The Australian Department of Parliamentary Services (DPS) has self-assessed that everything is mostly fine with its infrastructure, following a leaked report that everything was not.
Last month, the ABC reported that an internal audit written by KPMG had given many elements of DPS the lowest cyber maturity rating possible.
At Senate Estimates on Monday morning, DPS secretary Rob Stefanik said the leaked report was a draft prepared after the advisory giant had completed its "preliminary field work".
"It wasn't until a process of validation and verification that a lot of the information presented in that draft was simply found to be incorrect and the final report that they had produced, which had an implementation plan in it, in July 2019, did not have the statements in it that the original draft did."
Stefanik said that instead of receiving the "ad hoc" rating -- the lowest possible rating on a scale that ranges from ad hoc to developing, to managing, to embedded as the highest rating -- the department bagged a "managing" rating in 85 of 88 criteria, with the remaining three being scored as "developing".
Labor Senator Kimberley Kitching asked to what extent the department was able to self-assess its cyber maturity.
"It's entirely self-assessment," Stefanik replied.
Senate President Scott Ryan said the final report would not be released, and senators could take their concerns to the private Senate Standing Committee on Appropriations, Staffing, and Security.
"It is not appropriate to release that report because it contains information that could be used to weaken our cybersecurity," he said.
"We have more lengthy discussions on these matters in a non-public forum to which all senators are entitled to attend and, having consulted officials, both in the Department of the Senate and in DPS, it is the view that that committee, which has a specific mandate regarding information technology in its terms of reference, is the appropriate place to discuss matters that should not be drawn to public attention or exposed to public."
In earlier remarks, Ryan said public sector networks were targeted across a four-day period in October.
"During this period, the investment that DPS made in cybersecurity has paid dividends," Ryan said.
"Our cybersecurity operation centre was able to leverage information from partners to be well prepared in advance of the campaign, and protective controls in place, blocked many attempts to inject malware into the environment."
The attackers also went after parliamentary staff on their personal email addresses in an attempt to gain access to the parliamentary network.
"I'm pleased to report that there was a high degree of co-operation by users during this period, combined with the maturing cybersecurity defences that have been put in place. They both ensured that the parliamentary environment was protected from this attack," the Senate President said.
"This is one example of many cases on a daily basis where parliament is targeted by malicious actors."
The parliamentary network and Australia's political parties were not successfully defended during an attack in February 2019.
For eight days, the attacker described as a state actor was able to remain on the network.
"While I do not propose to discuss operational security matters in detail, I can state that a small number of users visited a legitimate external website that had been compromised," Ryan said at the time.
"This caused malware to be injected into the Parliamentary Computing Network."
The incident highlighted the awful password practices present with Australia's parliament.
It took eight days to flush February's cyber attackers from Australia's parliamentary network. A procedure to authenticate staff asking to reset their boss' passwords only came another week later.
Ransomware infection impacted police car laptops for the Georgia State Patrol, Georgia Capitol Police, and the Georgia Motor Carrier Compliance Division.
The department admitted it has work to do on fighting external threats.
Department of Parliamentary Services says there is no evidence to suggest data has been taken or accessed, or that the incident is part of a plan to influence electoral processes.
Hackers have expanded their exploitation of the outbreak fears with hundreds of scams and operations.