Cyber resilience across the federal government has barely improved over the past three years, with dozens of agencies still to implement the Australian Signals Directorate’s supposedly mandatory information security controls.
The government’s latest protective security policy framework (PSPF) compliance report, quietly released on Tuesday, reveals almost 40 percent of agencies were still to fully implement ASD’s top four cyber mitigation strategies in 2017-18.
The strategies, which are considered the best way to avoid at least 85 percent of cyber intrusions, have been mandatory for non-corporate Commonwealth entities (NCCEs) since April 2013, though a more exhaustive list containing additional voluntary controls has since been issued.
The report from the Attorney-General’s Department shows the number of agencies compliant with the top four or ‘INFOSEC-4’ has barely improved over the last three years, climbing just three points between 2015-16 and 2017-18.
At just under 62 percent in 2017-18, top four compliance by the 94 NCCEs required to self-assess against the PSPF is called out in the report as “the lowest of all 36 mandatory requirements”.
“Levels of compliance with INFOSEC-4, relating to cyber and ICT system security, including the ASD’s strategies to mitigate targeted cyber incidents, remain relatively steady, but continue to present an area of risk for the Australian Government with a level of compliance at 61.70 percent,” the report [pdf] states.
The result represents a “marginal” improvement on 2016-17 compliance levels, which sat at just over 60 percent. As revealed by iTnews in 2017, compliance levels were just over 59 percent in 2015-16 and 48 percent in 2014-15.
During this time, a number of Canberra’s largest service delivery agencies have become fully compliant with the top four, including Services Australia (previously the Department of Human Services) and the Australian Taxation Office.
The latest report also confirms that cyber resilience improvements across the Australian Public Sector have slowed since the 2016 cyber security strategy sharpened the government’s focus on bolstering cyber security.
The lack of improvement has led a number of agencies to question the effectiveness of the government's approach to cyber security, which, while mandatory rules remain unenforced, is creating a 'patchwork' of resilience.
This is notwithstanding recent efforts by ASD to uplift the cyber posture of 25 agencies in the wake of the state-sponsored cyber attack against Parliament House, which has been labelled Australia’s “first national cyber crisis”.
The mass uplift followed an undisclosed amount of funding in the 2019 budget for the creation of new cyber sprint teams within the ACSC to “mitigate potential cyber threats through enhanced monitoring and response capabilities”.
Yes, but at least it didn't go backwards
While the increased focus on cyber security hasn’t necessarily resulted in any real change in compliance levels since the release of the government’s cyber security strategy, there is some suggestion that it has led to more accurate reporting.
This was a concern raised by the Australian National Audit Office in a 2017 cyber security audit, which found some agencies were non-compliant with some controls despite self-reporting as compliant.
“With increased awareness of cyber security risks and efforts highlighting appropriate risk mitigation strategies in 2016-17, entities were more considered in their assessment against the information security requirement recording no significant improvement in NCCE compliance with information security requirements in 2017-18,” the latest report said.
This may explain why another PSPF information security requirement mandating that entities “implement policies and procedures for the security classification and protective control of information assets” actually went backwards during 2017-18.
The level of compliance with the requirement, dubbed INFOSEC-3, managed to decrease by more than five percent, which the report has put down to gaps in some of the approaches taken by agencies.
“This change is attributed to some entities identifying gaps in their approaches following review of their policies and security measures regarding appropriate levels of protection for information assets,” the report states.
“Also, with the introduction of new information assets, such as information platforms (Windows tablets with voice and video conferencing capabilities), these affected entities are reviewing their policies and procedures with respect to security classification and protective control of these new information assets.”
However, the report notes that the relevant entities “have measures in place to mitigate the associated risks from their non-compliance”.
Both INFOSEC-3 and INFOSEC-4 are the main reasons information security remains the key risk area for agencies among the four PSPF areas.
“Continuing advances in technology contribute to the dynamic environment of information security and the diverse threats encountered by the Australian Government in securing its information,” the report states.
“As such, information security arrangements are an important element in an entity’s effective protective security regime but a particularly challenging one.
“Compliance with information security requirements remains an area of focus for all NCCEs.”
Compliance harder to spot from next year
The 2017-18 report will be the last to assess compliance against the old PSPF framework, which was replaced in October last year following a review that found it contributed to a ‘tick-the-box’ compliance culture.
The new PSPF ‘maturity model’ has consolidated the current set of 36 requirements down to 16 core requirements that no longer require a yes/no response, which the government says will “improve clarity, reduce unnecessary ‘red tape’ and foster a strengthened security culture”.
“From 2018–19, entities will report on their PSPF implementation using a security maturity model to assess the maturity of their protective security practices instead of a compliance model,” the report states.
“A security maturity model aims to embed a stronger security culture by encouraging entities to continuously engage in identifying and assessing the risks present in their security environment.
“It also provides entities with the tools to assess their security performance in a more graded and relevant way, including how effectively they manage key risks and vulnerabilities.”