iTnews

Govt mulls stricter cyber security accountability for agencies

By Justin Hendry on Jul 3, 2020 12:33PM

After years of apathy.

The Attorney-General’s Department has flagged that stricter cyber security accountability mechanisms could be on the way for federal government agencies following a string of worrying cyber resilience audits.

But the government remains tight-lipped on whether cyber security controls would be enforced, like it is reportedly considering for the private sector as part of the country's next cyber security strategy.

This is despite years of subpar compliance with the Australian Signals Directorate's mandatory Top Four cyber mitigation strategies across government, as repeatedly revealed by the Australian National Audit Office.

The Top Four form part of the government’s Protective Security Policy Framework (PSPF), which requires that agencies self-assess against 16 core requirements each year using a ‘maturity model’ and report the results to the AGD.

The maturity model was introduced in October 2018 following a review that found the former ‘compliance model’ contributed to a ’tick-the-box’ compliance culture.

But early results from that reporting indicate that compliance remains relatively unchanged, with 73 percent of agencies reporting either ‘ad hoc’ (13 percent) or ‘developing’ (60 percent) levels of maturity in their 2018-19 PSPF reporting.

Speaking at a parliamentary inquiry into cyber resilience on Thursday, AGD’s integrity and international group deputy secretary Sarah Chidgey said the department was now looking at further improving the framework to drive compliance.

“We have already flagged as part of the government’s security committee … that we want to work on arrangements that would add to that self-assessment moderation option to check agencies’ rating and support them as part of that assessment process,” she said.

“So that is something we have in our work program at the moment. We’re conscious that we’ve just had the first year of maturity reporting, and are now looking at how we can improve that building on the results we got from this year.”

When asked by Liberal Party MP and committee chair Lucy Wicks whether these discussions had considered benchmarking agencies against other similar agencies to compare cyber resilience, Chidgey said “yes”.

“I think that is what we’re looking at, particularly in that adding to the framework we’ve got more of an external moderation or benchmarking process,” she said.

“What we’ve got with the maturity model already improves our comparative ability to a degree across agencies, but we are considering how we further enhance that by also an external mechanism.

“Whether we do it by agencies cross-assessing each other or central arrangements for going in and assessing or moderating agencies’ assessment results is something we’re working through and have some initial conversations with colleagues, for example, in New Zealand.”

The comments come as the government talks up introducing tighter regulation of cyber security protections for the private sector, particularly banks, healthcare, utilities and other critical infrastructure.

The minimum cyber security standards for businesses, which could be set “industry-by-industry”, would likely be introduced later this year as part of the government's cyber security strategy. 

But Labor Party MP and deputy committee chair Julian Hill said that introducing enforceable standards in the private sector, while the government was struggling to enforce its own cyber security standards under the PSPF, could be seen as hypocritical.

“So we’ve got this situation in the Commonwealth where there’s no regulator or enforcement for Commonwealth entities’ compliance with the government’s standards,” he said.

“And yet the government is out there floating there about to put some teeth into regulating the private sector. Why the distinction?”

In response, Department of Home Affairs’ cyber, digital and technology policy first assistant secretary Hamish Hansford said “there are a range of different regulatory options” that the government was considering as part of the upcoming cyber security strategy.

“In the context of regulation, obviously a matter for the government is to look at how, if and when or why they would regulate, and the extent to which government would be included in any regulatory reform or any holistic response to cyber security,” he said.

Hansford also said that the government, as part of the cyber security strategy, was looking at the “biggest question” of “how do you defend at scale”.

“How do you prevent cyber security attacks at scale across the Commonwealth, across all of our entities, what does that look like, and how do you look at aggregation more generally, and how do you look at the holistic network of government operations,” he said.

“And that’s really a key issue from a macro cyber security policy that the department is looking at really closely with the Digital Transformation Agency.

“And as I’ve indicated previously, the government will have something to say about government cyber security in this regard in the coming months.”

Questions also remain over the level of accountability that agencies have to Parliament, given that attempts by Labor to solicit answers around Top Four and Essential Eight compliance last year were met with the same blanket response.

In these responses, the agencies - or most probably the ASD and Home Affairs - said publicly reporting individual agency compliance with the Essential Eight “may provide a heat map for vulnerabilities” that could “increase an agency’s risk of cyber incidents”.

As Shadow Assistant Minister for Cyber Security Tim Watts noted, by not reporting these details in a public forum, or in ASD’s anonymised cyber security posture report to parliament, the government had opted for “security in obscurity”.
