Wednesday, 25 October 2017
Public Accounts and Audit Committee; Report
On behalf of the Joint Committee of Public Accounts and Audit, I present the committee's report entitled Report 467: Cybersecurity compliance: inquiry based on Auditor-General's report 42 (2016-17).
Report made a parliamentary paper in accordance with standing order 39(e).
by leave—The release of the report into cybersecurity compliance by the Joint Committee of Public Accounts and Audit highlights the continuing negligence of the Turnbull government when it comes to ensuring our departments and agencies are safe from cyberattack. Since the creation of the cybersecurity portfolio in 2016, Labor has been consistently calling on the government to take this issue seriously. So far, the only thing the Turnbull government has done to fix this mess is send a letter to the heads of government agencies—a letter to each head of department asking them to please take cybersecurity 'very seriously'. This is pathetic and it's a serious concern for our national security.
When it was revealed in 2014 that not one of the seven departments investigated by the Australian National Audit Office was compliant with its cybersecurity requirements, action should have been taken then. Instead, here we are at the end of 2017 and all we can say definitively is that only one of those seven departments has met its security requirements—just one in 2017. The rest are all still at risk of serious cyberattacks and data breaches. This is simply unacceptable.
This issue has been ignored for far too long by the Turnbull government and action needs to be taken now. Deadlines need to be set and consequences need to be enforced for those who continue to ignore this threat. As we speak, large government departments such as the Australian Taxation Office and the Department of Immigration and Border Protection are still not compliant with their cybersecurity responsibilities—that's as we speak, right here and right now. We are talking about the systems and networks that collect and store personal information on every Australian citizen, that manage this country's most important public services and that protect this country's borders and run our national security operations.
The recommendations in this report are loud and clear: compliance with cybersecurity standards is not optional—it is not optional. As holders of detailed and sensitive information, all government departments must maintain a strong cybersecurity posture. There is simply no excuse for any department or agency to ignore mandated—and these are mandated—security requirements. And there is certainly no excuse for the Turnbull government to continue to ignore this problem. It cannot be tolerated. This blasé approach to cybersecurity has got to stop; it has got to change.
This report reveals a long history of prolonged negligence and a lack of concern for the significant threat cyberattack poses. In October 2014, a public hearing was held to examine the disastrous findings earlier that year by the ANAO that not one of the departments that were investigated was cyber-resilient—not one in 2014.
Three of the seven audited entities—the Australian Taxation Office, the Department of Human Services and the then Australian Customs and Border Protection Service—appeared before the hearing to explain their plans and timetables to achieve compliance. They each gave assurances—big-time assurances—to the committee that compliance with the top four mitigation strategies would be achieved during 2016.
The follow-up report published in March this year revealed that, despite those assurances in 2016, only one department, the Department of Human Services, had met its mandated requirements—and I'm underscoring here 'mandated', because these are mandated cybersecurity requirements across government agencies. Only one federal government agency could be deemed cyber-resilient.
Both the Australian Taxation Office and the Department of Immigration and Border Protection failed to meet the requirements and achieve their own deadline for compliance. They failed to meet it in 2014, and they failed again in 2016. So far, the only consequences that have come from this repeated failure are a letter by the Minister Assisting the Prime Minister for Cyber Security asking government agencies to take cybersecurity 'very seriously', and that was almost a year ago.
It is simply unacceptable. The fact that only one out of three of the largest Australian government agencies is meeting its mandated cybersecurity requirements is absolutely shocking. This is a huge risk to our national security and it needs to be treated as such. Why is the government so blasé about this? At a time when significant data breaches and cyberattacks are an almost daily occurrence, the revelation that our own government agencies are failing to meet basic, mandated standards should come as a wake-up call. It should be ringing alarm bells for the government.
Through its electronic lodgement systems, the Australian Taxation Office collects over $440 billion in gross tax revenue annually. The Department of Immigration and Border Protection electronically processes around seven million visas annually and inspects and examines around two million air and sea cargo imports and exports every year. The collection and storage of this and other personally identifiable data can be used to identify, contact, locate or impersonate an individual. It includes information such as birth dates, bank account details, driver's licence numbers, tax file numbers and biometric data. By failing to be cyber-resilient, these departments are putting this data at great risk, with potentially significant consequences for Australian citizens.
Each of the 10 recommendations in this report will ensure the cyber-resilience of government departments and agencies is brought up to speed, but only if they are actually adopted. These recommendations offer significant improvements including introducing tangible deadlines for compliance, updating the top four strategies to the newer and comprehensive Essential Eight cybersecurity strategies, annual audits reviewing departmental compliance with these requirements, mandating—and again I'm saying 'mandating' here, because we've had a mandated approach on this before, and I'm imploring the government to actually take this report seriously and make these government agencies comply with mandated requirements—that all agencies complete and return the annual ASD cybersecurity survey, and mandating the internet gateway reduction program to reduce the number of attack vectors into government systems.
On this last point, the internet gateway reduction program was started in 2009. It was meant to reduce the patchwork of over 120 different internet gateway services being used right across government, particularly in smaller agencies, down to a manageable and auditable eight. The program was designed to reduce the attack surface into government systems. Eight years on, this policy is still being sidestepped by many smaller agencies who are just choosing to ignore the problem. And what's the Turnbull government done to address this issue? Absolutely nothing.
Similarly, the Australian Signals Directorate sends out an annual cybersecurity survey to the heads of all major government agencies to assess their cyber risks. These surveys are rarely completed or sent back to the ASD, which has a significant impact on the ASD's ability to accurately assess the risk within these departments. As the report says:
The results of the ASD survey are reported to a secretaries' cyber security board, coordinated by PM&C—
the Prime Minister's own department.
The results of the surveys provide a list of high-risk entities, for which ASD can then focus its resources on assisting.
remember, this is meant to be mandated—
the ASD has no capacity to compel agencies to complete the survey. For this year's survey, as at 23 June, fewer than 40 per cent of agencies had completed the survey. In 2016, fewer than 30 per cent completed the non-mandatory survey.
Absolutely appalling! So, as at 23 June, for this year's survey, less than 40 per cent had completed it; and, in 2016, fewer than 30 per cent. These surveys are a vital way of assessing whether government agencies are keeping up to date with their cybersecurity risks and threats, and the fact that they're just treated in such an arbitrary way is breathtaking. It's breathtaking.
There is a pattern of negligence here, of ignoring cybersecurity. The recommendations in this report seek to directly address these issues. They are proactive steps we must take to fix this tick-box compliance culture, a culture that ignores responsibility and that gets away with it under this government. The Turnbull government must sit up and take notice of this report. It must adopt—it must, must adopt—the recommendations in it, and it must do so quickly. The recommendations it makes are urgently required to ensure our nation and our nation's data are safe and secure. We cannot afford to continue to turn a blind eye to cybersecurity, especially in our own government agencies and departments. Government agencies must be the standard against which others in the community measure themselves.
Cybersecurity is everyone's responsibility and none more so than the government and heads of government departments. It is not acceptable—it's simply not acceptable—for Australian government departments to just ignore their security requirements: 'All too hard; can't be bothered,' even though these are mandated requirements.
This government needs to start taking cybersecurity seriously, and I implore the Turnbull government to accept all the recommendations in this report, and I implore the Turnbull government to accept all the recommendations in this report today.
That the House take note of the report.