For years now, Crikey has kept a lonely vigil over one of the more bemusing administrative scandals of recent times in the Australian Public Service: the failure of departments and major agencies to meet the most basic requirements of cybersecurity put in place back when Labor was last in government in 2013 (you can find a history of the saga here).
When we last checked in March 2021, the auditor-general had busted Prime Minister and Cabinet, and Attorney-General — two departments you’d kinda sorta wanna think might be pretty focused on security — not just for not being compliant with the original “top four” requirements put in place back in 2013, but for claiming they were compliant when they weren’t.
Since then the top four has been expanded to the more alliterative “essential eight” and enshrined in the Protective Security Policy Framework Policy 10, “Safeguarding data from cyber threats”. Throughout that time, progress to meeting either the four or the eight by most departments has been ridiculously slow — and attempts by bureaucrats to explain away their failures when MPs like Labor’s Tim Watts pursued them just ridiculous.
The repeated failure to comply with cybersecurity basics grew so embarrassing, departments began criticising the Australian National Audit Office (ANAO) for drawing attention to the fact that they were vulnerable, and insisted it no longer report departments’ failures individually — a classic case of national security being invoked to spare the blushes of officials.
This week, in its sixth look at the issue, in the context of one of its regular reports on the key financial controls of departments and major government entities, the ANAO has checked in on progress, looking at cybersecurity basics in relation to the preparation of financial statements. The result is a sense of resigned exasperation from the auditors:
Since 2013, the ANAO has conducted a series of performance audits focused on assessing entities’ implementation of the PSPF cybersecurity requirements. These performance audits continue to identify low levels of compliance with mandatory PSPF cybersecurity requirements and concerns in annual self-assessments by entities. The ANAO has reported its concern that there is little evidence through the series of audits that the regulatory framework had driven sufficient improvement in entities mitigating their cybersecurity risks since 2013.
Has 2022 seen a turnaround? Yeah … nah. For the 19 departments and agencies examined, there’s been progress in achieving most of the eight, but off a low base. The most widely complied-with requirement, restricting administrator privileges, hasn’t improved in the last year, and remains at 12 of the 19; barely a quarter of agencies report having complied with some other requirements.
Two agencies actually reported that they went backwards. “Of the 19 entities assessed, two had self-assessed as achieving a Managing maturity level,” ANAO reported.
Its conclusion?
The PSPF cybersecurity requirements have been in place since 2013, with the March 2022 update mandating the implementation of all Essential Eight mitigation strategies. Entities’ inability to meet previous requirements indicates a weakness in implementing and maintaining strong cybersecurity controls over time. Previous ANAO audits of entity compliance with PSPF cybersecurity requirements have not found a significant improvement over time. The work undertaken as part of this review indicates that this pattern continues, with limited improvements.
For a public service increasingly unable to perform the basics of policy administration, it’s a potent symbol of decline.
But just watch if there is a Chinese or Russian hack into one of these departments in the next few weeks. Dutton / Murdoch will be declaring it to be ALL Albo’s fault!
There’s no if: It’s routine 24/7. The Chinese have been a threat ever since they got hold of robodebt technology. The invisible French sub still has them foxed, but. And Dutton’s red herrings have them pulling their hair out. Go the green and gold!
A secret report I found in their bin shows ASIO thinks the Chinese are concentrating on finding this Judice bloke, the one with all the subs. That was reassuring news, until I read further to find that ASIO are looking for him too. The Russians say they already have him, but that’s just Putin talking, they think. The Americans are now worried; to them it sounds Italian – and you know what that means – but they’re more into coffee machines, and they don’t do nuclear, so it’s probably OK. Unless ‘coffee’ is a code word… which could mean that Mr Long Black is also the Black Russian, and maybe the Aussies are thinking of buying Russian subs, ex seafloor off Murmansk? Cheaper’n hot dogs and preloaded with MIRVs and we know that Bolsano guy didn’t buy them all. Holy cow, I need a break.
Bolsonaro.
Not sure why anyone is surprised by this. Each department is their own IT infrastructure, each with a unique mix of technologies and skillsets. Each attempt at implementation has to not only be tailored to the individual needs of each department (some with technology going back decades), but has to compete with the business needs of IT that pays the bills for each IT department. Working systems that meet a critical business function is going to win out against a hypothetical attack any day.
No wonder so much of IT is outsourced. It doesn’t make things any better, but it at least fobs the problem off to a third party.
Yawn. Nothing new here. State and Federal Public Service IT structures are all appalling and excessively costly to the taxpayer. Each Minister has his/her own siloed IT Division. What is needed is a non-aligned IT Department that cuts across all PS Divisions and ensures that a baseline of Hardware, Operating Systems, Software and Security is put in place and managed accordingly. It’s called “Shared Services” in the private sector and works quite well IME.
And while we’re at it, some standards pertaining to the quality of government websites would be appreciated… It’d sure be nice if you weren’t guaranteed to find an absolute dumpster fire anywhere in .gov.au…
I’m flabbergasted.
My gast is way past flabbering………….
Love how BK covers this dry technocratic, policy stuff but also does routine politics with (fair and balanced) snark. Even manages to point out Dutton’s good side!