NSW Auditor-General uncovers State's inconsistent approach to cybersecurity
The Auditor-General of New South Wales is concerned that the state’s public sector is falling behind in its ability to effectively detect and respond to cybersecurity incidents, stating there is no-whole-of-government capability to do so.
Earlier this month the NSW Auditor-General Margaret Crawford released a report titled Detecting and Responding to Cyber Security Incidents.
In the report, the shambolic and inconsistent policies across several government agencies became clear. She notes that there is limited information sharing about incidents between agencies. Some of those agencies have poor detection and response practices and procedures.
She also says that cybersecurity incidents can harm the government’s service delivery in a number of ways, including the theft of personal information, denial of access to critical technology, or hijacking systems for profit or malicious intent.
The NSW Government appointed its first Government Chief Information Security Officer (GCISO) Dr Maria Milosavljevic in March 2017 – but it seems she still has her work cut out for her.
The NSW Government also adheres to its own Digital Information Security Policy as part of its ICT Strategy. The Policy outlines requirements for agencies including breach reporting and information sharing.
“I am concerned that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage will be lost,” comments Crawford.
She believes that New South Wales’ public sector’s ability needs to improve significantly and quickly in order to properly protect and respond to incidents.
“The NSW Government needs to establish a clear whole-of-government responsibility for cybersecurity that is appropriately resourced to ensure agencies report incidents, information on threats is shared and the public sector responds in a coordinated way,” Crawford continues.
Her report found that while most agencies involved in the case study have incident response procedures, some aren’t clear about who to notify and when. Some agencies have no response procedures at all.
IT service providers are not obliged to report incidents to agencies – only two in the study had contractual arrangements that obliged providers to report incidents in a timely manner.
The report also states that there is limited evidence of the nature of cybersecurity training provided to staff; two agencies did not report incidents to the Department of Finance, Services and Innovation (DFSI) even though they are required to do so.
The DFSI itself does not have a clear mandate or capability to manage effective detection and response in the NSW public sector.
Macquarie Government managing director Aidan Tudehope says the report’s findings are ‘sobering’.
“Sadly, this report, while deeply disturbing, is not a surprise. Governments everywhere are struggling to come to terms with the huge, ever-changing and growing task of dealing with cybersecurity risks and attacks,” he explains.
“NSW Government should be commended for putting a spotlight on these problems and for taking a step toward addressing them by appointing a Chief Information Security Officer for the state.”
He notes that a positive aspect of the report was that it benchmarked the performance of NSW agencies it examined against standards for control of cybersecurity developed by the Australian Signals Directorate, the Information Security Manual (ISM).
“The NSW Government is actually arguably ahead of the curve because it has at least systematically tried to investigate and report on the depth of its problems,” Tudehope concludes.