Two key departments have refused to implement even the most basic cybersecurity requirements and wrongly claimed to have done so, a new report from the auditor-general shows — elevating what has been a long-running public service debacle into open defiance by bureaucrats.
As Crikey has reported for years now, few government departments or agencies have ever complied with the four basic Australian Signals Directorate (ASD) cybersecurity requirements mandated for government in 2013.
Nearly eight years later, what are called the “Top Four” basic requirements remained widely unimplemented across departments and agencies. In 2017, they were rolled into a longer list, and it was decided to stop referring to “compliance” with the requirements — given there was no apparent need for that word — and to refer instead to “maturity”.
The Australian National Audit Office (ANAO) has issued five reports detailing the failure of agencies to comply over the years — on top of reports by Parliament’s Joint Committee for Public Accounts and Audit, where Labor’s Tim Watts has been pursuing the issue.
But Friday’s ANAO report takes the bureaucrats’ non-compliance to a new level. It examined not merely levels of compliance, but checked the agencies that claimed they had complied, and looked at how the government internally monitored compliance.
Problems began early on when the ANAO found that Christian Porter’s Attorney-General’s Department (AGD) had mistakenly given itself a higher level of assessment of compliance, forcing it to downgrade itself. AGD then claimed to have fully implemented two of the Top Four but when the ANAO checked, it found it was only fully compliant with one.
Prime Minister and Cabinet (PM&C), as befits the lead public service department, claims to be fully compliant. The ANAO checked and found it had only got three out of four. “Weaknesses in PM&C’s validation processes increases the risk that a cyber intrusion could result in an adversary acquiring privileged access to its systems and subsequently change and bypass other security measures to compromise the system.”
Over at the Future Fund, which claims to be compliant with just two of the four, ANAO found that its assessment was correct. Of the three agencies, the Future Fund was the only one that ANAO didn’t think was “vulnerable” overall.
Meanwhile the government lectures business and the community about the need for cybersecurity measures and theatrically claims “Australia is under attack” as part of its array of media management tools.
Of the other departments and agencies examined, most had a strategy for becoming compliant — years late — but half of them didn’t have a timeframe for doing so, which in public service terms means it won’t happen.
The ANAO examined how the government was internally trying to improve compliance — driven by ASD, Home Affairs and, hilariously, AGD itself. Finally there was some good news — since its last report, the three agencies had lifted their game in terms of pushing departments to comply, though the shift to a “maturity” model has made implementation requirements less clear.
Worse, the lead agencies didn’t have any system for checking whether departments’ claims about compliance were true or not — understandably given AGD itself wrongly claimed to be compliant.
In classic Canberra style, AGD said it didn’t have the capacity to check if departments were telling the truth, while ASD, which does have the capacity, said it wasn’t its job to check.
The ANAO also pointed out that lack of transparency is part of the problem.
The status of entities’ cyber security posture is not transparent due to the policy and operational entities’ concerns about increasing security risks following the disclosure of individual entities’ cyber security maturity level. The cyber policy and operational entities have not established processes to improve the accountability of entities’ cyber security posture. The current framework to support responsible ministers in holding entities accountable within government is not sufficient to drive improvements in the implementation of mandatory requirements.
National security is being invoked to hide the widespread failure of government agencies to do the most basic cybersecurity requirements.
This is a failure that has occurred over the life of the Coalition government. It has never been a priority for ministers. But cybersecurity is an issue that should be front of mind for public service leaders, especially given the government’s overblown rhetoric on the subject.
As head of the public service, and of one of the offending departments, PM&C’s Phil Gaetjens has failed to provide leadership on a critical national security issue. Instead, senior bureaucrats have openly defied mandated requirements and dragged their heels — continue to drag their heels — on taking basic measures, meaning that our most important departments remain, in the words of the auditor-general, “vulnerable”. Including one of the agencies that is supposed to be making sure other departments comply.
How very Canberra.