The Joint Committee of Public Accounts and Audit on Thursday heard that Geoscience Australia had an executable file found on its system back in 2017 that had been sitting there for "some months".
The file was found by the Australian Signals Directorate (ASD) at the time, with Geoscience Australia CEO Dr James Johnson saying it was the only instance he was aware of that constituted a cyber incident.
"We have had executable files found within our system -- on one occasion I am aware of -- whereby it was found and it had been resident within our system for some months," he said. "It hadn't actually developed into a major problem and it was identified for us by the ASD and we acted accordingly to rectify that."
While Johnson could not give an exact timeline, he said it was in "approximately 2017", and conceded there was a lag between when it was placed and when it was identified.
"Where we have identified something on our network that we are unsure about, we engage with the [Australian Cyber Security Centre] fairly quickly and also with our service provider for ICT services," added Trent Rawlings, who in addition to being Geoscience Australia's chief operating officer is also in charge of cybersecurity.
"We're certainly increasing the maturity in that area of our monitoring and response capability, but certainly there has been nothing to date that has caused significant impact to our organisation that we're aware of."
In a report on cyber resilience from the Australian National Audit Office (ANAO) that was published a year after the executable file was found, Geoscience Australia was labelled as lacking where the Australian government's Top 4 mitigation strategies were concerned.
In early 2017, the Top 4 was expanded to the Essential Eight.
Following the ANAO probe, Geoscience Australia agreed to up its security posture, with Johnson telling the committee on Thursday that his agency would be compliant with the Top 4 come June 30, 2019.
"We agreed with the ANAO findings and have implemented a security improvement program to address those findings and to meet our compliance obligations, and improve overall governance and management of cybersecurity," he said.
"We are well more cyber resilient than at the time of the audit last year."
The security program, Johnson explained, will implement the Top 4 cyber mitigation strategies on essential systems -- user workstations, email systems, and authentication systems -- as priorities, and "enhance governance and support arrangements to ensure their effective operation".
Johnson admitted that cybersecurity was not previously a priority for the government agency.
"As an organisation that openly shares the majority of its information, Geoscience Australia has historically placed a higher priority on supporting scientific endeavours than cybersecurity. This was based on the presumption that a cyber threat seriously impacting on the organisation was low," he said.
"The importance of and reliance on ICT systems has increased rapidly and has changed the risk profile of the organisation, we are therefore changing our practices."
While Geoscience Australia makes almost all of the information it holds publicly available, there is still the potential for the personal information of staff to be breached, for the IP of other scientific organisations it engages with to be targeted, or for Geoscience Australia itself to be used as a conduit into other government entities that have a higher level of security classification.
In addition to Geoscience Australia being compliant with the Top 4 in the coming months, Johnson told the committee it has also implemented a handful of tangible measures, such as reducing the number of staff with administrator access, trialling and procuring a whitelisting solution, and implementing an awareness raising campaign within the organisation.
The ANAO probed two other Commonwealth entities in addition to Geoscience Australia in its June 2018 report: Treasury and the National Archives of Australia. It found Treasury was compliant and National Archives, like Geoscience Australia, was lacking.
At the time, ANAO said it had found only four government entities compliant with the Top 4 requirement when it was made mandatory in April 2013, from the 14 organisations it had examined.