1. Introduction

1.1
The Joint Committee of Public Accounts and Audit (JCPAA) has a statutory responsibility to examine all reports of the Auditor-General presented to the Australian Parliament.1

About the Inquiry

1.2
On 5 February 2020, the Committee resolved to conduct an inquiry into cyber resilience based on the following Auditor-General Reports:
No. 1 (2019-20), Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities
No. 13 (2019-20), Implementation of the My Health Record System

Inquiry Conduct

1.3
On 7 February 2020, the Committee issued a media release announcing the inquiry and inviting submissions. The Committee also invited submissions from the audited agencies. The inquiry received ten submissions, as listed at Appendix A.
1.4
Public hearings were held on 19 May 2020 and 2 July 2020. A list of witnesses and organisations is at Appendix B.
1.5
A copy of this report, transcripts of public hearings and submissions received are available at the Committee’s website at www.aph.gov.au/Parliamentary_Business/Committees/Joint/Public_Accounts_and_Audit.

Report Outline

1.6
Chapter 1 provides background on the inquiry. It also considers the Australian Government cyber security regulatory framework for Commonwealth entities, as matters relating to this area are relevant to both Audit Report No. 1 (2019-20) and Audit Report No. 13 (2019-20). At the time of the Committee’s inquiry, the Australian National Audit Office (ANAO) was conducting an audit on cyber security strategies of non-corporate Commonwealth entities. The proposed audit criteria included examining whether ‘the three entities responsible for cyber policy in the Commonwealth (the Australian Signals Directorate, the Attorney-General’s Department and the Department of Home Affairs) have worked together to support accurate self-assessment and reporting by non-corporate Commonwealth entities, and to improve those entities’ implementation of cyber security requirements under the Protective Security Policy Framework’.2 As this audit was not completed concurrent with the Committee’s inquiry, this report does not consider the findings of the audit.
1.7
Chapter 2 considers Audit Report No. 1 (2019-20), which assessed the effectiveness of management of cyber security risks by the Australian Postal Corporation, the Reserve Bank of Australia and ASC Pty Ltd.
1.8
Chapter 3 considers Audit Report No. 13 (2019-20), which assessed the effectiveness of implementation of the My Health Record system under the opt-out model by the Australian Digital Health Agency and the Department of Health.

Cyber Security Framework

1.9
Three Commonwealth entities have oversight responsibilities for cyber security—the Department of Home Affairs (Home Affairs); the Attorney-General’s Department (AGD); and the Australian Signals Directorate (ASD) and Australian Cyber Security Centre (ACSC), within ASD.
1.10
Home Affairs is responsible for ‘Australia’s cyber policy coordination and setting the strategic direction of the government’s cyber effort’.3
1.11
AGD is responsible for setting Australian Government protective security policy guidance.4 AGD produces the Protective Security Policy Framework (PSPF). The core requirements for information security are set out in policies 8 to 11 of the PSPF.5 An October 2018 Directive reiterated the requirement for ‘all non-corporate Commonwealth entities to apply the PSPF as it relates to their risk environment’, with the PSPF representing ‘better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies’.6
1.12
The ACSC, within ASD, leads the Australian Government’s operational cyber security capability.7 The ACSC produces the Australian Government Information Security Manual (ISM), which is referenced in the PSPF as the key source of guidance for Commonwealth entities in applying policies 10 and 11. The PSPF requires non-corporate Commonwealth entities to implement four mitigation strategies (known as the Top Four) of eight essential mitigation strategies (known as the Essential Eight), as referenced in the ISM.
1.13
The Commonwealth Cyber Security Posture in 2019: Report to Parliament provides information on Commonwealth entities’ cyber resilience in an aggregated form, based on information obtained through the ASD annual cyber security survey and 2018-19 PSPF maturity reporting, combined with the results of the whole-of-government Cyber Uplift.8 The Cyber Uplift aims to ‘strengthen the cyber security of Australian Government networks through enhanced technical guidance, improved verification, and increased transparency and accountability’.9 The Cyber Uplift included ACSC teams conducting ‘sprint’ programs to assess and improve the cyber maturity of 25 Commonwealth entities in implementing the Essential Eight, and the creation of an ongoing forum for Chief Information Officers and Chief Information Security Officers from across entities (the CIO/CISO forum).10
1.14
Each Commonwealth entity must complete the ASD annual cyber security survey and report any significant or reportable security incident at the time they occur to AGD.11 Under the PSPF, non-corporate Commonwealth entities are also required to ‘submit annual reports to their portfolio minister and AGD, detailing their implementation of PSPF requirements’, including the Essential Eight.12 As part of the 2018 PSPF reforms, annual reporting has now shifted from a compliance-based assessment model to a new maturity self-assessment model, based on a risk management approach.

Regulatory Framework Overview

1.15
Auditor-General Report No. 38 (2019-20), Interim Report on Key Financial Controls of Major Entities (28 May 2020), included a review of the self-assessed level of compliance with mandatory cyber security controls of 18 Commonwealth entities.13 In its submission to the inquiry, the ANAO noted that ‘the maturity levels for the majority of the entities reviewed were below the required PSPF … level of “Managing”’, with ‘one rated as achieving a “Managing” maturity level across all mandatory controls’.14
1.16
Since 2013-14, there have been five cyber based audits:
Auditor-General Report No. 50 (2013-14), Cyber Attacks: Securing Agencies’ ICT Systems
Auditor-General Report No. 37 (2015-16), Cyber Resilience
Auditor-General Report No. 42 (2016-17), Cybersecurity Follow-up Audit
Auditor-General Report No. 53 (2017-18), Cyber Resilience
Auditor-General Report No. 1 (2019-20), Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities15
1.17
In terms of its four cyber audits of 14 non-corporate Commonwealth entities, the ANAO identified that ‘four entities (29 per cent) had complied with mandatory PSPF requirements for information security (Top Four mitigation strategies)’.16 With regard to the five audits, the ANAO stated that ‘Australian Government entities’ compliance with mandatory requirements of the … PSPF for information security remained low, and that the regulatory framework had not driven sufficient improvement in cyber security’.17
1.18
The Auditor-General noted at the 19 May 2020 public hearing that ‘we wouldn’t be auditing as much as we do if we had seen a progressive improvement through time … the level of work we do is a reflection of our concerns about the level of compliance within the sector. It goes not just to individual entities but to the effectiveness of the framework’.18 However, the Auditor-General added that ‘there has been a new framework put in place which has additional oversight arrangements and that may be more successful, but we are not in a position to comment on that yet’.19 As the Auditor-General also observed, ‘more recently there have been changes to the framework to try and improve that assessment’:
ASD has been running what they call ‘sprint tests’ across a number of entities, where they come in and do a detailed review of compliance … while we haven’t finished auditing in that space, that is a step forward in the overarching framework and in the quality of review work that is going on …
[I]f you look at the evidence from our audits, one conclusion we can draw is that the framework that was in place wasn’t driving the behavioural change to ensure that the regulatory stance was robust enough. Since that time there have been changes in that stance with respect to the provision of information, more review. Some moved to verification type processes; that is an area that could be stronger …
Internally, within government, I think that when we started down this path there was very little oversight of the internal compliance reporting with respect to the whole of the PSPF … through time, the transparency and oversight of that internal reporting has become stronger, and that’s part of the change in the framework in the last year or so. There has been a bit more oversight of those things.20
1.19
At the 2 July 2020 public hearing, the Auditor-General further noted that ‘we haven’t really done an assessment of the technical supporting of the self-assessment framework, particularly since the new framework was established last year’.21
1.20
Asked about the regulatory framework, AGD stated that it ‘does not consider there is a “failure of the framework”. The results from the 2018-19 PSPF assessment reports and the 2019 Commonwealth Cyber Security Posture Report indicate that there are improvements in entities’ cyber security’, with reforms to the PSPF also having been ‘made in 2018’.22 As to whether further development of the regulatory framework was required to drive improvements in cyber security, AGD highlighted that ‘part of the reforms to the broad PSPF … and particularly the changes to maturity reporting, are designed to better support that continuous improvement’:
We work with the ACSC on that particular technical and practical support to agencies to lift cybersecurity resilience as well. In the future, we’re looking to add to the maturity reporting moderation models … Clearly, there’s variability, as reflected in the cybersecurity posture report, and there are definitely areas where agencies need to do better in lifting their cybersecurity performance. By no means do we think the framework is a failure, but we will continue to work to improve cybersecurity posture.23
1.21
AGD provided additional information on some of the PSPF reforms, including that ‘we have the first results that we’re compiling from 2018-19 maturity reporting under the reformed PSPF. That will provide a more comprehensive nuanced view of cybersecurity posture and a lot more information for us to consider’.24 In addition, ASD outlined the roles of the Cyber Uplift program, as well as the ‘sprint’ program and the CIO/CISO forum.25 ASD noted that the ‘sprints’ informed ‘a heightened awareness amongst all 25 agencies of the Essential Eight, a better practical understanding of how to apply measures and, certainly, an increased and alert posture’.26 AGD further outlined that, ‘in administering the Cyber Security Response Fund, which is that after-care, we have now provided additional services to those 25 core agencies to improve specific elements that were identified in the uplift and upped their maturity model’.27 Home Affairs also pointed to its ‘continuing to work on the Cyber Security Strategy’, noting that ‘we see a cybersecurity uplift within government as a key component of that strategy’.28
1.22
As to whether these initiatives would see an increase in entity compliance with the mandatory requirements of the PSPF, with this being reflected in future cyber audits, AGD observed that ‘the intent of the changes we made to the PSPF and the approach to maturity reporting is that we expect it will provide a framework that will support greater improvement’.29 Similarly, ASD emphasised, with reference to the 2019 Commonwealth Cyber Security Posture, that there was ‘evidence of continual improvement, although an acceptance that additional work would be required’—in particular, ‘there was an improvement in comparison to previous years of … implementation of the Essential Eight’.30
1.23
The 2019 Commonwealth Cyber Security Posture stated that ‘baseline adoption of the Essential Eight across the Australian Government still requires further improvement’ and ‘entities’ self-assessed implementation of the Top Four remains at low levels across the Australian Government’, with ‘73 per cent of non-corporate Commonwealth entities reporting ad hoc or developing levels of maturity’.31 AGD noted that, as outlined in the 2019 Commonwealth Cyber Security Posture, ‘the overall cyber security of Australian Government agencies continued to improve through:
increased capability to identify cyber security events and incidents;
improvements in organisational cyber security practices, including cyber incident management plans and procedures;
improved implementation of malicious email mitigation strategies across the Commonwealth; and
increased visibility and understanding of Commonwealth systems, data holdings and networks.32
1.24
The 2019 Commonwealth Cyber Security Posture stated that ‘Commonwealth entities continue to improve their cyber security’; ‘in 2019, implementation of the Essential Eight across Commonwealth entities improved slightly in comparison to previous years’; and ‘the Cyber Uplift program has improved entities’ cyber security posture’.33 Further, to assist entities in strengthening their cyber security, AGD noted that ‘the Australian Government has made a substantial investment in the capabilities of the ASD and ACSC to identify emerging cyber threats and respond to cyber threats on a national scale, including tailored advice and assistance about how to mitigate cyber threats’.34
1.25
As announced on 30 June 2020, the Australian Government is investing $1.35 billion over the next decade through the Cyber Enhanced Situational Awareness and Response package, to enhance the cyber security capabilities, working through ASD and the ACSC.35 As to how this initiative would improve compliance with the mandatory Top Four, ASD responded:
by having a much better national picture of the threat—and with the fact that the threat changes the types of vectors or the type of technology being used—enabling us to send that message to all government agencies, who are all ACSC partners and recipients of our advice, much more quickly and hopefully with much more scale and technical detail, it would … have a positive impact on the resilience of government agencies … uplifting awareness, whether that’s through more or better quality advice, assists all Commonwealth agencies and broader government to lift their cybersecurity hygiene … it’s directed at ASD so that we can give better advice to government and the whole of economy to improve cyberhygiene writ large, which includes the capacity, through our advice and our assistance, of government agencies as well as individuals and small businesses to implement the mandatory four and the Essential Eight.36
1.26
Another matter discussed was the June 2020 cyber incident,37 and specific actions to drive improvements in entity compliance with mandatory cybersecurity requirements since that incident. ASD explained ‘the advice that we’ve given and the engagement that we’ve had with agencies occurred both in the lead-up to the Prime Minister’s statement and subsequently’, and that includes ‘working with every agency that may have been targeted’, including ‘giving specific measures of care, both technical and advisory, to agencies, not only when they have been targeted but to those that we anticipate might be at a higher level of risk because of the risk environment at the moment’.38
1.27
A further matter discussed at the public hearing was enforcement of compliance. Since 2018-19, entities have reported on their PSPF compliance using a maturity model, including self-assessment of their implementation level of the Top Four mitigation strategies.39 As AGD explained, ‘the new PSPF maturity model replaces point in time compliance reporting with ongoing monitoring of security maturity and implementation of PSPF requirements, with the reporting informed by the entity’s overall security position within its specific risk environment and risk tolerances’:
Under this compliance model, when ANAO audited the entity on its self-rated compliance level, this could be some time after the point in time information was provided, and the entity’s position may have changed. Further, to support more nuanced reporting, the PSPF reporting portal guides entities through a series of questions to assess and demonstrate their level of implementation for each PSPF requirement. Entities that assess themselves as ad hoc or developing are required to provide additional information on how they will improve their maturity during the coming year, before they can submit their annual report.40
1.28
AGD stated that maturity model reporting should ‘considerably improve the quality of the information we have on agencies’ protective security posture generally’—‘we’re conscious that we’ve just had the first year of maturity reporting and are now looking at how we can improve building on the results we got from this year’.41 AGD provided information on how these new arrangements were communicated to entities, including through guidance material and workshops.42
1.29
Asked whether there might be scope for a greater focus on enforcement of compliance with the Essential Eight, AGD responded: ‘we have already flagged, as part of the government Security Committee … that we want to work on arrangements that would add to that self-assessment moderation option to check agencies’ ratings and support them as part of that assessment process. That is something we have in our work program at the moment’.43 The department further observed that it was exploring an ‘external moderation or benchmarking process’, to enable comparison between entities—‘whether we do it with agencies cross-assessing each other or having central arrangements going in and assessing or moderating agencies’ results is something we’re working through’.44 In providing further information about its response to a previous audit recommendation that AGD, Home Affairs and ASD work together to improve compliance with the PSPF by developing a program for verifying entities’ reported compliance with mandatory cybersecurity requirements,45 AGD similarly noted that it was ‘exploring moderation models that could be adopted as part of the PSPF to moderate or review entities’ security assessments for different PSPF requirements. This includes consideration of moderation models that include peer review, benchmarks or other arrangements’.46
1.30
AGD emphasised that the PSPF places particular responsibility, aligned with the PGPA Act, on the accountable authority (agency and department heads) to ‘make decisions about the implementation of all of those requirements, and they’re accountable for reporting on them, as well as compliance’.47 On this point, the Auditor-General stated:
there’s been lots of commentary about how, under our framework, the accountable authority from an entity is responsible for the implementation of the policy, which is absolutely correct, but I think a key part of an accountability framework … is that the owner of the policy also needs to take responsibility for whether the policy is successful.48
1.31
Asked whether there might be a role for a more centralised approach, Home Affairs responded:
One of the things that the Commonwealth is looking at is: how do you build aggregation, how do you look at scaling a response and how do you support agencies who might have less capability in terms of cybersecurity, even though they’ve got their own individual responsibilities? How do you actually build capacity across a large Commonwealth set of networks and a complicated network? … Despite the fact that agencies are responsible for their own cybersecurity, the government is actively looking at a whole range of different options and is actively continuing to look at its own cybersecurity posture from a policy perspective, from a protective security perspective, from an operational perspective and from support to industry and the whole-of-nation effort.49
1.32
At the time of the Committee’s inquiry, the ANAO was conducting an audit on cyber security strategies of non-corporate Commonwealth entities.50 The proposed audit criteria included examining whether ‘the three entities responsible for cyber policy in the Commonwealth (ASD, AGD and Home Affairs) have worked together to support accurate self-assessment and reporting by non-corporate Commonwealth entities, and to improve those entities’ implementation of cyber security requirements under the PSPF’.51 As the Auditor-General further explained at the public hearing:
we haven’t really done an assessment of the technical supporting of the self-assessment framework, particularly since the new framework was established last year. The audit we’re undertaking at the moment is going to that, to some degree, because a key part of the changes that happened was to change the self-assessment framework and to put in place some arrangements to assist agencies to develop that.52

Cyber Security and Organisational Culture

1.33
The Auditor-General outlined that audit reports over time had provided insights into why some Commonwealth entities have more compliant frameworks than others, including an emphasis on cyber resilient culture:
broadly, what we identify is around the prioritisation and culture developed from the leadership of organisations. Where you see a strong focus within organisations on developing cyber-resilience and a willingness to privilege investment in that area, investing in the infrastructure needed to provide greater cyber-resilience, it happens. If it’s lower down the priority lists of an entity, it doesn’t happen.53
1.34
ASD similarly noted that the 2019 Commonwealth Cyber Security Posture emphasised ‘the importance of progressing cybersecurity culture to improve the cybersecurity posture’, with it being ‘critical that good cybersecurity practices become part of core business’.54 ASD has a ‘range of services dedicated to supporting and improving cybersecurity culture within organisations’, including through its cyber security survey.55
1.35
ASD also seeks to ‘change the cybersecurity culture’ through updating its ISM on a monthly basis ‘to ensure that organisations consider cybersecurity as a hygiene component rather than a docking endpoint once a year’, and by providing ‘additional advice and guidance’ through the CIO forums.56
1.36
AGD also stated that ‘we think cybersecurity culture … is very important, and we’ve done a number of things to support improvements in culture’, such as the Security Culture Community of Practice, regular CISO newsletter, biannual CIO/CISO forums and sharing of ‘best practice’, including the development of ‘a cultural transformation strategy’ to build a stronger protective security culture.57
1.37
Home Affairs further commented that, ‘in the four years since the 2016 Cyber Security Strategy and the establishment of the Australian Cyber Security Centre in 2013, there has been a broader cultural recognition of cybersecurity more generally across government’, particularly through:
the level of engagement, the level of awareness across government of cybersecurity issues, the collaborations we’ve seen in some of the forums … and even on a policy level, the colocation of the Home Affairs policy team with the operational activities in the Australian Cyber Security Centre, we sit side by side. So even at a policy level, the connectivity between operations and policy is there on a day-to-day basis … the secretaries board’s awareness of the issues continues to mature.58

Auditor-General Report No. 1 (2019-20)

1.38
Chapter 4 of Auditor-General Report No. 1 (2019-20) focused on whether the entities examined had a culture of cyber resilience by assessing performance against 13 behaviours and practices under four key headings:
Governance and risk management
Roles and responsibilities
Technical support
Monitoring compliance
1.39
The ‘Governance and risk management’ section included examination of the role of leadership from senior executives in prioritising cyber security, and the role of governance, audit and risk committees in reviewing vulnerabilities and staff security awareness.59
1.40
‘Roles and responsibilities’ included discussion of core security roles such as the Chief Information Security Officer within each entity.60
1.41
‘Technical support’ included assessing whether each entity had established a Cyber Incident Response Plan.61
1.42
The final section on ‘Monitoring compliance’ assessed whether entities were aligning with cyber security requirements, including through the engagement of external parties to validate internal reports.62
1.43
The ANAO assessed each entity’s performance against these criteria, and by reference to the Top Four strategies.

ANAO Submission 6.1

1.44
In its submission to the inquiry, the ANAO outlined key features of a cyber resilience culture. This involves the development of shared attitudes, behaviours and practices, and includes establishing effective Information and Communication Technology (ICT) general controls.63 These controls provide a strong foundation for the development of further controls and in turn the implementation of the Top Four cyber security risk mitigation strategies contained in the ISM.64

Cyber Resilience and the ANAO’s 13 Behaviours and Practices

1.45
The Auditor-General outlined that cyber-resilience is an agency’s ability ‘to continue providing services while deterring and responding to a cyber intrusion’ and that ‘resilience goes more to the cultural aspect and the broader frameworks in place’ rather than testing of controls and cybersecurity measures.65
1.46
The ANAO’s 13 behaviours and practices that may indicate a cyber resilience culture were identified through a ‘review of relevant guidance, reports and consultation with policy and audited entities’.66 The ANAO noted that this framework ‘can be used to measure culture, but this does not necessarily mean that an organisation that exhibits these behaviours is cyber resilient’.67
1.47
The ANAO further stated that:
having a good culture helps achieve compliance. The behaviours should be read in context with our assessment against the PSPF Policy 10 requirements and IT general controls … which are the other factors that were considered by ANAO for assessing cyber resilience.68
1.48
The 13 behaviours and practices were first published in Auditor-General Report No. 53 (2017-18).69 These include:
Governance and risk management
1. Establish a business model and ICT governance that incorporates ICT security into strategy, planning and delivery of services.
2. Manage cyber risks systematically, including through assessments of the effectiveness of controls and security awareness training.
3. Task enterprise-wide governance arrangements to have awareness of cyber vulnerabilities and threats.
4. Adopt a risk-based approach to prioritise improvements to cyber security and to ensure higher vulnerabilities are addressed.
Roles and responsibilities
5. Assign information security roles to relevant staff and communicate the responsibilities.
6. Develop the capabilities of ICT operational staff to ensure they understand the vulnerabilities and cyber threats to the system.
7. Ensure management understand their roles and responsibilities to enhance security initiatives for the services for which they are accountable. This includes senior management understanding the need to oversee and challenge strategies and activities aimed at ensuring the entity complies with mandatory security requirements.
8. Embed security awareness as part of the enterprise culture, including expected behaviours in the event of a cyber incident.
9. Assign data ownership to key business areas, including the role to classify the data, and grant or revoke access to shared data by other entities.
Technical support
10. Develop and implement an integrated and documented architecture for data, systems and security controls.
11. Identify and analyse security risks to their information and system, including documenting ICT assets requiring protection.
12. Establish a Cyber Incident Response Plan, informed by a comprehensive risk assessment and business continuity plan, including a priority list of services (not ICT systems) to be recovered.
Monitoring compliance
13. Develop an approach to verify the accuracy of self-assessments of compliance with mandatory cyber security requirements.70

Measuring a Cyber Resilience Culture

1.49
Evidence taken in public hearings from lead policy entities highlighted that they found culture hard to assess empirically. In response to a question from the Committee regarding whether culture could be measured, Home Affairs observed that ‘culture is really difficult to measure. But one thing you can do is put forward vignettes about where things are working … You look at how departments of state and agencies are making changes and you can look at the culture within agencies’.71 Similarly, AGD agreed that:
it is very hard to empirically measure culture. But one thing that agencies do that we do in Attorney-General’s Department is annual protective security training for staff … We have often asked staff to complete a series of questions that also measure the extent to which they fully appreciate the range of their protective security obligations, which … is not a perfect measure of culture but contributes to an assessment.72

Cyber Resilience Culture and the PSPF

1.50
The PSPF focuses broadly on assisting government entities to protect their people, information and assets through the key areas of security governance; information security; personnel security; and physical security.73 It details how accountable authorities should encourage collective responsibility among personnel, and outlines that the Chief Security Officer should provide leadership in the area of organisational culture.74
1.51
The PSPF also sets out a number of aspects that indicate a ‘positive security culture’, including that security is prioritised by leadership; risks are identified and managed; security awareness training is implemented for personnel and contractors; incidents and breaches are managed appropriately; and security improvements are encouraged within the agency.75
1.52
The PSPF does not refer to the 13 behaviours and practices identified by the ANAO as assisting in the establishment of a cyber resilient culture.
1.53
In its submission, AGD stated that, ‘while the PSPF does not directly apply the ANAO’s framework, the requirements in the security governance outcome of the PSPF are similar to the strategies and structures outlined in the ANAO’s framework’.76 As to whether the ANAO’s framework might be used by entities as a guide, AGD responded:
the ANAO’s framework is a useful additional resource for Commonwealth entities to consider in building a strong cyber-resilient culture. The PSPF includes a range of requirements that assist entities to establish appropriate governance arrangements to support protective security culture, of which a cyber-resilient culture is one part. The PSPF takes a holistic and integrated approach to protective security and security culture, encompassing information, people and physical security. AGD has established a Security Culture Community of Practice to enhance and strengthen security culture across Australian Government entities, and has worked with that Community of Practice to produce a Cultural Transformation Strategy to support entities with their obligation to foster a positive security culture.77
1.54
At the public hearing, the ANAO outlined that, whilst it is not their role to mandate which framework should be utilised, it was clear that the framework currently being used ‘wasn’t driving the behavioural change to ensure the regulatory stance was robust enough’.78
1.55
In explaining how the ANAO had addressed this matter in its reporting, the Auditor-General stated that ‘normally we audit against the framework set by regulators. In this case there isn’t one, so we’ve built a framework that tries to provide through a definition of what a strong resilient culture is through to indicators of those things and then measures of them’.79 As the Auditor-General further explained:
What we’re trying to look at in our reporting is what agencies are doing to become cyber resilient. A key focus of that is given that mandatory arrangements are a minimum standard, you would expect to see compliance. After that we look at what are the cultural aspects that build resilience? … It goes to elements that we’ve identified for developing an effective culture through the governance and risk framework, the roles and responsibilities being clear, the technical support arrangements and monitoring and compliance. We’ve built this framework so that we can build a measure or an indicator of the strength of the organisation’s resilience, which is driven by culture. If you don’t have a go at measuring it or defining it in a way that is measurable, it actually doesn’t add much value to the conversation. To say culture is important but not what that means is not a very valuable thing to contribute.80
1.56
The ANAO elaborated that the 13 behaviours and practices were developed to test whether organisational leadership goes beyond simply instructing personnel on security measures to embedding cyber resilience into the ‘day-to-day management and practices of the entity’.81

Top Four and Essential Eight Implementation

1.57
Under the PGPA Act, non-corporate Commonwealth entities are required to apply the PSPF, which states that they must mitigate common and emerging cyber threats. The framework mandates that non-corporate Commonwealth entities implement the Top Four cyber security mitigation strategies detailed in the ISM. These four mandatory strategies, in combination with a further four non-mandatory strategies, are known as the Essential Eight. It is not mandatory for GBEs and corporate Commonwealth entities to apply the PSPF or the ISM, including the Top Four. However, the PSPF and the ISM currently represent ‘better practice’ for such entities.82
1.58
JCPAA Report 467, Cybersecurity Compliance, recommended that the Australian Government mandate the ASD’s Essential Eight cybersecurity strategies for all PGPA Act entities, by June 2018.83 The Government response to this recommendation stated that ‘the Government will consider mandating the Essential Eight when cyber security maturity has increased across entities’.84
1.59
Asked at the public hearing whether cyber security maturity had increased across entities since the Committee made its recommendation, AGD explained that the ‘reporting model’ under the PSPF had changed, ‘so we can’t compare the 2017-18 reporting directly with the reporting we got from 2018-19’.85 However, AGD observed ‘we do have information to indicate that there have been improvements, that there’s clearly still room for more improvement and that there is variability across agencies’.86 As to whether, consistent with the Government response, there would be consideration given to mandating the Essential Eight when cyber security maturity had increased across entities, AGD stated that:
the issue of mandating all Essential Eight mitigations in the PSPF remains under consideration by AGD having regard to cyber security maturity levels across entities and ASD’s technical advice … AGD continues to keep the mandatory requirements under review and the new reporting from all entities about their implementation of the Essential Eight will assist in consideration of this issue.87
1.60
In terms of the rationale for only the Top Four of the Essential Eight mitigation strategies being mandatory, ASD explained that ‘decisions around what’s mandatory and what’s not are policy decisions’.88 ASD further observed that the focus on the mandatory Top Four is ‘informed by technical advice, and our technical advice is that those Top Four provide the greatest defence and are of greatest import’.89 Similarly, AGD stated that ‘from the perspective of the policy decision to have the Top Four as mandatory and then asking agencies to assess themselves … against the Essential Eight ... We consider that approach, with ASD and Home Affairs, as appropriate at this time’.90 As ASD further advised, ‘at this point we feel it is most focused and prioritised to have the policy reflect the mandatory requirements of the Top Four and not to do that for the full Essential Eight or indeed beyond that’.91
1.61
As to why it is not mandatory for GBEs and corporate Commonwealth entities to apply the Top Four mitigation strategies, the Auditor-General observed:
it’s not uncommon within the Commonwealth public sector that mandated rules from the centre apply to the non-corporate sector but not to all of the corporate sector. You’ll find that across a lot of areas like procurement, grants and in the PSPF. We’d think that there probably could be more consistency in how those frameworks are put in place … whether a dividing line of corporate is the right one is something that we’ve raised in other spaces.92

Transparency and Accountability to the Australian Parliament

1.62
JCPAA Report 467, Cybersecurity Compliance, recommended that AGD and ASD report annually on the Commonwealth’s cyber security posture to the Parliament.93 The Commonwealth Cyber Security Posture in 2019: Report to Parliament responds to this recommendation.94
1.63
The 2019 Commonwealth Cyber Security Posture states that ‘identifying the cyber security posture or vulnerabilities of individual Commonwealth entities may increase their risk of being targeted by malicious cyber actors. This Report, therefore, does not identify specific entities—all data has been anonymised and provided in aggregate’.95 As ASD observed, the 2019 Commonwealth Cyber Security Posture ‘includes aggregated results of the status on the Commonwealth’s cyber security posture … ASD does not identify the cyber security posture or vulnerabilities of individual Commonwealth entities as this may increase their risk of being targeted by malicious cyber actors’.96 AGD similarly noted that having publicly available details on cybersecurity vulnerabilities ‘itself creates a vulnerability, and the purpose of the cybersecurity posture report is to provide that information at a non-detailed entity level for members of parliament and others. Clearly, the ANAO report provides some level of information as well on entities’.97
1.64
In terms of individual Commonwealth entities being held accountable to the Australian Parliament for their compliance with mandatory cybersecurity measures, AGD advised that this ‘might require classified forums with security classified, in-confidence arrangements … the issue with providing detail publicly on specific agencies’ cybersecurity arrangements and potential vulnerabilities is that it could make them more vulnerable to cyber threat’.98 AGD further stated that ‘we understand parliamentary committees can make arrangements to receive information in private having regard to the requirements of security’.99 AGD also noted that the ‘PSPF mandates that each entity must report on security each financial year to their portfolio minister. AGD provides an annual report to the Attorney-General and publishes a whole of government assessment report on its website’.100
1.65
There was interest in how the ANAO takes account of sensitivities regarding the amount of detail provided in audit reports on the cyber resilience of audited entities. The Auditor-General explained that:
Our methodology for dealing with that in the cyberspace is the same as we use for all security type information. We prepare reports that, in the first instance, include all the details of our findings. We provide it to the entity and then have a discussion with them about where they see security type issues. We usually work through to an agreed conclusion as to the level of detail that we disclose … We tend to take a collaborative stance on it. In general, my position would be that if an agency raised significant concerns, we wouldn’t disclose.101
1.66
On this matter, AGD stated that ‘ANAO audits are conducted at a single point of time across a small sample of entities. Providing detailed information … on cyber security vulnerabilities for all individual Commonwealth entities would significantly increase the risk that vulnerabilities could be exploited. The aggregation of the information would in effect provide adversaries with a heat-map of the Commonwealth’s entire cyber security posture’.102

Concluding Comment

1.67
Three Commonwealth entities have oversight responsibilities for cyber security—Home Affairs, AGD, and ASD, along with the ACSC. During the inquiry, the Committee received advice about the Australian Government protective security policy framework and guidance, including the PSPF and ISM.
1.68
With regard to the five cyber-based audits since 2013-14, the ANAO stated that Australian Government entities’ compliance with mandatory requirements of the PSPF for information security ‘remained low’, and that ‘the regulatory framework had not driven sufficient improvement in cyber security’.103 However, at the public hearings, the Auditor-General noted that ‘there has been a new framework put in place which has additional oversight arrangements and that may be more successful, but we are not in a position to comment on that yet’,104 and that ‘we haven’t really done an assessment of the technical supporting of the self-assessment framework, particularly since the new framework was established last year’.105
1.69
On the new framework, AGD stated that the results from the 2018-19 PSPF assessment reports and the 2019 Commonwealth Cyber Security Posture Report indicate that there are ‘improvements in entities’ cyber security’,106 and that the recent PSPF reforms and the changes to maturity reporting have been designed to ‘provide a framework that will support greater improvement’.107 AGD provided the Committee with information on the PSPF reforms, including the Cyber Uplift program and accompanying ‘sprint’ program; the CIO/CISO forums; and the new maturity reporting, which replaces point in time compliance reporting with ongoing monitoring of security maturity and implementation of PSPF requirements.108 The Committee further notes the release of the 2020 Cyber Security Strategy and June 2020 Australian Government Cyber Enhanced Situational Awareness and Response package.
1.70
The 2019 Commonwealth Cyber Security Posture stated that ‘baseline adoption of the Essential Eight across the Australian Government still requires further improvement’ but noted that ‘Commonwealth entities continue to improve their cyber security’.109
1.71
At the time of the Committee’s inquiry, the ANAO was conducting an audit on cyber security strategies of non-corporate Commonwealth entities. The proposed audit criteria included examining whether ‘the three entities responsible for cyber policy in the Commonwealth (ASD, AGD and Home Affairs) have worked together to support accurate self-assessment and reporting by non-corporate Commonwealth entities, and to improve those entities’ implementation of cyber security requirements under the PSPF’.110 As the audit was not completed concurrent with the inquiry, it does not form part of the Committee’s report. The Committee will consider the audit findings in due course, and therefore does not make any specific recommendations in this area at this time.
1.72
The Committee understands that AGD is currently exploring external moderation models and benchmarking processes, to verify entities’ reported compliance with cybersecurity requirements and enable comparison between entities.111

Recommendation 1

1.73
The Committee recommends that the Attorney-General’s Department provide an update on its implementation of external moderation models/benchmarking processes, to verify Commonwealth entities’ reported compliance with cybersecurity requirements, including implementation timeframes.
1.74
JCPAA Report 467, Cybersecurity Compliance, recommended that the Australian Government mandate the ASD’s Essential Eight cybersecurity strategies for all PGPA Act entities, by June 2018.112 The Government response to this recommendation stated that ‘the Government will consider mandating the Essential Eight when cyber security maturity has increased across entities’.113
1.75
The Committee heard evidence from AGD, ASD and Home Affairs of increasing cyber security maturity levels throughout this inquiry.
1.76
In light of this, and the increasingly acute cyber security threat environment confronting Commonwealth entities, the Committee considers it appropriate that the Government revisit its response to this recommendation and update the Committee on its intended approach.

Recommendation 2

1.77
The Committee recommends that the Attorney-General’s Department:
provide an update on the levels of cyber security maturity within Commonwealth entities and the feasibility of mandating the Essential Eight across Commonwealth entities, including the threshold of cyber security maturity required by Government to impose this mandate, and expected timeframes; and
report back on any impediments to mandating the Top Four mitigation strategies for government business enterprises and corporate Commonwealth entities.
1.78
The Committee notes that the ANAO has identified 13 behaviours and practices as key to a strong cyber resilient culture, and is auditing against this framework.114 The Committee believes these factors provide a useful indication of the key steps agencies should take in the implementation or improvement of culture.
1.79
In the Committee’s view, there appears to be no formal framework or implementation plan for the adoption of the 13 behaviours and practices the Auditor-General has outlined as assisting to establish a cyber resilient culture.
1.80
While the PSPF outlines the importance of fostering a positive security culture, it makes no reference to cyber resilience culture. The PSPF recommends that the maturity of an entity’s security culture should be measured, and appropriate metrics should be utilised.115 However, during the public hearing, it was clear that accountability mechanisms to ensure agencies are complying with the PSPF are limited and that each accountable authority must ensure their own compliance with mandatory frameworks.116
1.81
The current accountability framework for the cyber security practices of individual entities under the PSPF was described in evidence to the Committee by AGD:
The reporting agencies provide [self-assessment reports on compliance with mandatory cybersecurity measures in the PSPF] to their own minister. Obviously, within the agency, it goes to the head of the agency. It has to be provided to their minister, and it's provided centrally as well to the Attorney-General's Department. On cybersecurity, we in turn share that with the ACSC. So it directs our efforts on working with agencies on improvements, but it has been made visible at a ministerial level as well. Then it informs the program of ongoing work to improve cyber-resilience.117
1.82
The Committee has long held a strong bipartisan consensus that this government accountability framework be supported by Parliamentary accountability on cybersecurity.
1.83
JCPAA Report 467, Cybersecurity Compliance, emphasised that, ‘as a strategic priority, it is crucial that Commonwealth entities be accountable to the Australian Parliament’ on cybersecurity.118
1.84
On this basis, the Committee recommended that AGD and ASD ‘report annually on the Commonwealth’s cybersecurity posture to the Parliament, such as through the Parliamentary Joint Committee on Intelligence and Security’.119
1.85
The Government agreed to this recommendation and in response published the first Commonwealth Cyber Security Posture report in 2019. However, the publication of this report highlights the inherent tension between the benefits of public accountability for the cyber security practices of individual departments and the potential for the publication of vulnerabilities within Commonwealth entities to exacerbate existing security risks. The Government has sought to resolve this tension in the Commonwealth Cyber Security Posture report by publishing information on an aggregated basis only.
1.86
The Commonwealth Cyber Security Posture in 2019: Report to Parliament responds to a previous JCPAA recommendation that AGD and ASD report annually on the Commonwealth’s cyber security posture to the Parliament. The Committee appreciates the sensitivities involved in reporting on the cyber security posture of individual Commonwealth entities, in terms of potentially increasing their risk of being targeted by malicious cyber actors. The Australian Parliament has a number of mechanisms to receive information on the cyber security position of individual Commonwealth entities, to ensure transparency and accountability while having regard to security requirements, including through: ANAO cyber audits on individual entities tabled in the Parliament; security classified, in-confidence briefings; and in-camera parliamentary committee arrangements. The Committee also notes that each Commonwealth entity must report on security each financial year to their portfolio minister, with AGD publishing a whole of government assessment report on its website.120 The Committee will continue to monitor the effectiveness of the Commonwealth cyber security posture reporting to the Parliament.
1.87
The Committee notes that Commonwealth entities range significantly in size and risk profile and the mandating of specific cyber security strategies must be tailored to, and conscious of, those differences.

Recommendation 3

1.88
The Committee recommends that the Australian Government (the Attorney-General’s Department) ensure that the framework of 13 behaviours and practices developed by the Australian National Audit Office (ANAO) play a greater role in the implementation and improvement of a cyber resilience culture within Commonwealth entities, including that:
the Protective Security Policy Framework (PSPF) be amended to reflect or incorporate the behaviours and practices framework, including for auditing purposes, to maximise alignment between the PSPF and the ANAO’s audit framework; and
a dedicated section be created within the annual PSPF self-assessment questionnaire addressing the ANAO’s 13 behaviours and practices that facilitate a cyber resilience culture.
1.89
The Committee considers that greater transparency in the implementation of a cyber resilience culture within corporate and non-corporate Commonwealth entities is required.
1.90
The Committee recommends that this be achieved through an annual limited assurance review into the cyber resilience of entities, undertaken by the ANAO on behalf of the Parliament.
1.91
The ANAO could work with each relevant entity to review and report back on the extent to which it has developed cyber resilience. The Committee recognises the concern raised in evidence to the inquiry that publicising individual vulnerabilities within Commonwealth entities could exacerbate existing cyber security risks. In light of this, the Committee proposes that published limited assurance reviews provide no more granular public information than is published in existing ANAO cyber resilience audits. The published report can also provide advice on identified impediments to agencies implementing the 13 behaviours and practices and the Essential Eight mitigation strategies, noting that provision exists for confidential reporting to Ministers and the JCPAA where required.
1.92
Compliance of corporate and non-corporate entities with cyber security measures could be assessed against the Essential Eight mitigation strategies in the ISM, with a particular focus on the Top Four strategies. Cyber resilience culture should also be assessed according to the ANAO’s 13 behaviours and practices as outlined above.
1.93
During the period of this inquiry, the Auditor-General released his Mid-Term Report, reflecting on key issues in public sector accountability that have characterised his time in the role so far.
1.94
The Committee notes that this Mid-Term Report highlighted that:
the category which consistently has the most number of financial audit findings raised relates to the information technology control environment, with the most common area relating to weaknesses in security management. These findings are consistent with the conclusions in performance audits of cyber security, which have also consistently identified non-compliance. With cyber security being an area of government priority for many years, these findings are disappointing.121
1.95
The Auditor-General continued:
There are almost no formal mechanisms in these frameworks to provide assurance on compliance. Often the ANAO is the only source of compliance reporting and our resources mean that coverage is quite limited. While I agree that accountable authorities must be responsible for entities’ compliance, it is also clear that policy owners need to be held accountable if the regulatory frameworks they put in place for the public sector do not result in an acceptable level of compliance. For this to occur, they should at least have processes in place to identify the level of compliance and be willing to modify their regulatory approach if it is not working. Unfortunately, this has not been a common approach.122

Recommendation 4

1.96
The Committee recommends that the Australian National Audit Office (ANAO) consider conducting an annual limited assurance review into the cyber resilience of Commonwealth entities, with the cost to be met by the responsible policy agencies or Government. The review should examine and report on the extent to which entities have embedded a cyber resilience culture through alignment with the ANAO’s framework of 13 behaviours and practices. The review should also examine the compliance of corporate and non-corporate entities with the Essential Eight mitigation strategies in the Information Security Manual and be conducted for 5 years, commencing from June 2022 (to enable time for implementation).

  • 1
    Section 8(1)(c), Public Accounts and Audit Committee Act 1951.
  • 2
    ANAO website <www.anao.gov.au/work/performance-audit> See also ANAO, Submission 6.1, p. 2.
  • 3
    Mr Hamish Hansford, First Assistant Secretary, Cyber, Digital and Technology Policy Division, Home Affairs, Committee Hansard, 2 July 2020, p. 6.
  • 4
    AGD, Submission 7, p. 1.
  • 5
    PSPF Policy 8, ‘Sensitive and classified information’; PSPF Policy 9, ‘Access to information’; PSPF Policy 10, ‘Safeguarding information from cyber threats’; and PSPF Policy 11, ‘Robust ICT systems’—see AGD website, <www.protectivesecurity.gov.au>.
  • 6
    ‘Directive on the Security of Government Business’, Attorney-General, October 2018—AGD website, <www.protectivesecurity.gov.au/PSPF annual reporting>.
  • 7
    AGD, Submission 7, p. 1.
  • 8
    Commonwealth Cyber Security Posture in 2019: Report to Parliament, March 2020, p. 4.
  • 9
    Commonwealth Cyber Security Posture in 2019: Report to Parliament, March 2020, p. 5.
  • 10
    Commonwealth Cyber Security Posture in 2019: Report to Parliament, March 2020, p. 5.
  • 11
    Home Affairs, Submission 10, p. 1.
  • 12
    AGD, Submission 7.1, p. 1.
  • 13
    Auditor-General Report No. 38 (2019-20), Interim Report on Key Financial Controls of Major Entities, pp. 29-32. See also ANAO, Submission 6.1, pp. 5-6.
  • 14
    ANAO, Submission 6.1, p. 6. From 2018-19, Commonwealth entities have reported on their PSPF compliance using a maturity model. There are four maturity levels: Ad hoc; Developing; Managing; and Embedded—Maturity Level Three, ‘Managing’, is achieved where an entity has implemented all Top Four strategies, p. 6.
  • 15
    ANAO, Submission 6.1, p. 1.
  • 16
    ANAO, Submission 6.1, p. 2.
  • 17
    ANAO, Submission 6.1, p. 1.
  • 18
    Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 13.
  • 19
    Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 13.
  • 20
    Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 13, p. 14, p. 15.
  • 21
    Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 2 July 2020, p. 13.
  • 22
    AGD, Submission 7.2, p. 3.
  • 23
    Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 9.
  • 24
    Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 2.
  • 25
    Ms Abigail Bradshaw, Head, ACSC, ASD, Committee Hansard, 2 July 2020, p. 7.
  • 26
    Ms Abigail Bradshaw, Head, ACSC, ASD, Committee Hansard, 2 July 2020, p. 7.
  • 27
    Ms Jessica Hunter, Acting First Assistant Director-General, Protect, Assure and Enable, ASD, Committee Hansard, 2 July 2020, p. 8. ASD indicated that it would continue to conduct similar Cyber Uplift initiatives ‘as part of the $1.35 billion … investment in cyber security recently announced by the Prime Minister’, ASD, Submission 9, p. 8.
  • 28
    Mr Hamish Hansford, First Assistant Secretary, Cyber, Digital and Technology Policy Division, Home Affairs, Committee Hansard, 2 July 2020, p. 4. See, for example, Australia’s Cyber Security Strategy 2020, August 2020.
  • 29
    Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 4.
  • 30
    Ms Abigail Bradshaw, Head, ACSC, ASD, Committee Hansard, 2 July 2020, p. 3. See also Minister for Defence, ‘the [Commonwealth Cyber Security Posture] Report highlights that the overall cyber security of Commonwealth entities continues to improve’, Submission 8, p. 1.
  • 31
    Commonwealth Cyber Security Posture in 2019: Report to Parliament, March 2020, p. 9, p. 10.
  • 32
    AGD, Submission 7.2, p. 1.
  • 33
    Commonwealth Cyber Security Posture in 2019: Report to Parliament, March 2020, p. 9, p. 11.
  • 34
    AGD, Submission 7.2, p. 1.
  • 35
    ‘Cyber Enhanced Situational Awareness and Response package’, Media statement, Prime Minister, Minister for Home Affairs, Minister for Defence, 30 June 2020.
  • 36
    Ms Abigail Bradshaw, Head, ACSC, ASD, Committee Hansard, 2 July 2020, p. 20.
  • 37
    ‘Statement on malicious cyber act against Australian networks’, Media statement, Prime Minister, Minister for Home Affairs, Minister for Defence, 19 June 2020.
  • 38
    Ms Abigail Bradshaw, Head, ACSC, ASD, Committee Hansard, 2 July 2020, p. 10.
  • 39
    There are four maturity levels: Ad hoc; Developing; Managing; and Embedded. Maturity Level Three, ‘Managing’, is achieved where an entity has implemented all Top Four strategies, ANAO, Submission 6.1, p. 6.
  • 40
    AGD, Submission 7.2, p. 5. As to any differences between the way that a Commonwealth entity self-assesses compliance with the Top Four mitigations and the way that the ANAO assesses this matter as part of an audit, the Auditor-General stated that, ‘in terms of the substance of testing, the criteria are the same … we’re looking at whether the mandatory four are implemented. So there is no substantive difference, I don’t think, in that’, Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 14.
  • 41
    Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 13.
  • 42
    Ms Liz Brayshaw, Assistant Secretary, Security Law and Policy Branch, AGD, Committee Hansard, 2 July 2020, pp. 13-14.
  • 43
    Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 13.
  • 44
    Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 14.
  • 45
    Auditor-General Report No. 53 (2017-18), Cyber Resilience, p. 8.
  • 46
    AGD, Submission 7.2, p. 6.
  • 47
    Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 6.
  • 48
    Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 2 July 2020, p. 14.
  • 49
    Mr Hamish Hansford, First Assistant Secretary, Cyber, Digital and Technology Policy Division, Home Affairs, Committee Hansard, 2 July 2020, pp. 18-19.
  • 50
    As this audit was not completed concurrent with the Committee’s inquiry, this report does not consider the findings of this audit. (JCPAA Report 467, Cybersecurity Compliance, recommended that ‘the Auditor-General consider conducting an audit of the effectiveness of the self-assessment and reporting regime under the PSPF’ (October 2017), p. vii.)
  • 51
    ANAO website <www.anao.gov.au/work/performance-audit> See also ANAO, Submission 6.1, p. 2.
  • 52
    Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 2 July 2020, p. 13.
  • 53
    Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 2 July 2020, p. 5. See also on this point Mr Hehir, Committee Hansard, 19 May 2020, p. 21.
  • 54
    Ms Jessica Hunter, Acting First Assistant Director-General, Protect, Assure and Enable, ASD, Committee Hansard, 2 July 2020, p. 16.
  • 55
    Ms Jessica Hunter, Acting First Assistant Director-General, Protect, Assure and Enable, ASD, Committee Hansard, 2 July 2020, p. 16.
  • 56
    Ms Jessica Hunter, Acting First Assistant Director-General, Protect, Assure and Enable, ASD, Committee Hansard, 2 July 2020, p. 16.
  • 57
    Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 11, p. 16.
  • 58
Mr Hamish Hansford, First Assistant Secretary, Cyber, Digital and Technology Policy Division, Home Affairs, Committee Hansard, 2 July 2020, pp. 16-17.
59. Auditor-General Report No. 1 (2019-20), pp. 38-39.
60. Auditor-General Report No. 1 (2019-20), p. 40.
61. Auditor-General Report No. 1 (2019-20), p. 41.
62. Auditor-General Report No. 1 (2019-20), p. 42.
63. ANAO, Submission 6.1, p. 1.
64. ANAO, Submission 6.1, p. 1.
65. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 12.
66. ANAO, Submission 6.2, p. 2. The ANAO provided further information about the guidance, reports and organisations consulted, pp. 1-2. (The ANAO’s framework reflected a recommendation of JCPAA Report No. 467, Cybersecurity Compliance, October 2017, p. viii, that, in future audits on cybersecurity compliance, the ANAO ‘outline the behaviours and practices it would expect in a cyber resilient entity and assess against these’.)
67. ANAO, Submission 6.2, p. 1.
68. ANAO, Submission 6.2, p. 1.
69. Auditor-General Report No. 53 (2017-18), Cyber Resilience.
70. Auditor-General Report No. 1 (2019-20), pp. 38-42.
71. Mr Hamish Hansford, First Assistant Secretary, Cyber, Digital and Technology Policy Division, Home Affairs, Committee Hansard, 2 July 2020, p. 17.
72. Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 17.
73. PSPF, ‘Management structures and responsibilities’ (v2020.1), pp. 5-6.
74. PSPF, ‘Management structures and responsibilities’ (v2020.1), p. 12.
75. PSPF, ‘Management structures and responsibilities’ (v2020.1), p. 12.
76. AGD, Submission 7.2, p. 1. By way of example, AGD noted that ‘the PSPF includes requirements such as appointing a Chief Security Officer, forming a security plan and putting in place appropriate governance structures for their security environments. Entities are required to report against these requirements annually’, p. 1.
77. AGD, Submission 7.2, pp. 10-11.
78. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 14.
79. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 2 July 2020, p. 17.
80. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 2 July 2020, p. 17.
81. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 17.
82. ‘Directive on the Security of Government Business’, Attorney-General, October 2018, AGD website, <www.protectivesecurity.gov.au/PSPF annual reporting>.
83. JCPAA Report 467, Cybersecurity Compliance, October 2017, p. vii.
84. Australian Government, Response to JCPAA Report 467, April 2019, p. 5.
85. Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 11.
86. Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 11.
87. AGD, Submission 7.2, p. 2.
88. Ms Abigail Bradshaw, Head, ACSC, ASD, Committee Hansard, 2 July 2020, p. 5.
89. Ms Abigail Bradshaw, Head, ACSC, ASD, Committee Hansard, 2 July 2020, p. 5.
90. Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 5.
91. Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 5.
92. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 12.
93. JCPAA Report 467, Cybersecurity Compliance, October 2017, p. viii.
94. Commonwealth Cyber Security Posture in 2019: Report to Parliament, March 2020, p. 4.
95. Commonwealth Cyber Security Posture in 2019: Report to Parliament, March 2020, p. 4.
96. ASD, Submission 9, p. 4.
97. Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 15. Similarly, the Minister for Defence stated that the content of the posture report ‘balances the need for transparency with the need to carefully protect the security of Government systems’, Minister for Defence, Submission 8, p. 1.
98. Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 15.
99. AGD, Submission 7.2, p. 8.
100. AGD, Submission 7.2, p. 8.
101. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 2 July 2020, p. 7. See also Mr Hehir, Committee Hansard, 19 May 2020, p. 16.
102. AGD, Submission 7.2, p. 7.
103. ANAO, Submission 6.1, p. 1.
104. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, pp. 13-15.
105. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 2 July 2020, p. 13.
106. AGD, Submission 7.2, p. 3.
107. Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 4.
108. AGD, Submission 7.2, p. 5. Under the compliance model, ‘when ANAO audited the entity on its self-rated compliance level, this could be some time after the point in time information was provided, and the entity’s position may have changed’, p. 5.
109. Commonwealth Cyber Security Posture in 2019: Report to Parliament, March 2020, pp. 9, 11.
110. ANAO website, <www.anao.gov.au/work/performance-audit>. See also ANAO, Submission 6.1, p. 2.
111. Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 13; AGD, Submission 7.2, p. 6.
112. JCPAA Report 467, Cybersecurity Compliance, October 2017, p. vii.
113. Australian Government, Response to JCPAA Report 467, April 2019, p. 5.
114. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 2 July 2020, p. 17.
115. PSPF, ‘Management structures and responsibilities’ (v2020.1), p. 12.
116. Mr Grant Hehir, Auditor-General, ANAO, Committee Hansard, 19 May 2020, p. 16.
117. Ms Sarah Chidgey, Deputy Secretary, Integrity and International Group, AGD, Committee Hansard, 2 July 2020, p. 12.
118. JCPAA Report 467, Cybersecurity Compliance, October 2017, p. 13.
119. JCPAA Report 467, Cybersecurity Compliance, October 2017, p. 13.
120. AGD, Submission 7.2, p. 8.
121. ANAO, Auditor-General’s Mid-Term Report (2020), p. 5.
122. ANAO, Auditor-General’s Mid-Term Report (2020), p. 5.