NSW gets poor score in security audit
Auditor-General says the state’s ability to detect and respond to cybersecurity incidents needs to improve quickly.
The NSW Government lacks a whole-of-government capability to respond effectively to cybersecurity incidents, with coordination stymied by “very limited” sharing of information on incidents among agencies.
This is the key finding of a report from the Auditor-General of New South Wales into the state government’s ability to detect and respond to security breaches.
The audit stated that the NSW public sector’s ability to detect and respond to incidents “needs to improve significantly and quickly” in light of the findings.
“I am concerned that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage will be lost,” Auditor-General Margaret Crawford said.
“'The NSW Government needs to establish a clear whole-of-government responsibility for cybersecurity that is appropriately resourced to ensure agencies report incidents, information on threats is shared and the public sector responds in a coordinated way.”
No clear capability
The audit focused on the role of the Department of Finance, Services and Innovation (DFSI), which oversees the state’s Information Security Community of Practice, the Information Security Event Reporting Protocol and the Digital Information Security Policy (DISP).
It found that the DFSI does not have a clear capability to ensure effective detection and response of cybersecurity incidents across the public sector. While the DISP sets out a range of requirements for agencies regarding detection and response, there is a lack of adherence by agencies and the DFSI lacks a clear mandate to enforce the requirements.
In addition, the department has no mandate to assess whether agencies have an acceptable detection and response capability, or to ensure agencies report incidents to enable effective sharing of information across the public sector.
The DFSI has not allocated resources to gather or process incoming threat intelligence and disseminate it across government, but has started to build this capacity, the audit found.
Among 10 case study agencies evaluated for the audit, only two have good detection and response processes, and a further four have a low capability to detect and respond to incidents in a timely manner.
Most agencies have an automated security information and event management tool in place for detecting and alerting IT administrators to a suspected incident, but in some agencies only a few IT systems are covered by this tool. The agencies that lack such a tool are relying on periodical or ad hoc monitoring of logs to detect incidences.
Some agencies, meanwhile, have no incident response procedures at all, and others lack guidance on who to notify and when in the event of an incident. Eight of the 10 agencies have also not tested their procedures, representing a risk that they may not work well during a real cyber incident.
Two of the agencies covered did not report incidents to the DFSI at all despite this being a requirement, and none of the agencies’ procedures include a requirement to report incidents to the department.
This is partly the fault of the DFSI, as its guidelines contain poor information on which incidents should be reported and when, and lack a reporting template to help agencies report incidents in a consistent and timely way, the audit found.
When incidents have been reported to the DFSI, it has not provided agencies with dedicated resources to guide them and coordinate a whole-of-government response. As a result, agencies consider that there is little benefit in reporting incidents to the department.
Compounding this issue, there are no requirements for the DFSI to respond to incidents impacting multiple agencies and no guidance on a central response coordination in the event of such incidents. There is also little to no post-incident review into security breaches.
Only two of the 10 agencies had contractual requirements with their IT service providers obliging the providers to report incidents in a timely manner, and only one of these had a contractual requirement to report significant incidents within two days of resolution.
Finally, the audit found that the 10 case study agencies are providing only limited cybersecurity training to their staff — most indicated that their key staff had been trained in incident procedures, but only one was able to provide training records to support its claims.
Few agencies undertake regular awareness training to reduce the risk of incidents such as opening fraudulent websites or emails, and the agencies could provide little documentation on the role requirements and responsibilities of their staff in terms of detection and incident response.
The Auditor-General has made a series of recommendations for the DFSI in response to the findings.
The first priority should be the development of whole-of-government procedures, protocols and support systems to share information on reported threats and respond to security incidents impacting multiple agencies. These procedures should include post-incident reviews, and lessons learned from these reviews should be communicated to agencies.
The DFSI should also help agencies improve their detection and response with better practice guidelines for incident detection, response and reporting, training and awareness programs, set role requirements and responsibilities for cybersecurity across government and a support model for agencies with limited detection and response capabilities.
The audit also recommends that the DISP and Event Reporting Protocol be revised to clarify what security incidents must be reported to the DFSI. Mandatory reporting requirements should also be extended to agencies not covered by the existing policies, including state-owned companies.
Finally, the DFSI should develop a means such as a secure online template for agencies to report incidents in a more effective measure; enhance NSW public sector threat intelligence gathering and sharing; direct agencies to include clauses in contracts requiring all IT service providers to report security incidents in a reasonable time frame; and review a sample of agencies’ incident reporting procedures each year.
NSW Minister for Finance, Services and Property Victor Dominello welcomed the findings of the audit and said the government acknowledges that more must be done to protect the state’s systems and ensure they are fit for purpose for the digital age.
“Cybersecurity is an evolving threat, which is why we created the position of Government Chief Information Security Officer (GCISO) to improve cybersecurity coordination and support across government. The GCISO is also working with federal bodies including the Australian Cyber Security Centre to share information and best practice,” he said.
University of Canberra adjunct professor and former AUSTRAC CIO and CISO Dr Maria Milosavljevic was appointed as the state’s first GCISO in March last year.
The government has also injected $11.4 million into a partnership agreement with the CSIRO’s Data61 to help tackle state technology challenges including security and in February announced a $2 million investment into a planned new NSW Cyber Security Network of scientists and engineers from across seven of the state’s universities.
Ahead of the curve
Macquarie Government Managing Director Aidan Tudehope said the report highlights the need for governments worldwide to improve coordinated detection and reporting of cybersecurity events.
“Sadly, this report, while deeply disturbing, is not a surprise. Governments everywhere are struggling to come to terms with the huge, ever-changing and growing task of dealing with cybersecurity risks and attacks,” he said.
“The NSW Government is actually arguably ahead of the curve because it has at least systematically tried to investigate and report on the depth of its problems.”
Tudehope also praised the Auditor’s decision to benchmark the performance of NSW agencies against the Information Security Manual standards developed by the Australian Signals Directorate for federal government agencies.
“The Directorate is the leading source of expertise in government cybersecurity standards and practices in Australia,” he said.
“Requiring state agencies to operate against these standards that the ASD has developed for the federal government over many years is the quickest, most effective way to bring consistency to all the public-sector services that citizens rely on — no matter which tier of government is responsible.”
In our annual Leaders in Technology series, we ask the experts what the year ahead holds. Today...
The sheer volume and distribution of internet-connected OT devices increases the attack surface...
While the Essential Eight has been welcomed by the public and private sector as an initiative to...