DFAT, ATO and AFP still failing to follow cyber security policy requirements, ANAO report finds

The Foreign Affairs Department, along with the Australian Taxation Office and the Australia Federal Police, were all marked as having "not fully effective" cyber security arrangements by the Australian National Audit Office in a report released on Wednesday.

It comes a week after Home Affairs Minister Clare O'Neil unveiled a panel of experts would develop a new cyber security strategy in a bid to make Australia the most secure nation in the world, having become "unnecessarily vulnerable".

The Auditor-General's latest report follows repeated warnings over the years, indicating a majority of government agencies remained vulnerable to cyber major cyber attacks and regularly fell short of security expectations.

Across the markers of risk and contract management, the three agencies scored between "ad hoc" - the lowest mark - and "developing" - a step above the lowest mark.

All agencies had self-assessed themselves as "managing" across the main requirements - the second-highest rating.

The marks are rated against the government's mandatory protective security policy framework, which forces agencies to self-assess against cyber security requirements and procurement administration, including the monitoring and treatment of non-compliance by the private companies it contracts to undertake cyber security work.

DFAT and AFP had no processes in place to assess and manage procurement cyber security risks, the audit report outlined.

The two also did not have processes to manage whether a cyber security contractor was compliant with the government's security policy, nor what it would do if it found out a supplier was non-compliant.

While the tax office fared marginally better in the audit office's eyes in assessing and managing cyber security contractor risks, it fell down on providing documents to show how it verified information by contractors on compliance or how it dealt with non-compliance.

READ MORE:

None of the agencies required their procurement teams to consult with cyber security specialists over a potential procurement's cyber security risks or when considering the government's mandatory security requirements.

Across the federal government, a total of 19,270 contracts worth around $14.8 billion were entered into during the 2021-22 financial year to provide information communications technology work.

The audit office said the sheer number and cost of contracting these private providers showed the government's reliance on the sector and presented risks to its supply chains.

"The limited influence and control over outsourced service providers of information communications technology (ICT) and cyber security services increases the cyber security risks arising from an entity's supply chain," the report said.

"The management of cyber security risks within procurements continues to be challenging for NCEs [non-corporate entities] with 51 per cent being reported in AGD's PSPF Assessment Report 2020-21 as not fully implementing Policy 6.

"This dependency on contractors for ICT capabilities and the increase in malicious cyber activities against contractors who hold government information increases the risks associated with government supply chains."

The ATO and DFAT agreed to all audit report's recommendations to improve processes so the holes were plugged while the federal police agreed in part, noting it already had "significant insights" as the only agency able to investigate cyber crime.

The latest audit report follows a series of earlier findings revealing a number of agencies had rated themselves higher on cyber security policy adherence than external auditors.

In December 2020, the audit office warned nearly three-quarters of government agencies had cyber security ratings deemed as "ad hoc" and were vulnerable to major cyber threats.

Auditor-General Grant Hehir last year said the public sector's implementation of cyber security gave "little assurance" to the government or the parliament that agencies were adhering to mandatory requirements.

Audits of procurement also showed "the sector's approach regularly falls short of expectations", he said.

Two major cyber attacks have rocked the country in the months following the Labor government's win at the election.

Major telco Optus revealed in September more than 2.1 million customers had their ID documents exposed following a massive data breach.

Meanwhile, private insurer Medibank was hacked by a Russian ransomware group the following month, which has stolen data from millions of current and former Medibank customers.