The Commonwealth Cybersecurity Posture Report in 2020 informs the Parliament of the status of the Commonwealth’s cybersecurity posture. Overall, the report found that Commonwealth entities continued to improve their cybersecurity in 2020. Ongoing effort is required to maintain the currency and effectiveness of cybersecurity measures.
Executive Summary
The Commonwealth Cybersecurity Posture in 2020 (the Report) informs the Parliament of the status of the Commonwealth’s cybersecurity posture. Overall, the Report finds that Commonwealth entities continued to improve their cybersecurity in 2020. Commonwealth entities have responded efficiently to cybersecurity advice and assistance and have increased their cybersecurity posture through improved alignment with the Essential Eight Strategies to Mitigate Cybersecurity Incidents, basic cyber hygiene and business practices, and responses to cybersecurity incidents.
The cyber threat environment has deteriorated in 2020. The Australian Signals Directorate’s (ASD’s) Australian Cyber Security Centre (ACSC) has noted an increase in the number of cybercrime reports and cyber security incidents. In addition, the ACSC has noted an increase in frequency and sophistication of operations by a range of state-based actors and cybercriminal syndicates. The ACSC has also noted an increase in the speed in which malicious actors have researched and then pivoted to exploit publicly-released vulnerabilities.
Levels of cybersecurity maturity continue to vary across the Australian government and sustained effort is required for Commonwealth entities to meet the challenges of the evolving cyberthreat environment.
Results from the ACSC Cybersecurity Survey showed improvement in Commonwealth entity implementation of the Essential Eight strategies relating to user application hardening, application control, restricting administrative privileges and adopting daily backups. However, the baseline adoption of the Essential Eight across the Australian government still requires further improvement to meet the rapidly evolving cyberthreat environment.
Australia’s Cybersecurity Strategy 2020 positions the Australian government to better meet these evolving cyberthreats, investing $1.67 billion over ten years to strengthen Australia’s cybersecurity, including $1.35 billion for the Cyber Enhanced Situational Awareness and Response (CESAR) package.
The CESAR package will maintain and enhance the cybersecurity capabilities of the ACSC and the assistance provided to Australians over the next decade. The CESAR package will enable the ACSC to identify more cyberthreats, disrupt more foreign cybercriminals, build new partnerships with industry and government, and protect more Australians. The ACSC’s enhanced capability and situational awareness will assist Commonwealth entities to improve and maintain their cybersecurity posture and resilience.
The Australian government continues to grow capability, delivering positive cybersecurity outcomes for Commonwealth entities. In particular during 2020:
- the Cyber Hygiene Improvement Programs increased coverage of active Commonwealth government domains by about 320%
- over 150,000 threat events were prevented through a pilot Protective Domain Name System (PDNS) program
- the pool of independent assessors under the Information Security Registered Assessors Program (IRAP) grew by approximately 9%.
The Australian government will also continue to strengthen its cybersecurity capabilities through the Harden Government IT Initiative, established as part of Australia’s Cybersecurity Strategy 2020. Centralising the management and operations of information and communications technology (ICT) systems run by Commonwealth entities will help strengthen the government’s cybersecurity posture and improve cyber resilience across those entities.
The next report will be delivered in November 2022. The change in timing is to align with financial years, enabling clearer reporting, particularly in relation to significant Commonwealth funding commitments. Instead of crossing two financial years, each new report, from 2023 onwards, will focus on the cybersecurity posture for a single financial year. The report delivered in November 2022 will be a hybrid report, covering 1 January 2021 to 30 June 2022.