The Federal Government’s cyber security agency has said that a number of government agencies and departments, along with private companies, have failed to implement even the most basic security measures.
The Australian National Audit Office in 2018 published a review on three government departments or agencies, auditing their cyber resilience in the face of a targeted attack; it was the office’s fourth cyber security report.
In that audit, the ANAO noted “low levels of effectiveness” in “managing cyber risks” at the Treasury Department, the National Archives and Geoscience.
Amongst its list of other offenders in previous audits, the ANAO said that the Australian Taxation Office and the Australian Federal Police had failed to adhere to best cybersecurity practices to keep their networks safe.
The ANAO’s three previous audits found “high rates of non-compliance” from as many as 11 government agencies and departments, signalling the need for these agencies to improve their cyber security practices.
According to a report from the ABC, “since 2014, failures have been found for a host of measures, including patching for known vulnerabilities like those which have made the latest attack possible.”
The Australian Signals Directorate (ASD) has mandated that government entities apply these patches.
Last Friday, Scott Morrison told reporters in Canberra that a “sophisticated state-based actor with very significant capabilities” was targeting Australian businesses and government agencies.
Shortly after the announcement, the Australian Cyber Security Centre issued a statement saying that “all exploits used by the actor in the course of this campaign were publicly known and had patches or mitigations available,” suggesting that if each agency had kept its systems up to date with the latest patches, its networks could have been protected from the widespread hack.
The ACSC has said the main method hackers had previously used to compromise networks was a vulnerability in software called Telerik UI, which has been known since March of 2019, with patches having been available for more than a year now.
It released an advisory on the potential dangers of outdated software and the importance of regularly checking for and installing patches on networks to keep them secure.
Greg Austin, fellow at the International Institute for Strategic Studies, added that “we know from the Auditor-General’s reports that Australian government departments are pretty bad at patching.”
“So I think that we have to ask some questions about how many departments have been affected and in what way, and how many departments actually patched the Telerik systems for vulnerabilities that have been known about since February last year,” Austin concluded.
A spokesperson for the Treasury Department has said that the department has put “appropriate technical mitigations in place to protect our network and systems.”
A spokesperson for the Australian Federal Police said that the audit detailing its lack of protections was more than four years old, and that the agency’s “ICT systems are now more resilient to malicious cyber activity.”
The ATO added that its main “focus is on maintaining a strong cyber security posture, including compliance with mandatory Top 4 cyber security mitigations,” and the National Archives added that it “takes cyber security seriously, and has been working to address issues raised by the ANAO.”
Professor Rory Medcalf, head of the National Security College at the Australian National University, has warned that, in spite of the warnings from cyber security watchdogs, “there was obviously a degree of complacency about previous warnings.”
He added that it was likely that a number of government agencies believed cyber security to be the primary responsibility of the ASD and so failed to be vigilant.
“The message is to say that, like with pandemic preparedness, cyber security is everyone’s problem and government can only be effective if all elements of society contribute and do their part,” he said.