Australian Department of Human Services CIO Gary Sterrenberg has said that the agency is moving towards reducing the threat of attack on its systems, following an Australian National Audit Office (ANAO) report that called for the agency to improve its security.
In June, the ANAO released a report that assessed the department, along with several other Commonwealth government agencies, against the top four security strategies made mandatory by the Australian government last year. It found that the agencies were insufficiently protected against external attacks.
The report recommended that agencies ensure they use application whitelisting, so that only approved programs and software libraries can be executed, as well as strengthening access controls and improving software patching for applications and operating systems.
Speaking in a parliamentary Estimates hearing late last week, Sterrenberg said that the department has made good progress on acting on the recommendations, but it would still be some time before all are completed.
"There are three key dates that we have provided: The whitelisting is the end of 2014, if my memory serves me correctly; the access is 2015; and the patching is 2016," Sterrenberg said.
"I would contextualise the dates by the fact that we have patched 2.5 million devices this year alone. It is a large fleet, and, as you pointed out, the level of global attack against cyber has required us to do continuous patching. Of course, we do have our regular patching routines of our patching Microsoft every 30 days, and, obviously, patching our Unix and our Solaris servers every three months. Of course, where there are incidents like the Bash incident, or the most recent one, called Poodle, we have to do emergency patching to make sure that we all are secure."
Sterrenberg said that the department had not incurred any reduction in staffing as part of cost-saving measures by the department.
The agency will also be moving toward overhauling its, now unfortunately named, system known as ISIS. The department flagged in the 2013-14 Budget that it was developing a first-pass business case for AU$16.2 million to look at replacing or upgrading the Income Security Integrated System (ISIS), which is used to send out welfare and family support payments, letters, income assessments, and other notifications for 100 programs.
A contract to maintain the system was signed during the last term of the Howard government, locking the agency into ISIS for 10 years, and now, with the contracts expiring in 2014, the system is up for overhaul or replacement. The government has indicated that a decision on whether to fund this overhaul would be considered after the Budget, which, five months later, has yet to pass through the parliament.
The department has signed contract extensions for the next three years to potentially cover the shift over to the new platform, and department Secretary Kathryn Campbell said it would likely take more than three years to move away from ISIS.
"Often, some of the changes might take longer than anyone would expect, because of the way the code is written and the need to change the hard coding to test those systems and to have them released as part of a well-organised and structured release," she said.
One of the issues is that ISIS is separated out into different states, with one for New South Wales, one for Queensland, and one each for every other state. Campbell said that Human Services has an underlying software platform to bring it together, but the complexity of the system makes it difficult for the agency to build new applications or make changes to existing programs.
Campbell said that while the department is working with the government to the timeline it has outlined for overhauling the system, it would likely take longer than expected.
"We have a very complex system with all these payments, and there is a citizen, a costumer [sic], who may access a number of payments and they have to go off to different databases. If the system was more simple and the citizen only was accessing one or two payments, it would be better to build a new system, where the integrity of the data was assured rather than going through a variety of routes to get to that data, to have direct links to a more simple system," she said.
A change in one place can have consequences in unexpected areas, Campbell said.
"Sometimes, we will make a change in one place, and, because the code has links elsewhere which may have been developed 20 or 30 years ago, which may not be well documented, it has inadvertent consequences," she said.
"One example a couple of years ago is that we made some changes to make disaster-recovery payments. We made those payments, and it inadvertently stopped someone getting their family tax benefit the next week. That was because there had been some sort of link, which we had not been aware of and it had not been documented.
"We do not have many other people using Model 204 in the world. It is sort of patched together. It takes longer, as I said, than ministers and governments would expect for us to make changes in those systems."
Sterrenberg said that the Department of Human Services would follow the Commonwealth Bank's lead in looking at putting together technology building blocks in replacing ISIS.
"If the government should proceed with this, clearly one of the major issues that will need to be confronted is the sequence of how the technology building blocks will need to be put together. It is not something you can do just randomly. The choices of that sequence will, in a large way, drive the outcomes that we get," he said.
"Another issue is around data. We store enormous amounts of data in the system. But probably the most challenging one is going to be the transition — to carefully think through the transition steps to make sure that we are able to continue to provide services to the Australian public. We have to make sure that the timelines of implementation of each of the pieces of the new system are aligned with the various payment cycles, and there are various other technical things that we have to do."