Cybersecurity protections at the federal Department of Parliamentary Services (DPS) are still only “partly effective” seven years after attackers breached its networks, according to a new audit that found its implementation of seven out of eight key cybersecurity controls “fell short”.
As the provider of ICT services across Parliament House, DPS manages IT for 4,817 users and 10,951 end-user devices, supported by services including its long-running Parliamentary Computer Network (PCN).
Given the sensitivity of its users at the highest levels of Australia’s government – among other things, the PCN carries Parliamentarians’ emails and web traffic – DPS is expected to have clear policies to manage the cybersecurity risks that threaten them.
It is obliged under the Protective Security Policy Framework (PSPF) and Information Security Manual (ISM) to implement the Australian Signals Directorate’s (ASD) Essential Eight cybersecurity protections to Maturity Level Two.
The Essential Eight outlines ways to improve ICT environments’ resistance to attacks, including application controls, regular patching, restricting Microsoft Office macros, multi-factor authentication (MFA), hardening user applications, backups, and more.
The Australian National Audit Office (ANAO) audit evaluated DPS compliance with these guidelines, ultimately finding they “had not been fully implemented” and that DPS risk-management “fell short of the standard required to adequately address the risk” of attack.
While it serves users with diverse data security needs – including other Parliamentary entities, Parliamentarians and their staff – ANAO found “the differing business and security requirements of these user groups were not reflected in the department’s IT environment.”
DPS lacks an IT control environment that manages key risks for its users and “had not completed key cybersecurity policies”, ANAO found; among the gaps, it had not identified and documented key departmental systems and ICT assets, or established whether they were adequately protected.
“DPS accepted risks above tolerance when approving the operation of new technology systems, and systems in active use required reassessment and approval,” ANAO found, noting that DPS had reviewed its security risks internally but lacked a single view of them.
Seven years on, little has changed
Demands for better cybersecurity controls at Parliament House are more than academic: amidst an ongoing hacking campaign, in 2019 DPS suffered two significant cyberattacks attributed to cybercriminals believed to be acting with the support of China’s government.
Those hackers accessed Liberal, Labor and National Party networks months before the 2019 federal election – yet Senate president Scott Ryan, in sharing news of the “extremely unfortunate” breach with Parliament, played down suggestions DPS security was lacking.
“DPS has made substantial strides in strengthening cyber defences, which have been effective in limiting the impact of this incident,” Ryan said, adding that “it is important to understand that the methods used by malicious actors are constantly evolving.”
“No network, including the parliamentary computing network, is considered 100 per cent secure; if there is an incident, best practice is possessing the capability to detect it and then remediate it quickly.”
Seven years later, the ANAO report shows that DPS still lacks such a capability, at least to the degree it needs, although it is far from alone.
Last year, an audit of NSW government agencies found they had met only 31 per cent of data protection controls in the ‘Protect’ domain of the state’s Cyber Security Policy (CSP), which mandates Essential Eight implementation, network security controls and security training.
Fully 27 NSW agencies reported 152 “significant, high, and extreme residual cybersecurity risks” during 2024 – with responses to 28 of those threats rated “largely or completely ineffective” and audited bodies unable to provide timelines for fixing 60 of the threats.
In December, a separate audit found NSW Health is “not effectively managing cybersecurity risks” to NSW clinical systems and slammed eHealth NSW’s “lack of support, coordination and oversight” in creating “confusion” about local health districts’ cybersecurity obligations.
Cleaning up the House
Ultimately, DPS’s risk management policies “fell short of the standard required to adequately address the risk”, the ANAO found – a point that DPS acknowledged in accepting all of the audit’s recommendations and undertaking a “comprehensive review” of its processes.
The department has launched a “comprehensive review of cybersecurity governance and risk assessment processes” and has secured Budget funding for a major update of the PCN and its security controls under a project called Parliamentary Information and Cyber Resilience (PICR).
That project, DPS said, “will address critical cyber, information security and operational resilience risks in the PCN, strengthening security and resilience of the network.”
It’s just one of many areas where the government’s cybersecurity has been in the spotlight: in May, for example, another ANAO report found “insufficient consideration to holistic planning for cybersecurity” in the Australian Bureau of Statistics’ (ABS) preparations for the 2026 Census on 11 August.
As at DPS, risk management was lacking: the ABS audit identified “shortcomings in completeness and timeliness of risk reviews” and “delayed identification of cybersecurity vulnerabilities”, and urged the ABS to “address key remaining cybersecurity vulnerabilities”.