2.1
This Chapter discusses the Committee’s findings in relation to the audited entities’ compliance with the Australian Signals Directorate (ASD) mandatory Top Four mitigation strategies. The new Essential Eight mitigation strategies released this year by the ASD, which subsume the Top Four, are also discussed. The chapter comprises the following sections:
Committee conclusions and recommendations
Implementation of the Top Four mitigation strategies
From Top Four to Essential Eight
Implementation of ANAO Recommendation 1
Committee conclusions and recommendations
2.2
The Australian Government set a target date for government entities to achieve compliance with the ASD Top Four mitigation strategies by 30 June 2014. The Committee is concerned that the Australian National Audit Office (ANAO) Report No. 42 (2016–17) found that the Australian Taxation Office (ATO) and Department of Immigration and Border Protection (DIBP) were not compliant with the mandatory Top Four mitigation strategies and were not cyber resilient. The Department of Human Services (DHS) was found by the ANAO to be compliant and cyber resilient.
2.3
Under the Public Governance, Performance and Accountability Act 2013, all non-corporate Commonwealth entities (NCCEs), such as the ATO, DIBP and DHS, are required to report annually to the Attorney-General on the implementation of the Protected Security Policy Framework (PSPF). The mandatory requirement for NCCEs to implement the ASD Top Four mitigation strategies sits within the PSPF.
2.4
The Committee is most concerned to hear that in 2015–16 only 65 per cent of NCCEs reported compliance with the Top Four mitigation strategies. This is despite the fact that the Top Four mitigation strategies represent the minimum requirement for entities and, according to the ASD, if implemented will stop 85 per cent of cyber intrusions. The Committee heard from submitters and witnesses that while implementation of the Top Four mitigation strategies improves the cybersecurity posture of an entity, it does not necessarily make an entity cyber resilient. The necessary elements to make an entity cyber resilient are discussed in greater detail in Chapter 3.
2.5
The Committee notes the ANAO’s assessment that there is no impediment to entities implementing the Top Four mitigation strategies. The Committee reiterates its previous recommendation (made in March 2015) that entities should achieve compliance with the Top Four mitigation strategies as soon as possible.
2.6
The Committee notes observations by DHS and DIBP that a key element to achieve compliance with the Top Four mitigation strategies is significant investment. This is evidenced by DHS making ‘significant investment’ in its cybersecurity and achieving compliance, whilst facilitating billions of dollars in social security payments.
2.7
The Committee is concerned to hear from DIBP that it is only in its second-year of implementing cybersecurity enhancement programs. The Committee notes that significant machinery of government changes—with the creation of Australian Border Force—contributed to the delay in achieving compliance, however considers that compliance may have been achieved sooner if investment in these programs were made earlier. It is concerning to the Committee that a national strategic organisation, which is expected to operate in most, if not all time zones, on a 24 hour basis cannot, as yet, achieve the minimum requirement towards cyber resilience and has no timeframe in which to do so.
2.8
The Committee considers that all non-corporate Commonwealth entities should become compliant with the Top Four mitigation strategies by June 2018 and recommends that the ATO and DIBP report back to the Committee on their progress to achieving full compliance with the Top Four mitigation strategies.
2.9
The Committee recommends that the Australian Taxation Office and Department of Immigration and Border Protection report back to the Committee on their progress to achieving full compliance with the Top Four mitigation strategies by June 2018, including advice as to barriers and timelines to complete outstanding actions.
2.10
In February 2017, the ASD updated its cybersecurity strategies, which resulted in the new ‘Essential Eight’ strategies subsuming the Top Four strategies. The Committee notes that the additional four strategies are a response to the increasing threat of ransomware, such as the recent WannaCry virus. The Committee notes that whilst the Government has not made the Essential Eight mandatory, the ASD considers them to be ‘baseline’ for all organisations. The Committee notes that the ATO and DIBP are preparing plans to implement the Essential Eight. The Committee notes the importance of entities being able to recover from a cyber attack and that backing-up data, which is one of the Essential Eight, is key to being able to quickly recover. This reflects good practice, which should anticipate a successful attack and/or a system failure that in turn requires a focus on high system availability, system recovery and data recovery as essential elements of a back-up strategy.
2.11
The Committee views the implementation of the Essential Eight by all government entities as a matter of best practice and critical to enhancing the Commonwealth’s cyber posture as a whole. The Committee recommends that the Australian Government mandate the Australian Signals Directorate’s Essential Eight cybersecurity strategies for all entities under the Public Governance, Performance and Accountability Act 2013 by June 2018.
2.12
The Committee recommends that the Australian Government mandate the Australian Signals Directorate’s Essential Eight cybersecurity strategies for all Public Governance, Performance and Accountability Act 2013 entities, by June 2018.
2.13
The Committee notes the ANAO’s finding that the self-assessing and reporting of compliance by both the ATO and DIBP could be improved. The ATO’s and DIBP’s ‘self-assessments both reported compliance against three of the Top Four mitigation strategies’. However, the ANAO assessed that the ATO and DIBP complied with only two and one of the strategies respectively.
2.14
The Committee recommends that the Australian Taxation Office and Department of Immigration and Border Protection report back to the Committee on their progress in implementing ANAO Recommendation 1, including advice as to barriers and timelines to complete outstanding actions.
2.15
Given the discrepancies between the self-assessed cybersecurity compliance of two of the three audited entities and the ANAO’s assessment, the Committee is concerned with the effectiveness of the self-assessment and compliance reporting regime under the PSPF. Therefore, the Committee recommends that the Auditor-General consider conducting an audit of the effectiveness of the PSPF’s self-assessment and reporting requirements for cybersecurity compliance. The audit could include review of Commonwealth agencies’ practices in undertaking self-assessments and the broader quality assurance oversight by the Attorney-General’s Department and ASD.
2.16
The Committee recommends that the Auditor-General consider conducting an audit of the effectiveness of the self-assessment and reporting regime under the Protected Security Policy Framework.
2.17
The Committee notes that cybersecurity is a strategic priority for the Australian Government. As a strategic priority, it is crucial that Commonwealth entities be accountable to the Australian Parliament.
2.18
The Committee considers it important that the Commonwealth’s cybersecurity posture is reported to Parliament on an annual basis, while noting the sensitivities around public reporting on cyber resilience.
2.19
The Committee recommends that the Attorney-General’s Department and the Australian Signals Directorate report annually on the Commonwealth’s cybersecurity posture to the Parliament, such as through the Parliamentary Joint Committee on Intelligence and Security.
Review of evidence
Implementation of the Top Four mitigation strategies
2.20
In 2010, the ASD developed a list of 35 strategies to assist entities to achieve the desired level of control over their ICT systems and mitigate the risk of cyber intrusions. In 2013 the Australian Government made the top four of these strategies mandatory for Government entities through an amendment of the PSPF.
2.21
The Top Four mitigation strategies are:
Patching operating systems
Minimising administrative privileges
(No) Impediments to implementation
2.22
The ANAO assessed that there is no impediment to ‘entities establishing a sound ICT general controls framework and effectively implementing the Top Four mitigation strategies’. Across the ANAO’s series of cybersecurity audits, the ANAO assessed three of the 11 entities examined as cyber resilient, noting that these entities ‘chose to prioritise cybersecurity and achieved cyber resilience as a result’.
2.23
DIBP stated that machinery of government changes slowed progress:
July 2015 saw the disestablishment of the ACBPS and the creation of the Australian Border Force as part of an integrated immigration and border protection portfolio. From an ICT perspective, this presented an enormous challenge of integrating two very different ICT architectures, ICT operational management processes and cybersecurity maturity.
…as a consequence of what is quite a significant machinery-of-government change, we have still maintained a positive trajectory and maintained critical business services, but it has adjusted the time it will take.
2.24
DIBP also stated that in comparison to DHS and the ATO, it had not invested as early to achieve compliance:
Both the Department of Human Services (DHS) and the Australian Taxation Office (ATO) have invested heavily over the last three to five years in large cybersecurity and ICT investment programmes. The Department of Immigration and Border Protection, however, is only in its second year of a number of multi-year programmes - Security; Identity and Access Management; End User Computing Consolidation and ICT Consolidation - that will significantly enhance the Department’s cybersecurity capability.
2.25
DIBP could not provide a date for when it would be fully compliant with all of the Top Four mitigation strategies. However, in the Executive Minute (3 December 2015) to this Committee’s previous report, the Secretary indicated compliance would be achieved by 30 June 2016. In its submission to this inquiry, DIBP told the Committee it ‘is working towards full compliance with ASD requirements through a number of activities’ and at the hearing provided the following updates:
Achieved desktop application whitelisting, with server whitelisting to be applied by July 2018;
Patching applications in the next two to three years;
Patching operating systems at the proposal stage;
Achieved minimising administrative privileges.
2.26
The ATO told the Committee at the public hearing that it expects to be fully compliant by November 2017, with most requirements to be achieved by 30 June 2017.
2.27
The following sections outline the detailed progress of implementation of the Top Four mitigation strategies by DIBP and the ATO.
Application whitelisting
2.28
A whitelist is a list of trusted applications available on desktops and servers. It prevents malicious software and unapproved programs from running on a computer. It is a more secure method than prescribing a blacklist of applications that are to be prevented from running.
ANAO findings
2.29
The ANAO found that the ATO and DIBP had not effectively implemented application whitelisting on their servers. DIBP had also not effectively implemented application whitelisting on its desktops. Additionally, the ATO did not have a coordinated approach to application whitelisting. However, during the course of the audit, the ATO developed an overarching strategy to better coordinate its approach to implementing application whitelisting.
ATO progress on compliance
2.30
The ATO advised that it was fully compliant with whitelisting in November 2016. However, whitelisting on some servers had to be disabled due to recent hardware issues. The majority of servers were expected to have whitelisting re-enabled by June 2017. The ATO also told the Committee it is strengthening whitelisting policies with external vendors.
DIBP progress on compliance
2.31
DIBP provided the following progress update on whitelisting:
i. The ISA and ICT Divisions have in flight projects that will deliver improved and effective application whitelisting controls.
ii. The EUCC is currently deploying the new Windows 10 desktop that is compliant with application whitelisting.
iii. A strengthened application whitelisting solution is being deployed to all legacy Windows 7 workstations and will be completed by July 2017.
iv. By July 2017, all legacy (Windows 7), new Windows 10 including corporate issued laptops and surface devices that connect to the internal network, will have application whitelisting enabled and enforced.
v. The Department is working towards delivering an application whitelisting capability to the Department’s server fleet. This is a multi-year project and is expected to conclude by July 2018.
Patching applications and operating systems
2.32
A patch is a piece of software designed to fix problems with, or update, a computer program or its supporting data. This includes fixing security vulnerabilities.
ANAO findings
2.33
The ANAO found that DIBP and the ATO did not deploy ‘security patches to their servers in the timeframes specified by the Information Security Manual’ and ‘had not deployed security patches for a large number of servers’.
2.34
The ANAO’s finding for automatic desktop patches were mixed. For entities using the Windows environment, patches were efficient and timely. However, for entities with a UNIX/Linux environment, these were not automated or streamlined. The ANAO also found many incidents of outdated software on desktops.
2.35
Further, the ANAO found:
…weaknesses in entities’ management of ICT contracts… Both the ATO and Immigration did not effectively use their internal assurance processes to validate the accuracy of service provider self-assessments against contractual obligations. This led to both entities having limited visibility of the true status of security patches across their ICT environments.
ATO progress on compliance
2.36
The ATO advised that it now has a compliance rate above 99 per cent for all patching of applications and that all critical patches are deployed within 48 hours (as recommended by the ASD).
2.37
The ATO stated that its overall patching of operating systems has improved. Full compliance was hindered by recent storage area network outages but the remaining patches in the Linux environment are scheduled for the second half of 2017.
DIBP progress on compliance
2.38
DIBP submitted that it is developing a business case for 2017–18 to increase the patching frequency to a monthly cycle. DIBP informed the Committee that it will reassess its compliance with patching in December 2017.
2.39
To improve the assessment of ICT contractors’ compliance with the Top Four mitigation strategies, DIBP now requires major service providers to ‘undertake an annual ASD approved I-RAP assessment on the services provided’. Further, any remediation activities generated from the assessment will be ‘closely monitored’ to ensure compliance with the Top Four mitigation strategies is achieved ‘as soon as practicable’.
Minimising administrative privileges
2.40
Administrative privileges include the ability to change system configurations and control parameters, circumvent security measures, access sensitive information and modify files and accounts of other users. By minimising these privileges an entity reduces the risk of security compromises, such as unauthorised disclosure and system breakdown.
ANAO findings
2.41
The ANAO found that all entities had policies and procedures in place to minimise privileged access. However, ‘there was room to improve the monitoring of privilege account usage’ and entities were implementing solutions to address this matter.
From Top Four to Essential Eight
2.42
In February 2017 the ASD expanded the Top Four mitigation strategies and created the Essential Eight. The introduction of the Essential Eight is part of the broader Government’s Cyber Security Strategy for 2017–2020. This strategy is aimed at improving the cyber security of not just government entities, but all Australian organisations. The Essential Eight are not mandatory for government entities. The additional four ‘essential’ strategies are:
Disable untrusted Microsoft Office macros
User application hardening (block web access to Flash, Java and ads)
Multi-factor authentication
Daily backup of important data
2.43
The ASD says ‘implementing the ‘Essential Eight’ mitigation strategies can save organisations considerable time, money, effort and reputational damage compared to cleaning up after a compromise’. ASD is also of the view that the Essential Eight are so effective it ‘considers them to be the cyber security baseline for all organisations’. The Committee heard from both the ASD and the Department of the Prime Minister and Cabinet, that the Essential Eight addresses the increased threat of ransomware from criminal actors (which is less of a concern to Government than state-sponsored threats).
2.44
At the hearing, ASD informed the Committee that the updated strategies were developed in response to an evolving threat and to assist entities to identify the types of strategies needed for particular risks. As such, the strategies are grouped by the risks that they minimise, as follows:
prevent malware delivery and execution;
limit the extent of cyber security incidents;
detect cyber security incidents and respond;
recover data and system availability; and
prevent malicious insiders.
2.45
At the hearing the ATO and DIBP informed the Committee that they are preparing plans to implement the Essential Eight strategies. DIBP provided the following additional information on its plan to be compliant with the Essential Eight:
The consolidation of the Department’s technology platforms and move to a single ICT environment is a key enabler to achieving compliance with the Essential Eight.
The implementation of Windows 10 and Office 2016 across the Department will mean macros are prevented from running without user approval. The Department is also investigating the use of digitally signing trusted macros to further reduce the risk of malicious macros compromising ICT systems.
The Department already requires websites to be whitelisted before they can run java applications and has implemented additional controls through network gateways to block content, including inappropriate and potentially malicious web content.
Multi-factor authentication is currently being piloted with administrative users. Following analysis of the pilot, the Department will design and implement an enterprise wide multi-factor authentication solution.
The Department already backs up all data on a daily basis and replicates the backup data to the Department’s secondary data centre.
Since the ‘Wannacry’ ransomware attack in mid-May 2017, the Department has implemented two hourly backups for its record keeping and corporate file systems.
2.46
A case study of the WannaCry cyber attack is outlined in Chapter 3. It explores how the Essential Eight could prevent such an intrusion.
Implementation of ANAO Recommendation 1
2.47
The ANAO found that both the ATO and DIBP incorrectly self-assessed their compliance with the Top Four mitigation strategies. Both entities reported compliance with three of the strategies. However, the ANAO found the ATO to be compliant with two and DIBP with one of the Top Four mitigation strategies.
2.48
The ANAO made the following recommendation:
The ANAO recommends that entities periodically assess their cybersecurity activities to provide assurance that: they are accurately aligned with the outcomes of the Top Four mitigation strategies and entities’ own ICT security objectives; and that they can report on them accurately. This applies regardless of whether cybersecurity activities are insourced or outsourced.
ATO progress on implementation
2.49
The ATO told the Committee its ‘Security Committee is monitoring the status of the implementation of the recommendations from ANAO and other audits relating to cybersecurity’.
2.50
The ATO has planned an external review in October, which will:
…assess the ATO’s cybersecurity activities to provide assurance that the activities are aligned with the outcomes of the Top Four mitigation strategies, [and that] the ATO’s ICT security objectives…are effective.
2.51
The ATO submitted that it has strengthened arrangements with third party suppliers to monitor compliance with the Top Four mitigation strategies through:
Full baseline Top Four governance reporting, to be extended to the Essential Eight in 2017
Independent validation processes on the information provided to the ATO by third parties through access to third party whitelisting and patching tools.
DIBP progress on implementation
2.52
DIBP submitted that it will assess its cybersecurity activities on an annual basis. With regard to monitoring outsourced ICT service providers. DIBP advised that it:
…has now included a requirement for its major ICT service providers to undertake an annual ASD approved I-RAP assessment on the services provided.
The remediation activities from the I-RAP assessments will be closely monitored by the Department to ensure the service providers remediate any non-compliances with the Top Four mitigation strategies as soon as practicable.