Senate debates

Tuesday, 14 November 2017

Committees

Joint Committee of Public Accounts and Audit; Report

5:25 pm

John Williams (NSW, National Party)

On behalf of the Chair of the Joint Committee of Public Accounts and Audit, I present reports Nos 467 and 468, together with the executive minutes to various reports. I move:

That the Senate take note of the reports.

I seek leave to have the tabling statement incorporated into Hansard.

Leave granted.

The document read as follows—

Tabling Statement Report 467—Cybersecurity Compliance: Inquiry based on Auditor-General's report 42 (2016-17)

Mr President, I present the report from the Joint Committee of Public Accounts and Audit, titled Cybersecurity Compliance: Inquiry based on Auditor-General's report 42 (2016-17).

Cybersecurity is a strategic priority for the Australian Government. In 2013, the Australian Government set 30 June 2014 as the target date for entities to achieve compliance with the Top Four mitigation strategies.

The Top Four strategies represent the minimum cybersecurity requirement for Government entities, and according to the Australian Signals Directorate will stop 85% of cyber intrusions if implemented. The Committee is deeply concerned with the 2015-16 result whereby only 65% of non-corporate Commonwealth entities reported compliance.

Furthermore, three years and two Auditor-General reports later, neither the ATO nor the Department of Immigration and Border Protection are compliant with the Top Four strategies and are not cyber resilient. This is most concerning to the Committee as previous assurances had been made that compliance would be achieved during 2016. During the inquiry, the Committee also heard that the Immigration department was unable to provide a date for when full compliance with all Top Four strategies would be achieved.

The Committee also draws attention to the issue of the ATO and the Department of Immigration and Border Protection inaccurately self-assessing their compliance.

The Committee has recommended that both agencies report back on their progress to achieving full compliance with the mandatory cybersecurity strategies, as well as progress implementing the two Auditor-General recommendations. The Committee is also of the opinion that the self-assessment and reporting regime under the Government's framework requires further scrutiny, and recommended that the Auditor-General consider conducting a comprehensive audit to assess the regime's effectiveness.

This year the Australian Signals Directorate updated its cybersecurity strategies from the Top Four to the Essential Eight in response to the increasing threat of ransomware—such as the recent WannaCry virus. The Signals Directorate considers the Essential Eight as a cybersecurity 'baseline' for all organisations. In this light, the Committee recommended that the Government mandate the Essential Eight strategies for all Commonwealth entities.

The Committee also wishes to highlight that secure internet gateways add a valuable layer of cybersecurity. Acknowledging that Internet Gateways are complementary to other cybersecurity resilience, they too provide a sound baseline of protection within an entity's broader cyber resilience strategy. As such, the Committee has also recommended that the Internet Gateway Reduction Program be made mandatory for all Commonwealth entities.

As a strategic priority, it is crucial that Commonwealth entities are accountable to the Australian Parliament for their management of cybersecurity. The Inquiry found a number of key gaps in this area. To enhance accountability and transparency, the Committee has recommended:

The Committee recognises that cyber resilience is not solely ascertained through compliance with the Top Four or the Essential Eight strategies or the implementation of a secure internet gateway. The Committee stresses that good governance and a strong culture of prioritising cybersecurity within the context of entity-wide strategic objectives are essential elements to an entity achieving the goal of cyber resilience.

In conclusion, I would like to extend my thanks to all members of the Committee for their deliberations during this Inquiry.

I commend the report to the Senate.

Debate adjourned.