Victorian Government unprepared for cyberattacks


Tuesday, 03 December, 2013


Victorian government agencies are underprepared to deal with cyberattacks on their ICT systems, according to a report from the state’s auditor-general.

“The audit examined 11 public sector agencies and found that the policy, standards and protection mechanisms for the security of the state's information and communications technology (ICT) systems and data have not been effectively applied,” wrote Auditor-General John Doyle, who authored the report alongside an audit team.

Doyle noted a lack of vigilance at individual agencies in terms of monitoring, awareness of the effects of an attack on ICT systems and adherence to state infosec policies.

“Agencies undertake only limited monitoring of suspicious internal network activity, and they do not have a capability to detect an intrusion into sensitive public sector systems,” Doyle wrote.

“The audit found there was a low level of awareness of how each agency’s ICT systems would likely perform if subjected to a cyberattack. We undertook penetration tests of selected ICT systems which identified well over 100 breaches and lapses in information security practice,” he wrote.

The report said, “Agencies have not effectively implemented Victorian Government information security policy and standards. Agencies are potentially exposed to cyberattacks, primarily because of inadequate ICT security controls and immature operational processes.

“The current information security policy has not been endorsed by government and there are no current arrangements to brief ministers if a major cyberthreat affects the public sector’s ability to deliver services,” it said.

The report went on to recommend that “the application and coverage of the government’s information security policy and standards … be reviewed”.

Specifically, the report said that while the content of the mandated information security procedures is appropriate, it only applies to 20 “inner” government agencies - and not the more than 500 “outer” government agencies.

Doyle also noted a lack of coordination across the public sector when it came to assessing cyberthreats.

“Disappointingly, I found that to date there has been inadequate central oversight of the ability of public sector systems to resist cyberattack and the follow-up of the status of emerging or known cyberthreats. Also, there are no cohesive arrangements in place in Victoria to brief ministers if a major cyberthreat was to affect the public sector’s ability to continue to deliver services,” he wrote.

“I also found that if there was an external cyberattack or a cyberalert issued by an Australian Government national security agency, there would be no coordinated understanding of the threat or its impact across the state’s public sector ICT systems, because central agencies do not conduct follow-up actions after a cyberalert is disseminated,” he wrote.

However, Doyle did note that the Victorian Government has recently made two announcements that he said “are likely to start to address these deficiencies”: the Emergency Management Bill 2013 and the development of a new cybersecurity strategy “which proposes to clarify lines of accountability and governance structures for cybersecurity within the Victorian public sector”.

He said that it was not in the public interest to reveal details of specific agencies’ security failures, presumably because this would open them up to attack.

But he added, “I have written separately to each of the agencies subject to this audit and sought their urgent attention in rectifying these issues. I am pleased to say that a number of the more critical findings have already been addressed by some agencies, and I have been advised of the practical time frames for addressing the remainder. I will be monitoring the implementation of those actions very closely.”

The report made 16 specific recommendations for improving cybersecurity across state agencies.
