Committee hits roadblock in probing Commonwealth cybersecurity performance

It's a complex accountability tree, but there's no central mechanism allowing a transparent view of where each Commonwealth entity is at with cybersecurity.

In an attempt to find the direct lines of accountability within Australian government entities where cybersecurity is concerned, the Joint Committee of Public Accounts and Audit (JCPAA) on Thursday was sent running in circles like a dog chasing its tail.

Australian government entities are required to comply with the Australian Signals Directorate's (ASD) Top Four mitigation strategies for cybersecurity compliance, despite there being an Essential Eight.

Commonwealth entities are responsible for their own assessments against the Top Four, and as the JCPAA previously requested -- a request that was agreed to by the government -- entities are required to report on their performance and compliance annually. 

This annual assessment is provided to the Attorney-General's Department (AGD) and the Department of Home Affairs, through the ASD, and that data is then aggregated and anonymised before being thrown together as an overall performance report.

But as Shadow Assistant Minister for Cyber Security Tim Watts has pointed out at length before, there is no mechanism that allows the individual performance of Commonwealth entities to be probed.

"The issue with having publicly available detail on cybersecurity vulnerabilities is that it itself creates a vulnerability and the purpose of the cybersecurity posture report is to provide that at a non-detailed entity level," Sarah Chidgey from the AGD said in response.

When asked how individual Commonwealth entities are accountable to the Australian Parliament for their compliance with mandatory cybersecurity measures contained within the Protective Security Policy Framework (PSPF), Chidgey said it was a matter for Parliament as to what mechanisms they would choose to use.

"At present, is there no way that the Parliament can hold individual Commonwealth entities accountable for seven years of failing to comply with mandatory ASD cybersecurity requirements?" Watts asked, receiving no further answers from those providing testimony to the JPCAA.

Although there is no mechanism to probe accountability, Chidgey said the AGD was fairly confident in the level of cybersecurity maturity within Commonwealth entities, conceding however that there were opportunities to improve.

The reporting mechanism within the PSPF has also changed, so Chidgey said it was hard to compare previous reports with the new model for 2018-19. The first report, she said, would "provide a more comprehensive nuanced view of cybersecurity posture and a lot more information for us to consider".

Despite this, the Top Four has been mandatory for seven years. The committee argued this should now result in high-level compliance across all entities.

The plan was to up the requirements from the Top Four to include some more of the Essential Eight when maturity levels increased. Chidgey was asked when this was going to happen, as that promise was made back in 2017.

"We always continue to consider it … we require agencies to report across all Essential Eight," she said. "We just have not mandated all eight just yet … it remains under consideration."

"We are looking where we can expand what is mandatory, but at this time we feel it is most focused and prioritised to have the policy reflect mandatory requirements of the Top Four and not to do that for the Essential Eight and beyond that just yet," Chidgey added.

Australian National Audit Office (ANAO) Auditor-General Grant Hehir had a different take. He attributed the poor performance within Commonwealth entities when it came to cybersecurity to culture.

"Broadly, what we identify is around the prioritisation and culture developed from the leadership of organisations," he said on Thursday.

"Where you see within organisations the strong focus on developing cyber resilience and a willingness to privilege investment in that area, invest in the infrastructure needed to provide greater cyber resilience happens, if its lower down the priority list of an entity, it doesn't happen.

"It's not much more complicated than that."

The committee was then pointed to the Australian Cyber Security Centre's (ACSC) Cyber Uplift Program, with ACSC head Abagail Bradshaw saying it "informed a heightened awareness of the Essential Eight". She also said it gave participants a better cyber posture and that she's experienced much better logging and patching practices, as well as a better culture of approaching the ACSC for advice, following forum attendance.

Watts said of the 25 entities that participated in the Cyber Uplift Program, none were assessed to have met the recommended cyber maturity level at the conclusion.

The conversation centred early on who is responsible for cybersecurity within government. Bradshaw gave her interpretation, as did Hehir, but Hamish Hansford from Home Affairs asked if he could clarify the record with his succinct explanation.

"Attorney-General's is responsible for the PSPF. Home Affairs is responsible for Australia's cyber policy coordination and setting the strategic direction of the government's cyber effort. Obviously, Home Affairs has a range of operational agencies under its portfolio. Defence, which includes the Australian Signals Directorate, is the lead on our operational cybersecurity arrangements, and within ASD, obviously, and we've got members from the Australian Cyber Security Centre here. For completeness, Foreign Affairs leads our Australian whole-of-government international engagement effort to protect and advance our security policy in trade, and it has an interest in cyberspace as well. Our industry, science and technology portfolio is responsible for cybersecurity industry development, cybersecurity research and development, and cybersecurity advice for Australia's small to medium enterprises. Obviously, connectivity is there with operational advice from the Australian Signals Directorate and the Australian Cyber Security Centre. DTA, the Digital Transformation Agency, has a strong role in coordinating all things digital within the Australian government and have a particular focus at the moment. From a Home Affairs perspective, we're working with them on the cybersecurity and digital agenda. Under that, we've also got state and territory responsibilities. In terms of the Minister for Communications, Cyber Safety and the Arts, they have responsibility for online safety as distinct from cybersecurity."  

As each entity is responsible for the security of their own systems, Chidgey said this means agency and department heads are given the onus to make decisions on implementation and are accountable for reporting on them, as well as compliance.

Patrick Fair Associates provides an Australian Cyber Security Infrastructure Chart for a more structured view of cybersecurity within the Commonwealth.

No agency has complete oversight of the cybersecurity of Commonwealth entities. But the AGD does meet occasionally with entities, when they have an issue.

"We engage always one-on-one as that entity is affected," Chidgey said.

"Then there are the CIO forums where the nature of the technical vulnerabilities are discussed on a regular basis; there is a government security committee which is chaired by AGD which the nature of threats and vulnerabilities are discussed broadly across a range of agencies. Of course, advice on threat levels is given to various secretary meetings and there are information technology security advisor meetings which also occur on a regular basis."

There's also a handful of different forums where department heads meet, but no one-on-one discussions are had with secretaries of each entity.

"We do quite a lot of work to uplift cybersecurity posture," Chidgey said.

There's also the delayed 2020 Cyber Security Strategy, but that won't outline how Commonwealth entities can focus on their own cybersecurity, rather it will set an overarching goal of how to protect the nation from cyber threats. 

The committee also heard there was a cybersecurity cultural survey that asks specific questions in relation to how often the board discusses cybersecurity posture and receive threat briefings. Updating the ISM on a monthly basis is also aimed at improving culture, ASD said. 

The committee also discussed how Dan Tehan, when he was Australia's Minister Assisting the Prime Minister on Cyber Security, had considered writing a letter to portfolio heads to up their cybersecurity game, but there was no further action taken.  

Chidgey added that the AGD has done a number of things to improve cybersecurity culture, such as highlighting the importance of having a CISO and hosting bi-annually forums, as well as sending out a newsletter. Hansford said there was also a number of components within the 2016 Cyber Security Strategy that helped boost the focus on cybersecurity within Commonwealth entities. He also said working in the field day to day there has been an uplift in awareness.

The buzzwords are all there, as are "forums" for department heads to chat about security, and there's also the cryptic policy documents and an Essential Eight list of security guidelines that aren't essential. But there's no mechanism for accountability or overarching capability to ensure each government entity has their cyber ducks in line.

RELATED COVERAGE