The ACT Auditor-General has found that the ACT Government’s cybersecurity policy is lacking, with a low level of data security awareness among staff.
The Auditor-General’s report was presented to the Speaker of the Legislative Assembly on the same day the Australian Government revealed it was the target of a sophisticated cyberattack, although Chief Minister Andrew Barr said he was not aware of any successful cyberattack against ACT infrastructure.
“While we are probably not as high profile as Sydney and Melbourne, we would be higher up the list because of the presence of Australian Government institutions and a lot of multinational companies, [and] Australian defence and security companies who have their headquarters here in Canberra,” Mr Barr said.
“I do not know that the ACT Government itself is a particularly high-risk target, but we are a target and that is why we have a cybersecurity team within our [information and communication technology] operations.”
Mr Barr assured Canberrans that their data was safe; however, the Auditor-General found that 89 per cent of critical ICT systems did not have a current system security risk management plan, and “there is a low level of data security awareness among staff in most agencies examined in the audit”.
“This increases the likelihood of a data breach and its potential impact,” the report said.
“A lack of awareness has been demonstrated in a lack of understanding on how to share data securely, as well as to recognise when a data breach has occurred and needs to be reported.
“Agencies have not clearly understood their data security risks and requirements.”
It took Shared Services – which delivers core corporate and IT services to all ACT Government agencies – an average of three months to commence a critical system security assessment, and around eight months to complete a critical system security risk management plan.
When asked if the ACT had experienced an unsuccessful attack from the same state actor alluded to today by the Prime Minister, Mr Barr said he “was not at liberty to go into those sorts of details” as they were the “subject of quite considerable national security implications”.
“A lot of data that we store, frankly, is of low interest. I am not sure that those who want to hack into our systems are after people’s library card numbers, for example, but there are areas of ACT Government data that are higher risk.
“Health records and financial transactions, in particular, are the sorts of things we are conscious [about].”
Prime Minister Scott Morrison said the attack targeted “a range of sectors, including all levels of government, industry, political organisations, education, health, essential service providers and operators of other critical infrastructure” and was the work of a state actor.
“There are not a large number of state-based actors that can engage in this type of activity and it is clear that this has been done by a state-based actor with very, very significant capabilities,” he said.
“We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used.”
Mr Barr flagged that more needs to be done in the sector, but said the ACT Government continues to invest in cybersecurity.
“Clearly the auditor has highlighted areas for improvement and they have been working closely with the audit office,” he said.
“We need to improve that [89 per cent] and that is part of why we have performance audits. We have plans but the question the auditor wants to know is are they constantly updated.
“We also do [invest more in this area], every year.”
National Cabinet is expected to be briefed further by Australian cybersecurity officials at next Friday’s meeting.