John Hilvert | Canberra
The Joint Committee of Public Accounts and Audit’s (JCPAA) inquiry into continuing non-compliance by major agencies with cyber security has been informed that public service culture undermines effective cyber security.
The inquiry was prompted by the Auditor-General’s report 42 (2016-17), which found the Australian Tax Office (ATO) and the Department of Immigration and Border Protection (DIBP) were still not assessed as cyber resilient, and it has put the implementation of the Government’s cyber security strategy under fire.
The ANAO found “fundamental” obstacles for these agencies, due to the lack of effective governance arrangements, strategic prioritisation of cyber security, and a clear and effective cyber security strategy.
The report flunked them on the mandatory application whitelisting and software patching requirements set by the Australian Signals Directorate. Application whitelisting permits only approved applications to run on an ICT system, so unauthorised or malicious programs are blocked by default.
The ATO submission attributed its failure to patch and whitelist to recent problems with its SAN (storage area network) hardware, which meant whitelisting on some servers had to be disabled and later re-enabled. It added that patching cycles had since recommenced and that the majority of its servers would have whitelisting re-enabled by June 2017.
At the time of writing, the DIBP was yet to make a submission to the Inquiry.
Other submissions questioned whether the whitelisting requirement may be “counterproductive”, diverting effort from implementing a full set of security controls.
“The current top mandatory strategy is to implement a very aggressive form of whitelisting,” observed Ian Brightwell, an ICT executive and consultant with over 30 years’ experience.
He argued that whitelisting controls across every device in a typical agency would be “impossible” and potentially counterproductive. In Brightwell’s opinion it could cause more disruption than benefit and take valuable resources away from implementing more appropriate ICT general controls, which would do more to improve an agency’s cyber security posture.
Whitelisting was more easily implemented in agencies with a limited number of Standard Operating Environments (SOEs) that do not change regularly, he wrote.
“This is at odds with the needs of typical agencies, which have groups of users who need a flexible environment that is incompatible with whitelisting.”
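The friction described above, where a patch cycle or a changing SOE collides with an allowlist, is easy to see in a small model. The following is an added illustration, not code from the inquiry, the ANAO, the ATO or any submission; it assumes two common rule types (exact file hashes and administrator-controlled directories) and uses constructed byte strings in place of real executables.

```python
"""Toy application-allowlist (whitelist) evaluator.

Added illustration, not code from the inquiry or any agency. It models the
control the article describes (only approved executables may run, all else is
denied) with two rule types, and shows why a hash-only allowlist and a patch
cycle collide. The sample 'binaries' below are constructed byte strings.
"""
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Allowlist:
    # Hash rules: exact SHA-256 digests of approved executables.
    hashes: set = field(default_factory=set)
    # Path rules: directories only administrators can write to. A path rule
    # is only as strong as the write ACL on that directory, so a
    # user-writable location must never appear here.
    trusted_dirs: tuple = ()

    def decide(self, path: str, content: bytes) -> tuple:
        """Return (decision, reason); anything unmatched is denied."""
        digest = sha256(content)
        if digest in self.hashes:
            return "allow", f"hash rule matched {digest[:12]}"
        for directory in self.trusted_dirs:
            if path.lower().startswith(directory.lower()):
                return "allow", f"path rule matched {directory}"
        return "deny", "default deny: no rule matched"


# Constructed samples (hypothetical names and contents).
CALC_V1 = b"MZ\x90\x00calc-1.0"        # approved build of an agency tool
CALC_V2 = b"MZ\x90\x00calc-1.1"        # same tool after the monthly patch
DROPPER = b"MZ\x90\x00totally-legit"   # unapproved binary a user downloaded

PROGRAM_FILES = "c:\\program files\\"
DOWNLOADS = "c:\\users\\alice\\downloads\\"


def hash_only_policy() -> Allowlist:
    """Approve one exact build and nothing else."""
    return Allowlist(hashes={sha256(CALC_V1)})


def hash_and_path_policy() -> Allowlist:
    """Same hash rule plus trust for the admin-only install directory."""
    return Allowlist(hashes={sha256(CALC_V1)}, trusted_dirs=(PROGRAM_FILES,))


def run_scenario(policy: Allowlist) -> dict:
    """Evaluate three execution attempts under a policy, keyed by sample."""
    cases = {
        "calc_v1": (PROGRAM_FILES + "calc.exe", CALC_V1),
        "calc_v2_after_patch": (PROGRAM_FILES + "calc.exe", CALC_V2),
        # Same file name as the approved tool, but run from a user directory.
        "dropper_in_downloads": (DOWNLOADS + "calc.exe", DROPPER),
    }
    return {name: policy.decide(p, c)[0] for name, (p, c) in cases.items()}


if __name__ == "__main__":
    for label, policy in (("hash only", hash_only_policy()),
                          ("hash + path", hash_and_path_policy())):
        print(label, run_scenario(policy))
```

Under the hash-only policy the patched build is denied the moment it lands, which is the kind of breakage that forces an operator to switch the control off during maintenance; the path rule keeps the patched tool running without admitting the look-alike binary from the user's Downloads folder, but it shifts the security burden onto the directory's access controls.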
A weak Privacy Commissioner was another potential reason for major agencies’ failing cyber resilience tests, according to a submission from Peter Clarke, Barrister at Law.
“The Privacy Commissioner has been, in the main, a timid regulator,” Clarke wrote, “even when funding was reasonable by wrongly focussing on education over enforcement.”
“Educate till you nauseate seems to be the office mantra. It is necessary to do both,” Clarke stated.
These issues may be pursued further at the JCPAA’s public hearing in Canberra, scheduled for 12 May.