TIM WATTS MP
SHADOW ASSISTANT MINISTER FOR COMMUNICATIONS
SHADOW ASSISTANT MINISTER FOR CYBER SECURITY
MEMBER FOR GELLIBRAND
MORRISON GOVERNMENT STILL DODGING ACCOUNTABILITY ON CYBER SECURITY
Evidence heard by the Public Accounts and Audit Committee in its Cyber Resilience hearing today confirmed that after six years the Morrison Government is still failing to ensure Commonwealth entities implement mandatory cyber security measures.
The Committee also heard that the Morrison Government is refusing to be transparent about these compliance failures to the Parliament on security grounds, even when the Australian National Audit Office (ANAO) has been willing to publicly disclose this information about itself. In fact, the ANAO is the only government entity to do so.
Indeed, when asked about the Government invoking security grounds when refusing to publicly reveal non-compliant agencies, the Auditor-General said that assessed entities “never reported a level of detail which we believed would put, particularly, any entity at risk”.
Today’s hearings confirm again that the cyber security of Commonwealth entities is poor, and that no-one seems to be held accountable for it. In fact, these entities are still being asked to mark their own homework with little external oversight. Unsurprisingly, they are vastly over-estimating their ability. Two years after the ANAO recommended reform to this self-assessment process, little progress has been made.
It feels like Groundhog Day.
When asked if the frequency of cyber audits was reflective of the ANAO’s level of concern, the Auditor-General said: “We wouldn’t be auditing as much as we do if we had seen a progressive improvement through time”.
But we already knew this. The ANAO’s five audits in six years of 16 different government agencies have consistently shown poor compliance with mandatory cyber security protocols. Despite the Australian Signals Directorate’s ‘Top Four’ mitigations being mandatory since April 2013, late last year we learnt that nearly four in ten Australian government entities had still failed to implement these basic cyber security measures (61.7% compliance) six years later.
It’s unsurprising that the Morrison Government has consistently dodged accountability on cyber security. It has refused to answer questions in Senate Estimates, and thwarted transparency by providing anonymised data in its Commonwealth Cyber Security Posture in 2019 report.
Only last week, a recent Defence Department review of mobilisation and national military preparedness, which recognised Australia’s unpreparedness for cyber war, was disclosed under Freedom of Information law.
The warnings are clear. So is our vulnerability. To improve our national cyber resilience, the Morrison Government must stop dodging accountability and provide leadership.
TUESDAY, 19 MAY 2020
MEDIA CONTACT: MARTIN MCKENZIE-MURRAY 0423 850 035
Authorised by Paul Erickson, ALP, Canberra.