ATO and Immigration beaten by pilloried Human Services in cyber audit

If there is an upside to the Centrelink debacle, it is that at least the IT systems are not run by the Tax Office or Department of Immigration and Border Protection.
Written by Chris Duckett, Contributor

The Australian National Audit Office (ANAO) has declared the Department of Human Services (DHS) as reaching its highest designated "cyber resilient" level, while the Australian Taxation Office (ATO) and Department of Immigration and Border Protection (DIBP) have found themselves still lacking on the information security front.

While capable of handling internal threats, the ATO and DIBP had "insufficient protection" against external threats, the ANAO said.

ANAO announced its assessment in a follow-up report to its 2014 report that found all of the seven Commonwealth agencies it examined did not meet the top four security strategies made mandatory by the Australian government in 2013.

Each of the three agencies examined in the 2017 follow-up had previously said they would be compliant by 2016.

According to ANAO, the "cyber resilient" label means an agency is able to "continue providing services while deterring and responding to cyber attacks", as well as lowering the chances of a successful attack on its systems.

Although all three agencies had improved their computer security, the ANAO said both the ATO and DIBP were under the belief that they were doing better than they were.

"The Australian Taxation Office's and the Department of Immigration and Border Protection's self-assessments both reported compliance against three of the Top Four mitigation strategies," the report said.

"The ANAO assessed that the Australian Taxation Office and the Department of Immigration and Border Protection complied with only two and one of the Top Four mandatory strategies respectively."

Only DHS was found to have implemented application whitelisting correctly, with the other two failing to have it implemented effectively on servers, and in the case of DIBP, failing on the desktop front as well.

"This contravenes the Information Security Manual and the entities' own ICT security policies," ANAO said.

Similarly, DHS was the only agency that patched correctly.

"While all entities had automatic patching processes for the Windows environment, entities with a UNIX/Linux environment were yet to automate and streamline patching processes, despite tools being available to do this," the report stated.

"In the ATO, the number of UNIX/Linux servers tripled in a year. The ATO had not anticipated this change and had not developed a process for deploying security patches across their servers. The increased number of servers complicated the deployment of security patches."

Often agencies had chosen to keep servers online rather than take them down for updating, the ANAO said, and pointed to the example of DHS being able to maintain services while deploying security updates.

In the area of privileged user access management, all agencies had room to improve monitoring, the report said.

During its audit, ANAO reported finding many outdated installations of common exploit vectors such as Microsoft Office, Adobe Flash, Adobe Reader, and Java on desktops.

In response to the report, the ATO said it would reach "cyber resilience" in 2017.

"The ATO is committed to meeting community expectations for data security and privacy protection and to providing improved services," the tax office said.

However, yesterday Fairfax publications reported the ATO had handed personal details of its own staff over to a private company in order to determine which way they would vote on industrial agreements.

Fairfax reported the ATO believes its actions are legal, but unions said they would report the ATO's actions to the Australian Privacy Commissioner.

For its part, the DIBP said its systems had become more complex since its inception in 2015, and was only two years into an IT investment program.

"In comparing DIBP with the agencies, subjected to this audit is important to recognise the relevant position of each agency on the ICT investment curve," DIBP said. "This in turn has a direct implication and relationship to the maturity of their respective cybersecurity initiatives."

The ANAO, though, seemed to disregard the excuses of DIBP.

"Since the first audit in 2014, all three entities have undergone strategic business changes, such as machinery of government changes or upgrading and transforming core ICT systems that support government service delivery," it said.

"These changes are common in the public sector landscape and entities must maintain business continuity, including ensuring the integrity and availability of their systems, data and information."

Despite the tick from ANAO, DHS has been labelled as an agency in crisis by the Community and Public Sector Union (CPSU) following a reduction in funding and the deployment of an automated debt-recovery system.

"This new approach which removes or reduces human oversight of suspected overpayments and reduces employees' roles at a range of elements of the system has been an absolute disaster for many Centrelink users, but also for the workers charged with implementing a system they know to be deeply flawed and unfair," CPSU National Secretary Nadine Flood said last week.

"If we want to look at where robodebt has come from, it is a fairly obvious consequence of a department that no longer has the resources to provide effective services."

Last year, the ATO announced it would extend its voice biometrics authentication service to its mobile app, and fell victim to what it claimed was an unprecedented storage crash on its Hewlett Packard Enterprise equipment.

The ATO's storage-induced woes continued into the early months of 2017 with services going down again in February.

In 2015, Immigration revamped its information management practices after it had sent personal details of G20 world leaders to Asian Cup organisers.

A year prior, the Office of the Australian Information Commissioner found DIBP was in violation of the Privacy Act by unlawfully disclosing personal information when it published the details of approximately 9,250 asylum seekers in 2014.

The source of the privacy breach was determined to be the copying and pasting of a chart from Microsoft Excel into Microsoft Word by a DIBP staff member, which resulted in the underlying data used to render the chart being embedded in the Word document.
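A pre-publication check for exactly this failure mode, added here as an illustration and not part of the article or any agency's tooling: a .docx is a zip package, and a chart pasted from Excel normally brings its source workbook along under word/embeddings/, so listing that folder reveals data the visible chart does not. The sample document is constructed in memory with placeholder content, and the embedded file name is an assumption.

```python
import io
import zipfile

# Paths inside an OOXML .docx package where a pasted chart's pieces end up.
EMBEDDING_PREFIX = "word/embeddings/"
CHART_PREFIX = "word/charts/"


def find_embedded_data(docx_bytes):
    """Return (embedded_files, chart_parts) found inside a .docx package.

    When an Excel chart is pasted into Word, the chart XML lands under
    word/charts/ and, by default, the full source workbook is stored under
    word/embeddings/ so the chart stays editable. That workbook is the
    hidden data a reviewer must look for before a document is published.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = z.namelist()
    embedded = sorted(n for n in names if n.startswith(EMBEDDING_PREFIX))
    charts = sorted(n for n in names
                    if n.startswith(CHART_PREFIX) and n.endswith(".xml"))
    return embedded, charts


def build_sample_docx(with_workbook=True):
    """Construct a minimal fake .docx in memory (placeholder parts, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/charts/chart1.xml", "<c:chartSpace/>")
        if with_workbook:
            # Assumed name for the pasted chart's source workbook (constructed).
            z.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx",
                       b"PK-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("pasted chart", build_sample_docx(True)),
                       ("chart pasted as picture", build_sample_docx(False))):
        embedded, charts = find_embedded_data(doc)
        print(f"{label}: {len(charts)} chart part(s), "
              f"{len(embedded)} embedded workbook(s)")
        for name in embedded:
            print("  release-blocking: source data still embedded at", name)
```

Pasting the chart as a picture, or removing the embedding before release, leaves the chart part but no workbook, which is the state the check should require.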
