Federal Parliamentary Computer Network set for its "most significant" upgrade

The federal Parliamentary Computer Network (PCN) will receive its “most significant” upgrade since being built, targeting improvements in information security and cyber resilience.

The Department of Parliamentary Services (DPS) revealed details of the major upgrade in response to a cyber security audit [pdf].

As reported by iTnews in mid-May, DPS received an unknown amount of money in the most recent federal budget “to deliver necessary enhancements for Parliament’s critical information technology systems.”

The amount of funding is still unknown, but appears to be a multi-year investment, with DPS secretary Jaala Hinchcliffe saying it is “commencing” from this financial year.

The formal name of the upgrade project is the Parliamentary Information and Cyber Resilience or PICR.

“The PICR project reflects our view that the historic [PCN] system design is no longer fit-for-purpose and will address the underpinning system design to improve critical cyber, information security and operational resilience risks to ensure effective functioning of the PCN,” Hinchcliffe wrote.

“The current PCN is outdated, unsegmented, and increasingly vulnerable to interference and disruptive cyber events”.

Focus on the PCN was elevated after a malicious attack in early 2019 that forced a mass reset of access credentials.

Through the PICR project, the PCN is anticipated to become operationally more resilient, to have a “materially reduced blast radius”, and improved compliance with the mandatory security standards - the Essential Eight - that governments departments and agencies must meet.

“The PICR project will be the most significant uplift in the PCN since its establishment and will strengthen cyber security, information protection and operational resilience across the network,” Hinchcliffe wrote.

The latest cyber security audit of the DPS and its assets paints a familiar picture, with a persistent gap in how the department assesses its cyber maturity, compared to how an outside auditor sees it.

The auditor’s main issue was with “compensating controls” - basically, a vulnerability management platform and a security and information event management (SIEM) platform - that are relied on to de-risk DPS and its environment, to get it closer to Essential Eight compliance.

The auditor said that where it marked down DPS, that its “assessment primarily related to deficiencies with the intended compensating controls that DPS relied upon for risk-managed elements.”

The PCN is the network used by parliamentarians, senators and staff. It also connects Parliament House to ministerial and electorate offices around the country.