Samira Sarraf
Regional Editor for Australia and New Zealand

NSW agencies fear cyberattacks after report finds ‘significant weaknesses’

News Analysis
Nov 03, 2021 | 7 mins
Compliance, Cyberattacks, Government IT

The nine state government agencies audited asked the auditor general to not report the findings to Parliament, fearing it would expose weaknesses to cyberattackers.

Significant weaknesses and noncompliance were found in an audit of nine New South Wales state government agencies, according to the latest Audit Office of New South Wales report on cybersecurity compliance. The audit was done against the NSW Cyber Security policy (CSP).

The agencies audited were Department of Premier and Cabinet; Department of Communities and Justice; Department of Customer Service; Department of Education; Department of Planning, Industry, and Environment; Department of Regional NSW; Ministry of Health; Treasury; and Transport for NSW, specifically the former functions of Roads and Maritime Services.

Audit findings show poor cybersecurity efforts by NSW agencies

The audit assessed nine agencies’ compliance with the NSW CSP in 2020 as of 30 June 2020. The NSW CSP replaced the NSW Digital Information Security Policy on 1 February 2019.

The audit found deficiencies in reporting, self-assessment, maturity levels, and actions taken. Some of the findings suggest that agencies provided their assessments without careful consideration of what they were expected to do. For example, attestations did not accurately reflect whether agencies had implemented the requirements: of the nine participating agencies, seven did not modify the pro forma wording in their attestation to reflect their actual situation, and only two changed the wording to do so.

Participating agencies did not support all their self-assessments with evidence and had overstated their maturity assessments, limiting the effectiveness of agency risk-management approaches. Agencies’ self-assessments across government exposed poor levels of maturity in implementing the mandatory requirements and the Essential Eight controls.

The audit points out that the NSW Cyber Security Policy gives much leeway to the agencies in implementing the Essential Eight mitigation strategies, IDC senior analyst John Feng told CSO Australia. (Cyber Security NSW modified the ACSC model for implementation of the Essential Eight.)

“With self-assessment, it is easy to overlook certain weaknesses because familiarity makes it feel right. Combine this with the cybersecurity skills shortage and other competing digital priorities, and it is not a surprise the adoption of the Essential Eight model is less than satisfactory,” Feng said. Still, “the audit report is a good wake-up call. The road to improvement starts with objective, accurate assessment of the cybersecurity posture and maturity level relating to the NSW Cyber Security Policy.”

Other findings in the audit include that, because the CSP allows agencies to determine their own target level of maturity for implementing the mandatory requirements, an agency can end up not practicing a policy requirement at all, or implementing it only on an ad hoc basis. These determinations do not need to be justified.

Some comparable jurisdictions require formal risk-acceptance decisions where requirements are not implemented. The NSW CSP does not require that records of how agencies considered and decided which measures to adopt be documented and auditable, which limits the transparency and accountability of the decisions made.

All the participating agencies had implemented one or more of the mandatory requirements on an ad hoc or inconsistent basis. None of the participating agencies had implemented all the Essential Eight controls at Level 1, and eight of the nine agencies audited had not implemented any of the Essential Eight strategies to Level 3.

Of the 104 agencies in the NSW public sector that self-assessed their maturity in implementing the mandatory requirements, only five assessed their maturity at Level 3 or above on the five-point maturity scale. For the auditor general, this means that 99 agencies either practiced requirements within the framework in what the CSP’s maturity model describes as an ad hoc manner, or did not practice the requirement at all. “Cyber Security NSW and NSW government agencies need to prioritise improvements to their cybersecurity and resilience as a matter of priority,” wrote NSW Auditor General Margaret Crawford in the report.

Despite the poor result of the audit report, IDC’s Feng sees that understanding of cybersecurity is gradually maturing in Australia, and not only in government, with the topic routinely listed as one of the top concerns for CIOs and other senior executives. “Government respondents in IDC ANZ IT Services Ecosystem Survey 2020 indicated that cybersecurity services are the top priority in technology deployment plans, and security management is to enjoy the most net increase in number of government organizations lifting their budgets,” he said. “This shows that IT leaders are taking cybersecurity seriously and are willing to allocate more resources to it.”

Agencies asked that specific findings not be reported to Parliament

The nine agencies requested that the findings not be reported to Parliament, arguing that doing so would expose their weaknesses to threat actors. As a result, the auditor general modified the final report to anonymise the agencies, even though the findings were more than a year old.

Auditor General Crawford said she agreed to this request “reluctantly” because the vulnerabilities identified had not yet been remedied. She said that time, leadership, and prioritised action should have been sufficient for the agencies to improve their cybersecurity safeguards, and she believes that transparency and accountability to the Parliament are part of the solution, not the problem.

The request for anonymity is not an indication of agencies trying to shy away from their failure to meet the mandated cybersecurity requirements, IDC’s Feng said. “The report assesses the maturity level of implementing NSW Cyber Security Policy mandatory requirements.” Agreeing with the agencies’ rationale for not revealing where specifically the deficiencies lie, he said, “Detailing how mature a specific agency is in each of the areas could give cyber adversaries a more targeted view of that agency’s cybersecurity stance, hence increase the potential threat.”

NSW auditor general repeats previous recommendations

In her report, for the third time, the auditor general is making the same recommendation to the state agencies as before: They need to prioritise improvements to cybersecurity resilience as a matter of urgency. She wrote in the report’s foreword:

The poor levels of cybersecurity maturity are a significant concern. Improvement requires dedicated leadership and resourcing. To comply with some elements of the government’s policy, agencies will have to invest in technical uplift, and some measures may take time to implement. However, other elements of the policy do not require any investment in technology. They simply require leadership and management commitment to improve cyber literacy and culture. And they require accountability and transparency. Transparent reporting of performance is a key means to improve performance.

The report recommended that Cyber Security NSW monitor and report compliance with the CSP, require agencies to report the target and achieved levels of maturity, require agencies to justify why it is appropriate to target a low level of maturity, require the agency head to formally accept the residual risk, and challenge agencies to target maturity levels.

The impact on private organisations and services providers

With the Essential Eight’s use growing due to state governments choosing it as one method to help agencies self-assess and decrease the risk of cyberattacks, private organisations providing services to state agencies may begin implementing Essential Eight as well. For example, the Attorney General’s Department has signalled its intent to strengthen provisions in the Protective Security Policy Framework (PSPF), so all noncorporate government entities will be mandated to implement the Essential Eight.

“It’s not unreasonable to expect Australian government organisations that are subject to more stringent requirements under the PSPF will in turn seek to ratchet up commercial obligations on private organisations that are collecting, storing, processing, and disclosing government or citizen data in the delivery of services,” Gartner analyst Richard Addiscott told CSO Australia. “Strengthened commercial obligations could make them demonstrate how their cybersecurity controls environment aligns to the Essential Eight, with a view that they achieve an agreed maturity implementation level, if they haven’t already.”

This same pressure could apply to private organisations providing upstream or downstream services to critical infrastructure providers, as they seek to demonstrate a positive security obligation in accordance with the amendments to the Security of Critical Infrastructure Act 2018 being considered by the Senate in November 2020, Addiscott said.

He said that Gartner clients have shared that the Essential Eight is increasingly a topic discussed at the board level, with 88% of all boards now considering cybersecurity to be a business risk, not a technology or IT risk. “This is likely to be a welcome trend for CISOs.” But compliance with the Essential Eight should not be viewed as a guarantee that the security job is complete, and shouldn’t be regarded “as the endgame for the enterprise cybersecurity program”, he added.