Australian Taxation Office happy to go it alone with cybersecurity

Despite the Australian Signals Directorate last week stating that those not seeking its help with security aren't taking the matter seriously, the Australian Taxation Office has backed its in-house approach.
Written by Asha Barbaschow, Contributor

The Australian Taxation Office (ATO) on Friday told a Senate committee it has a dedicated team that handles cybersecurity-related concerns, in particular around pen-testing and protecting against vulnerabilities, and as a result, it doesn't need to always seek the assistance of the likes of the Australian Signals Directorate (ASD).

While the ASD is a government entity responsible for foreign intelligence collection and information security, the ATO's CIO Ramez Katf and CDO John Dardo backed its own approach, saying its team handles cybersecurity across its organisation.

"[It is] a group that is separate from developers to make sure they provide that assurance to me across all of our systems," Katf told the committee looking into the digital delivery of government services.

Pointing to the ATO's Cyber Security Operations Centre (CSOC) that was commissioned in August 2016 to provide the organisation with an enhanced security monitoring capability, the pair said the CSOC has the specific remit of "tracking, monitoring, and being vigilant to any of that".

In an attempt to "architect for resilience", the ATO has changed the way its front-end applications talk to its legacy systems, and has adopted cloud technologies "as much as possible and where appropriate" to provide some of that infrastructure.

"You'd understand how difficult that transition is and in fusing that into that," Katf said to the committee.

"We've already migrated three of our major application channels into a cloud environment. The ato.gov.au new website for example is hosted in a cloud environment and has had 100 percent availability ever since then."

The 2016-17 financial year was a tumultuous one for the ATO where IT infrastructure was concerned, having suffered a handful of outages during the period from "one-of-a-kind" SAN outages to mainframe reboots.

The department responded with promises of "smooth operating" IT, as well as the assurance of a more "connected and bulletproof" system than ever before.

It's also come under the microscope for spending AU$333m on employment outsourcing during the period.

In discussing the outages with the Finance and Public Administration References Committee on Friday, Katf and Dardo said they have, however, been in dialogue with the ASD folk recently for "a range of reasons".

The ATO is not alone. Australian government organisations have tended to operate in a somewhat devolved manner when it comes to cybersecurity, which is the result of the way business within government has previously run.

Such a system leaves agencies and departments to fend for themselves, for the most part, calling in the likes of the ASD when it gets too heavy for their internal expertise.

Facing the same committee last week was ASD Director-General Mike Burgess, who said departmental chiefs do ask the ASD to conduct pen-testing to determine what level of security is present.

"There is a possibility that those who aren't taking this seriously don't ask for our help," he conceded.

"That would be a risky strategy for any chief executive because things get found out other ways ... there are many criminals out there who are attempting to break into systems, including government systems, all the time and most of those do become public and are found out."

Burgess put department bosses on notice for not seeking help where it is needed, confirming his agency is in the business of intelligence collection. He also confirmed it does have intelligence systems that draw its attention to systems in Australia that are having security problems.

"We do go knocking on doors sometimes ... those who were not seeking help, we would, through other means, find out there are problems, and then we help," he said.

"There is good advice coming from my agency, but what is missing is, are senior executives know the value of their data and understand who has access to it, where it is, how it's being protected from a data security point of view.

"It's not just a privacy or confidentiality of information that's the problem, it's also the availability of systems that could be impacted."
