Signals Directorate Says Government’s Cyber Protection Still Too Low
The Australian Signals Directorate - ASD - has released a report stating that most government agencies are coming up short when it comes to cyber security, with more than 70% reporting ‘below baseline’ levels of protections, in spite of the fact they house remarkably sensitive data.
The ASD is the agency responsible for defending against foreign intelligence and cyber security threats against Australian businesses and individuals, and is warning that if left unaddressed, these pose a massive risk to the integrity of sensitive data, and a potential pay-day for hackers.
The report, which can be accessed here was presented to parliament three years after the national auditor presented its findings that critical data infrastructure in Australia remained extremely vulnerable. The report found that 73% of the agencies studied had either ‘ad hoc’ or ‘developing’ levels of cyber security maturity.
Ad hoc is the lowest possible score under its criteria, indicating only a “partial or basic implementation and management” of the top four principles. The ASD has published that 67% of NCCE’s have acknowledged the “need to raise the maturity of their cyber security against at least one of the top four strategies” as they move into the future.
These top four principles of cyber security have since been consolidated with the addition of four more, amounting to eight essential strategies that the ASD says is mandatory in order for NCCEs to mitigate the threat of a breach, or the damage of a data breach for the institution, but also members of the public that could potentially have their data accessed by an unauthorised third party.
What are the ASD’s Essential Eight?
Configure Microsoft Office Macro Settings
User Application Hardening
Restrict Administrative Privileges
Patch Operation Systems
A developing rating is said to mean the agency has a “substantial, but not fully effective” implementation of the top four. “Complete and effective implementation and management” of the top four amounts to a ‘managing’ rating, of which just 25% of Australia’s NCCEs received for “excelling at implementation of better practice guidance.”
The ASD says that the implementation of its ‘top four’ cybersecurity measures and strategies remains at “low levels across the Australian government,” which have been mandatory for a total of seven years now at non-corporate Commonwealth entities- NCCEs for short.
Authors of the report have stated that “in 2019, implementation of the essential eight across Commonwealth entities improved slightly in comparison to previous years. More entitled are taking steps to apply the baseline strategies and increase the maturity of their implementation.”
The report drew on data and information provided by the Australian Cyber Security Centre’s cybersecurity survey, which found that 50% of agency respondents had “progressed from partly to mostly aligned with the essential eight strategies on user application hardening,” between the years 2018-19. “This helps reduce the potential attack surface of Commonwealth workstations, as well as limiting adversaries’ ability to bypass other security controls,” the ASD wrote.
“While all of the Commonwealth entities assessed through the cyber uplift sprints were found to be taking positive and proactive steps to improve their cybersecurity, the ACSC assessed that they had not yet achieved the recommended maturity level for the essential eight.”
“As a result, these entities are vulnerable to current cyber threats targeting the Australian government,” it concluded.
The report concludes with a list of recommendations for agencies that, as they move into the future, they must focus on, including:
Continuing to review the ACSC’s cyber security advice.
Ensuring it is applicable, practical and effective for Commonwealth entities ensuring the recommended cyber security measures keep pace with new and emerging technologies and constantly evolving cyber threats.
Driving the modernisation of the Australian Government’s ICT systems to support the necessary cyber security posture, including stimulating and diversifying the ICT-skills pipeline.
Ensuring that baseline cyber security recommendations include detection and response readiness measures appropriate to the current cyber threat environment.
Providing security reports, tools and supporting infrastructure to Commonwealth entities to supplement their detection capabilities and improve resilience against cyber threats.
Increasing the situational awareness of the scope and scale of malicious activity impacting Australia, including increased monitoring, technical security controls and identifying known vulnerabilities of the networks of Commonwealth entities.