Australian Government Fails Cybersecurity Targets
On June 19 this year Australian Prime Minister, Scott Morrison, alerted the nation to the fact they were undergoing cyber attack.
"Australian organisations are currently being targeted by a sophisticated state-based cyber actor, including all levels of government and political organisations," stated Morrison, adding that "this is ongoing activity. It hasn't just started. We have been dealing with security threats from state-based actors for some time."
Despite the PMs warning to the nation's 25 million citizens, official records reveal that in recent years numerous Australian government departments and entities have been found wanting in their cybersecurity due diligence, even when directives were issued by, among others, the Attorney-General’s Department (AGD).
The Australian Government's cybersecurity program began in 2010, when the Australian Signals Directorate (ASD) developed a list of 35 strategies aimed at helping Australian Government departments and entities achieve a level of control over their systems and reduce the risk of cyber intrusions.
In 2013, that list was narrowed down to the "top four cyber mitigation strategies" (application whitelisting, patching applications, patching operating systems, minimising administrative privileges), which were chosen as mandatory for all government departments and entities. The ASD believed that, if implemented, these four would prevent at least 85% of targeted cyber intrusions.
However, a 2013-2014 audit report by the Australian National Audit Office (ANAO) found that government entities were slow to implement these strategies.
"Three of the seven agencies did not deploy any security patches ... Of further concern is that these agencies did not conduct a risk assessment of the release notes of security patches as issued by the application vendors," stated the report. "For another group of three agencies, security patching was conducted on an ad hoc basis ... Patches were applied inconsistently ... (and) only one agency consistently deployed security patches for the sampled applications."
While it could be argued that the Top Four had not long been in place before the 2013-2014 audit, cybersecurity measures still hadn't improved by the time of the 2015-2016 ANAO audit, and of the four entities chosen, two didn't achieve compliance (one of them being the Australian Federal Police): "These entities had security controls in place to provide a level of protection from breaches and unauthorised disclosures of information from internal sources ... (but) insufficient protection against cyber attacks from external sources."
In 2016-2017, the ANAO audit noted that only one of three entities was compliant with the Top Four and the other two (Australian Taxation Office and Department of Immigration and Border Protection) "need to improve their governance arrangements and prioritise cybersecurity."
During the same period, the AGD's Protective Security Policy Framework (PSPF) noted that less than two thirds (60.2%) of non-corporate Commonwealth entities reported compliance with the Top Four, now three years since their implementation.
Despite the lack of compliance, the ASD added four non-mandatory strategies to the (mandatory) Top Four in 2017, to form the Essential Eight.
"The essential eight mitigation strategies have been developed to protect data, applications and users by keeping adversaries from inserting malware into (a) network," stated the ASD. "These mitigation strategies can help avoid malware infections and their associated costs."
Expanding the list from four to eight made very little difference and not much had changed by the time the 2017-2018 audit was released.
"This audit identified relatively low levels of effectiveness of Commonwealth entities in managing cyber risks, with only one of the three audited entities compliant with the Top Four mitigation strategies," said the ANAO. "None of the three entities had implemented the four non-mandatory strategies in the Essential Eight and were largely at early stages of consideration and implementation."
In March this year, when the Commonwealth Cyber Security Posture in 2019 was presented to the Australian Parliament, it was noted by the Australian Cyber Security Centre (ACSC) that, while all of the (25) Commonwealth entities assessed "were found to be taking positive and proactive steps to improve their cyber security", they hadn't "achieved the recommended maturity level for the Essential Eight" and "are vulnerable to current cyber threats targeting the Australian Government".
This was somewhat worrisome. The Essential Eight had been in place for two years and the 25 entities were chosen after what was described as "Australia's first national cyber crisis" in February 2019, when the national Parliament House was the subject of a state-sponsored cyber attack (many believe China was behind the attack but nothing was proven). No data was accessed but more than 4,000 parliamentarians and staff were forced to reset their passwords.
The lack of attention to cybersecurity within government departments over many years may seem alarming but perhaps not surprising. Entities had been left to self-assess their implementation of the Essential Eight and report annually to both the ASD and AGD.
"My view is we want each individual department and agency to take responsibility themselves, and the best way we can do that is just remind them of the need for them to take this issue incredibly seriously," said Australia's Minister Assisting the Prime Minister on Cyber Security in November 2016, adding that a centralised approach to cybersecurity was dangerous.
This view has now changed and centralising the management and operations of Commonwealth networks was outlined in the 2020 Cyber Security Strategy handed down by the Australian Government in August this year: "Centralisation could reduce the number of targets available to hostile actors such as nation states or state-sponsored adversaries, and allow the Australian Government to focus its cyber security investment on a smaller number of more secure networks."
Prior to this, and in the wake of the June 19 warning to the nation, the Government announced on June 30 the Cyber Enhanced Situational Awareness and Response (CESAR) package, containing a AU$1.35 billion promise to Australia's security agencies spread over 10 years. Another $320 million was added to this in the 2020 Cyber Security Strategy, bringing the total to $1.67 billion.
"The federal government's top priority is protecting our nation's economy, national security and sovereignty," stated Morrison at the time.
The 'COVID' Federal Budget, announced on October 6, brought with it the largest deficit - $213.7 billion - in Australia's history. However, there was some good news for cybersecurity: "The Government will provide an additional $201.5 million over four years from 2020-21 (and $40.5 million per year ongoing) for initiatives to implement the 2020 Cyber Security Strategy."
It now remains to be seen if the ever-increasing amount of cybersecurity incidents globally, or the injection of $1.7 billion, or a centralised cybersecurity 'command' will make a difference to the cybersecurity landscape within the Australian Government.
+ + +
Thanks for visiting SecAlerts and reading this story. We offer a CVE alert service which includes software updates and news relating to your software stack. Join more than 1,300 other users and sign up.