ACT audit praises IT security; without testing it


news The ACT Auditor-General’s Office has published a report praising the security of the territorial government’s IT systems, basing its conclusions on the evidence presented by government staff, but without actually testing that security, as some State Governments have done over the past several years.

The report published late last week by the auditor (PDF), is entitled Whole-of-Government Information and Communication Technology Security Management and Services. The stated objective of the audit was to provide an independent opinion to the ACT’s Legislative Assembly on whether procedures around IT security were well-defined, managed and communicated within the territorial government.

In general, the audit report found that they were. “The protection of the ACT Government network is robust,” the report stated. “Shared Services ICT Security Section’s security regime has successfully defended against over one million attempts to access the ACT Government’s network in the nine month period to 31 March 2012 … the administrative structures and processes that support whole-of-government ICT policies and procedures are overall satisfactory”.

However, the auditor also disclosed in the report that no penetration testing of the ACT Government’s IT infrastructure had taken place as part of the audit.

In its report, the auditor wrote that its approach to the project consisted of reviewing literature and work undertaken on the subject by other jurisdictions; identifying the agencies responsible for whole-of-government policies and procedures, determining their administrative role and assessing the degree to which they fulfilled their functions; and briefings, interviews and correspondence with, and reporting to, relevant agency staff.

“The audit did not examine individual ICT security systems,” the report found. “Conclusions on the adequacy of controls over unique systems cannot therefore be extended to systems that were not subject to audit … A future discrete audit of directorates’ and agencies’ application of ICT security may be worthwhile once any recommendations from this audit are implemented.”

This non-technical approach differed markedly from the approach taken by other Australian Government jurisdictions such as the State of Western Australia, when carrying out similar IT security audits over the past several years. In June 2011, WA Auditor-General Colin Murphy published an extensive audit of the State Government’s IT security, finding that none of a wide range of government departments and agencies in the state were currently able to prevent basic cyber-attacks against their IT infrastructure — or even detect that they had taken place.

Murphy revealed his office had recently conducted “benign” cyber-attacks on 15 different departments and agencies in the state, including major departments such as the Departments of Education and Health, those holding sensitive information such as Legal Aid WA and the Department of the Attorney-General, and others such as Lotterywest. The first wave of attacks saw preliminary scans conducted on agencies’ networks by the Security Research Centre at Edith Cowan University, using publicly available software downloaded for free from the Internet. “These preliminary scans were deliberately hostile (prolonged and continuous) in a best effort to have our activity detected without making the test a denial of service (DoS),” the report states.

The second stage, which attacked three agencies, saw information gained from the scans used to exploit security vulnerabilities, with the aim of accessing government information. In a separate attack, the Office of the Auditor-General took a different approach, physically scattering 25 USB keys around 15 different departments and agencies, with about half left in areas open to the public such as receptions or cafeterias, and half left in areas not accessible to the public.

If a government worker plugged one of the USB keys into their PC, read one of the files on it and then launched a program, the USB key would “phone home” to the Office of the Auditor-General, reporting its location and sending back some basic network information.

The results of the overall audit were stark. “Fourteen of fifteen agencies failed to detect, prevent or respond to any of our hostile scans,” the report stated at the time. The WA Auditor-General noted that eight agencies actually picked up the USB keys left lying around their offices, plugged them in and activated the software contained therein, despite the fact that the message contained on the USB devices, and the steps required to run the software, should have made staff “suspicious and wary”.

Similar reports have been published in Queensland and New South Wales over the past several years, with both finding that each state had significant problems guaranteeing basic IT security to their departments and agencies.

The ACT audit did note some shortcomings in the territorial government’s IT security practices. For example, it noted that a website hosted outside the ACT Government’s network had been compromised, and that it was important that the ACT Government’s IT security advisor role be reinforced and supported across government, in order to help ensure that departments and agencies were complying with IT security guidelines.

In addition, it noted that few IT systems had a security plan. “Despite it being a requirement, only 5% of the ACT Government’s 1025 information management systems have a system security plan; and even fewer, some 2.24% have a threat and risk assessment. The reasons for this were not able to be ascertained. This is an issue that needs to be addressed.” The risk of ACT Government information being extracted was also increased by the fact that the ACT Government does not have an electronic records management system, making it hard to track the flow of information and who could access it.

Despite the lack of IT security testing in the report, the ACT Auditor-General’s Office issued a media release (PDF) noting that “the protection of the ACT Government network is robust.”

opinion/analysis
Do I believe that the ACT Government’s IT security is “robust”? No, I don’t. Not for an instant.

Personally, I believe that most State and Territorial Governments right around Australia have woeful IT security right now — security that would be pathetically easy to break through — as easy as dropping a few USB keys loaded with malware in a handful of government facilities in each state. Eventually, as was proven in Western Australia, a few bureaucrats would plug the keys into a PC, and whoops! There goes the network.

The ACT Government doesn’t have an electronic records management system and it doesn’t have security strategies for the vast majority of its IT systems. Its claim that it has defended “over one million” attempts to breach its network in a nine month period is laughable. No doubt the overwhelming majority of those attempts were automated spam or malware sent into the Government’s email system, or relatively harmless pings of its web servers. I highly doubt that any really serious attempt to breach the ACT Government’s IT systems would be met with substantial resistance.

I would be extremely happy to be proven wrong with respect to my opinion — it would be fantastic if the ACT Government’s IT systems were indeed “robust”. But in the absence of evidence to the contrary, I choose to believe that the WA Government’s Auditor-General has the more accurate view of public sector IT security at this point. I suggest that the ACT Auditor-General’s Office should review the available literature. If it does, it will likely find that its brother and sister auditing organisations in states and territories around Australia have very little confidence in the IT security of their client governments. And without any actual testing having been conducted, in the ACT we have to assume the same.
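The two audit approaches above come down to what is actually measured. The WA scans were made “prolonged and continuous” precisely so that a competent monitoring team would notice one source methodically working through ports and hosts; the ACT figure of “over one million attempts” defended is, by contrast, just a count of blocked events, which any Internet-facing firewall accumulates from worms and scanners. The script below is an added example written for this article, not code from either audit office: it parses a constructed batch of firewall deny lines (the log format and addresses are hypothetical) and shows how the raw “attempts” count is dominated by a handful of sources that look like deliberate scans, which are the events a detection test would expect to have been alerted on. Thresholds are arbitrary illustration values.

```python
"""Separate raw 'blocked attempts' from sources that behave like deliberate scans.

Added example for illustration only: the log format, addresses, timestamps and
thresholds below are constructed and are not drawn from either audit report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall deny events (hypothetical syslog-style format).
SAMPLE_LOG = """\
2012-03-01T10:00:01 DENY src=203.0.113.10 dst=198.51.100.5 dport=21 proto=tcp
2012-03-01T10:01:01 DENY src=203.0.113.10 dst=198.51.100.5 dport=22 proto=tcp
2012-03-01T10:02:00 DENY src=203.0.113.14 dst=198.51.100.5 dport=22 proto=tcp
2012-03-01T10:02:01 DENY src=203.0.113.10 dst=198.51.100.5 dport=23 proto=tcp
2012-03-01T10:03:01 DENY src=203.0.113.10 dst=198.51.100.5 dport=25 proto=tcp
2012-03-01T10:03:15 DENY src=203.0.113.11 dst=198.51.100.5 dport=445 proto=tcp
2012-03-01T10:04:01 DENY src=203.0.113.10 dst=198.51.100.5 dport=80 proto=tcp
2012-03-01T10:04:30 DENY src=203.0.113.14 dst=198.51.100.6 dport=22 proto=tcp
2012-03-01T10:05:01 DENY src=203.0.113.10 dst=198.51.100.5 dport=110 proto=tcp
2012-03-01T10:05:40 DENY src=203.0.113.12 dst=198.51.100.6 dport=1433 proto=tcp
2012-03-01T10:06:01 DENY src=203.0.113.10 dst=198.51.100.5 dport=143 proto=tcp
2012-03-01T10:06:10 DENY src=203.0.113.13 dst=198.51.100.8 dport=80 proto=tcp
2012-03-01T10:06:10 DENY src=203.0.113.13 dst=198.51.100.8 dport=80 proto=tcp
2012-03-01T10:06:11 DENY src=203.0.113.13 dst=198.51.100.8 dport=80 proto=tcp
2012-03-01T10:07:00 DENY src=203.0.113.14 dst=198.51.100.7 dport=22 proto=tcp
2012-03-01T10:07:01 DENY src=203.0.113.10 dst=198.51.100.5 dport=443 proto=tcp
2012-03-01T10:08:00 DENY src=203.0.113.15 dst=198.51.100.5 dport=0 proto=icmp
2012-03-01T10:08:01 DENY src=203.0.113.10 dst=198.51.100.5 dport=445 proto=tcp
2012-03-01T10:09:01 DENY src=203.0.113.10 dst=198.51.100.5 dport=3389 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)


def parse_log(text):
    """Turn deny lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def classify_sources(events, port_threshold=5, host_threshold=3,
                     sustained=timedelta(minutes=5), min_hits=5):
    """Per source, flag behaviour a scan detector should catch.

    A source is a 'scan' if it probes many ports on a host (vertical scan),
    the same port on many hosts (horizontal sweep), or keeps at it for a
    sustained period. Everything else is treated as background noise.
    """
    per_src = defaultdict(list)
    for ev in events:
        per_src[ev["src"]].append(ev)

    verdicts = {}
    for src, evs in per_src.items():
        ports = {e["dport"] for e in evs}
        hosts = {e["dst"] for e in evs}
        times = sorted(e["ts"] for e in evs)
        span = times[-1] - times[0]
        reasons = []
        if len(ports) >= port_threshold:
            reasons.append(f"vertical scan: {len(ports)} distinct ports")
        if len(hosts) >= host_threshold:
            reasons.append(f"horizontal sweep: {len(hosts)} distinct hosts")
        if span >= sustained and len(evs) >= min_hits:
            reasons.append(f"sustained: {len(evs)} hits over {span}")
        verdicts[src] = {"hits": len(evs), "scan": bool(reasons),
                         "reasons": reasons}
    return verdicts


def summarize(text, **thresholds):
    """The headline count versus the figures a reviewer should ask for."""
    events = parse_log(text)
    verdicts = classify_sources(events, **thresholds)
    scanners = sorted(s for s, v in verdicts.items() if v["scan"])
    return {
        "total_denies": len(events),          # the 'attempts defended' number
        "distinct_sources": len(verdicts),
        "scanners": scanners,                 # what detection should have raised
        "noise_sources": sorted(set(verdicts) - set(scanners)),
        "denies_from_scanners": sum(verdicts[s]["hits"] for s in scanners),
        "reasons": {s: verdicts[s]["reasons"] for s in scanners},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, 19 blocked events come from six sources, but two of them (a vertical scan of ten ports and a three-host SSH sweep) account for 13 of the 19; the remaining four sources are single worm-style probes, a retransmitted web request and a ping. The question an auditor should put to a “one million attempts” claim is not the total but whether the sources in the scanners list were detected and acted on while the scan was still running.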

4 COMMENTS

  1. Did you talk to Peter Major at ACT Shared Services before writing up your opinion?

    I agree the written for politicians report is laughable, especially the attacks defended metric, but you’ve not included any comment from anyone on the ground. Sounds like reporting by press release to me. Your opinion may be (probably is) spot on, but I think you can do better.

    • You’re right, the article would have been better with comment from the IT guys on the ground, and I apologise for this, but unfortunately I don’t always have enough time for that. It’s the sad reality of operating a small media outlet ;) Usually people will come out of the woodwork on their own and get in contact if they think the issue is important enough. My life was easier when I had a dedicated team of journalists at ZDNet to allocate to get comment on every issue; but that was then, and this is now ;)

  2. This is further to your recent article on my Office’s report on security management and services in the ACT Government. Your article accurately reports that my report dealt with policies and procedures around IT security. These were at the high whole-of-government level. This contrasts with the approach of other jurisdictions, where specific systems were subject to so-called benign cyber attack.

    Several of our recommendations are mentioned by you, notably those relating to system security plans, the status of the ACT’s information security advisor and the need for an electronic records management system. Implementation of these recommendations will reduce the risk of the sorts of problems that my counterparts in the States have discovered, and which have been quoted in your article. As was stated, a future discrete audit of directorates’ and agencies’ application of ICT security may be worthwhile once any recommendations from this audit are implemented.

  3. I pinged the ACT chief minister Katy Galagher on Twitter for a comment and here is what I received (FWIW):
    “systems tested for ICT security and there is an audit regime. Internally hosted websites are rigorously tested for compliance”
