Australia’s Department of Defence did not comply with its own guidelines for maintaining security authorisations for its information and communications technology (ICT) and has not briefed the defence minister on such authorisations in three years, an audit has found.
The report by the Australian National Audit Office (ANAO), released publicly on Wednesday, found Defence’s management of security authorisation was only “partly effective” and its work had not complied with its own Defence Security Principles Framework (DSPF).
The DSPF, which launched in 2018, states “all Defence ICT systems must be authorised prior to processing, storing or communicating official information”.
However, Defence was found not to have complied with those DSPF requirements and to have “omitted key system authorisation data”, according to the audit.
Defence’s arrangements for system authorisation were also found to be inconsistent with the government’s Protective Security Policy Framework (PSPF) and had not been regularly reviewed.
The ANAO made eight recommendations to Defence, which it said were aimed at improving “the review and update of assessment arrangements; training; the quality of supporting information; assurance and reporting arrangements; and compliance with authorisation requirements”.
In their response to the audit on 7 August, Defence acting secretary Matt Yannopoulus and acting Defence Force chief Robert Chipman said their department accepted all eight recommendations.
“Defence is committed to strengthening our approach to safeguard data from cyber threats and ensuring operation of ICT systems to protect the continuous delivery of Defence outcomes and capabilities,” they said.
The audit was carried out “to provide assurance to the Parliament on Defence’s arrangements”, the final report said.
It comes after Labor MPs Brendan O’Connor and Tim Watts requested an audit into Defence’s use of provisional authorisations in June 2021.
In September 2019, then-defence minister Linda Reynolds requested the department provide an update on any reduction of unapproved ICT systems, but “Defence did not address this request”, the audit found.
The current Minister for Defence and Deputy Prime Minister, Richard Marles, did not respond to a request for comment.
In a statement to Information Age, a Defence spokesperson said security authorisations were "only one layer of Defence’s protective measures on its ICT systems".
"Defence uses a range of cyber, physical and personnel security measures to provide a resilient network," they said.
"As part of Defence’s uplift to cyber security governance and risk management, Defence is reviewing its Cyber Security Assessment and Authorisation Framework, along with the associated policies, practices and processes."
Defence acting secretary Matt Yannopoulus (left) and acting Defence Force chief Robert Chipman (right) said the department accepted all eight recommendations made in the audit. Photos: Defence Department / Supplied
The audit noted that in its 2022 Cyber Security Strategy, Defence recognised that “malicious cyber activity now represents one of Defence’s most critical risks”.
“Robust ICT systems protect the confidentiality, integrity and availability of the information and data that entities process, store and communicate,” the audit said.
The report did not examine Defence ICT systems classified as Top Secret, which are overseen by the government’s cyber intelligence organisation, the Australian Signals Directorate (ASD).
Most Defence ICT systems were not accredited
The ANAO audit found only 5 per cent of Defence’s ICT systems had been registered in the department’s ICT authorisation management system as of June 2024.
Of those registered systems, almost half (47 per cent) either had never been accredited or had an accreditation that had expired as of August this year.
Between September 2020 and September 2021, it took an average of 285 days for Defence to process system authorisations, the audit found.
One case study found a system used by the Air Force which had its security authorisation expire in November 2020 was not submitted for re-authorisation until April 2021 and was not granted the re-authorisation until November 2022, two years after it had expired.
Another example examined by the audit involved a system used by the Navy whose exact cost was not disclosed but fell between $50,000 and $500,000, and which was described as “a critical element of Navy’s capability”.
There was “moderate” residual risk, the audit found, as “a complete security document suite had not been provided” when the system was issued with a three-year accreditation in October 2021.
“Across the ICT systems examined in case studies, deficiencies included: the absence of key data and mandatory security documentation; no evidence of assessment of control implementation; and deficiencies in the peer review process,” the audit said.
In the latest roadmap for its digital strategy, Defence said it was “eliminating outdated legacy systems” by 2027 and embracing generative artificial intelligence, drawing on up to $11 billion the federal government plans to spend on enterprise data and ICT over the coming decade.
A separate ANAO audit revealed earlier this year that Australia’s social services agency Services Australia and financial crime watchdog AUSTRAC were unprepared for “a significant or reportable cyber security incident”.