Dozens of agencies across the federal government remain vulnerable to cyber attack more than four years after mandatory minimum cyber security requirements were first introduced.
But the Australian public service, on the whole, is slowly improving its cyber security posture year-on-year, with more than ten new agencies reporting full compliance with mandatory threat mitigation strategies in the most recent reporting period.
Documents obtained by iTnews under freedom of information laws for the first time paint a picture of the federal government's ongoing ability to comply with the Australian Signals Directorate’s (ASD) 'top four strategies to mitigate targeted cyber intrusions'.
The top four became mandatory for agencies in April 2013. They require non-corporate agencies to report on their compliance with the strategies as part of their annual protective security policy framework (PSPF) self-reporting commitments.
The FOI documents show that more than a third of the 105 reporting entities failed to meet one or more of the top four strategies in the latest compliance report [pdf] compiled by the Attorney-General’s Department.
However, just which agencies failed to comply remains unknown as iTnews was refused access to the 237 pages of supporting documentation that accompanied the report, including individual compliance reports, on national security grounds.
“Information security continues to represent the highest level of overall non-compliance and remains an area of ongoing risk for the Australian government,” the 2015-16 PSPF compliance report states.
“Entities continue to find it challenging to implement ASD’s ‘top four’ strategies to mitigate targeted cyber intrusion.”
This enduring non-compliance by individual agencies indicates a lack of urgency to implement a series of strategies that the ASD says are the best way to avoid at least 85 percent of cyber intrusions.
The top four component of the broader PSPF security framework remains the most difficult for agencies to meet; the number of agencies reporting non-compliance only with the top four grew from 13 percent to 20 percent in the last year.
However, the overall level of compliance with the top four has improved on 2014: 65 percent of agencies are compliant with the top four at last count, compared to 53 percent in 2014-15.
The 2014-15 report - also obtained by iTnews [pdf] - acknowledged the “escalating risk” this presented to the federal government, and noted it would “require additional government efforts to mitigate security risks”.
“Achieving or maintaining higher levels of compliance against this requirement should be a priority for agencies in the next reporting period, to the extent practicable, taking into account business requirements,” the report states.
Despite this, only 12 of the 49 agencies that reported non-compliance with the top four in 2014-15 achieved full compliance a year later.
The inability of agencies to implement the top four was brought to the fore in March this year when an audit of the Immigration, Human Services, and Tax agencies found that only DHS was fully compliant.
The ATO and Immigration were found to have varying degrees of compliance, both failing to properly implement application whitelisting or to adequately patch operating systems and applications.
Immigration blamed its audit failure on the highly complex IT environment that arose when it merged with Customs in July 2015, while the ATO put its failure down to the SAN difficulties that put a dent in its overall IT security profile.
The audit later became the subject of a parliamentary inquiry which recently recommended mandating the new ‘essential eight’ cybersecurity strategies for all corporate and non-corporate Commonwealth entities by June 2018.
The ATO says it intends to be compliant by the end of this month, while Immigration has not yet set a date.
Time for change?
Evaluation of the PSPF conducted as part of the Belcher Review in 2015 found there was “confusion between mandatory and guidance elements” and a culture of “‘tick-the-box’ compliance, hampering effective engagement with risk”.
A further review was later conducted by the AGD, but it took until May 2017 – only two months after the auditor's report thrust the cyber security failings into the limelight – before the federal Secretaries’ Board considered the review and endorsed the suggested reforms.
The AGD is currently finalising a revised and simplified report into PSPF compliance, and plans to introduce it in July 2018.
The Prime Minister's cyber security special adviser Alastair MacGibbon also weighed in on the debate earlier this year when he suggested that compliance audits only captured a snapshot in time, stressing that compliance was only part of ensuring cyber resilience.
He also echoed the Belcher Review findings by suggesting that the fear of audit failure was fuelling a ‘tick box’ compliance culture in Canberra.