Cybersecurity the responsibility of agencies, not us, AGD and ASD say
During a hearing held by the Joint Committee on Public Accounts and Audit last month into the cybersecurity resilience of Commonwealth entities, the federal opposition poked holes in current reporting requirements and highlighted a lack of accountability for when Commonwealth entities come up short.
The Australian National Audit Office (ANAO) faced the firing line, with the committee asking why the Protective Security Policy Framework (PSPF) has not been made mandatory for all Commonwealth entities, and why, given they’re called the Essential Eight, only the Top Four is looked at.
“It’s not uncommon within the Commonwealth public sector that mandated rules from the centre apply to the non-corporate sector, but not to all of the corporate sector,” Auditor-General Grant Hehir said at the time. “You’ll find that across a lot of areas like procurement, grants, and in the [PSPF].”
In 2019, ANAO cyber-resilience audits had found 29% of agencies audited were compliant with the Top Four, whereas 60% of departmental self-assessments found themselves to be compliant.
Shadow Assistant Minister for Cyber Security Tim Watts called it an inaccurate self-assessment.
“If you look at the evidence from our audits, one conclusion we can draw is that the framework that was in place wasn’t driving the behavioural change to ensure that the regulatory stance was robust enough,” Hehir said.
“I think they are questions more to the organisations responsible for setting the framework rather than us. But we’d like to see the framework being implemented resulting in cybersecurity, and if it’s not then the argument is why not? Some of that has to go to the robustness of the regulatory framework.”
The Attorney-General’s Department (AGD) and the Department of Home Affairs are the key regulatory entities. The AGD is responsible for setting government protective security policy guidance, including for information security, through the PSPF.
Providing a submission [PDF] to the committee in the aftermath of the hearing, AGD said cybersecurity is an important priority for the Australian government.
“The PSPF assists Commonwealth entities to protect their people, information, and assets, at home and overseas. The core requirements for information security are set out in policies eight to 11 of the PSPF, covering sensitive and classified information, access to information, safeguarding information from cyber threats and robust ICT systems,” it told the committee.
It also said the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD) leads the Australian government’s operational cybersecurity capability and said it was the responsibility of the ACSC to produce the Australian government Information Security Manual (ISM), which is referenced in the PSPF as the key source of guidance for organisations safeguarding information from cyber threats and developing “robust” IT systems.
“The purpose of the ISM is to outline a cybersecurity framework that organisations can apply, using their risk management framework, to protect their information and systems from cyber threats,” AGD wrote.
AGD said the PSPF requires non-corporate Commonwealth entities to implement four of the ACSC’s eight essential mitigation strategies and “strongly recommends the adoption of all eight”.
“Entities must also consider other strategies included in the ACSC’s Strategies to Mitigate Cyber Security Incidents,” it added.
It also said any questions about specific entities and their cyber posture should be directed to them.
“As individual Commonwealth entities are responsible for their assessment in light of their risk environment, questions regarding PSPF implementation within an individual entity are best directed to that entity,” it wrote.
Also providing a submission [PDF] following last month’s probe of ANAO, was the Department of Defence, on behalf of the ASD.
Defence pointed to the Report to Parliament on the Commonwealth’s Cyber Security Posture in 2019 and said it provided the latest information on the cybersecurity posture of Commonwealth entities.
“The report highlights that the overall cybersecurity of Commonwealth entities continues to improve,” it wrote. “It acknowledges that, in the context of a dynamic and evolving threat environment, cybersecurity is an ongoing task.”
It said that while ASD regularly engages with Commonwealth entities to provide cybersecurity advice and assistance, individual entities are responsible for the security of their own network and information.
“Cybersecurity maturity is a compliance and risk management issue for each accountable authority to balance in the context of their unique risk environment and the complexities of their operations,” the submission continued.
“Questions regarding the cybersecurity posture of individual Commonwealth entities are better directed to the relevant entity.”