Govt agencies struggle to keep up with patching load

Canberra's IT chiefs have been hauled before Australia's parliament to explain why so many have struggled to meet the Australian Signals Directorate’s guidelines for information security, revealing an uphill battle against ageing infrastructure and a flood of software patches.

Last week, the parliament's public accounts and audit committee convened to find out what agencies were doing to bolster their response to the cyber threat, after a June 2013 report out of the Australian National Audit Office (ANAO) found that seven of the largest entities were unlikely to achieve full compliance with the ASD’s core cyber security demands by its June 2014 deadline.

Appearing before the committee, Department of Human Services CIO Gary Sterrenberg described the challenges his agencies faced as they attempted to tick the box on all four of the ASD’s top cyber mitigation strategies.

“[Over] the last year we have patched 2.5 million devices," he told the committee. "Our patching policy is a 30-day rotation, so at any one point in time it is likely a certain part of our fleet will not meet a certain patch level.

“I have never seen anything like [the rates of patching we need to do], and I was in a bank for 12 years. The level of patching we are getting from Microsoft is double what it was 10 years ago.

Sterrenberg said application whitelisting has now been completed across all DHS desktops, but he was facing “technical difficulties” doing the same across his Unix Solaris services because it was not a function built into the operating system.

Australian Customs and Border Protection security boss, Stephen Hayward, reported his agency is “certainly in a better position than we were” prior to the ANAO review, detailing how the agency has introduced new information security guidelines and dedicated resources for mitigation strategies like patching.

His counterpart at the Australian Taxation Office, Daniel Keys, predicted the ATO will be compliant in terms of application whitelisting by the end of 2014 and well on its way towards patching compliance and heightened access controls by the middle of 2015.

ASD cyber security chief Major General Stephen Day expressed some sympathy with the bureacrat’s plight, describing the deadline as “optimistic”.

“Defence, for example, will have to totally redo its operating system, and that will take some years to adapt to. In summary, it did not surprise me and I think it will take some years before we are at a relatively mature state.”

Major Day said that in a public sector context, 80 percent of all cyber strikes attempted on the Australian Government can be traced back to foreign intelligence sources, with the remainder made up of organised crime rings and ‘hacktivists’.

He explained that different antagonists would tend to go after different types of government agencies.

“If you are an organisation of state or industry that has a lot of money, then the people that are most interested in you are serious and organised crime. A lot of that comes out of Eastern Europe.

“If you are a more traditional department of state, then you are more likely to be targeted by foreign intelligence services.”

In 2011, the ASD picked up 1200 attempts to intrude on Australian Government systems, a figure which escalated to 1700 in 2012 and 2100 in 2013. Day acknowledged that some of the increase can be put down to improved detection techniques, but said his “sense” was that the rate of attacks was also on the rise.