Published: 07 July 2015


Ms FORREST (Murchison) - Mr President, I move -

That the Auditor-General report No. 8 2014-15 entitled Security of Information and Communications Technology (ICT) Infrastructure be considered and noted.



Mr President, I congratulate the members returning to this place - the members for Mersey, Derwent and Windermere - on their recent successful election campaigns, even though some were very late campaigns to run and they spent most of the election campaign in this place.  All power to them for getting returned in those circumstances - not having a contender until very late.  Congratulations to all of them.  I am sure they will continue to make a valuable contribution to this place in the next six years.  It sounds like a long time when you start, but it goes very quickly.


With respect to the motion standing in my name - to note the Auditor-General report into the security of information and communication technology (ICT) infrastructure - it is important the Parliament notes the reports produced by the Auditor-General.  We have had two more tabled this morning.  They are always very important reports and sometimes we might read them but not take the opportunity to debate and further consider them.  Whilst the Public Accounts Committee, of which I am a member, has a particular role in that, it is also important for the Parliament as a whole to consider some of these reports, particularly those that have significant potential implications for the future of the state.


The objective of this audit was to assess the effectiveness of security measures for ICT infrastructure in government departments.  The audit included ICT physical infrastructure, applications and information.  Departments subject to audit were Treasury and Finance; Primary Industries, Parks, Water and Environment; Health and Human Services; Premier and Cabinet; and Police and Emergency Management.


The Auditor-General noted in this report that state entities operate in an increasingly complex environment.  This is increasingly evident in the areas of information and communications technology, where change is rapid.  It is important to acknowledge that change is very rapid and it is always a bit of a challenge keeping up.  The crooks are only one step behind but often they can get ahead.


The report noted that the rapidly changing and complex nature of this environment was a factor in the decision to benchmark the performance of the government departments against a high threshold.  That being, to prioritise strategies listed by the Australian Signals Directorate.


The audit also acknowledged that a whole-of-government project was underway to produce an ICT security framework including a government ICT security manual.  This report highlights the urgent need for such a framework and ICT security manual.  I hope the recommendations contained in this report inform these documents as they are developed.


The Auditor-General also encouraged the Department of Premier and Cabinet to initiate a review of the framework at a suitable date, post implementation.  This will be an important step in improving and enhancing the ICT security of information and infrastructure.


It was of concern to note that the Auditor-General identified a large number of weaknesses and areas of inadequate security in most departments.  The common problems included a lack of policy on physical security, construction weaknesses, limited CCTV coverage, excessive risk from cyber attacks and a lack of testing of backups.  The issues were compounded by the lack of a strategic approach to ICT security.  It is vital that the ICT security framework referred to will address these matters.


It is noted this a complex and rapidly moving area that carries a number of risks.  We all know that whenever a new technology emerges and another layer of security is added in almost any area, there will be individuals, and sometimes organisations, who seek to find ways through or around the security to access sensitive information and potentially harm or disable infrastructure.


Government departments need to stay ahead of the game, and this cannot occur without the necessary skilled expertise and adequate human and financial resources.  I accept that the department's auditor takes ICT security seriously, we all have to.  I also note from the Auditor-General's report that generally departments had reasonable security over most of their facilities, infrastructure and service, and we, the broader community, should be confident that the data is, or steps are being taken to ensure that the data is, appropriately secure.


It is important to reiterate a point made by the Auditor-General in his report regarding this audit and the timing of the release of it, as I am sure none of us wish to expose any department to additional risk in an area such as this.  The Auditor-General stated that his normal practice when finalising reports is to provide those charged with governance, in this case the five secretaries, approximately two weeks to provide formal responses to his reports, then to table them at the earliest opportunity.  He does this to ensure timely reporting to Parliament, post the completion of an audit.  Had he followed his usual practice in this case, a public report would have been released in late December 2014 or early January 2015.  On this occasion, however, he decided not to table this report at his earliest available opportunity, as he noted - and I will quote from his report -


To do so may have exposed government departments' vulnerabilities to malicious activity.  To allow departments some time to strengthen security of their ICT assets, the response time was extended by three months.  As indicated from the responses provided, departments have used this time well.


It was very sensible of the Auditor-General to do that.  However, it highlighted there were some serious issues that needed addressing.  It is also good to note that the departments took that seriously.  Over the three-month period, the Auditor-General indicated that actions were taken to reduce those risks.  It is heartening to know this, and I commend the relevant departments for taking this matter seriously and taking urgent action as it was much needed.  It is clear that government departments rely heavily on information and communications technology and this must be kept securely.


However, as noted by the Auditor-General, there is a lack of strategic approach to ICT security, as evidenced by the lack of ICT security plans, recording systems, business continuity and disaster recovery plans, and these matters must be addressed.  The recommendations made by the Auditor-General will need to be actioned to address and resolve this, and realistic resourcing set aside in the budget.


I will be interested to know during budget Estimates hearings, what allocations are made to and within each department and the adequacy of resources in this area.  I do not expect the Leader to give a response to that now, it is a matter for budget Estimates, but it is an important area that we should all look at when we are looking at departments that we scrutinise at that time.


This report highlights an important issue and one that has emerged and grown at a very rapid rate.  It is vital strategic planning and resource allocation is made adequate to protect sensitive information and critical infrastructure, as we all know how an absence of adequate security in this area can lead to many serious and adverse outcomes.  The Auditor-General noted that government departments rely on information and communications technology to support key systems, such as patient management, police operations and motor registry.  There are some very important privacy issues associated with this information, as well as public safety and security.


In terms of security, ICT infrastructure and data needs protection from equipment failure, data loss and cyber attack.  The Auditor-General highlighted the need for a high level of security and protection of key ICT infrastructure, citing an illustration of the need for effective protection.  He noted that there was an outage at Hobart's Bathurst Street data centre in early January 2012, when an equipment fire caused a two-to-three-day shutdown of various government services and communications hardware.  Two or three days is an extraordinarily long time in matters such as this, and quite unacceptable.


The Auditor-General noted that traditionally the Government's approach to ICT security has been agency-based, with some whole-of-government support for management and planning.  It is clear this siloed approach is no longer appropriate and a more coordinated and strategic focus has become necessary.  This is due in part to the expanded range of online government services and increasingly sophisticated threats to security.  Part of the audit involved a review of cyber security and that was based on the prioritised strategies listed by the Australian Signals Directorate.


Sitting suspended from 1 p.m. to 2.30 p.m.


[2.48 p.m.]


Ms Forrest (Murchison) - Mr President, I was speaking about the challenges and risks associated with ensuring that this area is taken seriously by government with a whole-of-government approach.  I will pick up where I left off before lunch.


Part of the audit involved a review of the cyber security that is based on prioritised strategies listed by the Australian Signals Directorate - ASD - and what these government departments were benchmarked against.  It was interesting to note in the report that at least 85 per cent of intrusions that ASD responded to in 2011 involved unsophisticated techniques that would have been mitigated by the top four mitigation strategies.  It seems the crooks are moving at least as quickly and in many cases perhaps more quickly in this area and we need to keep ahead of them.


The audit considered whether there was physical security over facilities, networking infrastructure and service and within government buildings.  The report noted generally that departments had reasonable security over most of their facilities, infrastructure and service.  There were areas of inadequate security at most departments.  Common problems included lack of policy on physical security, construction weaknesses and limited CCTV coverage.


With regard to whether the information was safe and secure, the report noted that generally information was safe, with reasonable back-up and access restrictions.  However, all departments were at excessive risk of cyber attack because of the lack of ASD recommendations and mitigation strategies.  Particularly, a lack of testing of backups and access permissions.


It suggests we all understand that it is all well and good to say you have backup of all your data but if you do not check it is working, it is effectively useless.  I am sure we could all remember some time when we had the great crash, of whatever year it happened, and you lost all your data.  It is quite devastating -


Mr Valentine - Some of us are still crying.


Ms Forrest - Yes, still crying - particularly in the middle of a thesis, or something like that, and you did not have the Autosave function on either.  When you lose it and it cannot be recovered, it is quite devastating.


Mr Valentine - It hurts your brain in the end.


Ms Forrest - Yes.  Occasionally when it can be recovered there is great joy and celebration.  What we are talking about here too sometimes is the release of sensitive information, not just the loss of it, into areas where it should not be released.  That is perhaps even more damaging because it can damage more people.


With regard to whether there was a strategic approach taken to ICT security, there was widespread failure across all audited departments, evidenced by the lack of ICT security plans, incident recording systems, and business continuity and disaster recovery plans.  This is not good enough and it must be remedied.


There is a total of 44 different recommendations, including one recommendation supplied to all audited departments, that being that they need to fully implement at least the top four mitigation strategies from the ASD publication Strategies to Mitigate Targeted Cyber Intrusions.  These top four mitigation strategies are noted on page 32 of the report.  They are, and I quote from the report:


Application whitelisting - listing of trusted programs not allowing installation of non-trusted software.  This is the top strategy because it provides control over malicious programs from any source, including emails, USBs and the internet.


Patching applications - monitoring for patches for 'extreme risk' vulnerabilities, timely installation, list software and patches applied.


Patching operating system - monitoring for patches for 'extreme risk' vulnerabilities, timely installation, maintain history of patch applied.


Minimising users with administrative privileges.


Mr President, I will not go through all the recommendations.  They are available in the report and online in what I am confident is a secure site, being the Auditor-General's website.  I do not think anyone would be hacking into that; I am sure he has his own house in order first.


Mr Valentine - You haven't tried.


Ms Forrest - That is right.  I am no hacker so I have not even tried it but maybe the member for Hobart is more skilled in these areas than me.


I do not need to go through them all, I believe it is what they generally cover and I am sure members will have read the report.  However, it is clear that there is much work still to be done.  The report notes many of the essential recommendations have been actioned and the department heads have accepted and/or responded to all recommendations, and have acknowledged actions that have been, need to be or will be undertaken.


The Auditor-General made one recommendation that was common to all departments, and that was to fully implement at least the top four mitigation strategies from Strategies to Mitigate Targeted Cyber Intrusions.  I note there is still work to do in this area for most departments with only the DPEM fully addressing this recommendation when the report was released.


There is much more to do in terms of the physical security of infrastructure as well, including service and server rooms, backups - including the need for offsite backup, testing of systems, and ensuring adequate access control, review of the construction of server rooms, expanding the use of CCTV and greater hazard protection, monitoring access to information and infrastructure, just to name a few.  Clearly there is a whole range of areas across physical security as well as security of the information and making that accessible only to those who should have rightful access.


Other recommendations include the need for greater security in information management and storage, including making greater use of in-built IT controls such as, but not limited to, controls over unauthorised software, media and internet access; development of business continuity plans and ICT security disaster recovery plans and tests for those plans regularly; upgrades of access controls, alarms and hazard protection at specific server rooms; testing of backups at a frequency commensurate with the risk, which may be on a daily basis, depending on the level of risk; and enforcing password protocols.  I know how painful it can be remembering them when we are required to change passwords on a fairly regular basis.  You can now get apps that can remember all your passwords for you - I am not sure how secure they are.


Mr Valentine - As long as they can't be hacked.


Ms Forrest - That is the point.  You are putting your passwords in there - what an ideal place for someone to go looking.


It is frustrating and a pain that - depending on how it is set up - you cannot use the last two or three passwords you have used and so you have to think of a new one and remember that, and on it goes.  Some passwords require numbers, letters, lower and upper case and symbols as well.  Some can only have six characters.  Some need to have eight characters.  It is a challenge for our ageing brains, but it is important they are enforced.


There is development and ongoing review of disaster recovery plans and systems and implementation of IT security instant management and recording systems.  As I mentioned, a whole-of-government project was underway to produce an ICT security framework.  The report notes that some of the recommendations at the departmental level could potentially be overtaken by implementation of a whole-of-government project.  It is important that these recommendations are acted on and met either through a whole-of-government ICT security framework or by other direct action.


With so many areas needing action in a field that is complex in nature and changing rapidly, there is a real need to ensure appropriate attention is paid to it.  It is also vital that progress in this area is reviewed.  I am confident there will be a follow-up report by either the Auditor-General, or by the Public Accounts Committee, in a relatively short time frame.  These sorts of things cannot be left too long.  I am sure it will be on the agenda of one, or both.  It is one of the things the PAC discusses with the Auditor-General when he is determining his annual plan of work - who is going to follow up which report.


In noting this report, I commend the Auditor-General and his office for the quality of the report that has been produced and the sensitive manner in which the report has been prepared.


We need to be informed about these areas and such an audit clearly identifies areas that need attention.  I am pleased to note the response from the audited departments to the initial feedback from the Auditor-General and the actions taken to address the more urgent matters, thus enabling the tabling of this report.  The questions I have for the Government - that I accept cannot all be answered here and now, and I will seek answers through other avenues - include:


• Does the State Government direct specific funds to ICT security or does this work all need to be funded from within departmental budgets?


• What is the current state of the whole-of-government ICT security framework?


Hopefully the Leader may be able to provide some information on that.


• What resources have been allocated to this important task?


• How will the current staff be brought up to speed with ICT security?


• Will there be a whole-of-government approach to this as well?


• Does the Government have an estimate of the costs involved in implementing the necessary improvements to the ICT systems?


There are two aspects to that question - one is getting them up to where they need to be, and the other is maintaining and keeping ahead of the game.  There are going to be ongoing and additional costs associated with that.  Again that comes back to the question about the budget - is it a whole-of-government funding allocation, or is it to be met within departmental budgets?  That is a matter we will probably pursue in budget Estimates with each department.


It is also vital that the experiences and knowledge gained from this audit process be used and/or implemented to improve policies and frameworks elsewhere within the public sector.  In a sense, the state government, as well as other parts of the public sector, is only as strong as its weakest link.  There must also be recognition by government that this is a complex area, requiring ongoing development as risks change and new threats emerge.


As noted in the Auditor-General's conclusion, it is the responsibility of the secretaries of the five departments audited to ensure the implementation of appropriate processes which provide effective security measures.  However, I am also of a mind that this needs to be a whole-of-government approach and I am hopeful this can be achieved.


I commend the Auditor-General's report and I look forward to other members' contributions and the response from the Government to this important report.



Go Back