An audit of the Victorian Government’s IT security defences and ability to respond to major cyber-attacks has found the state woefully unprepared for any serious online attack, with its IT systems suffering over 100 “serious breaches”.
In a statement issued last week, the state’s Auditor-General John Doyle said the security of Victoria’s whole-of-government information and communications technology (ICT) systems was “inadequate” and was “vulnerable to existing and emerging cyber threats”.
An Auditor-General’s report, WoVG Information Security Management Framework, tabled in Parliament last week and available online, found that “there has been inadequate central oversight of the ability of public sector systems to resist cyber attack”. Victorian Government agencies, according to the report, are “generally unaware” of how their ICT systems would perform if subjected to a cyber attack.
The state’s auditor’s office conducted technical testing of a range of selected ICT systems as part of the audit and identified “well over 100 serious breaches and lapses in information security”.
Doyle said: “There are no cohesive arrangements in place in Victoria to brief ministers if a major cyber threat was to affect the public sector’s ability to continue to deliver services”.
In its statement, the auditor noted that it was not in the public interest to publicly disclose its findings in detail, but it had written to each of the agencies subject to the audit and sought their urgent attention to rectify the issues. “I am pleased to say that a number of the more critical findings have already been addressed by some agencies,” Doyle said.
The government has recently taken two actions that should start to address these deficiencies. Firstly, the Emergency Management Bill 2013, which was introduced into Parliament in late October, proposes that the new State Crisis and Resilience Council will be able to analyse the cyber threat and comprehensively brief government on cyber incidents. And secondly, a new cyber security strategy will be developed to clarify lines of accountability and governance structures for cyber security in the Victorian public sector.
While these initiatives are positive, their effective implementation is “critical to their success in addressing the serious issues and vulnerabilities detected by this audit,” Doyle said.
It is extremely common for Australian State and Local Governments to have woeful IT security practices. For example, a report produced by the Queensland Audit Office several weeks ago found that it would be relatively easy to break into Brisbane’s traffic management systems.
In June 2011, Western Australia’s auditor-general handed down a landmark report which detailed the fact that none of a wide range of government departments and agencies in the state were then able to prevent basic cyber-attacks against their IT infrastructure — or even detect that they had taken place. Similar reports have also been published in other states such as Queensland and New South Wales.
Business as usual for the Victorian Government, one of Australia’s acknowledged centres for IT incompetence. Can’t build major IT systems, can’t run ’em; is it any surprise that it can’t secure them?