Australia's Minister Assisting the Prime Minister on Cyber Security Dan Tehan said on Wednesday that a centralised approach to cybersecurity is dangerous, and it is preferable for departments to take care of themselves instead.
"My view is we want each individual department and agency to take responsibility themselves, and the best way we can do that is just remind them of the need for them to take this issue incredibly seriously," Tehan said at the launch of the Weakest Links: Cyber governance and the threat to mid-sized enterprises report developed by Australian National University and Macquarie Telecom.
"What we want to develop is a culture with all departments and agencies within government that they have the mechanisms in place to make sure they are as cyber-secure as they possibly can be, and if there are capability shortfalls, that they reach out to see how they can get them addressed by other agencies who can help in this regard."
The minister said departments and agencies needed to understand their requirements, but also their limitations that could be addressed by other parts of government.
According to the 22 government agencies sampled for the report, no agency said it reviews its cybersecurity risk management monthly or weekly, with only 50 percent of executive teams provided with threat reports monthly or more regularly. The report said 15 percent of agencies had no person responsible for cybersecurity, and 41 percent of agency respondents regarded their executive teams as having poor or limited knowledge of information security risks.
Despite these results, Tehan dismissed the idea of any edict from government to force agencies to up their security game.
"I think if we go over the top ... sort of a centralised approach, I think that presents dangers," he said. "I don't think mandating is the way to go, I think making sure we remind them of their responsibilities.
"As a former public servant, I think reminding public servants or agencies of their responsibilities often does tend to make the gears and the wheels turn pretty quickly."
The federal government alone could not protect Australia's infrastructure from online attacks, Tehan said.
"When it comes to Australia's critical infrastructure, the states have as key a role to play, if not more of a key role to play," the minister said.
"Making sure we protect our critical infrastructure and making sure we understand states, local government in some instances, and federal government has a role is also crucial."
Tehan said he hoped the experience of the Australian Bureau of Statistics (ABS) during Census night would be the wake-up call the government agencies need.
The minister also said there were recommendations concerning the ABS before Cabinet.
Amongst the findings of the report, only 21 percent of the 36 medium-sized businesses sampled said they would report a breach, even if legally compelled to do so.
"This is probably compounded by the fact that there is a low level of awareness of the government agencies who are available to assist them," Aidan Tudehope, managing director of Macquarie Government, said. "The report makes clear that, for a crucial part of the government and business community, cybersecurity is not treated as a core management business.
"The weak management practices in these medium-sized organisations represent the weakest link in our national cybersecurity defence, and there is a real risk they will become an unwitting 'honey pot' for all manner of malicious online actors."
For the third time in recent years, the Australian Parliament is in the process of passing mandatory data breach notification laws.
Notification laws would only apply to companies covered by the Privacy Act, and would exempt intelligence agencies, small businesses with turnover of less than AU$3 million, and political parties from needing to disclose breaches. E-health providers are still subject to the mandatory data breach notification scheme under the My Health Records Act.
Those covered by the laws will need to notify the Australian Information Commissioner and affected individuals if there are reasonable grounds to believe that a serious data breach has occurred. If it is not certain that a breach has occurred, the affected entity has 30 days to investigate whether notification is needed.
Penalties for non-compliance with the laws would see the Information Commissioner able to initiate investigations, make determinations, seek enforceable undertakings, and pursue civil penalties for serious or repeated interferences with privacy.
Tehan said on Wednesday he hopes the laws are passed sooner rather than later. The minister assisting the prime minister on cyber security took the additional responsibility in July.
The country is currently without data breach notification laws, despite the Joint Parliamentary Committee on Intelligence and Security recommending in February 2015 that Australia have breach notification laws in place before the end of 2015, prior to the implementation phase of the mandatory data-retention laws.