Thursday, 10 December 2020
Public Accounts and Audit Committee; Report
Hello again, Deputy Speaker Freelander. I want to make a few remarks on this report. Many would say cyber-resilience is not the most sexy of topics, but it's incredibly important. I've been on the Public Accounts and Audit Committee as deputy chair for 4½ years now, and this report is very significant. There are some thematic recommendations that I think bring together work that the committee has done over the last few years and work that the Auditor-General has done for probably seven or eight years, with growing degrees of frustration. I stress that this is a set of bipartisan recommendations. Continuing the general tradition of the audit committee, all members of the committee have signed up to this report and these recommendations. I thank the chair and government members as well for their constructive contribution. In particular, though, the member for Gellibrand, who has particular expertise and passion about this area, made really substantive contributions.
This discussion occurs in the context, of course, of serious and growing cyberthreats to our nation, not just to the private sector but also to the public sector. I believe government should be an exemplar, not just because the operations of government themselves are critical to our national security, continuity of government, the welfare of the populace and so on, but also because government, in this area and in so many others, should be setting the example, the gold standard, for the private sector to follow.
So I put the question: how is the government going? Given my 4½ years looking at it and probably seven or eight years where this has been a real focus for the Audit Office, I have to say, depressingly, that not very well is the succinct answer. This report—signed off by all government members—is in many senses a damning indictment on the Morrison government's failure to ensure the cybersecurity of its own departments and agencies. There are a few that have come through, I would say, that are doing very well. Defence generally seems pretty good. The Australian Taxation Office is good. The Reserve Bank is good. But it falls away fast in terms of actual performance. There are staggeringly high rates—report after report—of noncompliance from the Commonwealth government with its own cybersecurity framework. As the years go on, you sit through these cyber inquiries and you feel like the proverbial goldfish going round in the bowl—here we go again. You hear the same excuses, 'Sorry, we didn't quite comply with the framework', 'We didn't quite get the mandatory four' or 'We haven't really got to the essential eight standards.' There are a series of recommendations, I think, that really start to suggest change.
I want to read into the Hansard a quote from the Auditor-General from his mid-term report. He's been in the role for five years. I nerded out a few weekends ago and spent a Sunday morning reading his mid-term report, and I'm very glad I did. It provides some really, really sharp insights from the person responsible for auditing the performance of the public sector for the last five years. He said:
… the category which consistently has the most number of financial audit findings raised relates to the information technology control environment, with the most common area relating to weaknesses in security management. These findings are consistent with the conclusions in performance audits of cyber security, which have also consistently identified non-compliance.
With cyber security being an area of government priority for many years, these findings are disappointing.
Now, if you read audit reports, the word 'disappointing' is very high in the lexicon of 'not good, bad, bad-bad'. It's Auditor-General language for 'this ain't good enough'. He continued:
The public sector operates largely under a self-regulatory approach. Policy owners—for example the Department of Finance for resource management … the Attorney-General's and Home Affairs departments for cyber security; and the Australian Public Service Commission for integrity—establish the rules of operation and then largely leave it to entities' accountable authorities to be responsible for compliance.
That's generally it. You find that the department sets the rules and then it's up to the other departments to follow the rules. Good luck! He continued:
There are almost no formal mechanisms in these frameworks to provide assurance on compliance. Often the ANAO is the only source of compliance reporting and our resources mean that coverage is quite limited. While I agree that accountable authorities must be responsible for entities' compliance, it is also clear that policy owners need to be held accountable if the regulatory frameworks they put in place for the public sector do not result in an acceptable level of compliance. For this to occur, they should at least have processes in place to identify the level of compliance and be willing to modify their regulatory approach if it is not working. Unfortunately, this has not been a common approach.
In plain English, what the Auditor-General's saying is that Home Affairs and AGD are responsible for the cybersecurity standards, and then they say, 'That's it. It's not our fault.' Well, we've had year after year of failure, where government departments fail the government's own cybersecurity standards, and this can't go on in the current threat environment. It can't go on. We cannot, year after year, have the same failed audit reports where things are not done properly.
Actually, it's not largely a problem with the rules, although we have suggested a few changes; it's a problem with culture. Cyber-resilience is about the application of the cybersecurity framework, and that goes to culture. Are these rules being operationalised in departments? It's nerdy stuff, but it's incredibly important.
What we found was that only just over one in four Commonwealth entities audited by the Australian National Audit Office had implemented the top four security measures recommended by the Signals Directorate—six years after they'd become mandatory. Six years on, one in four has implemented the top four mandatory rules. That's just not good enough. The government has had seven years of audit reports from the Audit Office and its own Public Accounts and Audit Committee, and they've failed to fix this. Despite the warning, the Morrison government hasn't done the basics. It's not good enough just to announce you've got a new framework. He's always there at the cybersecurity centres, popping up to say, 'We're going to impose new rules on the banks and new rules on the infrastructure providers.' Well, you've got to get your own house in order. You can't just be there for the photo op and not there for the follow-up. You can't just make the announcement of a new policy but not actually do the hard work of making sure all of the government's own departments, after seven years, comply with the most basic of standards. And the threats are growing.
I'll just mention three of the recommendations. First, we are saying that it is time. The Attorney-General's Department made this recommendation two years ago and the government went waffle, waffle, waffle. It is time the Attorney-General's Department came back and said, 'Why can't we mandate the essential eight?' There are the top four and there are these other ones that are more than good to have now. We want a report back to the committee on why we can't have all of those eight as mandatory and why we can't at least apply the top four to government business enterprises and the corporate Commonwealth entities. There are different sets of rules for the GBEs and for the public sector non-corporate entities.
Second is the protective security framework which sets the rules that the government adopts. This is something the Chair has been very interested in, and we support her in this. A few years ago the Audit Office thought, 'We need to put some more attention to this.' They looked at the rules and said, 'Actually, this isn't quite right for an audit framework.' So they've come up with a fantastic audit framework that the National Audit Office now use to audit cyber-resilience. It looks at behaviours—what's actually happening—not just what the rules are. We think that there's a need to align and harmonise those two frameworks so that some of the excellent insights that the Audit Office have gathered from their work and the behavioural stuff get back-engineered into the framework of the harmonisation, and the annual self-assessment questionnaire, which all the entities have to do, needs to actually pick up on this. It would make the whole auditing and accountability process much more transparent and much more streamlined if there were a more robust set of criteria that the agencies had to respond to. This is a very significant report. It will cost money. Someone's going to have to pay, but we've said, 'Enough is enough.' We cannot keep going on in the current threat environment. When we have a look at state actors, non-state actors and random hackers around the world, we cannot keep going on like this and having the same sets of repeated failures.
About 10 or 12 years ago, under the former Labor government, there was a degree of frustration from the parliament about major projects in Defence; parliamentarians were frustrated with this. The Public Accounts and Audit Committee then recommended the establishment of the Defence Major Projects Report, which the then Labor government, to its credit, funded. It's not always comfortable for governments to fund these things, because they're going to point out some of the government's own shortcomings, but it's the right thing to do from an audit methodology point of view if you're serious about integrity. It's now continued for 12 years, and it's a good report. Every year, out comes the Defence Major Projects Report. It's a limited-assurance audit report, where the Public Accounts and Audit Committee sets the rules each year for this and Defence and the Audit Office go and do it together. Defence gets value out of it, and the Auditor-General comes back to the parliament and says: 'Out of the major projects that you've put on the list, these ones are going well, for these ones we reckon there's not the evidence behind them, and we've got some problems with these ones.' It's a good report and it has improved Defence major projects.
We think it's time that we look at having the same limited-assurance audit report for cybersecurity, where, every year, the Auditor-General would do a limited-assurance audit report across all of the major public-sector entities and provide that advice to government. In this instance—a bit like Defence, but it would probably be a bit more so—there are national security sensitivities about identifying where the vulnerabilities are, so there might need to be a sort of sealed section of the report that goes off to ministers and the executive, or that the committee is briefed on in camera, and the published version.
I commend this report. It is nerdy stuff, but it's incredibly important. I thank all of the committee members for taking this topic seriously and actually looking at some systemic recommendations, rather than just whacking the latest agency through the door.