Security lapse gives hackers a free pass
Treasury and Defence are among a number of federal government departments that have failed to fully implement a cybersecurity system designed to protect them from malicious emails.
After a slew of attacks this year by state-based hackers against the government and Australian businesses, only Home Affairs, Services Australia and the Australian Signals Directorate have told the Senate they have fully integrated the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocols, which are designed to stop attackers sending forged emails that appear to come from a department's own domain.
Questions on notice to Senate estimates, and checks of the departments' public domain name (DNS) records, show Treasury, Defence, Health, Education, Industry, Parliamentary Services and Attorney-General have only partially implemented the cyber protections.
A Department of Home Affairs spokesman said the cyber uplift programs would help departments bolster cyber defences, and that Home Affairs was seeing an uptick in DMARC protocols in commonwealth offices.
“The use of DMARC is a recommended control in the Information Security Manual and is one component of the Australian Signals Directorate’s suggested mitigation strategies,” he said.
“ASD has observed increased adoption of DMARC across government networks.”
Labor’s cybersecurity spokesman Tim Watts said commonwealth departments had to improve their cybersecurity if Scott Morrison expected businesses to do the same.
“The lack of implementation of basic cyber security hygiene, such as DMARC, highlights the lack of real accountability within government on commonwealth entities’ cyber security,” he said.
“Unless the government lifts its game, it leaves itself open to accusations of telling businesses to do as I say, not as I do.”
The commonwealth’s slow progress to implement email defences comes after the nation’s top cyber spy agency started working with potential victims of the SolarWinds Russian hacking offensive, including some of the most sensitive government departments and agencies, to assess whether they had been breached.
The Australian revealed last week that the departments of Defence, Finance, Home Affairs, and the Australian Securities & Investments Commission are all users of the network-management software that was infiltrated by the Russian hackers.
Defence told Senate estimates that it would complete its DMARC email protections by mid-2021, while other departments, such as Industry and Education, said 9 per cent of their systems were still to be brought under the cyber protections before the rollout was complete.
The Health Department and Treasury would not reveal their DMARC statuses to Senate estimates, but domain name records suggest they have begun updating their email protocols.
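The "domain name records" check referred to above amounts to reading the DMARC policy a domain publishes in DNS and judging whether it is merely monitoring or actually enforcing. The script below is an added example, not code from the article or any department; the domain names and records are constructed placeholders, and the policy interpretation follows the DMARC tag definitions (p=, sp=, pct=, rua=).

```python
"""Classify a domain's DMARC deployment stage from its _dmarc.<domain> TXT record.
Added example, not from the article; sample records below are constructed."""

# Constructed sample records keyed by placeholder domain names.
SAMPLE_RECORDS = {
    "none.example": None,  # no _dmarc TXT record published at all
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@partial.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subdomain-gap.example",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
}

def parse_dmarc(record):
    """Split a DMARC record into lower-cased tag -> value pairs; {} if invalid."""
    tags = {}
    for part in (record or "").split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # A policy record must start with v=DMARC1; anything else is ignored.
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def classify(record):
    """Return (stage, reasons) describing how far DMARC has been rolled out."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "").lower()
    if policy == "none":
        return "monitoring only", ["p=none: failures are reported but mail is still delivered"]
    if policy not in ("quarantine", "reject"):
        return "unprotected", ["no valid DMARC record with an enforcing p= tag found"]
    reasons = []
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100
    if pct < 100:
        reasons.append("pct=%d: policy applied to only %d%% of failing mail" % (pct, pct))
    if tags.get("sp", policy).lower() == "none":
        reasons.append("sp=none: subdomains are not enforced")
    if "rua" not in tags:
        reasons.append("no rua= address: aggregate reports are not collected")
    if reasons:
        return "partially enforced", reasons
    return "fully enforced", ["p=%s applied to all mail and subdomains" % policy]

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        stage, why = classify(record)
        print("%-22s %-19s %s" % (domain, stage, "; ".join(why)))
```

In practice the record string is fetched as the TXT record at `_dmarc.<domain>` with any DNS client before being passed to `classify`.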
Cyber security expert Robert Potter said smaller agencies faced chronic cybersecurity issues because of old computer infrastructure and a lack of funding. “They have got a lot of backlog because they have billions of dollars of systems that they need to get accredited. Not every department can even afford that,” Mr Potter said. “A lot of those small departments need to do a significant rethink around cyber governance.”