Wednesday, 9 December 2020
Public Accounts and Audit Committee; Report
On behalf of the Joint Committee of Public Accounts and Audit, I present report No. 485 entitled Cyber resilience: inquiry into Auditor-General's reports 1 and 13 (2019-20).
Report made a parliamentary paper in accordance with standing order 39(e).
by leave—I present report No. 485 of the Joint Committee of Public Accounts and Audit, entitled Cyber resilience. This report details the committee's findings from its inquiry into two Auditor-General's reports of 2019-20, including report No. 1, Cyber resilience of government business enterprises and corporate Commonwealth entities, and report 13, Implementation of the My Health Record system. The purpose of the committee's inquiry was to consider the effectiveness of the management of cyber-risks and the implementation of cybersecurity measures in various agencies. It also examined the Auditor-General's findings on the extent to which Commonwealth entities had embedded a cyber-resilience culture.
The report contains six recommendations targeting a number of core areas. In the interests of time, I'll broadly outline some of the key themes. The first of those concerns the importance of the development of a cyber-resilience culture within entities. The committee noted that the ANAO has developed a detailed framework of 13 behaviours and practices that could assist in the implementation and improvement of culture. These are covered under four headings: governance and risk management, roles and responsibilities, technical support, and monitoring compliance. The committee outlines in recommendation 3 that these practices and behaviours should play a greater role in the implementation and improvement of a cyber-resilience culture within Commonwealth entities.
Further, the committee noted that the Protective Security Policy Framework, commonly known as the PSPF, addresses the development of a positive security culture. However, specific references to the 13 behaviours and practices under the title outlined by the Auditor-General within the PSPF could not be found. Recommendation 3 seeks to help to address this by outlining that the PSPF should be amended to reflect or incorporate, where needed, the ANAO's framework. It also recommends that a dedicated section be created within the annual PSPF self-assessment questionnaire addressing these 13 criteria.
Further, in recommendation 4, the committee outlines that the Australian National Audit Office should consider conducting an annual limited assurance review into the cyber-resilience of Commonwealth entities and that this could include examining the extent to which entities have embedded a cyber-resilience culture and compliance with the essential eight mitigation strategies in the Information Security Manual. To enable time for implementation, the committee recommends that this review commence from June 2022 and be conducted yearly for five years.
Other recommendations outlined in this report are specific to relevant Commonwealth entities. Recommendation 5 requests that Australia Post provide an update on progress in implementing controls in line with the top four and essential eight mitigation strategies and how a cyber-resilience culture is being further embedded in the organisation. Recommendation 6 requests that the Australian Digital Health Agency provide an update on a number of key aspects of its ANAO My Health Record performance audit implementation plan.
Finally, other recommendations address broad improvements to existing frameworks and are directed to the Attorney-General's Department. Recommendation 1 requests that the department provide an update to the committee on its implementation of external moderation models and benchmarking processes to verify entities' reported compliance with cybersecurity requirements. Recommendation 2 is also directed to the Attorney-General's Department and seeks an update on the levels of cybersecurity maturity within Commonwealth entities and the feasibility of mandating the essential eight mitigation strategies across Commonwealth entities. It also recommends that the Attorney-General's Department report back on any impediments to mandating the top four strategies for government business enterprises and corporate Commonwealth entities.
Finally, I'd like to very much thank those agencies that participated in the inquiry and those who appeared at public hearings. I would also like to note that this is a consensus report of the committee and thank all committee members for their willingness to work collaboratively on this very important inquiry. I commend the report to the House.
by leave—I join the chair of the committee in congratulating members for the way they engaged in this very important inquiry and also join the chair in thanking the secretariat staff for their assistance with this report. I really think this report shows the parliament at its best—parliamentarians working together across party lines, outside the media spotlight, on complex issues of national importance. I'd like to first acknowledge the work of members of the Joint Committee of Public Accounts and Audit on this report, particularly the member for Robertson in her role as chair and the member for Bruce in his role as deputy chair.
I've been very pleased since joining the JCPAA to see parliamentarians genuinely working together on matters that are important but that sometimes don't attract the media attention they deserve. This report deserves attention, though—from the media, parliamentarians and the government—because its findings are, frankly, alarming. It's an indictment of this government's ongoing failure to ensure the cybersecurity of its own departments. In fact, it's so bad that the committee has recommended that a new oversight regime is needed, one that will ensure that our vital government services and the data of Australian citizens that is held by Commonwealth entities are appropriately protected at a time of dramatically increasing cyber threats. The reason this intervention has been necessary is that for years we have seen a staggeringly high rate of noncompliance from the Commonwealth government with its own cybersecurity framework. Just over one in four Commonwealth entities that were audited by the ANAO have implemented the top four cybersecurity measures recommended by the Australian Signals Directorate, six years after they became mandatory.
The cyberthreats to Commonwealth departments are very real and growing, and the lack of compliance and cyber-resilience has been the subject of a series of audits and inquiries from both the ANAO and the JCPAA over the last seven years. The government's own cybersecurity posture report in 2019 found that implementation of the ASD's top four cybersecurity measures 'remains at low levels across the Australian government'. That's the government's own report. The Auditor-General highlighted these ongoing failures in his mid-term report, noting, 'With cybersecurity being an area of priority for many years, these findings are disappointing.' Despite the warning, the Morrison government has failed to do the basics, and I should note that the Morrison government has currently introduced legislation into this parliament to require private sector companies in critical infrastructure sectors to significantly lift their cybersecurity practices and behaviours, but, unless the Commonwealth government lifts its game, as identified in this report, the government risks being accused of telling private sector Australian businesses 'to do what I say and not what I do'. This Prime Minister has never missed a photo opportunity on his many announcements when it comes to talking about the cybersecurity threats faced by our nation, but he hasn't been there for the follow-up to ensure cyber-resilience inside his own government in the face of these increasing threats.
A core part of the problem here is the absence of any real form of accountability for government entities that fail to do what is required to be cyber-resilient. Each Commonwealth entity is currently responsible for its own cyber-resilience, but there's no-one marking their homework to ensure that they are compliant. Each year, non-corporate Commonwealth entities are required to conduct a self-assessment of their compliance with the Protective Security Policy Framework and the Information Security Manual within it. This self-assessment is then provided to the Attorney-General's Department and its portfolio minister. But the committee heard evidence that this is the total extent of accountability. When a Commonwealth entity is noncompliant with the ASD's mandatory top four, all they have to do is tell their minister and the Attorney-General's Department, and nothing happens. There's no way for parliament to hold a Commonwealth entity accountable for ongoing failures on their own self-assessments and for the cybersecurity vulnerabilities within these Commonwealth entities.
And they are not publicly disclosed. Even the annual cybersecurity posture report provided to the parliament in response to a previous JCPAA report's plea for parliamentary scrutiny and accountability only provides aggregated information about this performance. It's a model that hides failure within individual Commonwealth entities and does nothing to drive the important cultural change that we need to see.
The only way we have learned of the widespread failures of cyber-resilience within the Commonwealth has been the ANAO's outstanding cyber-resilience audits. This is why the JCPAA has been forced to recommend the ANAO be funded to undertake a limited assurance cyber-resilience audit across all Commonwealth entities every year for five years and to report on the findings to the JCPAA. This annual cyber-resilience review would operate in a similar way to another JCPAA oversight mechanism targeting a similar accountability problem: the annual defence main projects review. It's an unprecedented level of oversight that recognises the scale of the ongoing failure to build cyber-resilience within the Commonwealth government. It would help drive culture change at a time of dramatically increasing cyberthreats.
Members and senators from all sides of politics have recognised the seriousness of the need for Commonwealth entities to be cyber-resilient and the failing of the current accountability framework to deliver this outcome. I call on the Morrison government to hear the call of this report—an outstanding report, a consensus report from parliamentarians on all sides of politics—and to immediately accept and act on this report's recommendations.