“Persistent optimism bias” in cybersecurity reporting by Commonwealth entities is muddying government oversight of the issues, with a parliamentary committee now calling for self-assessments to be subject to an external assurance process.
A Joint Committee of Public Accounts and Audit report, released on Thursday afternoon, called on the government to consider implementing “an assurance regime on agencies’ self-reporting to government on the cybersecurity aspects of the Protective Security Policy Framework (PSPF)”.
If not applied across the board, then the assurance process should apply on a risk basis to provide government a more accurate description of cybersecurity capabilities across non-corporate Commonwealth entities.
The committee argues that depending on self-assessments of the cybersecurity framework, compliance is “likely to remain inadequate regardless of any enhanced guidance or changes to the framework”.
The committee inquiry focused on the Australian National Audit Office’s (ANAO) 2021-22 financial statements audit, which included a focus on Commonwealth entities’ compliance with the PSPF — an ongoing struggle for the government since the framework was designed a decade ago.
In particular, the inquiry report flagged that of the 144 ‘relevant’ assessed entities in ANAO’s audit, 53 did not have a policy or timeline regarding the removal of user access once they had left the entity.
Committee chair and Labor MP Julian Hill said he was disappointed by the findings of the ANAO and called for immediate reform to curb the optimism bias present in self-reporting.
“This issue has gone on for too long, and it’s time government consider implementing an assurance regime on agencies’ self-reporting on cybersecurity compliance,” Mr Hill said.
“Agencies should not be able to disguise the true situation from the government in relation to public sector cybersecurity vulnerabilities.”
In a committee hearing in May, ACSC acting head Dr Derek Bopping said that optimism bias in cybersecurity self-assessments was due to misunderstandings around the Essential Eight, ensuring entities have a full understanding of their IT environment, and “nuances within internal systems that are not vulnerabilities from the outside”.
The Essential Eight is a set of baseline cybersecurity risk mitigation strategies developed by the Australian Signals Directorate to mitigate the most common and damaging cyber threats to government organisations. They include application whitelisting, multi-factor authentication and patching.
Since 2022, the Attorney-General’s Department (AGD) has mandated the implementation of the Essential Eight to a maturity level of ‘managing’, alongside four additional strategies. Before this change, only the Top Four controls were mandatory.
A voluntary peer-review process pilot on cybersecurity self-assessments was run by the AGD — which manages PSPF compliance — for the 2021-22 reporting period but the committee said it’s not considered a substitute for “robust external assurance process”.
The AGD also noted that PSPF Policy 10 – requiring entities to mitigate their exposure to cyber security risks – had the most frequent ‘ad-hoc’ ratings, the lowest level of compliance, of the 16 policies.
According to the most recent PSPF assessment report published in August 2022, Policy 10 was tied for the second highest proportion of ad-hoc ratings. It also highlighted that only 28 per cent of entities “had implemented these strategies to a ‘Managing’ or ‘Embedded’ level”.
Through a 2021 audit, the ANAO similarly noted that “implementation of cyber security risk mitigation strategies by the selected entities was not fully effective and did not fully meet the mandatory requirements of PSPF Policy 10”.
That audit also found that no Commonwealth entity had fully implemented the Essential Eight mandatory cyber security risk mitigation strategies.
The committee also backed the adoption of appropriate assurance measures at the AGD as recommended in an ANAO report released in May.
Another recommendation from the committee is to include performance measures in the annual performance statement of the AGD on the effectiveness of promoting compliance with the cybersecurity components of the PSPF. This is to improve “parliamentary and public visibility” of the department’s work.
The federal government announced it would establish a National Office for Cyber Security within the Department of Home Affairs’ Cyber and Infrastructure Security Group in March, committing $46.5 million in the 2023-24 federal budget.
The office will be led by national cybersecurity coordinator, Air Vice-Marshall Darren Goldie, who will coordinate the government’s response to major cyber incidents, building of the Commonwealth’s cybersecurity capability, and support Cybersecurity minister Clare O’Neil with policy development.
A new cybersecurity strategy will be released later this year in a bid to transform Australia in to “the world’s most cyber-secure country by 2030”, according to Ms O’Neil.
Ms O’Neil has repeatedly described the government’s cybersecurity policy as being five years behind where it should be, but that the Albanese government was helping Australia wake from its “cyber slumber”.
