For years now, Crikey has kept a lonely vigil over one of the more bemusing administrative scandals of recent times in the Australian Public Service: the failure of departments and major agencies to meet the most basic requirements of cybersecurity put in place back when Labor was last in government in 2013 (you can find a history of the saga here).
When we last checked in March 2021, the auditor-general had busted Prime Minister and Cabinet, and Attorney-General — two departments you’d kinda sorta wanna think might be pretty focused on security — not just for not being compliant with the original “top four” requirements put in place back in 2013, but for claiming they were compliant when they weren’t.
Since then the top four has been expanded to the more alliterative “essential eight” and enshrined in the Protective Security Policy Framework Policy 10, “Safeguarding data from cyber threats”. Throughout that time, progress to meeting either the four or the eight by most departments has been ridiculously slow — and attempts by bureaucrats to explain away their failures when MPs like Labor’s Tim Watts pursued them just ridiculous.
The repeated failure to comply with cybersecurity basics grew so embarrassing, departments began criticising the Australian National Audit Office (ANAO) for drawing attention to the fact that they were vulnerable, and insisted it no longer report departments’ failures individually — a classic case of national security being invoked to spare the blushes of officials.
This week, in its sixth look at the issue, in the context of one of its regular reports on the key financial controls of departments and major government entities, the ANAO has checked in on progress, looking at cybersecurity basics in relation to the preparation of financial statements. The result is a sense of resigned exasperation from the auditors:
Since 2013, the ANAO has conducted a series of performance audits focused on assessing entities’ implementation of the PSPF cybersecurity requirements. These performance audits continue to identify low levels of compliance with mandatory PSPF cybersecurity requirements and concerns in annual self-assessments by entities. The ANAO has reported its concern that there is little evidence through the series of audits that the regulatory framework had driven sufficient improvement in entities mitigating their cybersecurity risks since 2013.
Has 2022 seen a turnaround? Yeah … nah. For the 19 departments and agencies examined, there’s been progress in achieving most of the eight, but off a low base. The most widely complied-with requirement, restricting administrator privileges, hasn’t improved in the last year, and remains at 12 of the 19; barely a quarter of agencies report having complied with some other requirements.
Two agencies actually reported that they went backwards. “Of the 19 entities assessed, two had self-assessed as achieving a Managing maturity level,” ANAO reported.
Its conclusion?
The PSPF cybersecurity requirements have been in place since 2013, with the March 2022 update mandating the implementation of all Essential Eight mitigation strategies. Entities’ inability to meet previous requirements indicates a weakness in implementing and maintaining strong cybersecurity controls over time. Previous ANAO audits of entity compliance with PSPF cybersecurity requirements have not found a significant improvement over time. The work undertaken as part of this review indicates that this pattern continues, with limited improvements.
For a public service increasingly unable to perform the basics of policy administration, it’s a potent symbol of decline.
