19 March 2021

Commonwealth Government Cybersecurity

You can, of course, trust your government. The ANAO report Cyber Security Strategies of Non-Corporate Commonwealth Entities (No. 32 of 2020–21) comments 

 Malicious cyber activity has been identified as one of the most significant threats affecting government entities, businesses and individuals. Previous ANAO audits have identified low levels of compliance with mandatory cyber security requirements under the Protective Security Policy Framework (PSPF). The Joint Committee of Public Accounts and Audit has expressed its concern about entity implementation of these requirements. 

Policy 10 of the revised PSPF outlines the mandatory requirements for entities to safeguard information from cyber threats. Entities assess their maturity under the PSPF against four maturity levels representing their assessed level of implementation of the requirements: Ad hoc, Developing, Managing and Embedded. The Attorney-General’s Department (AGD), the Australian Signals Directorate (ASD) and the Department of Home Affairs have responsibilities in relation to cyber security policy and operational capability. 

The implementation of cyber security risk mitigation strategies by the selected entities was not fully effective, and did not fully meet the mandatory requirements of PSPF Policy 10. Two of three entities did not accurately self-assess implementation of one of the Top Four mitigation strategies for which they reported full implementation. None of these three entities were cyber resilient. 

The majority of the entities examined that had self-assessed a maturity level of ‘Ad hoc’ or ‘Developing’ have established strategies to progress toward a ‘Managing’ maturity level for PSPF Policy 10. AGD, ASD and Home Affairs could do more to improve support for the implementation of cyber security requirements.

24% of non-corporate Commonwealth entities were compliant with the mandatory Top Four mitigation strategies in ANAO performance audits since 2014. 72% of non-corporate Commonwealth entities reported not fully implementing PSPF Policy 10 in 2018–19.  

ANAO accordingly made 

thirteen recommendations aimed at improving entities' cyber security maturity levels, and the support and assurance provided by the three cyber policy and operational entities. The report also notes that 436 cyber security incidents were reported by Australian Government entities to ASD in 2019–20. 

The report states

Background 

1. The security of government information communications technology (ICT) systems, networks and data supports Australia’s social, economic and national security interests as well as the privacy of its citizens. Malicious cyber activity has been identified as one of the most significant threats affecting Australians. The frequency, scale and sophistication of malicious cyber activity is reported to be increasing, with cyber threats considered to be an increasing risk across Australian Government entities. The management of cyber security risk within the Australian Government public sector is the responsibility of individual entities. 

2. Three Australian Government entities have responsibilities in relation to whole-of-government cyber security policy and operational support. In relation to cyber security: the Attorney-General’s Department (AGD) is responsible for administering the Protective Security Policy Framework (PSPF), which provides the framework for Australian Government entities to achieve four protective security outcomes — governance, information security, personnel security and physical security; the Australian Signals Directorate (ASD) developed the Top Four mitigation strategies mandated by the PSPF and is a technical operational agency that provides material, advice and other assistance to Australian governments, business, communities and individuals on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means; and the Department of Home Affairs (Home Affairs) is responsible for the development and coordination of the Australian Government’s cyber security policy, and coordinating the implementation of Australia’s Cyber Security Strategy 2020. 

3. In February 2017, ASD re-issued its Strategies to Mitigate Cyber Security Incidents, which outlines 37 prioritised mitigation strategies to help protect entities from cyber threats. ASD has recommended that entities implement eight of these mitigation strategies, known as the Essential Eight, as a cyber security baseline. ASD also developed the Essential Eight Maturity Model to provide guidance to entities on how to implement the Essential Eight mitigation strategies and how to self-assess the maturity of their Essential Eight implementation. There are three maturity levels in the current Essential Eight Maturity Model — ‘Maturity Level One’, ‘Maturity Level Two’ and ‘Maturity Level Three’. ASD recommends that entities should aim to reach ‘Maturity Level Three’ for each mitigation strategy as a baseline. 

4. A revised PSPF commenced on 1 October 2018, outlining 16 core requirements that non-corporate Commonwealth entities must apply to achieve the four protective security outcomes. Non-corporate Commonwealth entities are to apply the revised PSPF using a security risk management approach. Policy 10 of the revised PSPF outlines the mandatory requirements for entities to safeguard information from common and emerging cyber threats. Policy 10 mandates the implementation of the Top Four mitigation strategies and that entities consider the implementation of the other mitigation strategies from ASD’s Strategies to Mitigate Cyber Security Incidents that are relevant to their operational and risk environment. While not mandatory under Policy 10, AGD strongly recommends that entities implement the remaining four strategies that comprise the Essential Eight mitigation strategies. 

5. Nine non-corporate Commonwealth entities were included in this audit:

  • Attorney-General’s Department; 

  • Australian Signals Directorate; 

  • Department of Home Affairs; 

  • Department of the Prime Minister and Cabinet (PM&C); 

  • Future Fund Management Agency (Future Fund); 

  • Australian Trade and Investment Commission (Austrade); 

  • Department of Education, Skills and Employment (DESE); 

  • Department of Health (Health); and 

  • IP Australia. 

Rationale for undertaking the audit 

6. Since 2013, the Australian Government has mandated the implementation of the Top Four mitigation strategies by non-corporate Commonwealth entities under the PSPF. The Australian Government has identified malicious cyber activity as one of the most significant threats affecting government entities, businesses and individuals. Previous ANAO audits have identified low levels of compliance with mandatory cyber security requirements under the PSPF. The Joint Committee of Public Accounts and Audit (JCPAA) has expressed its concern about entity implementation of mandatory cyber security requirements. 

7. This audit seeks to address a recommendation made by the JCPAA in Report 467: Cybersecurity Compliance, for the Auditor-General to consider conducting an audit of the effectiveness of the PSPF self-assessment and reporting requirements for cyber security compliance. The audit also follows up on the recommendation made in Auditor-General Report No.53 2017–18 Cyber Resilience, for the responsible cyber policy and operational entities (AGD, ASD and Home Affairs) to work together to improve entities’ compliance with mandatory cyber security requirements under the PSPF. 

Audit objective and criteria 

8. The objective of the audit was to assess the effectiveness of cyber security risk mitigation strategies implemented by selected non-corporate Commonwealth entities to meet mandatory requirements under the PSPF, and the support provided by the responsible cyber policy and operational entities. 

9. To form a conclusion against the audit objective, the ANAO adopted the following two high-level criteria: Have the selected entities fully implemented the Top Four cyber security risk mitigation strategies or otherwise adopted strategies and actions to progress towards full implementation? Have the entities responsible for cyber policy and operational capability worked together to support accurate self-assessment and reporting by non-corporate Commonwealth entities, and to improve those entities’ implementation of cyber security requirements under the PSPF? 

Engagement with the Australian Signals Directorate 

10. Independent timely reporting on the implementation of the cyber policy framework supports public accountability by providing an evidence base for the Parliament to hold the executive government and individual entities to account. Previous ANAO reports on cyber security have drawn to the attention of Parliament and relevant entities the need for change in entity implementation of mandatory cyber security requirements, at both the individual entity and framework levels. 

11. In preparing audit reports to the Parliament on cyber security in government entities, the interests of accountability and transparency must be balanced with the need to manage cyber security risks. The Australian Signals Directorate has advised the ANAO that adversaries use publicly available information about cyber vulnerabilities to more effectively target their malicious activities. 

12. The extent to which this report details the cyber security vulnerabilities of individual entities was a matter of careful consideration during the course of this audit. To assist in appropriately balancing the interests of accountability and potential risk exposure through transparent audit reporting, the ANAO engaged with the ASD to better understand the evolving nature and extent of risk exposure that may arise through the disclosure of technical information in the audit report. This report therefore focuses on matters material to the audit findings against the objective and criteria and contains less detailed technical information than previous audits. Detailed technical information flowing from the audit was provided to the relevant accountable authorities during the audit process to assist them to gain their own assurance that their remediation plans are focussed on improving cyber resilience as required and support reliable reporting through the existing cyber security framework. 

Conclusion 

13. The implementation of cyber security risk mitigation strategies by selected non-corporate Commonwealth entities under this audit was not fully effective. The selected entities have not met all mandatory requirements of PSPF Policy 10 in safeguarding information from cyber threats. While the three cyber policy and operational entities have provided more support to entities to meet the mandatory PSPF Policy 10 requirements following Auditor-General Report No.53 2017–18 Cyber Resilience, additional ongoing work will be required to assist entities in achieving a more mature and resilient cyber security posture. 

14. None of the seven selected entities examined have fully implemented all the mandatory Top Four mitigation strategies. For the three entities that had self-assessed full implementation for one or more of the Top Four mitigation strategies in their 2018–19 PSPF assessment, two had not done so accurately. None of these three entities were cyber resilient. Five of six selected entities that had self-assessed to have not fully implemented any of the Top Four mitigation strategies have established strategies and implemented activities to manage their cyber risks and to progress toward a ‘Managing’ maturity level for PSPF Policy 10. 

15. The cyber policy and operational entities have worked together to provide more guidance following Auditor-General Report No.53 2017–18 Cyber Resilience to support non-corporate Commonwealth entities’ self-assessment of their implementation of cyber security requirements under the PSPF. There is scope to further improve the accuracy of entities’ PSPF Policy 10 assessments and strengthen arrangements to hold entities to account for the implementation of cyber security mandatory requirements. Robust accountability arrangements are particularly important in absence of public accountability through reporting to the Parliament. 

Implementation of cyber security risk mitigation strategies 

16. PM&C and AGD have each not accurately self-assessed their implementation of one of the Top Four mitigation strategies. PM&C has not fully implemented the mitigation strategy for restricting administrative privileges. AGD has not fully implemented the mitigation strategy for patching operating systems. Future Fund has accurately self-assessed the two Top Four mitigation strategies for which it reported full implementation. None of the three entities were assessed as cyber resilient. Under the cyber security framework, PM&C and AGD are categorised as vulnerable to cyber security incidents as they have not fully implemented all the Top Four mitigation strategies and are continuing to strengthen the controls for managing cyber security incidents. Future Fund has not fully implemented all of the Top Four mitigation strategies, but is internally resilient as it has effective controls in place to support its ability to detect and recover from a cyber security incident. 

17. Of the six entities that had reported not fully implementing all the Top Four mitigation strategies, five have established strategies and activities to progress their PSPF Policy 10 maturity level to ‘Managing’. The five entities have also included the implementation of the remaining four strategies that comprise the Essential Eight in their cyber security improvement programs. Three of the six entities had not set a corresponding timeframe to improve their PSPF Policy 10 maturity level to ‘Managing’. There is scope for four of the entities to improve monitoring of the implementation progress of their cyber security program to ensure that the entity is meeting the timeframe to improve its cyber security maturity. 

Support provided by the cyber policy and operational entities 

18. The revised PSPF maturity assessment model has incorporated more guidance to support entities’ self-assessment of their implementation of Policy 10 cyber security requirements. The AGD-developed PSPF Policy 10 guidance cross-references to multiple technical guidance developed by ASD, including guidance on the implementation of the Essential Eight mitigation strategies and the underlying security controls within the Australian Government Information Security Manual. There is scope to further improve the alignment of the maturity models for the PSPF and Essential Eight, and the clarity of the guidance to ensure more accurate PSPF Policy 10 self-assessments. 

19. The cyber policy and operational entities have not developed processes to verify the accuracy of entities’ PSPF Policy 10 self-assessed reporting. ASD has commenced the development of software tools that provide technical reporting to support entities in performing more accurate self-assessments of their Essential Eight implementation. While AGD and ASD have been sharing the results of the PSPF self-assessment reports and the ASD’s ACSC Cyber Security Survey, the sharing of data has not yet resulted in obtaining assurance on the accuracy of the self-assessments and facilitating policy and technical assistance for entities. 

20. With the release of the whole-of-government PSPF assessment reports by AGD and the annual Australian Government’s cyber security posture report by ASD, there has been increased public reporting on non-corporate Commonwealth entities’ implementation and maturity level of the Essential Eight mitigation strategies. However, the status of entities’ cyber security posture is not transparent due to the policy and operational entities’ concerns about increasing security risks following the disclosure of individual entities’ cyber security maturity level. The cyber policy and operational entities have not established processes to improve the accountability of entities’ cyber security posture. The current framework to support responsible Ministers in holding entities accountable within Government is not sufficient to drive improvements in the implementation of mandatory requirements.

ANAO's recommendations are 

Recommendation no.1  The Department of the Prime Minister and Cabinet strengthens its validation of privileged user access, specifically documenting the confirmation of the requirement for access from those that are responsible for approving privileged access. Department of the Prime Minister and Cabinet response: Agreed. 

Recommendation no.2  The Attorney-General’s Department performs and documents risk assessments for any patches not implemented in accordance with the requirements of the Australian Government Information Security Manual and its policies, including defining an action plan for managing the risks associated with not implementing those patches. Attorney-General’s Department response: Agreed. 

Recommendation no.3  The Department of the Prime Minister and Cabinet: improve its risk assessment of security events; and improve testing of security configurations and reviews of user access to ensure that the configurations are operating as intended. Department of the Prime Minister and Cabinet response: Agreed. 

Recommendation no.4  The Attorney-General’s Department improves the processes for documenting risk assessments and monitoring cyber security events, to assure itself that actions taken against cyber security events are performed consistently and appropriately. Attorney-General’s Department response: Agreed. 

Recommendation no.5  The Australian Trade and Investment Commission: sets a timeframe to improve its cyber security maturity to the ‘Managing’ level for PSPF Policy 10; and monitors the progress of the projects within its Cyber Security Work Program against the timeframe set for improving its PSPF Policy 10 maturity level. Australian Trade and Investment Commission response: Agreed. 

Recommendation no.6  The Department of Education, Skills and Employment: sets a timeframe to improve its cyber security maturity to the ‘Managing’ level for PSPF Policy 10; and monitors the progress of its Cyber Security Essential Eight Work Plan against the timeframe set for improving its PSPF Policy 10 maturity level. Department of Education, Skills and Employment response: Agreed. 

Recommendation no.7  The Attorney-General’s Department: develops a strategy and sets a timeframe to improve its cyber security maturity to the ‘Managing’ level for PSPF Policy 10; provides clear reporting to its governance committees to enable oversight on the progress of its work to improve its Essential Eight maturity; and monitors the progress of its work to improve its Essential Eight maturity against the set timeframe and through appropriate governance structures. Attorney-General’s Department response: Agreed. 

Recommendation no.8  The Future Fund Management Agency monitors the progress of its Essential Eight improvement activities against the timeframe set for improving its PSPF Policy 10 maturity level. Future Fund Management Agency response: Agreed. 

Recommendation no.9  The Attorney-General’s Department reviews the existing maturity levels under the PSPF maturity assessment model to determine if the maturity levels are fit-for-purpose and effectively aligned with the Essential Eight Maturity Model, having regard to the Australian Signals Directorate’s proposed update to the Essential Eight Maturity Model. Attorney-General’s Department response: Agreed. 

Recommendation no.10  The Attorney-General’s Department further improves the guidance on PSPF Policy 10 to clarify: the correlation of the maturity levels in the PSPF and Essential Eight maturity models, and their implementation requirements; the scope of the maturity level calculation suggested by the reporting portal and how entities can more accurately determine their selected PSPF maturity level; and the assessment against the requirement to consider the implementation of the remaining 29 mitigation strategies, and the merit of its inclusion in the PSPF Policy 10 maturity level calculation. Attorney-General’s Department response: Agreed. 

Recommendation no.11   The Attorney-General’s Department implements arrangements to obtain an appropriate level of assurance on the accuracy of entities’ PSPF Policy 10 self-assessment results. Attorney-General’s Department response: Agreed in principle. 

Recommendation no.12  As part of its technical advice and assistance to the Attorney-General’s Department, the Australian Signals Directorate draw on its technical tools in addition to its existing capabilities to support the Attorney-General’s Department’s assurance processes on entities’ PSPF Policy 10 self-assessment results. Australian Signals Directorate response: Agreed. 

Recommendation no.13  The Australian Government strengthens arrangements to hold entities to account for the implementation of mandatory cyber security requirements. Attorney-General’s Department response: Noted. Australian Signals Directorate response: Noted. Department of Home Affairs response: Noted.

The institutional enthusiasm is palpable.