House debates

Thursday, 1 June 2017

Constituency Statements

Cybersecurity

10:18 am

Gai Brodtmann (Canberra, Australian Labor Party, Shadow Parliamentary Secretary for Defence)

Last night I was with the Minister Assisting the Prime Minister for Cyber Security at the Australian Strategic Policy Institute launch of the report assessing the government's progress against the goals set out in the Cyber Security Strategy released just over 12 months ago. The event provided a valuable opportunity to respond to the report—and I commend Zoe Hawkins and Liam Nevill on an excellent contribution—and to discuss issues that Labor has been pursuing on our nation's cybersecurity. Like national security, cybersecurity is largely a bipartisan issue, but that does not mean that Labor will not hold the government to account to ensure Australians continue to enjoy as safe and secure a cybersecurity environment as possible.

There were a number of areas I discussed last night: crisis communication, small business cybersecurity, the need for appropriate and measurable KPIs, and the cybersecurity of government agencies. The report by ASPI is spot on when it comes to the assessment of the cybersecurity of government agencies. We still have a long way to go before our government agencies become the exemplar for private and public sector organisations in Australia.

In its most recent cyber-resilience follow-up review, the Australian National Audit Office found that two out of the three government agencies audited had insufficient protections against cyberattacks from external sources. Two of the three had not effectively implemented application whitelists, which meant that users could install and run applications and bypass the whitelist completely. Only one of the three agencies audited complied with the government's mandated mitigation strategy and was found to be cyber-resilient. This was despite the fact that all three assured the Joint Committee of Public Accounts and Audit that they would achieve compliance during 2016 after the first damning audit in 2014.

A great deal more work needs to be done in this space and urgently. The public has a right to know that government agencies holding their personal information are secure. We need greater and regular transparency of performance so the cyber-resilience or nonresilience of our government agencies is not exposed through the occasional audit. Consideration should be given to how we achieve this. Should we have greater transparency through monthly reports to the minister on performance, in annual reports or in a quarterly report to the parliament by the minister? We should also consider what happens if government agencies do not implement their cyber-resilience strategies in accordance with the government mandated guidelines, like the outcome of the ANAO audit. These are all interesting questions that I will be considering at the JCPAA's public hearing into cyber-resilience of government agencies tomorrow.