The variety of applications and services used by MPs and their staff presents a security challenge that is probably unique across the federal public sector, according to the Department of Parliamentary Services (DPS).
In a letter to a parliamentary committee scrutinising the cyber resilience of a number of Commonwealth entities, the department’s secretary, Rob Stefanic, said that DPS has faced limitations on its ability to implement the Australian Signals Directorate’s ‘Essential Eight’ security strategies.
The ASD in 2017 unveiled the Essential Eight, building on the mandatory ‘Top 4’ mitigation strategies that the organisation says could prevent the overwhelming majority of the security incidents it responds to. The Top 4 comprise application whitelisting, patching applications, patching operating systems, and restricting administrative privileges to those whose duties require them.
On top of those four, the Essential Eight adds limiting the use of Microsoft Office macros, using multi-factor authentication, daily backups, and user application hardening.
The challenge faced by the DPS is the heterogeneous collection of applications and services employed by MPs and their staff, according to Stefanic.
Stefanic said that although the department would not offer detail on the “specific security controls” it has implemented, it complies with the Top 4. DPS has a “priority program” to achieve level three maturity in those four strategies over the next 12 months.
Of the four other strategies in the Essential Eight, one has been fully implemented, one has been “70%” implemented and one is in pilot.
The remaining strategy “has not been implemented” because of the impact it would have “on the flexibility of systems and software used by parliamentarians and is being risk managed to the extent this is possible”.
“Within our unique environment the variety of software and services utilised by parliamentarians is highly varied and most likely exceeds the volume and diversity evident in other Commonwealth agencies,” the DPS secretary wrote.
However, he added, “in light of recent events” the department is re-evaluating all of the Essential Eight controls “to ensure maximum protection of the environment is enabled”.
The “recent events” refer to a breach of the parliamentary computer network that was revealed in February.
The government has indicated there is no evidence that data was accessed during the incident. The government believes that the same unnamed state actor also penetrated the networks of the Liberal, National and Labor parties.
Prime Minister Scott Morrison said last month that he would not “go into the detail of these operational matters” but that experts believed a “sophisticated state actor is responsible for this malicious activity”.