The Victorian government's IT systems are woefully underprepared for a cyber attack and the state does not have the procedures in place to detect and respond to one, the Victorian auditor-general has found.
Auditor-general John Doyle said a concerted attack on multiple agency ICT systems had the potential to be catastrophic, and the state additionally had no central mechanism to collect reports on such an attack.
“Overall, there is a low level of awareness of how an agency's ICT systems are likely to perform if subjected to a cyber attack,” a report on the government’s information security provisions found.
The report discovered that, alongside Western Australia, the Victorian state government accounts for the highest rate of cyber security incidents amongst Australian jurisdictions.
In 2012, inner Victorian agencies experienced 26 "serious cyber threat incidents", only half of which were reported to the Australian Signals Directorate's Cyber Security Operations Centre.
“Some agencies are detecting thousands of intrusion attempts per month, which range from minor errors when entering user names or passwords to serious attacks,” the report said.
“Common incidents included login credentials being stolen and published on websites frequented by cyber criminals and hackers, malicious code being used in online applications to trick a user or hijack a session, website defacement and malicious emails with embedded links or attachments.”
In one agency audited, 70 percent of all staff had a privileged level of access to critical systems, which they held on a permanent basis. In a number of cases across government, the report said, passwords guarding administrative access were “simple and easy to guess”.
During penetration testing commissioned by the auditor-general’s office, testers were able to locate unprotected lists of passwords which they then used to gain privileged access to secure systems, including an account held on behalf of one agency with an overseas financial institution.
Despite this vulnerability, Doyle said, the state’s public sector has no coordinated procedures in place to detect and respond to a coordinated incursion into the networks of more than one agency.
The present reporting strategy means there is no central agency oversight of serious incidents until six months after the attack.
Each agency's IT team is currently responsible for reporting any breaches to the ASD. The ASD in turn hands a six-monthly report back to Victoria’s central IT agency, the Department of State Development, Business and Innovation (DSDBI).
There is also no mechanism in place to notify appropriate ministers that an attack has occurred, the report found.
Falling through the cracks
Additionally, a large number of government bodies are falling through gaps in the state’s security oversight entirely.
The DSDBI’s information security policy applies only to central government departments and bodies, and not to more than 500 statutory bodies and state-owned enterprises.
Those 500 agencies are responsible for “significant sources of state revenue, and control billions of dollars of financial assets” and operating IT systems “critical to public safety, or systems holding sensitive personal data with potential value to third parties”, the report said.
Nor are these outer government bodies on the list of agencies receiving ASD threat alerts distributed by the DSDBI, meaning they could well be left in the dark about an imminent attack.
The auditor has recommended this group be brought into the fold immediately.
Last week, ahead of the report's release today, Victorian IT minister Gordon Rich-Phillips announced that work would soon begin on a whole-of-government cyber security strategy, to be directed by Alastair MacGibbon from the Centre for Internet Safety.
The auditor-general also acknowledged that new emergency response legislation before the Victorian Parliament designates clear leadership roles to DSDBI and the Department of Premier and Cabinet to analyse a cyber threat and comprehensively brief the government on cyber incidents.