The Federal Auditor-General has criticised the Australian Federal Police for not meeting federal cyber-security standards, in a wide-ranging audit that exposed a number of issues with the law enforcement agency’s ability to secure its own IT systems.
The chief standard used to secure the IT systems of Federal Government is the Australian Government Information Security Manual (ISM), published by the Australian Signals Directorate within the Department of Defence.
The Australian National Audit Office (ANAO) has previously examined implementation of the mandatory strategies in this document, as part of a review published in June 2014.
Following that review, Federal Parliament’s Joint Committee of Public Accounts and Audit asked the ANAO to conduct a follow-up audit of compliance levels of various government departments and agencies with the ISM.
This week the ANAO tabled its report on that topic in Parliament (PDF). The report examines four agencies. Two, AUSTRAC and the Department of Agriculture and Water Resources, achieved compliance with the ISM, while two, the Australian Federal Police and the Department of Industry, Innovation and Science, did not.
In general, the ANAO found that the AFP was “resilient” against internal attackers on its systems, but needed further work to be what it called “externally resilient”. The Industry Department is in a similar situation.
“Australian Federal Police and the Department of Industry, Innovation and Science did not achieve compliance with the ISM,” the report stated.
“These entities had security controls in place to provide a level of protection from breaches and unauthorised disclosures of information from internal sources. There was insufficient protection against cyber attacks from external sources. Further initiatives are required from these two entities to achieve compliance with the ISM.”
The Auditor did not reveal what specific issues the AFP or any other department or agency suffered, due to security concerns about releasing such information publicly.
However, the issues the report lists in general terms included application whitelisting not being enforced on servers, some security patches not having been applied, weaknesses in the security controls around accounts on various systems, weaknesses in capturing audit logs and monitoring privileged accounts, and more.
The news will not come as a surprise to many who work on IT security within Australia’s public sector.
A series of similar audit reports produced at the State and Federal Government level over the past half-decade have continually found major IT security weaknesses in Australia’s public sector.
For example, the Western Australian Auditor-General repeatedly warned the WA State Government of IT security problems over a period of several years. The problems culminated in both the WA State Parliament and the WA Public Transport Authority recently suffering attacks on their IT infrastructure.
At a Federal level, Prime Minister Malcolm Turnbull recently acknowledged upon the launch of the Government’s new cyber-security strategy that both the Federal Parliament and the Bureau of Meteorology had been broken into.
This is a bit rich, isn’t it? The AFP wants unwarranted access to all Australians’ metadata, but can’t secure its own IT systems?