ASD Essential Eight cybersecurity controls not essential: Canberra

The Australian government demonstrates its can't-do attitude to computering yet again. Requiring all agencies to follow the Australian Signals Directorate's 'best advice' is just too hard.
Written by Stilgherrian, Contributor

The Australian Signals Directorate (ASD), through its Australian Cyber Security Centre (ACSC), recommends that all organisations implement its Essential Eight controls for mitigating cyber attacks. The clue is in the name.

But for the Australian government as a whole, not so much.

The whole-of-government response to a long-running parliamentary inquiry, released early this month, merely "notes" the inquiry's recommendation to mandate the Essential Eight controls for all government agencies, but declines to move beyond "strongly recommending" just four of them.

"The Essential Eight represents ASD's best advice on the measures an entity can take to mitigate the threat of a cyber incident and manage their risks. However, the government will consider mandating the Essential Eight when cyber security maturity has increased across entities," the response said.

"The cybersecurity maturity and implementation of the Essential Eight strategies within entities is currently both a compliance and risk management issue for each accountable authority, due to the unique risk environments and operations of each entity."

The decision not to mandate the highly regarded cybersecurity controls is at odds with the response's positioning statements.

"Protecting Australia from cyber threats is one of our greatest national security challenges," the response said.

"The government is committed to ensuring all Commonwealth entities raise their level of cybersecurity and understand the risks they face."

It's also at odds with the positioning of the controls within the government cybersecurity framework.

How the Essential Eight became essential, and then not

The Essential Eight was published in February 2017, and is an extension of the ASD's award-winning Top Four strategies of 2011. Both priority lists for cybersecurity controls were developed following the ASD's analysis of real-world data.

"The ACSC recommends that all organisations implement the Essential Eight as a baseline, and additional mitigation strategies from the 37 Strategies beyond that, based on risk exposure and cybersecurity threats of most concern to their business," the agency wrote in 2017.

By December 2018, the Essential Eight had become a core part of the government's new Information Security Manual (ISM), and in February 2019 the ACSC's Essential Eight Maturity Model mandated full implementation of the controls for total compliance with the ISM.

Meanwhile, a Joint Committee of Public Accounts and Audit (JCPAA) inquiry had been set up in early 2017 to look into a disappointing cybersecurity audit by the Australian National Audit Office (ANAO).

Of three critical government agencies audited, only the Department of Human Services (DHS) was compliant with the Top Four strategies, which are mandated by the Attorney-General's Department's Protective Security Policy Framework (PSPF).

DHS was the only agency that had correctly self-assessed against the Top Four. It was also the only one that was "cyber resilient", or able to "continue providing services while deterring and responding to cyber attacks".

The Department of Immigration and Border Protection (DIBP), now part of the Department of Home Affairs (DHA), and the Australian Taxation Office (ATO), were deemed to be "internally resilient", but not compliant overall.

In October 2017, JCPAA released its report Cybersecurity Compliance Inquiry based on Auditor-General's report 42 (2016-17).

The committee reached the not unreasonable conclusion that essential means essential.

Six of the committee's eight recommendations were agreed to in this month's government response. All were uncontroversial matters to do with reporting arrangements. A seventh recommendation was referred to ANAO because it's an independent agency.

So why was the recommendation to mandate the Essential Eight passed over?

Yes, cybersecurity maturity needs to be "increased across entities", but surely setting targets is good strategic management, even if agencies are given easy timelines to achieve them?

The Essential Eight Maturity Model even gives agencies a three-stage process to follow.

A detailed analysis at public sector site The Mandarin provides some clues.

"Some members of the committee think having stronger compulsory requirements now -- or at least greater urgency about meeting the existing ones -- might encourage cyber maturity to improve faster," The Mandarin reported.

But as JCPAA member Gai Brodtmann noted during a more recent hearing, "obviously, mandatory is not explicit enough for our government agencies".

"Obviously, the government needs to articulate that we need 100 percent compliance, and that, as part of that process, it is mandatory; it's not an optional extra that people have been kicking down the road for the last five years," she said.

Agencies reported that they may not have the resources or expertise, complaining of "stretched budgets" and a "patchwork approach" to government cybersecurity.

DHA has previously blamed the challenges of "consolidating legacy ICT environments".

Reading this analysis, your writer couldn't help but think this isn't exactly a can-do attitude. It's more a can't-do. And that's not good enough.

Like all parliamentary committees, the JCPAA has been dissolved before the forthcoming federal election on May 18, and its inquiry has lapsed.

However, its chair has said in a statement [PDF] that the committee "expects to continue its inquiry into cyber resilience and hold further public hearings over coming months".
