ANAO finds Services Australia lacking in cyber and cost aspects of WPIT
The Australian National Audit Office (ANAO) on Thursday handed down its examination of the Services Australia Welfare Payment Infrastructure Transformation (WPIT) program, finding the agency had “largely appropriate arrangements” in many areas, but was lacking on the cyber and cost monitoring fronts.
Kicked off in 2015, WPIT was originally slated to cost around AU$1.5 billion and run from 2015 to 2022, with one of the core reasons for the program being to replace the then-30-year-old Income Security Integrated System (ISIS).
“In June 2020, the decommissioning of this key element of the system was confirmed to be the main goal of the welfare payment system redeployment,” ANAO wrote.
“However, almost half of the decommissioning was not expected to be completed by the end of the program.”
Internal reports at the agency detailed that the decommissioning of ISIS was “not achievable within the funding envelope or timeframe”, and a process to determine if this was possible would not be started until a replacement was commissioned, ANAO said in its report.
Services Australia told ANAO that 13% of ISIS functionality had transitioned to its SAP CRM instance while a further 39% would be transitioned by the end of June 2020, leaving almost half its functionality in place.
“Delays to replacement and decommissioning have put at risk the ability to deliver on the original objectives of the WPIT Programme, and delay or negate realisation of all the expected benefits of the welfare payment system redevelopment,” ANAO wrote.
The agency also had issues in documenting the functionality of the system, telling the audit office that its functionality was recorded in the system’s source code.
“Services Australia advised the ANAO that while it had recorded functionality in source code, there were historical gaps in its separate documentation of detailed functionality, dating back to the system’s introduction in the 1980s,” the report said.
“Attempts were made to develop complete specifications for some elements of ISIS, but this was not done consistently across the system due to cost.”
ANAO said Services Australia was relying on “knowledgeable staff”, which obviously leaves it vulnerable to workers leaving, and explained in the report that the agency tried, in 2016, to extract its business rules from the code.
“Services Australia subsequently considered automated analysis of the source code in ISIS, which incorporates existing business rules, as the most practical approach to identifying the complete range of current functionality required to inform future requirements,” the report said.
“In late 2019, Services Australia outsourced source code analysis as part of a contract to design and build the [Entitlements Calculation Engine].”
That outsourcing was handed to Infosys in November.
Services Australia further told the office that the cost of maintaining ISIS was around AU$98 million each year, but that was a guesstimate.
“While Services Australia stated that it tracks overall ICT expenditure, it cannot disaggregate all of the system element costs and did not monitor the cost of operating the current welfare payment system,” the report said.
“These costs could include hardware and software capital costs and depreciation, expenses for employees working on the system, costs associated with operating the system, costs associated with changing the system, and amounts paid to contractors.
“As a result, Services Australia was unable to break down these costs, monitor trends over time, or assess the ongoing value for money of this expenditure.”
In response, the agency said it was working towards having “improved visibility of the costs of maintaining different payment platforms”.
ANAO further found that Services Australia does not have plans to migrate data to a completed WPIT system, although it had made one attempt, which failed.
On the cyber front, the report found there were no cybersecurity plans specific to each element of the system.
“However, Services Australia self-assessed that it ‘has measures in place for the underpinning components including monitoring of vulnerabilities and appropriate patching, monitoring of system administrative and privileged access, and penetration testing of outward facing systems’,” the ANAO wrote.
“The ANAO did not separately audit the accuracy of this self-assessment, or its applicability to the welfare payment system.”
An internal audit in May 2016 found that six of 118 systems used by the agency had proper cyber accreditation, and by February 2019, another internal audit reported the number had increased to 21.
“Services Australia’s self-assessment of risk control effectiveness was inaccurate in light of the lack of cybersecurity risk assessment or accreditation for the welfare payment system, and internal audit findings that most systems across the agency did not have accreditation,” the report said.
“A recent external assessment had not been conducted of the effectiveness of controls listed in the Top Four and Essential Eight strategies for all elements of the welfare payment system. Previous internal audit reports of ICT systems found the implementation status of the Top Four strategies at Services Australia was lower than what had been self-assessed by the agency.”
For disaster recovery, Services Australia used a pair of data centres, but they were physically in close proximity and so were vulnerable to location-specific risks, ANAO wrote. The data centres also failed to provide the geographic dispersal as required by the Australian Government Information Security Manual.
“The ANAO examined disaster recovery arrangements at one of the data centres, and brought certain physical security deficiencies to the attention of Services Australia,” it wrote.
Overall, the report made five recommendations relating to the issues raised, all of which Services Australia agreed with.
Former Opposition Leader and now Shadow Minister for Government Services Bill Shorten latched onto the report in order to criticise his counterpart, Stuart Robert.
“Mr Robert, who blamed imaginary hackers for one of the MyGov crashes he presided over, should have been paying more attention to genuine cybersecurity risks,” he said.
“Clearly Mr Robert is what online gamers would call a ‘noob’, someone who has absolutely no idea what they are doing.
“Australians are sick of the endless tech bungles from this digital noob.”