Commonwealth Cyber Security Posture Report: Morrison Government Sticks Accountability Where the Sun Don’t Shine

14 April 2020

Today’s “Commonwealth Cyber Security Posture in 2019” report is an indictment of seven years of failure by the Abbott-Turnbull-Morrison government to ensure the cyber-resilience of Commonwealth agencies and its continuing efforts to avoid public scrutiny.

Despite the Australian Signals Directorate’s ‘Top Four’ mitigations being mandatory since April 2013, late last year we learnt that nearly four in ten Australian government entities had still failed to implement these basic cyber security measures (61.7% compliance) six years later.

Today’s report offers little comfort that the Morrison government is addressing this important national vulnerability, stating that implementation of the ASD’s Essential Eight ‘improved slightly’ in Commonwealth agencies this year but ‘still requires further improvement to meet the rapidly evolving cyber security threat environment’.

Extraordinarily, of the 25 Commonwealth entities that were prioritised for improvement as part of the Morrison government’s ‘Cyber Uplift’, none were assessed by the ACSC to have achieved their recommended cyber security maturity level. As a result, the report concluded that ‘these entities are vulnerable to current cyber threats targeting the Australian government’.

Most damningly of all, more than six years after the government made them mandatory, the report found that implementation of the ASD’s Top Four cyber security measures ‘remains at low levels across the Australian Government’.

Despite this ongoing failure of security governance, this report provides no transparency or accountability for these failures.

In 2019, the Auditor-General warned the Joint Committee of Public Accounts and Audit that a stronger form of oversight was required to push agencies towards 100% compliance with the Top 4.

Today’s report supposedly implements the Morrison government’s commitment to provide the Parliament with ‘increased transparency in cyber security reporting’.

Despite this, all data provided in the report is ‘anonymised and provided in aggregate’.

Following on from the Morrison government’s blanket refusal to answer questions about Commonwealth agencies’ cyber resilience through the Senate Estimates process, the scope for public accountability of this government’s cyber security posture is extremely limited.

The Australian public has no way to hold the Ministers overseeing Commonwealth agencies who have failed to implement these basic cyber security measures accountable.

Thankfully, the independent Australian National Audit Office is continuing its ongoing series of Performance Audits of individual entities’ cyber resilience, highlighting the importance of ensuring the cyber resilience of Commonwealth entities.

Labor will continue to work to hold the Morrison government accountable for these failures through the ongoing Joint Public Accounts and Audit Inquiry into the Cyber Resilience of Commonwealth Government Agencies.