The Joint Committee of Public Accounts and Audit on Thursday heard that Geoscience Australia had an executable file discovered on its systems back in 2017 that had been sitting there for “some months”.
The file was discovered by the Australian Signals Directorate (ASD) at the time, with Geoscience Australia CEO Dr James Johnson saying it was the one occasion he was aware of that constituted a cyber incident.
“We have had executable files found within our system — on one occasion I am aware of — whereby it was found and it had been resident within our system for some months,” he stated. “It hadn’t actually developed into a major problem and it was identified for us by the ASD and we acted accordingly to rectify that.”
While Johnson could not give an exact timeline, he said it was in “approximately 2017”, and conceded there was a lag between when the file was placed on the network and when it was identified.
“Where we have identified something on our network that we are unsure about, we engage with the [Australian Cyber Security Centre] fairly quickly and also with our service provider for ICT services,” added Trent Rawlings, who, as well as being Geoscience Australia’s chief operating officer, is also responsible for cybersecurity.
“We’re certainly increasing the maturity in that area of our monitoring and response capability, but certainly there has been nothing to date that has caused significant impact to our organisation that we’re aware of.”
In a report on cyber resilience from the Australian National Audit Office (ANAO) that was published a year after the executable file was discovered, Geoscience Australia was labelled as lacking where the Australian government’s Top Four mitigation strategies were concerned.
In early 2017, the Top Four was expanded to the Essential Eight.
Following the ANAO probe, Geoscience Australia agreed to lift its security posture, with Johnson telling the committee on Thursday that his agency would be compliant with the Top Four by June 30, 2019.
“We agreed with the ANAO findings and have implemented a security improvement program to address those findings and to meet our compliance obligations, and improve overall governance and management of cybersecurity,” he stated.
“We are well more cyber resilient than at the time of the audit last year.”
The security program, Johnson explained, will implement the Top Four cyber mitigation strategies on critical systems — user workstations, email systems, and authentication systems — as priorities, and “enhance governance and support arrangements to ensure their effective operation”.
Johnson admitted that cybersecurity had not previously been a priority for the federal government agency.
“As an organisation that openly shares the majority of its information, Geoscience Australia has historically placed a higher priority on supporting scientific endeavours than cybersecurity. This was based on the presumption that a cyber threat seriously impacting on the organisation was low,” he stated.
“The importance of and reliance on ICT systems has increased rapidly and has changed the risk profile of the organisation, we are therefore changing our practices.”
While Geoscience Australia makes almost all of the data it holds publicly available, there is still the potential for the personal information of staff to be breached, for the intellectual property of other scientific organisations it engages with to be targeted, or for Geoscience Australia itself to be used as a conduit into other government entities that have a higher level of security classification.
In addition to Geoscience Australia becoming compliant with the Top Four in the coming months, Johnson told the committee it has also implemented a handful of tangible measures, such as reducing the number of staff with administrator access, trialling and procuring an application whitelisting solution, and running an awareness-raising campaign across the organisation.
The ANAO probed two other Commonwealth entities alongside Geoscience Australia in its June 2018 report: Treasury and the National Archives of Australia. It found Treasury was compliant, while National Archives, like Geoscience Australia, was lacking.
At the time, ANAO said it had found only four government entities compliant with the Top Four requirement since it was made mandatory in April 2013, out of the 14 organisations it had examined.