National Archives of Australia concerned with capability to become cyber resilient

While the government entity is implementing a cyber resilience framework, its director-general has reservations around its capability to ensure full compliance.

The National Archives of Australia recently came under scrutiny from the Australian National Audit Office (ANAO) for lacking on the security front where the federal government's Top 4 mitigation strategies were concerned.

But while National Archives is currently working its way through the implementation of a cyber resilience framework, director-general David Fricker has concerns about the Commonwealth entity's capacity to achieve full compliance and measure such compliance accordingly.

"I am satisfied with the level of advice that we receive in terms of what is required to achieve that compliance, but I am concerned about our capability to achieve compliance and also our own qualification within the organisation to self-assess that we have achieved compliance," Fricker told the Joint Committee of Public Accounts and Audit on Thursday.

While he conceded that simply implementing the Essential Eight -- which is a government-mandated extension of the Top 4 -- should eliminate most of the risks his agency would face, Fricker is also cognisant of the need to not allow complacency.

"There is still a concern that, if we read too literally that advice, we tend to miss some major technical vulnerabilities and then we continue blissfully thinking we are compliant, but we're not," he explained.

"I think the advice we received is good; however, I do think the bigger point remains that with self-assessment and reliance on individual agencies, each with an uneven capability and an uneven technical knowledge, we're not going to achieve a consistent resilience across the Commonwealth.

"There are always going to be agencies among us which represent the weaker link in the chain ... my concern is that this will continue to be a 'best efforts' response. I never believe that we're 100 percent compliant, because I think complacency breeds neglect."

Fricker said National Archives does not have a system of certifying someone from within the organisation to properly assess cyber risks; rather, it has "computer professionals" who are "quite capable of running and administering networks".

He said, however, that they don't necessarily have specialist knowledge of cybersecurity.

This was apparent when National Archives headed down the whitelisting path.

"We do self-assess within the Archives, but we made an error in the interpretation of the guidelines around whitelisting, and as a result of that we overlooked an area on our network that should have had whitelisting implemented," Fricker said.

"During the audit, this was acknowledged as a bit of ambiguity in the wording of the advice, but a more qualified individual within our organisation would have picked up that ambiguity and responded to it with a much deeper understanding of the risk and the nature of the risk."

In response to the ANAO probe, National Archives has implemented a cybersecurity resilience framework, which agency assistant director-general information technology and CIO Yaso Arumugam said includes a three-year road map to help it gain a "proper cyber-resilience posture" that covers the Essential Eight.

She said National Archives has also made progress since the audit began to get to at least top-four compliance over the next couple of months.

When asked by the committee if budget matters were impeding National Archives' timeliness in implementing such measures, Fricker simply replied with "Yes".

RELATED COVERAGE

Geoscience Australia to be Top 4 compliant after discovery of unknown rogue file

Following a poor audit result and the discovery of a rogue file, the government entity will be compliant with the now superseded Top 4 mitigation strategies for cybersecurity come June 30, 2019.

ASD reveals rules for keeping vulnerabilities secret

When Australia's signals intelligence agency finds a cybersecurity vulnerability, it discloses it -- except in a few cases where it might help fulfil a "critical intelligence requirement".

5 ways to enforce company security (TechRepublic)

There are several actions companies can take to improve overall employee awareness about security. View the top five below.