The Commonwealth Cyber Security Posture in 2020 report informs the Parliament of the status of the Commonwealth’s cyber security posture. Overall, the report found that Commonwealth entities continued to improve their cyber security in 2020. Ongoing effort is required to maintain the currency and effectiveness of cyber security measures.
Executive Summary
The Commonwealth Cyber Security Posture in 2020 (the Report) informs the Parliament of the status of the Commonwealth’s cyber security posture. Overall, the Report finds that Commonwealth entities continued to improve their cyber security in 2020. Commonwealth entities have responded efficiently to cyber security advice and assistance and have strengthened their cyber security posture through improved alignment with the Essential Eight Strategies to Mitigate Cyber Security Incidents, basic cyber hygiene and business practices, and responses to cyber security incidents.
The cyber threat environment deteriorated in 2020. The Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC) has noted an increase in the number of cybercrime reports and cyber security incidents. In addition, the ACSC has noted an increase in the frequency and sophistication of operations by a range of state-based actors and cybercriminal syndicates. The ACSC has also noted an increase in the speed with which malicious actors have researched, and then pivoted to exploit, publicly released vulnerabilities.
Levels of cyber security maturity continue to vary across the Australian government and sustained effort is required for Commonwealth entities to meet the challenges of the evolving cyber threat environment.
Results from the ACSC Cyber Security Survey showed improvement in Commonwealth entity implementation of the Essential Eight strategies relating to user application hardening, application control, restricting administrative privileges and adopting daily backups. However, the baseline adoption of the Essential Eight across the Australian government still requires further improvement to meet the rapidly evolving cyber threat environment.
Australia’s Cyber Security Strategy 2020 positions the Australian government to better meet these evolving cyber threats, investing $1.67 billion over ten years to strengthen Australia’s cyber security, including $1.35 billion for the Cyber Enhanced Situational Awareness and Response (CESAR) package.
The CESAR package will maintain and enhance the cyber security capabilities of the ACSC and the assistance provided to Australians over the next decade. The CESAR package will enable the ACSC to identify more cyber threats, disrupt more foreign cybercriminals, build new partnerships with industry and government, and protect more Australians. The ACSC’s enhanced capability and situational awareness will assist Commonwealth entities to improve and maintain their cyber security posture and resilience.
The Australian government continues to grow capability, delivering positive cyber security outcomes for Commonwealth entities. In particular during 2020:
- the Cyber Hygiene Improvement Programs increased coverage of active Commonwealth government domains by about 320%
- over 150,000 threat events were prevented through a pilot Protective Domain Name System (PDNS) program
- the pool of independent assessors under the Information Security Registered Assessors Program (IRAP) grew by approximately 9%.
The Australian government will also continue to strengthen its cyber security capabilities through the Harden Government IT Initiative, established as part of Australia’s Cyber Security Strategy 2020. Centralising the management and operations of information and communications technology (ICT) systems run by Commonwealth entities will help strengthen the government’s cyber security posture and improve cyber resilience across those entities.
The next report will be delivered in November 2022. The change in timing is to align with financial years, enabling clearer reporting, particularly in relation to significant Commonwealth funding commitments. Instead of crossing two financial years, each new report, from 2023 onwards, will focus on the cyber security posture for a single financial year. The report delivered in November 2022 will be a hybrid report, covering 1 January 2021 to 30 June 2022.