A new report by the New South Wales auditor-general, Margaret Crawford, says that state government agencies’ ability to detect and respond to cyber security incidents “needs to improve significantly and quickly”.
The audit examined a number of (unnamed) government agencies as well as the role of the Department of Finance, Services and Innovation (DFSI).
“There is no whole-of-government capability to detect and respond effectively to cyber security incidents,” the report states.
“There is limited sharing of information on incidents amongst agencies, and some of the agencies we reviewed have poor detection and response practices and procedures.”
“I am concerned that incidents will go undetected longer than they should, and opportunities to contain and restrict the damage will be lost,” Crawford said.
“The NSW government needs to establish a clear whole-of-government responsibility for cyber security that is appropriately resourced to ensure agencies report incidents, information on threats is shared and the public sector responds in a coordinated way,” the auditor-general added.
The report’s key findings include:
• Most IT service providers are not contractually obliged to report incidents to government agencies.
• The 10 agencies scrutinised for the report could only offer “limited evidence of what cyber security training had been provided to their staff”.
• There is limited sharing of security incidents. Two of the agencies did not report incidents to the DFSI “even though it is mandatory for them to do so”.
• The DFSI “does not have a clear mandate or capability to ensure effective detection and response across the NSW public sector”.
The report’s seven top-line recommendations include that the DFSI should, as a matter of priority, “develop whole-of-government procedures, protocol and supporting systems to effectively share reported threats and respond to cyber security incidents impacting multiple agencies, including post-incident reviews and communicating lessons learnt”.
It also called for the department to assist government agencies to improve their ability to detect and respond to incidents, including through training programs, developing better practice guidelines, outlining role requirements and responsibilities across government, and creating a support model for agencies with limited capabilities.
Agencies should also be directed to include standard clauses in contracts that require IT service providers to report security incidents within a reasonable timeframe. Mandatory reporting of incidents under the Digital Information Security Policy and Event Reporting Protocol should be extended to cover all government agencies, including state-owned corporations.
The department should also develop an effective tool for incident reporting, the report said. In addition it should “enhance NSW public sector threat intelligence gathering and sharing including formal links with Australian Government security agencies, other states and the private sector”.
The report noted that the state government last year created a chief information security officer role, recruiting AUSTRAC’s former chief innovation officer, Dr Maria Milosavljevic, to develop a whole-of-government security strategy.
“We take the report’s findings very seriously and will endeavour to implement its recommendations,” said a statement issued by minister for finance, services and property Victor Dominello.
“We acknowledge that more must be done to protect our systems and ensure they are resilient and fit-for-purpose in the digital age.”
The minister said that the creation of the CISO role will help improve cyber security co-ordination and support across government.
“We have also injected additional funding recently to help bolster the Government’s cyber security capabilities,” the statement said.
Last year the state government announced an $11.4 million, three-year agreement with the CSIRO’s Data61. The government said cyber security would be an early focus of the deal, which gives NSW access to Data61’s data science expertise.
In February the government said it would back a new network that brings together researchers at major NSW-based universities to boost infosec R&D.