Two key departments have refused to implement even the most basic cybersecurity requirements and wrongly claimed to have done so, a new report from the auditor-general shows — elevating what has been a long-running public service debacle into open defiance by bureaucrats.
As Crikey has reported for years now, few government departments or agencies have ever complied with the four basic Australian Signals Directorate (ASD) cybersecurity requirements mandated for government in 2013.
Nearly eight years later, what are called the “Top Four” basic requirements remained widely unimplemented across departments and agencies. In 2017, they were rolled into a longer list, and it was decided to stop referring to “compliance” with the requirements — given there was no apparent need for that word — and to refer instead to “maturity”.
The Australian National Audit Office (ANAO) has issued five reports detailing the failure of agencies to comply over the years — on top of reports by Parliament’s Joint Committee for Public Accounts and Audit, where Labor’s Tim Watts has been pursuing the issue.
But Friday’s ANAO report takes the bureaucrats’ non-compliance to a new level. It examined not merely levels of compliance, but checked the agencies that claimed they had complied, and looked at how the government internally monitored compliance.
Problems began early on when the ANAO found that Christian Porter’s Attorney-General’s Department (AGD) had mistakenly given itself a higher level of assessment of compliance, forcing it to downgrade itself. AGD then claimed to have fully implemented two of the Top Four but when the ANAO checked, it found it was only fully compliant with one.
Prime Minister and Cabinet (PM&C), as befits the lead public service department, claims to be fully compliant. The ANAO checked and found it had only got three out of four. “Weaknesses in PM&C’s validation processes increases the risk that a cyber intrusion could result in an adversary acquiring privileged access to its systems and subsequently change and bypass other security measures to compromise the system.”
Over at the Future Fund, which claims to be compliant with just two of the four, the ANAO found that it was correct in its assessment. Of the three agencies, the Future Fund was the only one that the ANAO didn’t think was “vulnerable” overall.
Meanwhile the government lectures business and the community about the need for cybersecurity measures and theatrically claims “Australia is under attack” as part of its array of media management tools.
Of the other departments and agencies examined, most had a strategy for becoming compliant — years late — but half of them didn’t have a timeframe for doing so, which in public service terms means it won’t happen.
The ANAO examined how the government was internally trying to improve compliance — driven by ASD, Home Affairs and, hilariously, AGD itself. Finally there was some good news — since its last report, the three agencies had lifted their game in terms of pushing departments to comply, though the shift to a “maturity” model has made implementation requirements less clear.
Worse, the lead agencies didn’t have any system for checking whether departments’ claims about compliance were true or not — understandably, given that AGD itself had wrongly claimed to be compliant.
In classic Canberra style, AGD said it didn’t have the capacity to check if departments were telling the truth, while ASD, which does have the capacity, said it wasn’t its job to check.
The ANAO also pointed out that lack of transparency is part of the problem.
The status of entities’ cyber security posture is not transparent due to the policy and operational entities’ concerns about increasing security risks following the disclosure of individual entities’ cyber security maturity level. The cyber policy and operational entities have not established processes to improve the accountability of entities’ cyber security posture. The current framework to support responsible ministers in holding entities accountable within government is not sufficient to drive improvements in the implementation of mandatory requirements.
National security is being invoked to hide the widespread failure of government agencies to do the most basic cybersecurity requirements.
This is a failure that has occurred over the life of the Coalition government. It has never been a priority for ministers. But cybersecurity is an issue that should be front of mind for public service leaders, especially given the government’s overblown rhetoric on the subject.
As head of the public service, and of one of the offending departments, PM&C’s Phil Gaetjens has failed to provide leadership on a critical national security issue. Instead, senior bureaucrats have openly defied mandated requirements and dragged their heels — and continue to drag their heels — on taking basic measures, meaning that our most important departments remain, in the words of the auditor-general, “vulnerable”, including one of the agencies that is supposed to be making sure other departments comply.
How very Canberra.
Agree with everything BK except those last three words. I am a Canberran and, along with almost everyone I know in Canberra, I find the many many failures of the federal government around IT security, and a very long list of other matters, to be appalling.
Just because the PM likes to invoke the Canberra bubble when he does not want to answer questions does not mean others should follow his lazy, self-indulgent and self-exonerating example.
Put the blame where it’s due – on the people who are elected to the federal parliament and their sidekicks.
“How very bubble”??
This is what you get when you farm out as much public administration as you can get away with to private companies and then put political appointees into senior positions in what is left.
A government that sees the value in frank and fearless advice from a competent and well resourced public service is necessary now before there is nothing left to build upon.
Let us hope for our sake that we never have to pretend to fight China with such a crowd of losers and tossers.
According to Greg Austin, a cybersecurity expert at the University of New South Wales (UNSW), “The government is showing no interest in innovative approaches to privacy protection. It is showing a high degree of incompetence in protecting its own systems. It manifests a low degree of cybersecurity across the board. We simply can’t trust them to protect this information”.
As the Electronic Frontier Foundation said in a statement in 2015: “any ‘backdoor’ into our communications [created by this Misgovernment] will inevitably (and perhaps primarily) be used for illegal and repressive purposes rather than lawful ones”.
It is appalling that Telstra rent phone lines to saboteurs. I get calls every day from scammers testing my security. The biggest communications company in our country rent them the pathway in. If my bank can call me before I have left the shop in Bali with a large cc purchase, then Telstra can tell who the scam callers are.
Canberra is not just its pollies and senior (contracted) public servants. Real people live and work there also. I am heartily fed up with Canberra folk as a whole being tarred with the same brush as the pollies by a lazy and monopolistic media.
The problem is that Canberra was only created to service the Federal Government and be the Capital of Oz. It’s hard for most people to understand that there may be other things going on there as well.