The federal opposition has raised concerns with the lack of transparency from Commonwealth entities where cybersecurity is concerned.
During a hearing held by the Joint Committee on Public Accounts and Audit on Tuesday, representatives from the Australian National Audit Office (ANAO) were probed on the reasons why Commonwealth entities are continually performing low in audits of cybersecurity resilience.
Poking holes in the current reporting requirements, and highlighting a lack of accountability when Commonwealth entities come up short, Shadow Assistant Minister for Cyber Security Tim Watts said the cybersecurity of Commonwealth entities is poor, and that no one seems to be held accountable for it.
He said the entities in question are still being asked to “mark their own homework” with little external oversight.
ANAO was asked why the Protective Security Policy Framework is not mandatory for all Commonwealth entities, and why, given they’re called the Essential Eight, only the Top Four is looked at.
“It’s not uncommon within the Commonwealth public sector that mandated rules from the centre apply to the non-corporate sector, but not to all of the corporate sector,” Auditor-General Grant Hehir said. “You’ll find that across a lot of areas like procurement, grants, and in the [Protective Security Policy Framework].
“We’d think that there probably could be more consistency in how those frameworks are put in place.”
On the not-so essential Essential Eight, Hehir said it’s mostly to do with the transition from the previous method that was in place since 2013.
See also: ASD Essential Eight cybersecurity controls not essential: Canberra
In 2019, ANAO cyber-resilience audits had found that 29% of agencies audited were compliant with the Top Four, whereas 60% of departmental self-assessments found themselves to be compliant.
Watts called it an inaccurate self-assessment.
“If you look at the evidence from our audits, one conclusion we can draw is that the framework that was in place wasn’t driving the behavioural change to ensure that the regulatory stance was robust enough,” Hehir said.
“I think they are questions more to the organisations responsible for setting the framework rather than us. But we’d like to see the framework being implemented resulting in cybersecurity, and if it’s not then the argument is why not? Some of that has to go to the robustness of the regulatory framework.”
The Attorney-General’s Department (AGD) and the Department of Home Affairs are the key regulatory entities, but Watts said when the issue was put to the AGD during Senate estimates last year, the department didn’t believe that the different results found in Commonwealth entity self-assessments and in ANAO audits were a problem.
Watts asked if ANAO had concerns with the repeated poor performance of Commonwealth entities on the cyber resilience front. Hehir said cybersecurity is recognised as an important control for all government entities, but that ANAO wouldn’t be auditing so much if there was a massive improvement.
“We started our audit into this framework when it was implemented … we wouldn’t be auditing as much as we do if we had seen a progressive improvement through time,” he added.
“I don’t think you would be seeing us putting out an audit every year into this space — the level of work we do is a reflection of our concerns about the level of compliance within the sector. It goes not just to individual entities but to the effectiveness of the framework.”
On an increase in transparency from government entities where cybersecurity is concerned, the committee raised the concept of “naming and shaming” those consistently performing poorly, a way to light a fire underneath them to lift their posture.
There isn’t a way, ANAO said, that the committee could name and shame under the current arrangements, however.
ANAO was asked if there was any way the ministers overseeing Commonwealth agencies that have failed to implement basic cybersecurity measures could be held accountable. The committee also again called for public reporting on individual agencies’ compliance with the Essential Eight, saying previous testimony from departmental spokespeople missed the mark, claiming transparency “may provide a heat map for vulnerabilities in federal government networks which malicious actors may exploit and thus increase an agency’s risk of cyber incidents”
Watts said ANAO was the only Commonwealth entity that provided a response under previous questioning. He also dismissed the idea that doing so left it vulnerable.
“I think what we thought was that answering the question in as transparent a way as we could, with minimising that risk, was the appropriate thing for us to do. I can’t comment on what other agencies thought,” Hehir said.
Watts said transparency could increase cybersecurity by creating incentives for improved performance through public accountability.
“I get the fact that you can’t comment on individual instances. But when we start to see a pattern where it’s almost a get-out-of-jail-free card, when you’re asking agencies to comment on their cybersecurity posture and they say, ‘Oh, we can’t comment on that because it might risk our cybersecurity’ or, ‘We’ll only talk to you about that in secret’, it starts to undermine the whole intent of that transparency framework,” Labor MP and committee deputy chair Julian Hill added.
“I understand you can’t comment on the individual, but surely it raises concerns if we start to see a pattern.”
On accountability, Hehir said it’s the responsibility of each entity to ensure compliance with the mandatory frameworks.
“We’ve been travelling down this road for a few years,” Hehir said.
“We have built a framework, which is around 13 behaviours and practices that we assess against, for testing [cyber resilience]. What we’re trying to test, looking at those behaviours and practices, is, to some extent, whether the leadership of an organisation goes beyond putting out an instruction saying that something should happen and into whether they’re embedding it in the day-to-day management and practices of the entity.
“Like most compliance frameworks, if you want them to change their behaviour and achieve the objective, rather than ticking a box, you need to have leadership from the top saying and behaving as if it’s important.”
Hehir said it goes beyond people being sacked or not getting a performance bonus, but rather it goes to how they’re managed.
“It’s hard to measure that directly, so we’ve got this framework of 13 behaviours and practices that we try and get as an indicator of culture and how that resilient culture operates,” he said.