An inspection by the Australian National Audit Office (ANAO) has exposed the failure of government organizations to implement cybersecurity requirements.
The ANAO’s fourth report on the cyber resilience of government departments and agencies states that, apart from the Treasury Department, both the National Archives and Geoscience Australia failed to implement the Top Four mandatory cybersecurity strategies mandated by the Australian Signals Directorate (ASD).
“This audit identified relatively low levels of effectiveness of Commonwealth entities in managing cyber risks, with only one of the three audited entities compliant with the Top Four mitigation strategies. None of the three entities had implemented the four non-mandatory strategies in the Essential Eight and were largely at early stages of consideration and implementation. These findings provide further evidence that the implementation of the current framework is not achieving compliance with cybersecurity requirements and needs to be strengthened,” the ANAO said in its report.
The Top Four mandatory strategies are application whitelisting, application patching, operating system patching, and restriction of administrative privileges. The ASD also recommends four further, non-mandatory mitigation strategies for all government bodies; together these make up the Essential Eight. According to the ANAO, implementation of the Top Four has been mandatory since April 2013.
The ANAO also found that Geoscience Australia is vulnerable to cyberattacks because it has not complied with any of the Essential Eight cybersecurity strategies.
“Geoscience Australia was assessed as vulnerable, with a high level of exposure and opportunity for external attacks and internal breaches and unauthorized disclosures of information. Geoscience Australia has traditionally had a culture of scientific independence that it had allowed to override resilience considerations,” the report found.
Geoscience Australia agreed with the ANAO’s recommendations and said in a statement: “Geoscience Australia is committed to improving its security compliance and cyber resilience to a level appropriate for a government organization that plays a role in providing scientific information and services to industry and the broader community.”
A parliamentary committee has also recommended making it mandatory for government bodies to implement the Australian Signals Directorate’s Essential Eight cybersecurity strategies in order to build a positive cyber resilience culture.