A NSW cybersecurity agency whose taxpayer funding was recently increased by 300% has failed to ensure the government follows its own anti-hack policies, a new report has found.
The minister responsible for the agency refused to comment following the NSW auditor-general’s scathing report.
Cyber Security NSW was criticised by the auditor-general, Margaret Crawford, for not making sure other agencies comply with policies meant to protect people’s personal data.
“Cyber Security NSW has a remit to carry out audits of agencies’ self-assessments, but it has not carried out these audits and does not seek its own assurance of the results of these self-assessments,” Crawford wrote in the report.
“It is not sufficiently addressing previously identified inconsistencies and inaccuracies in how those self-assessments are performed and reported.”
Crawford also said the agency “does not clearly and consistently communicate its key objectives” nor reliably or meaningfully measure progress on them.
The report also found councils and other agencies were confused as to what specific services Cyber Security NSW provided, and that in any case, the cyber agency “cannot mandate action and does not have a strategic approach guiding its efforts”.
It comes after several high-profile hacks in recent years that compromised the personal information of NSW residents.
In March 2020, Cyber Security NSW’s parent agency Service NSW was hit by a cyber attack that resulted in the leak of data belonging to more than 100,000 individuals.
NSW Health and Transport for NSW have also had data compromised in hacks in recent years.
Cyber Security NSW has received $60 million in funding over the past three financial years, a 300% increase from its previous yearly funding of $5 million.
Staff numbers were expected to quadruple in the same period, from 25 to 100.
NSW Customer Service Minister Victor Dominello said at the time of the funding boost that it would be the “biggest single cybersecurity investment in national history and will strengthen the government’s capacity to detect and respond to the fast-moving cyber threat landscape”.
Dominello’s office did not respond to repeated requests for comment from Crikey on Wednesday and Thursday.
When a spokesperson for the minister finally responded to a message on Thursday morning it was only to say: “Minister won’t be commenting.”
A Cyber Security NSW spokesperson said the agency accepted all the recommendations made by Crawford and that it was “developing an assurance methodology to support NSW government agencies to consistently assess and report their compliance with” security policies.
“NSW government has invested $315 million to bolster cybersecurity in the state,” the spokesperson said.
“In 2022 CSNSW hosted the 2022 Cyber Insights Series: Beyond Essential Eight … a recurring theme throughout the discussion was that no one framework could serve as the “be all and end all” for robust cybersecurity.
“It is crucial each organisation pursues cybersecurity uplift which considers their own risk profile and resources.”
Labor’s customer service spokesperson Yasmin Catley said she was “concerned” that the agency’s opt-in approach “will leave local councils with unmanaged cybersecurity risks”.
“Addressing this issue should be a priority for the next Parliament,” she said.
“The auditor-general’s finding that Cyber Security NSW have failed to audit agency self-assessments of their compliance with the NSW Cyber Security Policy is deeply concerning.
“Labor understands with the continued digitisation of government services and now shared data between the state and federal governments, it is critical that cybersecurity is a priority policy and investment area for all governments. We must ensure we maintain the trust of citizens that we can protect their data.”
Throwing public funds at badly designed systems full of middle-men parasites does not protect victims or the vulnerable.
Dominello, by his inactivity and basic backwardness, is one of a long queue of conservative inert, posing, dodging, ducking non-achievers…
Not just funding but lacking any robust regulation a la EU GDPR including penalties for suboptimal data security which any entity’s IT head or CIO, should be on top of, basics of IT or systems management? Begs the question, why so many loopholes and/or incompetence?
Seems like Cybersecurity NSW is as useful as that other triumph, Resilience NSW (or whatever *NSW it was called).
NSW is not alone; the previous Federal Govt had an enviable record with electronic technology. Did I mention the NBN… or the Covid app… or the Digital Return app? Shambles all. I’m hoping the current Federal Govt is better informed about technology – starting with the panic about Chinese surveillance cameras. Can someone please explain how they would secretly send data back to China? If our defence and security services have such poor network security that the cameras can tunnel through to the outside world… WTF? Like many popular conspiracy theories, there’s an air-gap between the glib, ill-informed theories and the actuality of what’s technically possible. My suggestion is to prohibit politicians from having any jurisdiction over things they don’t comprehend. Unfortunately that means they wouldn’t be able to stop the 5G towers from spreading Covid, but you win some, you lose some.