The ATO, which holds the financial details of all tax-paying Australians, has failed to meet cyber security standards.
The Joint Committee of Public Accounts and Audit Report 467: Cybersecurity Compliance has found that the Australian Taxation Office (ATO), as well as the Department of Immigration and Border Protection (DIBP), are still not compliant with the ‘Top Four’ mitigation strategies, mandated in 2014, and are therefore not cyber resilient.
The report said the ATO is expected to be fully compliant with these strategies by November 2017. DIBP has not confirmed a date of compliance, despite having expected to have been compliant by December 2016.
Ten recommendations have also been made for all government entities to strengthen their “cyber security posture”. This includes making it mandatory for all Commonwealth entities to comply with the Australian Signals Directorate’s (ASD) Essential Eight cyber security strategies, join the Internet Gateway Reduction Program, and participate in the ASD’s annual cyber security survey.
The Committee also recommended both the Attorney-General’s Department and the ASD annually report the Commonwealth’s cyber security stance to the Parliament.
Committee Chair Senator Dean Smith said cybersecurity should be a top priority for all Government entities.
“Achieving compliance with the mandatory cyber mitigation strategies is one way entities improve their cyber resilience and mitigate cyber incidents, alongside good governance, and a strong culture of prioritising cybersecurity within the context of entity-wide strategic objectives,” he said.
In addition, the report said that in 2015–16 only 65% of non-corporate Commonwealth entities reported compliance with the Top Four mitigation strategies, even though these strategies are the minimum requirement for entities.
The Opposition has also called on the Government to ensure its entities comply with mandated cyber security standards, saying government agencies must set the standard against which others in the community measure themselves.
Shadow Assistant Minister for Cyber Security and Defence, Gai Brodtmann, said that at a time when significant data breaches and cyber attacks are an almost daily occurrence, the revelation our own government agencies are failing to meet mandated standards should be ringing alarm bells for the Turnbull Government.
“These are government agencies that collect and store the information of Australians, protect our borders and run our national security operations.
“Ignoring these warnings means the Turnbull Government is putting this data at risk, with potentially significant consequences for Australians,” she said.