Australian Government Departments Improperly Self-Reported Cyber Compliance, ANAO Finds
The Attorney-General’s Department and the Department of the Prime Minister and Cabinet were among the government entities that did not accurately self-report full implementation of the Top Four mitigation strategies.
On March 19th, the Australian National Audit Office (ANAO) released a Performance Audit Report publishing the results of an investigation into the effectiveness of the cyber security risk mitigation strategies implemented by seven government entities. ANAO found that none of these entities had fully met the mandatory requirements of PSPF Policy 10.
The seven entities audited were the Attorney-General’s Department (AGD), the Department of the Prime Minister and Cabinet (PM&C), the Australian Trade and Investment Commission (Austrade), the Department of Education, Skills, and Employment, the Future Fund Management Agency, the Department of Health, and IP Australia.
ANAO also examined the Australian Signals Directorate (ASD) and the Department of Home Affairs (DHA) in their roles as cyber policy and operational entities, but they were not included in this assessment.
This audit seeks to address a recommendation made by the JCPAA in Report 467: Cybersecurity Compliance, for the Auditor-General to consider conducting an audit of the effectiveness of the PSPF self-assessment and reporting requirements for cyber security compliance. The audit also follows up on the recommendation made in Auditor-General Report No.53 2017–18 Cyber Resilience, for the responsible cyber policy and operational entities (AGD, ASD, and Home Affairs) to work together to improve entities’ compliance with mandatory cyber security requirements under the PSPF.
Since 2013, the Australian Government has required non-corporate Commonwealth entities to implement the Top Four mitigation strategies under the Protective Security Policy Framework (PSPF). The Top Four mitigation strategies are application whitelisting, patching applications, restricting administrative privileges, and patching operating systems.
Malicious cyber activity has been identified as one of the most significant threats affecting government entities, businesses, and individuals.
Low levels of compliance with cyber security requirements under the PSPF have been identified in previous ANAO audits. Three entities had self-assessed full implementation of one or more of the mitigation strategies in their 2018-19 PSPF assessment: the Attorney-General’s Department (AGD), the Department of the Prime Minister and Cabinet (PM&C), and Home Affairs. The Office found that two of them, PM&C and AGD, had not done so accurately.
Although PM&C stated in its 2018-19 PSPF self-assessment that it had fully implemented all of the mandatory Top Four mitigation strategies, ANAO found that the requirements for restricting administrative privileges were only partially implemented.
While PM&C has a process for validating privileged access on an annual basis, that process does not sufficiently ensure that privileged access is restricted to personnel who require it to undertake their duties. Weaknesses in PM&C’s validation processes increase the risk that a cyber intrusion could result in an adversary acquiring privileged access to its systems and subsequently changing or bypassing other security measures to compromise the system.
The same applies to AGD, which reported in its 2018-19 PSPF self-assessment that it had fully implemented two of the Top Four: patching operating systems and restricting administrative privileges. During the audit, ANAO concluded that AGD had overall implemented the requirements for patching operating systems, but that additional improvements are needed to reach full implementation.
In addition, ANAO’s report revealed that five of the six selected entities that had self-assessed as not having fully implemented any of the Top Four mitigation strategies have decided to progress toward a “Managing” maturity level for PSPF Policy 10.
Of the six entities that had reported not fully implementing all the Top Four mitigation strategies, five have established strategies and activities to progress their PSPF Policy 10 maturity level to ‘Managing’. The five entities have also included the implementation of the remaining four strategies that comprise the Essential Eight in their cyber security improvement programs. Three of the six entities had not set a corresponding timeframe to improve their PSPF Policy 10 maturity level to ‘Managing’. There is scope for four of the entities to improve monitoring of the implementation progress of their cyber security program to ensure that the entity is meeting the timeframe to improve its cyber security maturity.
Following its report, the Australian National Audit Office has made thirteen recommendations, including:
- asking AGD to ensure the maturity levels under the PSPF maturity assessment model are fit-for-purpose and effectively align with the maturity levels under ASD’s Essential Eight Maturity Model;
- asking AGD to provide additional clarity on the PSPF supporting guidance and implement measures to obtain assurance on the accuracy of entities’ PSPF self-assessments;
- asking ASD to provide assistance to AGD to support its assurance processes;
- recommending that the Australian Government strengthen arrangements to hold entities to account for the implementation of mandatory cyber security requirements.
Finally, the report noted that between July 2019 and June 2020, no fewer than 436 cyber security incidents were reported to the Australian Cyber Security Centre by Australian government entities.