Tabling JCPAA Report 467: Cybersecurity Compliance
The release of the report into Cyber Security Compliance by the Joint Committee of Public Accounts and Audit is welcomed by Labor.
It highlights the continuing negligence of the Turnbull Government when it comes to ensuring our departments and agencies are safe from cyber-attack.
Since the creation of the cyber security portfolio in 2016, Labor has been consistently calling on the government to take this issue seriously.
So far, the only thing the Turnbull Government has done to fix this mess is send a letter.
A letter to each head of department, asking them to please take cyber security: “Very seriously”.
This is pathetic, and it’s a serious concern for our national security.
When it was revealed in 2014 that not one of the seven departments investigated by the Australian National Audit Office were compliant with their cyber security requirements, action should have been taken.
Instead, here we are at the end of 2017 and all we can say definitively is that only one of those seven departments have met their security requirements.
The rest are all still at risk of serious cyber-attacks and data breaches.
This is simply unacceptable.
This issue has been ignored far too long by the Turnbull Government and action needs to be taken.
Deadlines need to be set and consequences need to be enforced for those who continue to ignore this threat.
As we speak, large government departments such as the Australian Taxation Office and the Department of Immigration and Border Protection are still not compliant with their cyber security responsibilities.
We are talking about the systems and networks which collect and store personal information on every Australian citizen.
That manage this country’s most important public services.
That protect this country’s borders and run our national security operations.
The recommendations provided in this report are loud and clear –
Compliance with cyber security standards is not optional.
As holders of detailed and sensitive information, all government departments mustmaintain a strong cyber security posture.
There is no excuse for any department or agency to ignore mandated security requirements.
And there is certainly no excuse for the Turnbull Government to continue to ignore this problem.
It will not be tolerated.
This blasé approach to cyber security must change.
This report reveals a long history of prolonged negligence and a lack of concern for the significant threat cyber-attack poses.
In October 2014, a public hearing was held to examine the disastrous findings earlier that year by the ANAO that not one of the departments they investigated were cyber resilient.
Three of the seven audited entities —
The Australian Taxation Office,
The Department of Human Services,
And the then Australian Customs and Border Protection Service —
Appeared before the hearing to explain their plans and timetables to achieve compliance.
They each gave assurances to the Committee that compliance with the Top Four mitigation strategies would be achieved during 2016.
The follow up report published in March this year revealed that despite those assurances in 2016, only the Department of Human Services had met their mandated requirements and could be deemed ‘cyber resilient’.
Both the Australian Taxation Office and the Department of Immigration and Border Protection failed to meet the requirements and achieve their own deadline for compliance.
They failed to meet it in 2014, and they failed again in 2016.
So far, the only consequences that have come from this repeated failure is a letter by the Minister Assisting the Prime Minister asking that they take cyber security ‘very seriously’, almost a year ago.
This is simply unacceptable.
The fact that only one out of the three of the largest Australian government agencies are meeting their mandated cyber security requirements is absolutely shocking.
This is a huge risk to our national security and it needs to be treated as such.
Why is the government so blasé about this?
At a time when significant data breaches and cyber-attacks are an almost daily occurrence, the revelation that our own government agencies are failing to meet basic standards should come as a wakeup call.
It should be ringing alarm bells for the government.
Through its electronic lodgement systems, the Australian Taxation Office collects over $440 billion in gross tax revenue annually.
The Department of Immigration and Border Protection electronically processes around seven million visas annually, and inspects and examines around two million air and sea cargo imports and exports every year.
The collection and storage of this and other personally identifiable information can be used to identify, contact, locate, or impersonate an individual.
It includes information such as birth dates, bank account details, driver’s licence numbers, tax file numbers and biometric data.
By failing to be cyber resilient, these departments are putting this data at great risk, with potentially significant consequences for Australian citizens.
Each of the ten recommendations in today’s report will ensure the cyber resilience of government departments and agencies are brought up to speed.
These recommendations offer significant improvements including:
- Introducing tangible deadlines for compliance
- Updating the Top 4 strategies to the newer and comprehensive Essential Eight cyber security strategies
- Annual audits reviewing departmental compliance with these requirements
- Mandating that all agencies complete and return the annual ASD cyber security survey
- And mandating the Internet Gateway Reduction Program to reduce the number of attack vectors into government systems.
On this last point, the Internet Gateway Reduction Program was started in 2009.
It was meant to reduce the patchwork of over one hundred and twenty different internet gateway services being used across government, down to a manageable and auditable eight.
The program was designed to reduce the attack surface into government systems.
Eight years on and this policy is still being side-stepped by many smaller agencies who are choosing to ignore the program.
And what has the Turnbull Government done to address this issue?
Similarly, the Australian Signals Directorate sends out an annual cyber security survey to the heads of all major government agencies to assess their cyber risks.
These surveys are rarely completed and sent back to the ASD, which has a significant impact on the ASD’s ability to accurately assess the risk within these departments. As the report says:
The results of the ASD survey are reported to a secretaries’ cyber security board, coordinated by PM&C – the Prime Minister’s own department.
The results of the surveys provide a list of high-risk entities, for which ASD can then focus its resources on assisting.
However – the ASD has no capacity to compel agencies to complete the survey. For this year’s survey, as at 23 June, fewer than 40 percent of agencies had completed the survey. In 2016, fewer than 30 percent completed the non-mandatory survey.
There is a pattern of negligence here.
Of ignoring cyber security.
The recommendations in this report seek to directly address these issues.
They are proactive steps we must take to fixing this tick-box compliance culture.
A culture that ignores responsibility and gets away with it.
The Turnbull Government must sit up and take notice of this report.
They must adopt the recommendations in it and they must do so quickly.
The recommendations it makes are urgently required to ensure our nation and our nation’s data are safe and secure.
We cannot afford to continue turning a blind eye to cyber security, especially in our own government departments and agencies.
We must be the standard from which others in the community measure themselves.
Cyber security is everyone’s responsibility and none more so than the government and heads of government departments.
It is not acceptable for Australian government departments to just ignore their security requirements.
‘All too hard; can’t be bothered,’ even though these are mandated requirements.
This government needs to start taking cyber security seriously.
I implore the Turnbull Government to accept all the recommendations in this report.
I implore the Turnbull Government to accept all the recommendations in this report today.