19 June 2020

Cybersecurity audit criticises ACT Government on the same day PM reveals national cyber attack

Dominic Giannini

A new report by the ACT’s Audit Office is highly critical of the ACT Government’s cyber and data security policy. Photo: Michelle Kroll.

The ACT Auditor-General has found that the ACT Government’s cybersecurity policy is lacking, with a low level of data security awareness among staff.

The Auditor-General’s report was presented to the Speaker of the Legislative Assembly on the same day the Australian Government revealed it was the target of a sophisticated cyberattack, although Chief Minister Andrew Barr said he was not aware of any successful cyberattack against ACT infrastructure.

“While we are probably not as high profile as Sydney and Melbourne, we would be higher up the list because of the presence of Australian Government institutions and a lot of multinational companies, [and] Australian defence and security companies who have their headquarters here in Canberra,” Mr Barr said.

“I do not know that the ACT Government itself is a particularly high-risk target, but we are a target and that is why we have a cybersecurity team within our [information and communication technology] operations.”

Mr Barr assured Canberrans that their data was safe; however, the Auditor-General found that 89 per cent of critical ICT systems did not have a current system security risk management plan, and “there is a low level of data security awareness among staff in most agencies examined in the audit”.

“This increases the likelihood of a data breach and its potential impact,” the report said.

“A lack of awareness has been demonstrated in a lack of understanding on how to share data securely, as well as to recognise when a data breach has occurred and needs to be reported.

“Agencies have not clearly understood their data security risks and requirements.”

It took Shared Services – which delivers core corporate and IT services to all ACT Government agencies – an average of three months to commence a critical system security assessment, and it takes around eight months to complete a critical system security risk management plan.

When asked if the ACT experienced an unsuccessful attack from the same state actor as alluded to today by the Prime Minister, Mr Barr said he “was not at liberty to go into those sorts of details” as they were the “subject of quite considerable national security implications”.

“A lot of data that we store, frankly, is of low interest. I am not sure that those who want to hack into our systems are after people’s library card numbers, for example, but there are areas of ACT Government data that are higher risk.

“Health records and financial transactions, in particular, are the sorts of things we are conscious [about].”

Prime Minister Scott Morrison said the attack targeted “a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure” and was the work of a state actor.

“There are not a large number of state-based actors that can engage in this type of activity and it is clear that this has been done by a state-based actor with very, very significant capabilities,” he said.

“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used.”

Mr Barr flagged that more needs to be done in the sector, but said the ACT Government continues to invest in cybersecurity.

“Clearly the auditor has highlighted areas for improvement and they have been working closely with the audit office,” he said.

“We need to improve that [89 per cent] and that is part of why we have performance audits. We have plans but the question the auditor wants to know is are they constantly updated.

“We also do [invest more in this area], every year.”

National Cabinet is expected to be briefed further by Australian cybersecurity officials at next Friday’s meeting.

All Comments

Totally naive response: Mr Barr said “I do not know that the ACT Government itself is a particularly high-risk target…”
Hasn’t he heard of ransomware, designed to shut down any system and lock out users until a payment is extorted?

Andrew Smith, 5:54 pm 20 Jun 20

It would seem either Chief Minister Barr has been poorly advised, or he may not yet have received more appropriate advice with “We don’t have valuable data”. Some understanding of the many City and Council Governments in the USA who were successful targets for cyber criminals last year would do well to improve his understanding of the threat. The data may well be trivial, but the inability to operate Government services and collect (substantial rates) revenue is potentially at risk.
