Is Australia's public sector prepared for a major cybersecurity incident?


Recent research into the cybersecurity readiness of Australian Federal Government agencies has found gaps in the public sector’s preparedness for cyberattacks and major data breaches, prompting a push in 2024 to improve agencies’ cyber readiness.

An audit of two government agencies, Services Australia and AUSTRAC, released in 2024, found that neither agency is well prepared to recover from a significant cyberattack, while an earlier government-wide survey found gaps in some areas of agency cyber maturity.

The Australian Government’s Cybersecurity Strategy 2023-2030 states that the federal government “must be held to the same standard it holds industry to”. In 2024, one of the Australian Signals Directorate’s (ASD’s) goals is to improve cybersecurity skills across government agencies.

Australian government entities are unprepared for a heightened cyber threat environment

Australian public sector bodies are prime targets for cybercriminals because of the data they hold. For example, the Australian Taxation Office revealed in 2024 that it faces 4.7 million attempted attacks per month, an unsurprising figure given the 50 petabytes of data it holds, while a significant number of individuals had their data accessed when South Australia’s superannuation fund operator Super SA was compromised in 2023.

Attacks faced by Australian government entities in 2022-23

Official statistics based on incidents reported to the ASD show that government entities remain attractive targets for cybercriminals and face a high volume of attacks. In 2022-23:

  • Approximately 31% of cybersecurity incidents reported to the ASD originated from Australian Government entities.
  • More than 40% of these incidents were low-level, coordinated malicious cyberattacks targeting the federal government, government shared services, or regulated critical infrastructure.
  • Ransomware is the most significant cyber threat, posing a serious risk to Australian Government entities, businesses and individuals alike.


The current stance of government entities on cybersecurity

The ASD’s 2023 Cybersecurity Posture Report, which assesses the maturity of all Australian Government entities, stated that “the overall level of maturity across all entities remained low in 2023.” The report found:

  • Twenty-five percent of entities assessed themselves at Maturity Level Two across all eight of the ASD’s Essential Eight mitigation strategies. The Essential Eight framework defines four maturity levels, from Maturity Level Zero (the lowest) to Maturity Level Three (the highest, considered best practice).
  • The majority of public sector entities (71%) assessed themselves at Maturity Level Two for the Essential Eight mitigation strategy “Regular backups”, which indicates a potential gap in the ability to recover from a major cyberattack.
  • Only 82% had an incident response plan, although this was an improvement on 2022. Of these, 90% said their plan had last been updated within the past two years and 69% said it had been exercised at least once every two years.

Previous Australian National Audit Office (ANAO) audits of public sector bodies, including the Australian Federal Police, the Australian Taxation Office and the Department of Foreign Affairs and Trade, had also “identified low levels of cyber resilience at the entities”.

AUSTRAC and Services Australia expose cybersecurity shortcomings

An ANAO report on cybersecurity incident management at Services Australia and AUSTRAC, published in June 2024, concluded that their measures were only “partially effective” and that neither agency was well positioned to ensure business continuity or disaster recovery following a significant cybersecurity incident.

Maturity level reported by AUSTRAC and Services Australia against Australia’s Protective Security Policy Framework in 2022-23. Image: ANAO

Services Australia, which delivers services and payments to citizens, and AUSTRAC, which is responsible for preventing criminal abuse of the financial system, are both custodians of economic, business and personal information, and both operate systems classified as national security or critical infrastructure systems.

AUSTRAC

The ANAO report found that AUSTRAC’s procedures supporting incident recovery did not address the security or testing of its backup solutions, nor did they identify the systems, applications and servers supporting critical business processes.

The procedures also did not set out the CISO’s responsibilities, such as the approach to continuous monitoring and reporting on improvement, or define reporting timelines. In addition, AUSTRAC had no event logging policy and did not document its analysis of all cybersecurity events, which is inconsistent with ASD guidance.


Services Australia

The ANAO found Services Australia only “partially effective” in designing its cybersecurity incident management procedures: it has no documented approach to threat and vulnerability assessments, no timeline for triage and escalation, and no defined approach to investigations.

The agency had “partially implemented effective recovery processes,” including regular backups. However, its recovery plans did not cover all systems and applications supporting critical business processes, and the agency does not test whether its backups can actually be restored.
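The backup findings at both agencies (AUSTRAC’s procedures not covering the security and testing of backup solutions, and Services Australia not testing recoverability) come down to the same gap: a backup job reporting success is not evidence that the data can be restored. The following is an added example, not code from either agency or from the ANAO, showing what a minimal recoverability test looks like: restore the archive into a scratch directory, never over production, and verify every file against a hash manifest stored separately from the archive. The directory names, file names and contents are constructed for the demonstration.

```python
"""Added example: backup recoverability check.

Back up a directory to a tar.gz plus a separate SHA-256 manifest, then prove
the backup can be restored by extracting it into a scratch directory and
comparing every restored file with the manifest. Sample data is constructed
in-line so this runs offline; none of it comes from a real agency."""
import hashlib
import json
import os
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return {relative path: sha256}.
    The manifest is also written beside the archive, so a corrupted or
    tampered archive cannot rewrite its own expected hashes."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore into a throwaway directory and check every file the manifest
    says must come back. ok=False with a list of problems means the archive
    is unreadable, a file is missing from the restore (backup scope gap) or
    a restored file's hash differs from the manifest (corruption)."""
    problems = []
    verified = 0
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Refuse members that would escape the restore directory.
                bad = [m.name for m in tar.getmembers()
                       if m.name.startswith("/") or ".." in Path(m.name).parts]
                if bad:
                    return {"ok": False, "verified": 0,
                            "problems": [f"unsafe member: {n}" for n in bad]}
                try:
                    tar.extractall(dest, filter="data")   # Python 3.12+ safe filter
                except TypeError:
                    tar.extractall(dest)                  # older interpreters
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return {"ok": False, "verified": 0,
                    "problems": [f"archive unreadable: {exc}"]}
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
            else:
                verified += 1
    return {"ok": not problems, "verified": verified, "problems": problems}


def demo() -> dict:
    """Constructed scenario: a healthy backup, a truncated copy of the same
    archive (simulated media corruption), and a manifest listing a file the
    backup job never captured (a scope gap, like a system missing from the
    recovery plan)."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "prod"                      # hypothetical production tree
        (src / "db").mkdir(parents=True)
        (src / "config.yaml").write_text("service: payments\n")
        (src / "db" / "ledger.csv").write_text("id,amount\n1,10.00\n")
        (src / "db" / "payments.sqlite").write_bytes(os.urandom(4096))
        archive = root / "prod.tar.gz"
        manifest = make_backup(src, archive)
        results["good"] = verify_restore(archive, manifest)

        truncated = root / "prod-truncated.tar.gz"
        truncated.write_bytes(archive.read_bytes()[:-64])
        results["truncated"] = verify_restore(truncated, manifest)

        wider = dict(manifest, **{"db/audit.log": hashlib.sha256(b"constructed").hexdigest()})
        results["scope_gap"] = verify_restore(archive, wider)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: ok={r['ok']} verified={r['verified']} problems={r['problems']}")
```

The two failure cases are the ones the audits describe: an archive that exists but cannot be read back, and a manifest of what the business needs that the backup never contained. Only an actual restore exercised on a schedule distinguishes these from a healthy backup; the backup job’s exit status does not.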

What is Australia’s national cybersecurity strategy?

The Australian government is aware of the need for agencies to improve their level of cybersecurity readiness and resilience. In the Cybersecurity Strategy 2023-2030, for example, the government writes that as the owner and operator of critical infrastructure and responsible for the custody of some of the most sensitive data about Australia’s population, economy and national security, “government must be held to the same standard it holds industry to.”

As part of the strategy, the government has committed to:

  • Strengthening the cyber maturity of government departments and agencies.
  • Identifying and protecting critical systems across government.
  • Improving the cyber skills of the Australian public service.

The ASD said that additional funding is allowing it to help step up security at government agencies in 2024, including by introducing more technical capabilities into departments and providing more experts to help agencies harden their networks against cybercriminals.

The private sector calls for public sector security standards to be raised

The private sector will welcome measures aimed at improving cybersecurity in the public sector.

In a recent submission to the government on proposed cybersecurity legislative reforms, the Technology Council of Australia, which represents the technology industry, urged the Australian Government to strengthen and safeguard its own information security practices. Its concern is that all information private sector organisations provide to government under the proposed mandatory cyber incident information sharing measures should be handled in secure environments and transferred over secure channels.

Amazon Web Services suggested that the government should formally bring its own critical infrastructure and “systems of government importance” within the scope of the Security of Critical Infrastructure Act or another legislative framework.

“This would set important enforceable benchmarks for the government,” AWS wrote, “and send an important signal to industry that the government truly sees itself as an equal partner in the country’s cyber improvement.”
