Cyber security experts fear the Immigration Department is dragging its feet on internet security in the wake of global ransomware attacks and may be vulnerable.
The department has failed to comply with the Australian Signals Directorate’s (ASD) top four security measures — including patching — for years, despite repeatedly promising to do so.
A damning audit earlier this year found the department was vulnerable to external attacks that could compromise sensitive information, including national security data.
But the department’s chief information officer, Randal Brugeaud, will not give a deadline for compliance with the intelligence agency’s recommendations.
“The failure of key government departments to be compliant with ASD’s top four mitigation strategies is alarming,” Greg Austin from the Australian Centre for Cyber Security said.
“These are only the most basic measures designed to begin to get organisations on the difficult path of transforming cyber security culture.”
Computer security expert Richard Buckland said he was “surprised” by the department’s approach.
“They have so much data and they are in such a critical position in our overall strategy that really we would all expect them to get this right,” Dr Buckland said.
“They are very good at expecting compliance from everyone else, so I am surprised that compliance mentality does not apply to their internal systems.”
A department spokesman told the ABC it was taking the challenge seriously and its information communications technology (ICT) systems had not been breached.
Timeline for security ‘astonishing’
Earlier this month, Mr Brugeaud revealed the department may not be compliant with patching processes recommended by the Prime Minister’s cyber security adviser, Alistair MacGibbon.
Patching refers to applying vendor updates to operating systems and applications so that known vulnerabilities, including those exploited by malware and ransomware, are closed.
Mr Brugeaud told a Senate inquiry that a monthly patching cycle would not be rolled out until next financial year.
“On application patching, which is quite a challenge for all organisations … over the next two to three years we will get to a point where we are able to be fully compliant in applications,” Mr Brugeaud said.
The department spokesman told the ABC it was now in the second year of a five-year ICT plan that would ensure compliance with the ASD recommendations.
But Dr Buckland said the five-year time frame was “astonishing”.
“A five-year plan to deal with this is just the wrong time scale — it makes me concerned about how seriously they are treating this,” he said.
“In five years everything will have changed. It raises the question, how seriously are they taking cyber security?”
Department awaits Senate inquiry report
The department’s cyber security processes are now the subject of a Senate inquiry led by Liberal senator Dean Smith.
Mr MacGibbon told the inquiry that compliance with the ASD’s recommendations was only one approach to security.
“I have found that there is a prevailing ‘tick box’ compliance culture which is, in some respects, perversely driven by a fear of audit failure,” Mr MacGibbon said.
“By looking only to these snapshots, we may create a culture of fear and thereby harm our security.”
In its submission, Immigration pointed out a merger with the former customs agency in 2015 presented “an enormous challenge” for its ICT department.
“Combined, the two agencies have over 900 applications, of which 569 are unique,” the submission said.
“Of the 279 business critical applications, approximately 70 per cent are bespoke.”