Defence tech measures probed
A Defence audit has revealed major failures in securing critical ICT systems against cyber threats.
A recent Australian National Audit Office (ANAO) investigation into the Department of Defence's management of information and communications technology (ICT) security authorisations has revealed a concerning lack of compliance and outdated processes.
Conducted to ensure that Defence's security authorisation processes meet the Protective Security Policy Framework (PSPF), the audit highlights significant gaps that could expose critical systems to cyber threats.
The audit found that Defence's ICT systems management is only “partly effective"”in securing its operations.
Notably, the arrangements for system authorisations have not been consistently reviewed, failing to align with the current PSPF requirements.
Additionally, Defence's internal reports were found to omit key authorisation data, providing a “more optimistic outlook” than warranted by other internal documents.
This raises concerns about the reliability of the department's reporting on cyber security preparedness.
In a review of five case studies, Defence was found to have failed to comply with both PSPF and the internal Defence Security Principles Framework (DSPF) requirements.
As at August 2024, only 5 per cent of Defence’s ICT systems had been registered in its ICT authorisation management system.
Of these, 47 per cent were either ‘Expired’ or had ‘No accreditation’, a significant gap that leaves almost half of Defence's ICT systems unaccounted for in terms of security compliance.
The audit report found that the process to secure authorisations is significantly delayed.
Between September 2020 and September 2021, the average time for processing an ICT system authorisation was 285 days.
Defence's failure to meet its own timelines raises the risk of cyber vulnerabilities in systems that should already have been secured.
“Malicious cyber activity now represents one of Defence’s most critical risks,” according to the department's own 2022 Cyber Security Strategy.
The audit suggests, however, that despite this recognition, Defence’s efforts to manage and secure ICT systems have fallen short.
Key findings included missing data and documentation, incomplete risk assessments, and deficiencies in the peer review process.
The ANAO made eight recommendations to Defence, focused on improving compliance with the PSPF and DSPF, enhancing training for key personnel, and ensuring the accuracy of system authorisation data.
Defence has reportedly agreed to all recommendations and committed to reviewing its cyber security assessment and authorisation framework.
However, the report highlights that improvements are overdue and urgently needed to protect against cyber threats.
The full report is accessible here.