Services Australia reported 20 security incidents to the ACSC in 2019-20
Services Australia has told Senate Estimates that it reported a total of 20 cybersecurity incidents to the Australian Cyber Security Centre (ACSC) in 2019-20, covering its responsibility across the Department of Social Services, the National Disability Insurance Agency, and the Department of Veteran’s Affairs, in addition to its own IT shop.
The ACSC reported receiving a total of 436 notifications from government entities.
Services Australia CEO Rebecca Skinner said while it wouldn’t be appropriate to discuss the nature of the incidents, her agency did not have breaches of Australian citizen data.
As one of the largest government entities, Services Australia has its own security operation centre (SOC) that, since 2017, has been responsible for protecting all of its systems, including the ones that hold Centrelink, Medicare, and child support information.
“We are always undertaking security reviews, upgrades, patches — those sorts of things to maintain our responsibilities against [the] ASD essential eight security arrangements,” she added.
Skinner said the agency’s cybersecurity division blocks about 14 million suspicious emails a month.
“If something looks strange, people do something,” she said, noting the division also detects multiple campaigns attempting to attack its systems. “We’re monitoring all of those.”
Services Australia chief information officer Michael McNamara said the SOC also “runs its own testing, in terms of the dark web”.
“We have our own internal capability … that routinely works through that and identifies issues in that domain,” he told Senators. “We can’t discuss any individual cases, But we do work very, very closely with the AFP and the ACSC and ASD.”
McNamara said that while a lot of its data is not classified with a national security classification, it is all treated the same as the agency’s most sensitive and important datasets.
“They reside, if you like, in physical security centres that are equivalent to the sorts that you would protect national security information in, it’s just technically, they don’t have a national security classification,” he explained.
“We have a very robust data security framework inside the agency … [including] a data integrity framework, which looks at training our staff on the use of data on the inappropriate and appropriate use of data, distribution of data. We do that on a regular basis.”
He said there are also a number of access controls in place, such as monitoring tools, in addition to multifactor authentication across the agency and the systems it controls.
“Our systems, as you can imagine, are secure by their very nature and design, and the data is encrypted at rest,” he added. “As that data is moved, we will use our monitoring tools to control the movement, the distribution of that data, particularly if it leaves the agency.”
He said the same requirements are placed on its biggest contractors — Telstra, Microsoft, and IBM.