Wednesday, 9 December 2020
Public Accounts and Audit Committee; Report
by leave—I join the chair of the committee in congratulating members for the way they engaged in this very important inquiry and also join the chair in thanking the secretariat staff for their assistance with this report. I really think this report shows the parliament at its best—parliamentarians working together across party lines, outside the media spotlight, on complex issues of national importance. I'd like to first acknowledge the work of members of the Joint Committee of Public Accounts and Audit on this report, particularly the member for Robertson in her role as chair and the member for Bruce in his role as deputy chair.
I've been very pleased since joining the JCPAA to see parliamentarians genuinely working together on matters that are important but that sometimes don't attract the media attention they deserve. This report deserves attention, though—from the media, parliamentarians and the government—because its findings are, frankly, alarming. It's an indictment of this government's ongoing failure to ensure the cybersecurity of its own departments. In fact, it's so bad that the committee has recommended that a new oversight regime is needed, one that will ensure that our vital government services and the data of Australian citizens that is held by Commonwealth entities are appropriately protected at a time of dramatically increasing cyber threats. The reason this intervention has been necessary is that for years we have seen a staggeringly high rate of noncompliance from the Commonwealth government with its own cybersecurity framework. Just over one in four Commonwealth entities that were audited by the ANAO have implemented the top four cybersecurity measures recommended by the Australian Signals Directorate, six years after they became mandatory.
The cyberthreats to Commonwealth departments are very real and growing, and the lack of compliance and cyber-resilience has been the subject of a series of audits and inquiries from both the ANAO and the JCPAA over the last seven years. The government's own cybersecurity posture report in 2019 found that implementation of the ASD's top four cybersecurity measures 'remains at low levels across the Australian government'. That's the government's own report. The Auditor-General highlighted these ongoing failures in his mid-term report, noting, 'With cybersecurity being an area of priority for many years, these findings are disappointing.' Despite the warning, the Morrison government has failed to do the basics, and I should note that the Morrison government has currently introduced legislation into this parliament to require private sector companies in critical infrastructure sectors to significantly lift their cybersecurity practices and behaviours, but, unless the Commonwealth government lifts its game, as identified in this report, the government risks being accused of telling private sector Australian businesses 'to do what I say and not what I do'. This Prime Minister has never missed a photo opportunity on his many announcements when it comes to talking about the cybersecurity threats faced by our nation, but he hasn't been there for the follow-up to ensure cyber-resilience inside his own government in the face of these increasing threats.
A core part of the problem here is the absence of any real form of accountability for government entities that fail to do what is required to be cyber-resilient. Each Commonwealth entity is currently responsible for its own cyber-resilience, but there's no-one marking their homework to ensure that they are compliant. Each year, non-corporate Commonwealth entities are required to conduct a self-assessment of their compliance with the Protective Security Policy Framework and the Information Security Manual within it. This self-assessment is then provided to the Attorney-General's Department and its portfolio minister. But the committee heard evidence that this is the total extent of accountability. When a Commonwealth entity is noncompliant with the ASD's mandatory top four, all they have to do is tell their minister and the Attorney-General's Department, and nothing happens. There's no way for parliament to hold a Commonwealth entity accountable for ongoing failures on their own self-assessments and for the cybersecurity vulnerabilities within these Commonwealth entities.
And they are not publicly disclosed. Even the annual cybersecurity posture report provided to the parliament in response to a previous JCPAA report's plea for parliamentary scrutiny and accountability only provides aggregated information about this performance. It's a model that hides failure within individual Commonwealth entities and does nothing to drive the important cultural change that we need to see.
The only way we have learned of the widespread failures of cyber-resilience within the Commonwealth has been the ANAO's outstanding cyber-resilience audits. This is why the JCPAA has been forced to recommend the ANAO be funded to undertake a limited assurance cyber-resilience audit across all Commonwealth entities every year for five years and to report on the findings to the JCPAA. This annual cyber-resilience review would operate in a similar way to another JCPAA oversight mechanism targeting a similar accountability problem: the annual defence main projects review. It's an unprecedented level of oversight that recognises the scale of the ongoing failure to build cyber-resilience within the Commonwealth government. It would help drive culture change at a time of dramatically increasing cyberthreats.
Members and senators from all sides of politics have recognised the seriousness of the need for Commonwealth entities to be cyber-resilient and the failing of the current accountability framework to deliver this outcome. I call on the Morrison government to hear the call of this report—an outstanding report, a consensus report from parliamentarians on all sides of politics—and to immediately accept and act on this report's recommendations.