ASD responded to 1100 serious govt cyber incidents in three years

Almost 1100 cyber security incidents against federal government networks were serious enough to warrant an operational response over the last three financial years, the Australian Signals Directorate has revealed.

In a long overdue response to questions on notice from the now complete digital delivery of government services inquiry, the agency said the incidents had occurred between 2015-16 and 2017-18 with varying degrees of success.

“The data available to ASD indicates that across the last three financial years (FY 15-16, FY 16-17, FY 17-18), there were 1097 cyber incidents affecting unclassified and classified government networks that were considered serious enough to warrant an operational response,” it said this week.

ASD specified that action against an incident is necessary when it “achieves any degree of success”, which can vary from “significant data exfiltration and degradation of the network through to no harm being realised”.

“The nature of the response varied depending on the incident, and ranged from telephone conversations through to deployment of staff resources and tools to assist in mitigating the incident,” it said.

However, in responding to questions from Centre Alliance Senator Rex Patrick, the agency said it was not possible to break down this data further so that incidents are categorised by the network affected or impact realised.

“The data available to ASD is not categorised by the classification of the network or impact realised, and that level of detail would require costly manual review of every incident,” it said.

ASD also indicated that it “does not have visibility of all Australian government agencies’ physical or cyber security postures”, despite agencies being required to report this information as part of yearly protective security policy framework (PSPF) reporting.

The reporting requires agencies to detail their level of compliance with the government's minimum mandatory information security controls known as the top four strategies to mitigate cyber security incidents.

Last year's PSPF report revealed that almost forty percent of agencies were still yet to fully implement ASD’s top four strategies, which are widely considered the best way to avoid at least 85 percent of cyber intrusions.

The government has since overhauled the PSPF compliance regime, which now contains four core requirements for information security.

ASD response comes more six month after the final report was handed down by the Finance and Public Administration References Committee and more than ten months after the questions were asked.

The report, which does not mentioned number of successful cyber incidents, was highly critical of the government and public sector readiness and ability to execute digital projects.