ASD says cyber resilience still far too low across govt

Most federal government agencies are still struggling to fully-implement mandatory cyber security controls, with more than 70 percent reporting below baseline levels of maturity last year.

The finding, contained in the Australian Signals Directorate's first cyber security posture report to parliament, continues a worrying trend first revealed by the national auditor three years ago.

The report, released last week, reveals that implementation of the ASD's top four cyber mitigation strategies by agencies remains at “low levels across the Australian Government”.

The top four have been mandatory for non-corporate Commonwealth entities (NCCEs) for the past seven years in a bid to avoid the vast majority of percent of cyber intrusions.

They now form part of the more exhaustive list of essential eight strategies, which is considered the government's new baseline for cyber security.

But the report reveals 73 percent of NCCE’s reported either ‘ad hoc’ (13 percent) or ‘developing’ (60 percent) levels of maturity in 2018-19 protective security policy framework (PSPF) reporting.

An ad hoc rating is considered the lowest possible score under the scoring metric, and indicates only “partial or basic implementation and management” of the top four.

A developing rating, one the other hand, is one step up from ad hoc and means an agency implementation and management of the top four has been “substantial, but not fully effective”.

Both ratings are below the baseline maturity level for reporting entities, which is defined as ‘managing’ or the “complete and effective implementation and management” of the top four and consideration of the remaining voluntary essential eight controls.

Just under 25 percent of agencies reported a ‘managing’ level of maturity, while the remaining two percent consider themselves ‘embedded’ and “excelling at implementation of better-practice guidance”. 

While it is difficult to determine how the implementation of top four has changed since 2017-18, as the PSPF reporting process has changed in the last year, the majority of agencies said some improvement was needed.

ASD said PSPF reporting from 2018-19 indicated that 67 per cent of NCCE's acknowledged the “need to raise the maturity of their cyber security against at least one of the top four strategies” in future years.

The final PSPF report before the scheme changed last year revealed that almost 40 percent of agencies had not fully-implemented the top four. It also indicated that compliance with the top four had improved by just three percent between 2015-16 and 2017-18.

Essential eight

Despite ongoing problems with top four implementation across the federal government, the cyber security posture report indicates that agencies are beginning to improve their compliance with the voluntary controls under the essential eight.

“In 2019, implementation of the essential eight across Commonwealth entities improved slightly in comparison to previous years,” the report states.

“More entities are taking steps to apply the baseline strategies and increase the maturity of their implementation.”

The report, which cites information from the Australian Cyber Security Centre’s cyber security survey, said 50 percent of agencies had “progressed from partly to mostly aligned with the essential eight strategy on user application hardening” between 2018 and 2019.

“This helps reduce the potential attack surface of Commonwealth workstations, as well as limiting adversaries’ ability to bypass other security controls,” ASD said.

More than 30 percent of agencies have also progressed from party to mostly aligned with strategies around multi-factor authentication and configuring Microsoft Office macros.

However, ASD said baseline adoption of the essential eight, much like the top four, “still requires further improvement to meet the rapidly evolving cyber security threat environment”.

This includes the 25 agencies that were assessed as part of ASD’s uplift program in the wake of the state-sponsored cyber attack against Parliament House - Australia’s “first national cyber crisis”:

“While all of the Commonwealth entities assessed through the cyber uplift sprints were found to be taking positive and proactive steps to improve their cyber security, the ACSC assessed that they had not yet achieved the recommended maturity level for the essential eight,” ASD said.

“As a result, these entities are vulnerable to current cyber threats targeting the Australian Government.”