Federal government agencies that were subject to adverse findings in a national audit of agency ICT security have cited resource constraints, competing operational priorities, and lack of access to specialist ICT skills as the key impediments to implementing recommended strategies to guard against cyber attacks. The findings come only weeks after an independent review blamed the Department of Immigration and Border Protection (DIBP) for a data security breach that has caused the Government significant reputational damage.
The Australian National Audit Office (ANAO) last month released a report, entitled ‘Cyber Attacks: Securing Agencies’ ICT Systems’, which assessed the degree to which seven agencies have followed the Government’s directive to implement the top four of 35 ICT security strategies outlined by the Australian Signals Directorate (ASD).
The ANAO selected the Australian Bureau of Statistics (ABS), the Australian Customs and Border Protection Service (Customs), the Australian Financial Security Authority (AFSA), the Australian Taxation Office (ATO), the Department of Foreign Affairs and Trade (DFAT), the Department of Human Services (DHS), and IP Australia for the audit.
Together, these agencies manage sensitive economic, policy, national security and personal information, alongside information related to program and service delivery.
“Between January and December 2012, there were over 1,790 security incidents against Australian government agencies. Of these, 685 [almost 40%] were considered serious enough to warrant a Cyber Security Operations Centre (CSOC) response,” the ANAO report said.
Although the agencies were given a target date of July 2014 for the full implementation of these four strategies, Auditor-General Ian McPhee found that they will not reach full compliance, claiming that agencies have not been sufficiently responsive to the “ever-present and ever-changing risks” that government systems are exposed to.
“The selected agencies’ overall ICT security posture was assessed as providing a reasonable level of protection from breaches and disclosures of information from internal sources, with vulnerabilities remaining against attacks from external sources to agency ICT systems,” the report stated.
The top four mitigation strategies mandated by the Federal government in January 2013 are:
- Application whitelisting in order to protect against unauthorised and malicious programs executing on a computer;
- Patching applications and devices;
- Deploying critical security patching to operating systems to mitigate extreme risk vulnerabilities; and
- Restricting administrative privileges to ensure fewer users can make changes to their operating environment.
According to the ASD, compliance with these four strategies is expected to prevent at least 85% of targeted cyber intrusions to agency ICT systems.
While the report found that all seven agencies are “internally secure”, it found they remain vulnerable to external attacks and disclosures of information.
With the deadline for implementing the strategies fast approaching, the ANAO found that the audited agencies had employed an ad hoc approach to patching applications and security systems, and made little effort to monitor the actions of privileged users in agency systems in order to ward off external risks.
“Those risks can range from threats to national security through to the disclosure of sensitive personal information. Unauthorised access through electronic means, also known as cyber intrusions, can result from the actions of outside individuals or organisations,” the report states.
Although the agencies agreed to implement the audit’s recommendations, they cited resource constraints, competing operational priorities, and lack of access to specialist ICT skills as the biggest impediments to carrying out the strategies.
Immigration flunks the security test
Preventing the disclosure of sensitive personal information to external sources has proven to be high on the government’s agenda following the DIBP’s leak, which saw 10,000 asylum seekers’ personal details made readily available online in February this year.
The leak, which is also being investigated by the Privacy Commissioner, was subject to an external review by KPMG. Its report, released in June, placed the blame for the problem squarely on the Department, after the asylum seekers’ personal information was accessed 123 times across 16 countries, including China, Egypt, Malaysia, Pakistan and Russia.
The report revealed that the document containing the asylum seeker information was approved for publication by an Assistant Secretary at DIBP, with the document’s authors and those responsible for approval being “generally unaware that the IT security risk which led to this incident could occur and were therefore not mindful of checking for indicators of this risk.”
This finding was reiterated in the ANAO audit, which emphasised the need for agencies to “promote security awareness and accountability within the agency, recognising that security is a shared responsibility.”
The KPMG review recommended a number of measures to avoid a repeat of the DIBP incident. Among these recommendations are:
- The development of an IT security training program for all those handling private or sensitive data;
- Holding online publishing workshops with all those involved in the creation of material that may be published online;
- The development of a process to normalise and cleanse data being extracted for analysis in a secure environment; and
- Updating online publishing quality assurance checklists.
The ANAO and KPMG reports are particularly timely, given the acknowledgement from the Federal government that ICT security is a priority in the digital age.