
Commonwealth cybersecurity compliance to be probed by parliamentary committee

A joint committee has announced an inquiry into the cybersecurity compliance of Australian government departments.

The Joint Committee of Public Accounts and Audit (JCPAA) has launched an inquiry into the cybersecurity compliance of Australian government departments as part of its examination of Auditor-General reports.

Committee Chair, Senator Dean Smith, said that, as Parliament's joint public administration committee, the JCPAA has an important role in holding Commonwealth agencies to account.

"Cybersecurity is integral to protect government systems and secure the continued delivery of government business," Smith said in a statement on Friday.

"Government entities are required to implement mitigation strategies to reduce the risk of cyber intrusions. The committee is continuing its oversight of entities' compliance with the mandated strategies with the launch of this inquiry."

The committee's inquiry is based on the 2016-17 Auditor-General Report No. 42, Cybersecurity Follow-up Audit, in which the Australian National Audit Office (ANAO) last month rated the Department of Human Services (DHS) at its highest designated "cyber resilient" level, but found the Australian Taxation Office (ATO) and Department of Immigration and Border Protection (DIBP) lacking on the information security front.

While capable of handling internal threats, the ATO and DIBP had "insufficient protection" against external threats, the ANAO said.

The assessment followed the ANAO's 2014 report, which found that none of the seven Commonwealth agencies it examined met the top four security strategies made mandatory by the Australian government in 2013: application whitelisting, patching applications, patching operating systems, and minimising administrative privileges.

The ANAO found that overall, only DHS was assessed as having effectively implemented application whitelisting, and while DIBP had an application whitelisting strategy, the ANAO found the department had deviated from it. The ATO only developed an application whitelisting strategy during the course of the audit, ANAO said.

Similarly, DHS was the only entity that effectively implemented applications and operating systems patching.

The audit found that all three entities had improved their cyber resilience -- to various degrees -- since the 2014 audit, but the ANAO said both the ATO and DIBP were under the belief that they were doing better than they were.

DHS had security controls in place to provide protection from external attacks, internal breaches, and unauthorised information disclosures; while the ATO and DIBP had security controls that provided a reasonable level of protection from breaches and unauthorised disclosures of information from internal sources. However, there was insufficient protection against cyber attacks from external sources, the ANAO noted.

As a result of its probe, the ANAO made two recommendations to the government entities: that the three periodically assess their cybersecurity activities to provide assurance that they are accurately aligned with the outcomes of the Top Four mitigation strategies and with their own security objectives; and that they be able to report on them accurately.

One of the duties of the JCPAA is to examine all reports of the Auditor-General that are tabled in each House of the Parliament, and report to both Houses of the Parliament. It should do so with any comment it thinks fit on any items or matters in those reports or any circumstances connected with them that it believes should be drawn to the attention of the Parliament, the committee explained.

Submissions to the inquiry close on April 27, 2017.