The Attorney-General’s Department has flagged that stricter cyber security accountability mechanisms could be on the way for federal government agencies following a string of worrying cyber resilience audits.
But the government remains tight-lipped on whether cyber security controls would be enforced, as it is reportedly considering for the private sector as part of the country's next cyber security strategy.
This is despite years of subpar compliance with the Australian Signals Directorate's mandatory Top Four cyber mitigation strategies across government, as repeatedly revealed by the Australian National Audit Office.
The Top Four form part of the government’s Protective Security Policy Framework (PSPF), which requires that agencies self-assess against 16 core requirements each year using a ‘maturity model’ and report the results to the AGD.
The maturity model was introduced in October 2018 following a review that found the former ‘compliance model’ contributed to a ‘tick-the-box’ compliance culture.
But early results from that reporting indicate that compliance remains relatively unchanged, with 73 percent of agencies reporting either ‘ad hoc’ (13 percent) or ‘developing’ (60 percent) levels of maturity in 2018-19 PSPF reporting.
Speaking at a parliamentary inquiry into cyber resilience on Thursday, AGD’s integrity and international group deputy secretary Sarah Chidgey said the department was now looking at further improving the framework to drive compliance.
“We have already flagged as part of the government’s security committee … that we want to work on arrangements that would add to that self-assessment moderation option to check agencies’ rating and support them as part of that assessment process,” she said.
“So that is something we have in our work program at the moment. We’re conscious that we’ve just had the first year of maturity reporting, and are now looking at how we can improve that building on the results we got from this year.”
When asked by Liberal Party MP and committee chair Lucy Wicks whether these discussions had considered benchmarking agencies against other similar agencies to compare cyber resilience, Chidgey said “yes”.
“I think that is what we’re looking at, particularly in that adding to the framework we’ve got more of an external moderation or benchmarking process,” she said.
“What we’ve got with the maturity model already improves our comparative ability to a degree across agencies, but we are considering how we further enhance that by also an external mechanism.
“Whether we do it by agencies cross-assessing each other or central arrangements for going in and assessing or moderating agencies’ assessment results is something we’re working through and have some initial conversations with colleagues, for example, in New Zealand.”
The comments come as the government talks up introducing tighter regulation of cyber security protections for the private sector, particularly banks, healthcare, utilities and other critical infrastructure.
The minimum cyber security standards for businesses, which could be set “industry-by-industry”, would likely be introduced later this year as part of the government's cyber security strategy.
But Labor Party MP and deputy committee chair Julian Hill said that introducing enforceable standards in the private sector, when the government was struggling to enforce its own cyber security standards under the PSPF, could be seen as hypocritical.
“So we’ve got this situation in the Commonwealth where there’s no regulator or enforcement for Commonwealth entities’ compliance with the government’s standards,” he said.
“And yet the government is out there floating there about to put some teeth into regulating the private sector. Why the distinction?”
In response, Department of Home Affairs’ cyber, digital and technology policy first assistant secretary Hamish Hansford said “there are a range of different regulatory options” that the government was considering as part of the upcoming cyber security strategy.
“In the context of regulation, obviously a matter for the government is to look at how, if and when or why they would regulate, and the extent to which government would be included in any regulatory reform or any holistic response to cyber security,” he said.
Hansford also said that the government, as part of the cyber security strategy, was looking at the “biggest question” of “how do you defend at scale”.
“How do you prevent cyber security attacks at scale across the Commonwealth, across all of our entities, what does that look like, and how do you look at aggregation more generally, and how do you look at the holistic network of government operations,” he said.
“And that’s really a key issue from a macro cyber security policy that the department is looking at really closely with the Digital Transformation Agency.
“And as I’ve indicated previously, the government will have something to say about government cyber security in this regard in the coming months.”
Questions also remain over the level of accountability that agencies have to Parliament, given that attempts by Labor to solicit answers around Top Four and Essential Eight compliance last year were met with the same blanket response.
In these responses, the agencies - or most probably the ASD and Home Affairs - said publicly reporting individual agency compliance with the Essential Eight “may provide a heat map for vulnerabilities” that could “increase an agency’s risk of cyber incidents”.
As Shadow Assistant Minister for Cyber Security Tim Watts noted, by not reporting these details in a public forum or in ASD’s anonymised cyber security posture report to parliament, the government had opted for “security in obscurity”.