NSW govt agencies to face cyber security inquiry

A parliamentary inquiry will scrutinise the NSW government’s handling of cyber security incidents, as well as its measures to protect digital infrastructure more generally, following a spate of cyber attacks.

The NSW upper house premier and finance committee quietly opened the probe by self-referral earlier this month, just weeks after Labor public services minister Sophie Cotsis called for such an inquiry.

The inquiry will look into “cyber security and digital information management in NSW”, including the number of cyber incidents and data breaches experienced by government agencies and the financial cost of those incidents.

It follows a series of cyber attacks against the NSW government, which reportedly prompted Prime Minister Scott Morrison’s warning to the nation in June that a “sophisticated state-based cyber actor” was responsible for a surge in malicious activity.

However, just how many agencies have been impacted is not well publicised as there is currently no requirement for them to report data breaches to affected persons, though this is set to change after the government pledged to introduce a mandatory notification scheme.

Service NSW - which was hit by an email compromise attack in April that affected the accounts of 47 staff members and information of an unknown number of citizens - is one such agency that has been impacted by malicious cyber activity in recent months.

The “policies and procedures underpinning the management of digital information”, including the monitoring and response to incidents and data breaches, will also be considered as part of the inquiry, as well as everyday “systems management” within agencies.

As revealed by the NSW auditor last year, agencies are struggling to implement the Australian Signals Directorate’s essential eight controls, which became mandatory under the government’s cyber security policy last year.

More than half of the 62 agency assessments submitted to the whole-of-government cyber security office were found to fall into the maturity level zero category for three essential eight controls, leading the auditor to warn that cyber resilience needs “urgent attention”.

Another aspect of the government’s cyber security management to fall under the inquiry’s terms of reference is its “expenditure on cyber security, digital services and digital infrastructure”, which climbed $800 million to $3.8 billion in the 2017-18 financial year.

The government’s appetite for outsourcing will similarly be investigated, including the “extent and impact of outsourcing of government information systems” and the security risks involved in doing so.

The inquiry's other terms of reference include:

• Contractual arrangements between the government and providers of digital services and infrastructure, including provisions relating to cyber security
• Cyber security support provided by the government to local councils and other organisations
• The government’s response to cybercrime in the community