This morning, the Joint Committee on Public Accounts and Audit held hearings for its Cyber Resilience Inquiry.
It was important and more interesting than it sounds.
The evidence we heard highlights serious and on-going issues with Commonwealth entities’ compliance with mandatory cyber security measures and the lack of accountability and transparency that enables it.
Believe it or not, there have been five ANAO reports on Cyber Resilience in Commonwealth agencies in the last six years and three JCPAA inquiries?
It’s a problem and there’s not much evidence that it’s getting better.
As the ANAO noted in the opening paragraphs of its fifth Cyber Resilience report and that the committee considered today:
Just over one in four entities audited by the ANAO have implemented the MANDATORY cyber security measures developed by the ASD known as the Top Four – six years after they became mandatory.
This mirror’s the findings of the Cyber Security Posture report which found that implementation of the ASD’s Top Four cyber security measures ‘remains at low levels across the Australian Government’ – more than six years after they became mandatory.
Part of the problem here is transparency and accountability.
On the transparency front, Commonwealth entities have individual responsibility for their own cyber security.
So Labor Senators asked every Cth entity about their compliance with the ASD’s top 4 in Senate Estimates.
We got a blanket refusal to answer..
The first part of the non-answer we got back from Commonwealth entities was:
But despite the Commonwealth Cyber Security Posture Report being prepared in response to a previous JCPAA report to provide ‘increased transparency in cyber security reporting’ to Parliament, all of its data is ‘anonymised and provided in aggregate’. 🙈🙉🙊
There is no public reporting of Commonwealth agencies’ compliance with mandatory ASD cyber security requirements.
The second part of the standard government response to questions asked by Labor Senators to every commonwealth entity about their compliance with the ASD’s Top Four was:
But…. one Commonwealth entity didn’t hide under this blanket response and actually provided an answer.
The ANAO answered each of these questions in full.
Clearly it doesn’t believe that responding to questions about Top Four compliance increases its cyber security risk in an unacceptable way.
Indeed, transparency could increase cyber security by creating incentives for improved performance through public accountability ie the name and shame approach.
On top of these transparency problems, there’s an accountability problem too.
Namely, Commonwealth entities get to mark their own homework.
Unsurprisingly, when agencies mark they own homework, they give themselves higher grades than when someone else (eg the ANAO) marks them.
Indeed, about 60% of agencies give themselves the Top 4 compliance tick, while the ANAO has only found 29% of the agencies it’s audited compliant.
AGD has told us through Senate Estimates that it doesn’t believe this is a problem because these processes were ‘not directly comparable. The methodology used by the ANAO differs from the self-assessments agencies are requires to complete under the PSPF.’
This is a fudge.
The ANAO was unable to think of a substantive difference between its methodology for assessing top for compliance and agencies’ self-assessment processes.
The ANAO recommended a series of changes to this self-assessment process two years ago, but while there have been tweaks to the guidance to agencies about how to do these assessments, there hasn’t been much progress on spot checks of compliance.
And the ANAO’s recommendations on transparency?
Well we’ve covered the government’s approach to that already.
Helpfully, the ANAO has said that it will be looking again at the self-assessment process in its current cyber resilience audits.
What’s the upshot?
The current approach to cyber resilience in Cth entities isn’t working and hasn’t been working for a long time.
At a time when the threats to our National Cyber Resilience have probably never been greater, this is a problem.