strategies, however, the ANAO found the ATO to be compliant with only two and DIBP with just one of the Top Four mitigation strategies. The Australian Government’s target date to achieve compliance was 30 June 2014.
As technology evolves, more and more government services are being delivered online. New technology can deliver efficiencies to services and products, but it also carries new and significant risks. With increasing volumes of data being collected and used by various government systems, the security of sensitive personal, industry and government information is becoming a greater challenge.
Cybersecurity is a strategic priority for the Australian Government. Ensuring a strong and responsive cybersecurity strategy is critical to protect Australians’ privacy and Australia’s interests across the fullest range of areas—from administrative efficiency to national security. Effective implementation across all government systems, alongside a corresponding enhanced security culture, is required to deter and successfully respond to cyber threats and attacks.
A timeline of policy announcements and related audits and inquiries is provided at Table 1.1.
Compliance with the mandatory Top Four
The Top Four mitigation strategies represent the minimum mandated requirement for Commonwealth entities and, according to the Australian Signals Directorate (ASD), if implemented would prevent 85 per cent of targeted cyber intrusions.
The Committee is concerned that in 2015–16 only 65 per cent of non-corporate Commonwealth entities reported compliance with the Top Four mitigation strategies. This is despite the fact that the Top Four mitigation strategies represent the minimum requirement for entities.
The Committee heard that the ATO expects to be fully compliant with the Top Four mitigation strategies by November 2017. DIBP, on the other hand, could not provide a date for when full compliance with all of the Top Four mitigation strategies would be achieved, despite previously advising the Committee that full compliance would be achieved by December 2016.
The Committee notes that the ANAO assessed that there is no impediment to entities implementing the Top Four mitigation strategies. The Committee also notes that key elements to achieve compliance with the Top Four mitigation strategies are a significant investment, as well as a culture which recognises the importance of, and requirement for, cyber resilience. The Committee is concerned to hear from DIBP that it is only in its second year of implementing cybersecurity enhancement programs. The Committee notes that significant machinery of government changes—with the creation of Australian Border Force—contributed to the delay in achieving compliance, however considers that compliance may have been achieved sooner if investment in these programs were made earlier.
The Committee considers that all non-corporate Commonwealth entities should become compliant with the Top Four mitigation strategies by 30 June 2018 and that the ATO and DIBP report back to the Committee on their progress in implementing the Top Four mitigation strategies.
This year the ASD updated its cybersecurity strategies from the ‘Top Four’ to the ‘Essential Eight’ in response to the increasing threat of ransomware. The Committee notes that whilst the Government has not made the Essential Eight mandatory, the ASD considers them to be ‘baseline’ for all organisations. The Committee notes that the ATO and DIBP are preparing plans to implement the Essential Eight. The Committee recommends that the Government mandate the Essential Eight cyber security strategies for all Public Governance, Performance and Accountability Act 2013 entities by June 2018.
The Committee notes that the ANAO’s finding that the self-assessing and reporting of compliance by both the ATO and DIBP could be improved. The Committee recommends that the ATO and DIBP report back to the Committee on their continued progress in implementing ANAO Recommendation 1, including advice as to barriers and timelines to complete outstanding actions.
The Committee has concerns with the discrepancies between the ATO’s and DIBP’s self-assessments and the ANAO’s assessments on cybersecurity compliance. The Committee recommends that the Auditor-General consider conducting an audit of the self-assessment and reporting regime under the Protected Security Policy Framework (PSPF).
As a strategic priority, it is crucial that Commonwealth entities be accountable to the Australian Parliament on cybersecurity. The Committee recommends that the Attorney-General’s Department and the ASD report annually on the Commonwealth’s cybersecurity posture to the Parliament, such as through the Parliamentary Joint Committee on Intelligence and Security.
The hallmarks of a cyber resilient entity
The Committee concurs with the ANAO’s assessment that:
…cyber-resilient organisations demonstrate a leadership culture and behaviours that prioritise cybersecurity and focus on it. They do more than comply with mandatory requirements, they demonstrate an effective security culture.
The Committee notes the concerns expressed by both submitters and witnesses that compliance with the Top Four mitigation strategies is a minimum standard and does not necessarily equate to cyber resilience, particularly having regard to the fact that cyber resilience contemplates the likelihood that systems can and will fail.
The Committee considers that entities would benefit from clear guidance on the hallmarks of cyber resilience and notes that the Department of Prime Minister and Cabinet (PM&C) agreed to work with the ANAO to better define these key features. The Committee recommends that in future audits on cybersecurity compliance, the ANAO outline the behaviours and practices it would expect in a cyber resilient entity, and assess against these.
The Committee notes that the ATO and DIBP are working to improve their governance arrangements and organisational culture. Given the risks which have been identified as to the likely effects of either organisation experiencing loss of data as a consequence of not being cyber resilient, this must be a priority. The Committee recommends that the ATO and DIBP report back to the Committee on their progress in implementing ANAO Recommendation 2.
The ASD sends an annual survey to all Government entities to identify high-risk entities and offer assistance. In recent years, the non-mandatory survey has only been completed by 30–40 per cent of entities. The Committee considers that the ASD survey serves an important role in assisting entities to be cyber resilient. The Committee considers that in the interests of effecting cultural change and emphasising the importance of compliance, the survey should be completed by all Government entities. The Committee recommends that the Australian Government mandate by June 2018 that all Public Governance, Performance and Accountability Act 2013 (PGPA Act) entities complete the annual ASD survey.
The Committee notes the evidence received that secure internet gateways add a valuable layer of cybersecurity. Noting that all non-corporate Commonwealth entities are by default part of the Internet Gateway Reduction Program (IGR Program), the Committee is concerned that entities are not compelled to join the Program. While the Committee acknowledges that secure internet gateways do not alone provide entities with cyber resilience, nor are they a substitute for implementing the Top Four/Essential Eight mitigation strategies, the Committee recommends:
the IGR Program be mandatory for all PGPA Act entities; and
the Digital Transformation Agency report back to the Committee on the progress and outcomes of its review of the IGR Program, including associated key actions and corresponding timelines.
Table 1.1: Timeline of policy announcements and related audits and inquiries
The ASD developed a list of 35 strategies to assist agencies to achieve cybersecurity resilience. ASD advised that, if fully implemented, the Top Four mitigation strategies would prevent at least 85 per cent of targeted cyber intrusions to an agency’s Information and Communication Technology (ICT) systems.
The Government mandated the Top Four strategies with an implementation date of 30 June 2014.
The ANAO Report No. 50 (2013–14) Cyber Attacks: Securing Agencies’ ICT Systems was published. The ANAO audited seven entities’ implementation of the Top Four strategies, including the ATO and Australian Customs and Border Protection (now DIBP). The audit found that none of the seven entities were compliant with the strategies and none were expected to achieve compliance by 30 June 2014.
The JCPAA tabled Report 447, which inquired into ANAO Report No. 50 (2013–14). The ATO, DIBP and DHS appeared at a public hearing as part of the inquiry. At the hearing, each entity gave assurances that compliance with the Top Four strategies would be achieved during 2016.
The Committee recommended that the audited agencies achieve full compliance as soon as possible. The Committee further recommended that each agency produce a clear and detailed plan of necessary activities; and agencies that do not expect to achieve full compliance before August 2015 should notify the Committee.
The Committee also recommended that the ANAO consider regular audits of compliance with the Top Four strategies and related controls in the Information Security Manual as well as Commonwealth agencies’ overall security posture.
The ATO and DHS provided their response to the JCPAA Report 447 recommendation.
The ATO advised it had addressed the Top Four strategies through compliance or risk mitigation strategies.
DHS advised it was continuing its work to full compliance with the Top Four.
DIBP provided its response to the JCPAA Report 447 recommendation. The response indicated that DIBP expected to be fully compliant with the Top Four by 30 June 2016.
The ANAO, in response to the JCPAA recommendation, extended audit coverage of cybersecurity and assessed another four entities for compliance under Report No. 37 (2015–16) Cyber Resilience. The audit found two entities had achieved compliance—AUSTRAC and the Department of Agriculture and Water Resources. The other two entities did not achieve compliance—Australian Federal Police and the Department of Industry, Innovation and Science.
The ANAO published Report No. 42 (2016–17) Cybersecurity Follow-up Audit. Two recommendations were made:
Recommendation 1: The ANAO recommends that entities periodically assess their cybersecurity activities to provide assurance that: they are accurately aligned with the outcomes of the Top Four mitigation strategies and entities’ own ICT security objectives; and that they can report on them accurately. This applies regardless of whether cybersecurity activities are insourced or outsourced.
Recommendation 2: The ANAO recommends that entities improve their governance arrangements, by:
asserting cybersecurity as a priority within the context of their entity-wide strategic objective;
ensuring appropriate executive oversight of cybersecurity;
implementing a collective approach to cybersecurity risk management; and
conducting regular reviews and assessments of their governance arrangements to ensure its effectiveness.
All entities agreed to both recommendations.
The JCPAA resolved to conduct an inquiry on any items, matters or circumstances connected with ANAO Report No. 42 (2016–17), Cybersecurity Follow-up Audit.