Victorian agencies unpatched, blind to online threats: Report

Not implementing strategies recommended by national security agencies, failing to have a process in place to inform ministers of attacks, and failing to conduct proper penetration tests are just some of the auditor-general's findings.
Written by Michael Lee, Contributor on

The Victorian auditor-general has released a damning report into the status of information security measures and communication across a range of state-run agencies.

The audit covered 11 public sector agencies, and found that they failed to take proper security precautions in terms of policies, adoption of standards, and protection mechanisms.

"Agencies undertake only limited monitoring of suspicious internal network activity, and they do not have a capability to detect an intrusion into sensitive public sector systems," state Auditor-General John Doyle wrote in his report to parliament.

Certain "whole-of-Victorian-government" (WoVG) agencies are required to implement the Australian Signals Directorate's (ASD) Top 4 strategies — those likely to block more than 85 percent of all attacks — but the report found actual circumstances to be vastly different.

"We found that all four strategies were poorly implemented within both the inner and outer WoVG agencies examined," the report said.

Although all agencies examined indicated that they had conducted some form of penetration testing on their IT systems, the audit found that some of the tests were too narrowly scoped to identify any significant issues, and in some instances where issues were identified, they were not being remediated.

Another important issue identified in the audit was a lack of centralised reporting or security response coordination.

The report stated that while the federal government relies on central agencies to learn about the status of threats and how its systems are handling attacks, Victoria has no such central reporting body or coordinating system.

Instead, individual agencies report their issues separately to the ASD, effectively bypassing the state Department of Premier and Cabinet, or any other central body that could coordinate the dissemination of information.

The lack of a central coordinating body also creates problems in distributing information back down the chain from the ASD and partner agencies.

"If there was an external cyber attack or a cyber alert issued by an Australian government national security agency, there would be no coordinated understanding of the threat or its impact across the state's public sector ICT systems, because central agencies do not conduct follow-up actions after a cyber alert is disseminated."

Furthermore, no arrangements have been made to brief state ministers if a major IT attack results in a disruption to state services.

Shadow Minister for Technology Adem Somyurek slammed the incumbent government's handling of the situation, saying that Victorian Premier Denis Napthine and Technology Minister Gordon Rich-Phillips had "failed to take the threat of cybersecurity seriously".

Somyurek pointed out that Rich-Phillips had only announced the development of the state's cybersecurity strategy last week, ahead of the auditor-general tabling his report, and claimed that Napthine had been "spooked into action" by the results of the audit.

"The Napthine government should act immediately to implement the auditor-general's recommendations to ensure there is a whole-of-government approach to coordinating cyberthreats," Somyurek said in a statement.
