Parliament's 'unique' IT needs blamed for ASD Essential Eight shortfall

The Department of Parliamentary Services has blamed its 'unique' need to offer flexibility to parliamentarians and their staff for not implementing all Essential Eight cyber mitigation strategies.

It’s a decision that the department is now re-evaluating in the wake of the malicious attack against the parliamentary computing network by a state-sponsored actor last month.

In a submission [pdf] to the cyber resilience inquiry, published on Thursday, the DPS confirmed it had implemented all Top Four cyber mitigation strategies at the time of the attack that also affected Australia’s largest political parties.

But it conceded not all of the Essential Eight – now considered the baseline for cyber security by the Australian Signals Directorate (ASD) – had been implemented.

This is despite asserting that “effective cyber resilience extends beyond the ASD's Top Four and Essential Eight”.

“For the four remaining strategies in the Essential Eight, one has been fully implemented, one has been implemented to level of approximately 70 percent and one is currently in pilot,” DPS said.

The department charged its responsibility to offer parliamentarians a “highly varied” amount of software and services for not implementing the missing Essential Eight strategy in part or in full.

It put this down to the “impact this would have on the flexibility of systems and software used by parliamentarians” on a network that spans more than 5000 users across Parliament House, electorate and Commonwealth parliamentary offices, and DPS itself.

However it noted that the missing coverage was “being risk manged to the extent this is possible”.

“The Australian Parliament is a unique environment where there is a high demand for flexibility which much be balanced against the need to maintain a robust security posture,” DPS said.

“This presents a greater challenge compared to government departments where controls and restrictions are easier to implement and enforce to achieve cyber resilience.”

The department said “re-evaluation of all controls within the Essential Eight is being undertaken to ensure maximum protection of the environment”.

It is also continuing to “proactively mitigate threats before they reach [the] network” through its “industry leading threat intelligence platform”

New details on parliament hack

DPS' submission also provides new details on the way the department went about responding to the security breach against the parliamentary network, which includes 5000 desktops and laptops, 1000 servers and over 2000 mobile devices.

It said that the intrusion, which was “detected early and addressed rapidly”, resulted in the network being offline for less than three hours on the morning of February 8.

DPS used this fact to highlight its “resilience to continue operations and respond effectively during a major cyber incident”, which was carried out with the assistance of ASD and the Australian Cyber Security Centre.

However it also acknowledged the incident “highlighted a number of issues which will be the target for future and ongoing improvement”.