Australian Federal Police fails cybersecurity health check


news The Federal Auditor-General has criticised the Australian Federal Police for not meeting federal cyber-security standards, in a wide-ranging audit that exposed a number of issues with the law enforcement agency’s ability to secure its own IT systems.

The chief standard used to secure the IT systems of Federal Government is the Australian Government Information Security Manual (ISM), published by the Australian Signals Directorate within the Department of Defence.

The Australian National Audit Office (ANAO) previously examined implementation of the mandatory strategies in this document (the ASD “Top 4” mitigations: application whitelisting, patching applications, patching operating systems and restricting administrative privileges) in a review published in June 2014.

Following that review, Federal Parliament’s Joint Committee of Public Accounts and Audit asked the ANAO to conduct a follow-up audit of compliance levels of various government departments and agencies with the ISM.

This week the ANAO tabled its report on that topic in Parliament (PDF). The report examines four agencies. Two (AUSTRAC and the Department of Agriculture and Water Resources) achieved compliance with the ISM, while the other two (the Australian Federal Police and the Department of Industry, Innovation and Science) did not.

In general, the ANAO found that the AFP was “resilient” against internal attackers on its systems, but needed further work to be what it called “externally resilient”. The Industry Department is in a similar situation.

“Australian Federal Police and the Department of Industry, Innovation and Science did not achieve compliance with the ISM,” the report stated.

“These entities had security controls in place to provide a level of protection from breaches and unauthorised disclosures of information from internal sources. There was insufficient protection against cyber attacks from external sources. Further initiatives are required from these two entities to achieve compliance with the ISM.”

The Auditor did not reveal what specific issues the AFP or any other department or agency suffered, due to security concerns about releasing such information publicly.

However, the issues the report describes in general terms included application whitelisting not being implemented on servers, some security patches not having been applied, weaknesses in the security controls around user accounts on various systems, and weaknesses in capturing audit logs and monitoring privileged accounts, among others.

The news will not come as a surprise to many who work on IT security within Australia’s public sector.

A series of similar audit reports produced at State and Federal Government level over the past half-decade has repeatedly found major IT security weaknesses in Australia’s public sector.

For example, the Western Australian Auditor-General repeatedly warned the WA State Government of IT security problems over a period of several years. The problems culminated in both the WA State Parliament and the WA Public Transport Authority recently suffering attacks on their IT infrastructure.

At a Federal level, Prime Minister Malcolm Turnbull recently acknowledged upon the launch of the Government’s new cyber-security strategy that both the Federal Parliament and the Bureau of Meteorology had been broken into.

opinion/analysis
This is a bit rich, isn’t it? The AFP wants unwarranted access to all Australians’ metadata, but can’t secure its own IT systems?

10 COMMENTS

  1. “The AFP wants unwarranted access to all Australians’ metadata, but can’t secure its own IT systems?”
    We live in the information age. Information free-for-all*!

    *Unless you’re a peasant

  2. Leaving the doors open everywhere for the Chinese army of hackers to get in for their target. Escalated attacks on military like the BOM attack. How else did they get in and steal the ASIO building blueprints?

    Terrorism wins elections, I believe, so it’s more important. Locking people up without charge is more important, meanwhile being cyber criminals themselves, unleashing malware on the population.

    These duds in government have left the whole country exposed, and data retention is simply handing our data up to everyone on a plate.

  3. I’d love to slag off the AFP and etc here, but unfortunately I can’t.

    How many entities–private or public–can actually say and prove they have “resilient” IT systems? The fact is there are too many successful attacks on very important systems, where common sense would indicate there should have been much better security. To say a system is “internally resilient” or “externally resilient” is a nonsense: it is “resilient” or it is “not resilient”.

    But the fact that entities of this importance do not have robust security is especially appalling. I can understand a family box being a bit undernourished; and, TBH, small and middle business probably have more than enough on their plates to worry about something vague and nebulous like data theft or even pay a security firm to put something in place. However there is no excuse for large businesses and government departments to tolerate leaky IT systems.

    Our government seems to have backed away from “breach reporting”, which smart people see as being just as necessary as mandatory disease reporting in the medical world. So if the government doesn’t want to invest in public IT health, then why should anybody else worry about it?

    • Have to agree with you here Gordon – if large enterprise and government can’t get their houses in order, what hope is there for SMBs? What hope do we have as individual citizens and customers that our private data, which we must agree to share in order to access services or even live in a country, will remain secure, or that anyone is doing any more than paying lip service to security best practices? What confidence can we have that our data isn’t already out there, being traded by criminals? Or that huge government database hacks won’t bring our entire system of data integrity crashing down, making it impossible to guarantee that the person claiming to be a specific person is indeed that person? Because one major problem with hyperconverged data is that it’s not just theft of the data that’s the problem, but guaranteeing that hacked systems remain unedited.

    • I think you guys are missing the point. If AUSTRAC and the Department of Agriculture and Water Resources can get it right, then the service tasked with protecting OUR data should lift its game.

      • AUSTRAC and DAWS need a pat on the head. It is not difficult–tedious, I will accept–to armour-plate an IT system.

        I disagree we are missing the point. The point is that a great many entities should lift their games, and the Feds don’t seem to care. What was that hospital that got all their XP machines infected? That should never have happened. Why was it allowed to happen? And who allowed it to happen?

        We need a universal mandatory data-breach reporting policy, and we need it NOW. We also need universal unannounced external cyber-security health checkups, and we need them NOW.

        • We need a universal mandatory data-breach reporting policy, and we need it NOW. We also need universal unannounced external cyber-security health checkups, and we need them NOW.

          Fully agree there mate ;o)

  4. This is a bit rich, isn’t it? The AFP wants unwarranted access to all Australians’ metadata, but can’t secure its own IT systems?

    No Renai, I don’t think it’s rich. I think it’s a fucking travesty…

  5. “This is a bit rich, isn’t it? The AFP wants unwarranted access to all Australians’ metadata, but can’t secure its own IT systems?”

    So easy to throw stones.
