Almost Four in Ten Government Entities Fail to Implement Basic Cyber Security Measures — Six Years After They Became Mandatory!

19 November 2019

The Mandarin

The latest Protective Security Policy Framework (PSPF) compliance report confirms that the Morrison government has fallen asleep at the wheel when it comes to cyber security with almost 40% of government entities still not implementing basic cyber security measures.

The report was released last week, but the third-term Morrison government is hoping you didn’t notice.

The compliance report includes a scorecard of how agencies are implementing the Australian Signals Directorate’s ‘Top Four’ mitigation strategies — the most fundamental cyber security measures that government entities can implement.

The Top Four are simple steps departments can take to protect government-held data and systems. The Top Four are:

· Using application whitelisting to help prevent malicious software and unapproved programs from running;

· Patching applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office;

· Patching operating system vulnerabilities; and

· Restricting administrative privileges to operating systems and applications based on user duties.

The ASD has repeatedly highlighted the importance of the Top Four strategies, saying:

“While no single strategy can prevent malicious activity, the effectiveness of implementing the Top 4 Strategies remains very high. At least 85% of intrusion techniques that ASD responds to involve adversaries using unsophisticated techniques that would have been mitigated by implementing the Top 4 mitigation strategies as a package.”

These strategies have been mandatory since April 2013, but last week’s report confirms that after three terms of Coalition government, nearly four in ten Australian government entities have failed to implement these basic cyber security measures (61.7% compliance with the Top Four).

Even worse, the compliance rate has barely moved since 2016–17, confirming that progress on cyber resilience across government entities has slowed over the last three years.

The 2016 Cyber Security Strategy set the goal of government being an exemplar when it comes to cyber security. In this context, sixty percent compliance after six years simply isn’t good enough.

On top of this, the Auditor General has raised concerns about the accuracy of the self-assessment and reporting on cyber security in the PSPF compliance report.

Five years of independent Australian National Audit Office audits of government departments found that 29% were compliant with the Top 4. In comparison, when government entities were asked to assess their own compliance with the Top 4 through the PSPF, the compliance rate mysteriously doubled to 60%. This disparity between the results of independent, external audits and internal self-assessments raises serious questions about the robustness of the self-assessment process.

The Auditor General told the Joint Committee of Public Accounts and Audit earlier this year that a stronger form of oversight was required to push agencies towards 100% compliance with the Top 4.

But where will this stronger form of oversight come from?

Cyber security has been leaderless in the third-term Morrison government since the Prime Minister abolished dedicated ministerial responsibility for the field.

To complicate things further, tracking progress toward compliance with the Top 4 is likely to be harder from next year as the existing PSPF compliance approach is replaced with a ‘maturity model’ or risk-based approach.

The move toward a risk-based approach for the PSPF was recommended by the 2015 Belcher ‘red tape’ review. Cutting red tape is a noble pursuit, but we need to ensure that the transparency and effectiveness of security in government aren’t compromised. As it stands, the move to the new framework looks more like moving the goal posts than lifting government cyber resilience.

Minister Dutton has been quick to question the private sector’s ability to defend vital systems from the highest end threats. But the government must make sure its own house is in order before it can credibly lecture others about their own levels of cyber resilience.