Federal agencies miss mandatory infosec deadline: ANAO


At least seven major federal agencies and departments will miss a mandatory security compliance deadline to bolster defences against cyber attacks that is due to come into effect on 1st July 2014, according to a new report from the Australian National Audit Office.

As the tempo of attempted criminal and foreign government incursions into Australian government systems increases, the ANAO has cautioned that compliance with essential security measures set down by cyber watchdogs at the Attorney General’s Department and the Australian Signals Directorate (formerly the Defence Signals Directorate) in 2013 is still wanting, although progress is being made.

The findings relate to a crucial amendment that was issued to agencies in April 2013 under the Protective Security Policy Framework (PSPF), which is the government’s main security guidebook and is administered by the Attorney General’s Department.

The amendment mandated the immediate implementation of what are known as the ‘top four’ mitigation strategies to protect government computer systems from attack, as defined by ASD, with a compliance deadline of July 2014. [see the ‘top four’ strategies at the end of this story]

But after doing an audit sweep of selected departments, the ANAO found “the selected agencies had not yet achieved full compliance with the top four mitigation strategies mandated by the Australian Government in 2013; a requirement reflecting heightened government expectations in response to the risk of cyber attack.”

“Further, none of the selected agencies are expected to achieve full compliance by the Government’s target date of mid–2014, notwithstanding their advice regarding further initiatives which, when implemented, would strengthen ICT security controls and protection against cyber attacks.”

Those put under the microscope include technology-reliant giants the Australian Taxation Office and the Department of Human Services as well as the highly sensitive (and recently split) Department of Foreign Affairs and Trade and the Australian Customs and Border Protection Service.

Others scrutinized were the Australian Bureau of Statistics, Australian Financial Security Authority and IP Australia.

Such is the sensitivity surrounding potential government information technology security weaknesses that the ANAO broke with its longstanding tradition of specifically calling out the shortcomings of individual agencies.

“In this audit, the ANAO departed from its usual practice of identifying agencies on individual issues due to the risk of disclosing sensitive information about agency ICT systems,” the Audit report said, adding that “security weaknesses are only addressed at an aggregate level.”

However, the Audit Office was far more forthcoming on the growing cost of cyber attacks and the price of keeping them in check.

“It is estimated that in 2012, 5.4 million Australians fell victim to [cyber-related] crimes, with an estimated cost to the economy of $1.65 billion,” the ANAO said, adding that “national cyber security expenditure was approximately $480 million in 2011–12, representing approximately 13.9 per cent of Australian Government Homeland and Border security expenditure.”

Citing Australian Signals Directorate (ASD) estimates, the ANAO report said that between January and December 2012 “there were over 1790 security incidents against Australian Government agencies.”

“Of these, 685 were considered serious enough to warrant a Cyber Security Operations Centre response.”

The current Top Four IT security mitigation strategies:

•    Application Whitelisting: designed to protect against unauthorised and malicious programs executing on a computer. This strategy aims to ensure that only specifically selected programs can be executed;

•    Patching Applications: applying patches to applications and devices to ensure the security of systems;

•    Patching Operating Systems: deploying critical security patching to operating systems to mitigate extreme risk vulnerabilities; and

•    Minimising Administrative Privileges: restricting administrative privileges provides an environment that is more stable, predictable, and easier to administer and support as fewer users can make changes to their operating environment.

Source: ANAO, Attorney General’s Department, ASD.
