2. Auditor-General Report No. 1 (2019-20)

Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities

Entities Audited: Australian Postal Corporation; ASC Pty Ltd; Reserve Bank of Australia

Introduction

2.1
The Reserve Bank of Australia (Reserve Bank) is a corporate Commonwealth entity. The Australian Postal Corporation (Australia Post) and ASC Pty Ltd (ASC; formerly the Australian Submarine Corporation) are government business enterprises (GBEs).1
2.2
Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), non-corporate Commonwealth entities are required to apply the Australian Government Protective Security Policy Framework (PSPF), which states that they must mitigate common and emerging cyber threats. The framework mandates that non-corporate Commonwealth entities implement the Top Four cyber security mitigation strategies detailed in the Australian Government Information Security Manual (ISM). These four mandatory strategies, in combination with a further four non-mandatory strategies, are known as the Essential Eight.2 It is not mandatory for GBEs and corporate Commonwealth entities to apply the PSPF or the Top Four mitigation strategies from the ISM.3 However, the PSPF and the ISM currently represent ‘better practice’ for such entities.4

Audit Rationale

2.3
The audit was undertaken to ‘enable comparison with GBEs and corporate Commonwealth entities, and provide information to help strengthen the regulatory framework and improve cyber resilience of Commonwealth entities’.5

Audit Objective and Criteria

2.4
The audit objective was to assess the effectiveness of the management of cyber security risks by Australia Post, ASC and the Reserve Bank. To form a conclusion against this objective, the ANAO adopted three high-level criteria:
Have entities managed cyber security risks in line with their own risk arrangements?
Have entities managed cyber security risks in line with key aspects of the ISM?
Do entities have a culture of cyber security resilience?6

Overall Audit Conclusion

2.5
The audit found that the Reserve Bank and ASC had ‘effectively managed cyber security risks’ but that Australia Post had ‘not effectively managed cyber security risks, and should continue to implement its cyber security improvement program and key controls across all its critical assets to enable cyber risks to be within its tolerance level’.7
2.6
All three entities ‘have a fit for purpose cyber security risk management framework’.8 ASC and the Reserve Bank had ‘met the requirements of their respective frameworks by implementing the specified information and communications technology (ICT) controls that support desktop computers, ICT servers and systems’.9 Australia Post had ‘not met the requirements of its framework, having not implemented all specified key controls’.10
2.7
Although the Top Four mitigation strategies from the ISM are not mandatory for GBEs or corporate Commonwealth entities, the Reserve Bank and ASC had implemented controls in line with the Top Four and other mitigation strategies in the Essential Eight.11 However, Australia Post had ‘not fully implemented controls’ in line with the Top Four and the Essential Eight.12 All three entities had ‘implemented mitigation strategies beyond the requirements of the Essential Eight, such as the Reserve Bank using machine learning and analytics to detect cyber threats’.13
2.8
The audit further found that the Reserve Bank and ASC are ‘cyber resilient, with high levels of resilience compared to 15 other entities audited over the past five years’, while Australia Post is ‘not cyber resilient but is internally resilient’.14 The Reserve Bank has a ‘strong cyber resilience culture’, ASC is ‘developing this culture’, and Australia Post is ‘working towards embedding a cyber resilience culture within its organisation’.15
2.9
The audit recommended that Australia Post conduct risk assessments for all its critical assets where it has not already done so and take immediate action to address any identified extreme risks to those assets and supporting networks and databases.16 Australia Post agreed to the recommendation.

Cyber Security Risk Management Framework

2.10
The audit concluded that all three entities ‘have a fit for purpose cyber security risk management framework’.17 Each specific framework either includes the ISM or incorporates elements of it, with Australia Post and the Reserve Bank also adopting aspects of recognised national and international cyber security frameworks applicable to their industry and regulatory environment.18
2.11
The ANAO has developed six criteria to assess the effectiveness of entity cyber security arrangements.19 The Reserve Bank had ‘fully established’ all six arrangements.20 ASC and Australia Post had ‘established three of the six arrangements and partially or largely established the other three arrangements’.21
2.12
Since the audit recommendation focused on Australia Post, the three arrangements that Australia Post had only partially or largely established are worth noting: ICT operational staff understand vulnerabilities and cyber threats to the system; integrated and documented architecture for data, systems and security controls; and a systematic approach to managing cyber risks.22
2.13
The ANAO also reviewed a sample of controls supporting desktop computers, ICT servers and systems in the Reserve Bank, ASC and Australia Post.23 The audit found that the Reserve Bank and ASC had ‘met the requirements for implementing ICT controls contained in their cyber security risk management framework’.24 Australia Post had ‘not met the requirements for ICT controls in its framework, having not implemented all specified key controls’.25 The audit found that, in Australia Post, ‘only half of the sampled controls (five of 10) were designed and implemented as specified in its cyber security risk management framework. Three of the 10 sampled controls were partly implemented and two controls were not implemented’.26
2.14
Australia Post provided an update on progress in implementing the audit recommendation that it conduct risk assessments for all its critical assets where it had not already done so and take immediate action to address any identified extreme risks to those assets.27 Australia Post confirmed that ‘we’ve been working over the last six months to conduct a formal risk assessment against our critical assets that were identified as a gap in the report’, including ‘updating assessments for those assets already assessed but also taking immediate action to address any identified concerns’.28 An approach and methodology review had also been completed by Australia Post internal audit.29 Australia Post emphasised that it was ‘working very quickly to establish that baseline of controls against our critical applications, have the appropriate risks raised and have the appropriate actions taken where we’re finding critical gaps’.30 Implementation monitoring will be managed through Australia Post’s information security risk management and compliance programs, and ‘reported up through senior management and to our board through our audit and risk committee’.31 Australia Post’s cyber security program, ‘Securing Tomorrow’, is also focused on reducing cyber risks to within its risk tolerance by 2020.32 Australia Post confirmed that the program was due by 30 June 2020 and on schedule.33
2.15
Asked about the current assessment of Australia Post’s cyberthreat environment, the Acting Chief Information Security Officer at Australia Post stated:
I have dedicated information security officers continually reviewing and adjusting our tools and our processes to ensure that we have the strength and protection in place to prevent those cyberattacks. Some of those techniques include ensuring that we have the best-of-breed next generation tooling in place to limit risk and impact of cyberthreats, such as ransomware … We’re regularly doing simulated [phishing] campaigns with our employees to train them and educate them … there is the mandatory annual cybertraining for employees.34
2.16
In terms of cyber data, Australia Post confirmed that, between 1 January and 30 March 2020, ‘we had no extreme or high incidents, but we did respond to over 300 individual cyber-incidents that we saw in our systems’, mostly SMS and email phishing campaigns.35 As to whether any of these incidents had been escalated to the ACSC, Australia Post stated that its ‘cyber-emergency response function is regularly talking to the likes of ACSC around … threat intel, threat landscape, but also the information security industry do share intel and help each other defend against threats that we’re seeing in the landscape’.36

Alignment with ISM Risk Mitigation Strategies

2.17
In establishing specific risk management frameworks for cyber security, the Reserve Bank, ASC and Australia Post adopted mitigation strategies from the ISM, despite not being mandated to do so.37 The audit therefore examined whether these entities had implemented controls in line with the ISM, noting that ‘it is better practice for such entities to implement the Top Four and other Essential Eight mitigation strategies in the ISM’.38 The audit found that the Reserve Bank and ASC had ‘implemented controls in line with the requirements of the ISM, including the Top Four and other mitigation strategies in the Essential Eight’.39
2.18
Australia Post had ‘not fully implemented controls in line with either the Top Four or the four non-mandatory strategies in the Essential Eight’.40
2.19
Australia Post had implemented two of the Top Four mitigation strategies: patching applications and restricting administrative privileges.41 Australia Post’s submission provided details of initiatives to address this matter, including implementing ‘ISM accreditation for a number of Australia Post services’, as well as ‘application whitelisting controls supporting its retail and deliveries environments’ and ‘the deliveries security uplift project, which is enhancing controls on critical deliveries systems (including whitelisting)’.42
2.20
Australia Post had implemented one of the four non-mandatory mitigation strategies in the Essential Eight: daily backups.43 Australia Post’s submission provided details of initiatives to address this matter, including having conducted a ‘maturity level assessment’ against the Essential Eight mitigation strategies.44
2.21
In its response to the audit, the Reserve Bank stated that it would ‘continue to align with the security controls outlined in the ... ISM and relevant industry security standards’.45 In its response to the audit, Australia Post stated that, while it is ‘not required to apply or comply with the Manual or its Top Four mitigation strategies’, it has ‘voluntarily chosen to incorporate aspects of the Manual into its cyber security framework—together with other industry-leading frameworks … as a matter of best practice’.46 As Australia Post further observed at the public hearing—‘it is clearly not something that we are required to do. However, we certainly see it as sound practice … As a consequence, we’ve been gradually working through our cyber-risks and building towards the Essential Eight’.47

Cyber Security Resilience

2.22
The audit found that the Reserve Bank and ASC were ‘cyber resilient, with high levels of resilience compared to 15 other entities audited over the past five years’.48 The Reserve Bank and ASC respectively had the highest and equal third highest level of cyber resilience of 17 entities examined by the ANAO over the past five years.49
2.23
The audit found that Australia Post was ‘not cyber resilient but is internally resilient, which is similar to many of the previously audited entities’.50
2.24
The ANAO assessed the three entities’ culture of cyber resilience against 13 behaviours and practices across the areas of governance and risk management; roles and responsibilities; technical support; and monitoring compliance.51
2.25
The audit found that the Reserve Bank has a ‘strong cyber resilience culture, having established all 13 assessed behaviours and practices in the areas of cyber security governance and risk management, roles and responsibilities, technical support and monitoring compliance’.52 At the public hearing, the Reserve Bank confirmed its strong commitment to cyber security resilience, emphasising that its approach to managing cyber security had ‘multiple prongs’:
It’s not a cookie-cutter approach—it can’t be in the current world where a lot of our adversaries are changing their tactics and techniques on a daily basis and we have to have the ability to respond … we take our security standards very seriously, based on the information security management manual from the government, and we embed them into every aspect of our system delivery and system maintenance. The second prong … is the activity we undertake around intelligence gathering, sharing of information and collaborating with those within the bank and with other people in the financial services sector … to make sure we’re on top of the broader landscape. We take a three lines of defence model when it comes to risk management, which extends from our business system owners and our IT system owners as the first line, through our chief information officer and our chief information security officer as the second line and then to the internal audit department as the third line … We also do a lot of reporting across the bank about cybersecurity events and the control, so that it’s got that visibility.53
2.26
The audit found that ASC is ‘developing a cyber resilience culture, having embedded seven of the assessed behaviours and practices and working to more fully establish the other six cyber security behaviours and practices within its business processes’.54 The ASC confirmed that it is ‘working to mature and improve … cyber security related behaviours and practices, as highlighted in the report’.55
2.27
The audit found that Australia Post is ‘working towards embedding a cyber resilience culture’—while having embedded eight of the 13 assessed behaviours and practices, it has ‘not systematically managed cyber risks’.56
2.28
At the public hearing, the Auditor-General emphasised that cyber resilience ‘goes beyond just having a cybersecurity capacity’—‘resilience goes more to the cultural aspect and the broader frameworks in place’.57 As the Auditor-General further explained, ‘the reason we focus on culture is that successful implementation happens when it’s important to the leadership of the organisation and they invest in it’.58 Over time, the ANAO had constructed a framework of 13 behaviours and practices as an indicator of culture and how that resilient culture operates, to test ‘whether the leadership of an organisation goes beyond putting out an instruction saying that something should happen and into whether they’re embedding it in the day-to-day management and practices of the entity’.59
2.29
The Reserve Bank similarly observed that ‘a strong cyber culture is fundamental to embedding effective cyber-resilience’:
we’ve got ourselves to a position where an understanding of cyber-risks and how we respond to them is part of our DNA. We talk about it regularly, from the governor and the deputy governor all the way down through the organisation. It’s part of the way we do business … People understand it and recognise it for that, and therefore they start to embed the practices that we are talking about in their daily activities … it’s fundamental to having an effective cyber-resilience posture. You can have all the standards in the world, but if people don’t live and breathe them, understand them and employ them in what they’re doing every day then they’re really not worth anything.60
2.30
The Reserve Bank explained that it used a ‘multiplicity of tools’, from formal training to email campaigns and events, to embed its cyber resilient culture.61 Its activities therefore ‘go beyond’ training—‘training is certainly critical for key roles at the bank, and we do offer baseline training for all staff’, but the Reserve Bank also focuses ‘on education, which is more about giving a general awareness of cyber-risks’.62 More recently, the Reserve Bank has further shifted the focus to ‘now also focus on literacy, which is really just making sure the language of cyber-risk … is known and understood at meaningful levels, including the leadership of the bank as well’.63
2.31
Australia Post provided information about how it was building a stronger cyber resilience culture, emphasising that this matter ‘gets discussed all the way from the board through to the executive and management committee … to raise that awareness as we see external threats constantly adjusting’.64

Concluding Comment

2.32
The Committee notes the audit finding that the Reserve Bank, ASC and Australia Post have a fit-for-purpose cyber security risk management framework.65
2.33
The Reserve Bank and ASC had met the requirements of their respective frameworks by implementing the specified ICT controls.66
2.34
Australia Post had not met the requirements of its framework, having not implemented all specified key controls.67 The audit therefore recommended that Australia Post conduct risk assessments for all its critical assets where it has not already done so and take immediate action to address any identified extreme risks to those assets. The Committee acknowledges that, during the inquiry, Australia Post provided an update on its implementation of this recommendation, including its cyber security program, ‘Securing Tomorrow’, focused on reducing cyber risks to within its risk tolerance by 2020.
2.35
All three entities incorporated mitigation strategies and controls from the ISM in their cyber security risk management frameworks, despite not being mandated to do so. The Reserve Bank and ASC had implemented controls in line with the Top Four and other mitigation strategies in the Essential Eight.68 Australia Post had implemented two of the Top Four mitigation strategies and controls for one of the four other mitigation strategies in the Essential Eight.69 Australia Post provided an update to the Committee on its progress in implementing all of these strategies, including that it was implementing ISM accreditation for a number of Australia Post services and had conducted a maturity level assessment against the Essential Eight mitigation strategies.
2.36
The Committee notes that all three entities had implemented mitigation strategies beyond the requirements of the Essential Eight, and that the Reserve Bank and Australia Post had also adopted aspects of recognised national and international cyber security frameworks applicable to their industry and regulatory environments.70
2.37
The audit found that the Reserve Bank and ASC are cyber resilient, having effectively managed cyber security risks.71 In particular, the Committee recognises that the Reserve Bank and ASC respectively had the highest and equal third highest level of cyber resilience of 17 entities examined by the ANAO over the past five years.72 The audit concluded that the Reserve Bank has a strong cyber resilience culture and ASC is developing this culture.73 The Committee appreciated the examples of best practice in this area, as provided at the public hearing by the Reserve Bank.
2.38
The audit found that Australia Post is not cyber resilient but is internally resilient.74 The Committee notes Australia Post’s work towards embedding a cyber resilience culture within its organisation.
2.39
Although it is not mandatory for GBEs and corporate Commonwealth entities to implement the Top Four mitigation strategies in the ISM, it is ‘better practice’ for such entities to do so.75 Accordingly, the Committee sees merit in Australia Post providing an update on how it is implementing controls in line with the Top Four and other mitigation strategies in the Essential Eight to reflect better practice, and on how a cyber resilience culture is being further embedded in the organisation.

Recommendation 5

2.40
The Committee recommends that Australia Post provide an update on:
progress in implementing controls in line with the Top Four and other mitigation strategies in the Essential Eight (in confidence, if required); and
how a cyber resilience culture is being further embedded in the organisation.

1. In line with the requirements for performance audit of GBEs under the Auditor-General Act 1997, the Committee provided approval for the ANAO to examine the cyber resilience of Australia Post and ASC.
2. The Top Four mitigation strategies are: application whitelisting; patching applications; patching operating systems; and restricting administrative privileges. The other four mitigation strategies are: configuring Microsoft Office macros; user application hardening; multi-factor authentication; and daily backup of systems and data. Auditor-General Report No. 1 (2019-20), Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities, p. 7.
3. Auditor-General Report No. 1 (2019-20), p. 28. (Such entities can be required to apply the PSPF if directed to comply under a government policy order under sections 22 or 93 of the PGPA Act 2013; no such orders have been issued to date, pp. 14-15.)
4. Auditor-General Report No. 1 (2019-20), p. 14.
5. Auditor-General Report No. 1 (2019-20), pp. 7-8.
6. Auditor-General Report No. 1 (2019-20), p. 8.
7. Auditor-General Report No. 1 (2019-20), p. 8.
8. Auditor-General Report No. 1 (2019-20), p. 8.
9. Auditor-General Report No. 1 (2019-20), p. 8.
10. Auditor-General Report No. 1 (2019-20), p. 8.
11. Auditor-General Report No. 1 (2019-20), p. 8.
12. Auditor-General Report No. 1 (2019-20), p. 8.
13. Auditor-General Report No. 1 (2019-20), p. 9.
14. Auditor-General Report No. 1 (2019-20), p. 8.
15. Auditor-General Report No. 1 (2019-20), p. 8.
16. Auditor-General Report No. 1 (2019-20), p. 10.
17. Auditor-General Report No. 1 (2019-20), p. 8. For details of each entity’s cyber security risk management framework, see pp. 20-22.
18. Auditor-General Report No. 1 (2019-20), pp. 8-9.
19. Auditor-General Report No. 1 (2019-20), p. 22. The criteria comprise: enterprise-wide governance arrangements; information security roles assigned and responsibilities communicated; ICT security incorporated into strategy, planning and delivery of services; ICT operational staff understand vulnerabilities and cyber threats to the system; integrated and documented architecture for data, systems and security controls; and systematic approach to managing cyber risks, p. 22.
20. Auditor-General Report No. 1 (2019-20), p. 20.
21. Auditor-General Report No. 1 (2019-20), p. 20.
22. Auditor-General Report No. 1 (2019-20), p. 22.
23. For details of these controls, see Auditor-General Report No. 1 (2019-20), pp. 25-26.
24. Auditor-General Report No. 1 (2019-20), p. 25.
25. Auditor-General Report No. 1 (2019-20), p. 25. For Australia Post, the ANAO reviewed two of 13 Tier 1 Cyber Security mitigation controls and eight of 189 Information Security Standards controls that Australia Post had specified in its cyber security risk management framework, p. 25.
26. Auditor-General Report No. 1 (2019-20), p. 26.
27. Auditor-General Report No. 1 (2019-20), p. 10.
28. Mr Glenn Stuttard, Chief Information Security Officer (Acting), Australia Post, Committee Hansard, 19 May 2020, p. 18.
29. Mr Glenn Stuttard, Chief Information Security Officer (Acting), Australia Post, Committee Hansard, 19 May 2020, p. 20.
30. Mr Glenn Stuttard, Chief Information Security Officer (Acting), Australia Post, Committee Hansard, 19 May 2020, p. 20.
31. Mr Glenn Stuttard, Chief Information Security Officer (Acting), Australia Post, Committee Hansard, 19 May 2020, p. 18.
32. Auditor-General Report No. 1 (2019-20), p. 27. The program implements ‘strategic capability uplift and the remediation of identified vulnerabilities’, Australia Post, Submission 4, p. 2.
33. Mr Glenn Stuttard, Chief Information Security Officer (Acting), Australia Post, Committee Hansard, 19 May 2020, p. 20.
34. Mr Glenn Stuttard, Chief Information Security Officer (Acting), Australia Post, Committee Hansard, 19 May 2020, p. 19.
35. Mr Glenn Stuttard, Chief Information Security Officer (Acting), Australia Post, Committee Hansard, 19 May 2020, p. 19.
36. Mr Glenn Stuttard, Chief Information Security Officer (Acting), Australia Post, Committee Hansard, 19 May 2020, p. 19.
37. Auditor-General Report No. 1 (2019-20), p. 11.
38. Auditor-General Report No. 1 (2019-20), p. 7, p. 43.
39. Auditor-General Report No. 1 (2019-20), p. 8.
40. Auditor-General Report No. 1 (2019-20), p. 8.
41. Auditor-General Report No. 1 (2019-20), p. 29. The other two mitigation strategies are application whitelisting and patching operating systems.
42. Australia Post, Submission 4, pp. 1-2.
43. Auditor-General Report No. 1 (2019-20), p. 32. (For ANAO analysis of Australia Post’s treatment of the other three strategies, see pp. 33-35.)
44. Australia Post, Submission 4, p. 2.
45. Auditor-General Report No. 1 (2019-20), p. 53.
46. Auditor-General Report No. 1 (2019-20), p. 51.
47. Mr John Cox, Executive General Manager, Transformation and Enablement, Australia Post, Committee Hansard, 19 May 2020, p. 20.
48. Auditor-General Report No. 1 (2019-20), p. 8.
49. Auditor-General Report No. 1 (2019-20), p. 9.
50. Auditor-General Report No. 1 (2019-20), p. 8.
51. Auditor-General Report No. 1 (2019-20), pp. 37-38. For a list of these behaviours and practices, see ANAO, Submission 6.1, p. 3.
52. Auditor-General Report No. 1 (2019-20), p. 9; for details of the assessment, see pp. 38-42.
53. Mrs Susan Woods, Assistant Governor, Corporate Services, Reserve Bank, Committee Hansard, 19 May 2020, pp. 11-12.
54. Auditor-General Report No. 1 (2019-20), p. 9; for details of the assessment, see pp. 38-42.
55. ASC, Submission 2, p. 2.
56. Auditor-General Report No. 1 (2019-20), p. 9; for details of the assessment, see pp. 38-42.
57. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 12.
58. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 21.
59. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 17.
60. Mrs Susan Woods, Assistant Governor, Corporate Services, Reserve Bank, Committee Hansard, 19 May 2020, p. 17.
61. Mrs Susan Woods, Assistant Governor, Corporate Services, Reserve Bank, Committee Hansard, 19 May 2020, p. 17.
62. Mr Gayan Benedict, Chief Information Officer, Reserve Bank, Committee Hansard, 19 May 2020, p. 17.
63. Mr Gayan Benedict, Chief Information Officer, Reserve Bank, Committee Hansard, 19 May 2020, p. 17.
64. Mr John Cox, Executive General Manager, Transformation and Enablement, Australia Post, Committee Hansard, 19 May 2020, p. 18.
65. Auditor-General Report No. 1 (2019-20), p. 8.
66. Auditor-General Report No. 1 (2019-20), p. 8.
67. Auditor-General Report No. 1 (2019-20), p. 8.
68. Auditor-General Report No. 1 (2019-20), p. 14.
69. Auditor-General Report No. 1 (2019-20), p. 14.
70. Auditor-General Report No. 1 (2019-20), p. 9, p. 11.
71. Auditor-General Report No. 1 (2019-20), p. 8.
72. Auditor-General Report No. 1 (2019-20), p. 9.
73. Auditor-General Report No. 1 (2019-20), p. 8.
74. Auditor-General Report No. 1 (2019-20), p. 8.
75. Auditor-General Report No. 1 (2019-20), p. 7, p. 43.
