Report of the Inquiry into the Management and Integrity of Electronic Information in the Commonwealth
Senator LUNDY (Australian Capital Territory) (10.27 a.m.)—On behalf of the Joint Committee of Public Accounts and Audit, I present the 399th report of the committee entitled Inquiry into the Management and Integrity of Electronic Information in the Commonwealth, and move: That the Senate take note of the report. I seek leave to incorporate a tabling statement in Hansard. Leave granted. The statement read as follows—

The inquiry had originally focused on the electronic protection of information held by Commonwealth agencies. However, it became apparent that a far more fundamental problem was the physical security of Commonwealth computing assets and the information held on them. Towards the end of the inquiry, the Committee had been angered to learn about the theft of IT equipment from an Australian Customs Service facility at Sydney airport through the media, rather than from Customs officials – who had appeared before the Committee the previous day. So concerned was the Committee at the approach by Customs and the nature of the security breach at the airport that Members resolved to extend the inquiry – in part to take further evidence from Customs. The Committee accepts that agencies will make mistakes from time to time and need to improve their procedures. What is totally unacceptable, however, is any lack of openness before the Committee. As a result of the security breach of Customs at Sydney airport the Committee re-commenced gathering evidence and discovered an array of problems associated with poor levels of physical security in the Commonwealth including the theft of electronic equipment from Commonwealth facilities, poor record keeping of lost or stolen IT equipment and a lack of knowledge of appropriate reporting mechanisms in the event of security breaches. 
Besides addressing the physical security of electronic information, the Committee also has recommended the implementation of standards to protect electronic information against access by unauthorised persons or for unauthorised purposes. In particular attention needs to be given to the making and management of contracts between Commonwealth agencies and outsourced service providers. The Committee has also responded to complaints from both Commonwealth and private sector agencies that the Commonwealth’s public key infrastructure system – Gatekeeper – is too complex and too expensive to make agency accreditation practicable. The Committee has recommended that the effectiveness of Gatekeeper procedures be reviewed in light of other commercially available PKI technologies. Finally, the Committee has recommended the implementation of adequate data storage practices to allow ongoing access to data in the face of rapidly changing technology. In conclusion, Mr President, I would like to express the Committee's appreciation to those people who contributed to the inquiry by preparing submissions and giving evidence at public hearings. I wish to thank the members of the Sectional Committee involved for their time and dedication in conducting this inquiry. Mr President, I commend the Report to the Senate.

I am pleased to table this report of the Joint Committee of Public Accounts and Audit: Inquiry into the Management and Integrity of Electronic Information in the Commonwealth in the Senate today. The inquiry into the management and integrity of electronic information in the Commonwealth—which is a long way of saying e-security in the public sector, so I will refer to it as e-security—is a comprehensive exposé of the ignorance and neglect perpetrated by the Howard government in ensuring that the Commonwealth’s information systems are as secure as can be reasonably achieved. 
By way of introduction, it is important to put the issue of e-security into the broader context of the security debate. The Howard government has spent a lot of time and energy purporting to be a government concerned about security. However, when tested, the Howard government has little credibility on the home front. The political strategy of John Howard has been to ride off the coat-tails of US President George W. Bush, using the rhetoric of fear—even to the point of distributing fridge magnets to remind everyone there is a reason to be fearful. Labor contends that, if the Howard government were serious about the war on terror and the potential threat facing Australia and Australians, it would have been more focused on genuine homeland security strategies and far less sycophantic in its eagerness to join the US in Iraq. It is not lost on anyone that Australia’s vulnerability to attack has been heightened as a result of this. The Labor opposition has been able to expose this lack of commitment to security in Australia through its diligence. This has come to light in a number of areas, including insufficient customs and airport security. It is this lack of genuine commitment to security generally, and e-security specifically, in Australia that is systematically laid out in the report that I am tabling on behalf of the Joint Committee of Public Accounts and Audit today. The terms of reference to this inquiry were focused and covered the privacy, confidentiality and integrity of Commonwealth information, the management and transmission of data, security thereof, and the adequacy of the legislative and guidance framework. Following many hearings and submissions, the committee has been able to agree to a series of recommendations that by their nature and urgency give light to the serious failings in this area under the Howard government. 
The committee was surprised by the lack of uniformity in e-security standards, the ad hoc adherence to what e-security guidelines there are and the inability for agencies anywhere in the Commonwealth to be able to report accurately on the collective state of e-security, including breaches thereof. This is perhaps the most concerning thing: the executive government of this country does not know what the e-security status of the Commonwealth is and has not cared enough to ask the question. It took this reference to the Joint Committee for Public Accounts and Audit to uncover this disgraceful hypocrisy. This means that the lip-service paid previously to the Howard government’s e-security agenda, coordinated by the National Office for the Information Economy, has not been effective. There was a lot of talk and a very expensive public key scheme called Gatekeeper, but there was very little substance beyond the rhetoric. In fact where there has been any activity, given the lack of mandated regulatory requirements in this area, due credit can be given to public servants because they have had no policy leadership from the Howard government. It should also be noted that the activity generated by this inquiry has by far reached beyond any effort by the Howard government to require agencies and departments to act. This is also a bipartisan report which underlines the seriousness of the unaddressed issues in e-security. The concern that e-security be addressed transcends the sharper wedge politics of security that the Howard government has been desperate to play. It is also a reflection on the integrity of the Joint Committee for Public Accounts and Audit members and their collective preparedness to say it how it is. The result is a report that does not seek to sensationalise the issues and problems. 
Nor do any committee members purport to be experts in the field; rather we have actively pursued facts as they relate to the terms of reference and then reflected on the evidence and submissions that came before us. The recommendations, of which there are nine, carry a similar theme in that they recommend diligence, organisation, preparation, implementation and analysis of e-security risks and strategies across the Commonwealth. The committee identifies agencies to be responsible for certain functions. NOIE previously had a coordination role but, given that Labor announced we would be abolishing NOIE and the Howard government later concurred, various agencies have been nominated through the recommendations to handle the implementation of an e-security strategy. These include the Defence Signals Directorate, the Attorney-General’s Department, the Department of the Prime Minister and Cabinet and the Australian Government Information Management Office within the Department of Communications, Information Technology and the Arts. Through both briefings and evidence, the committee traversed the sorts of breaches that can occur on information networks—such as viruses, denial of service attacks, and identity fraud—as well as countermeasures to deal with these problems. A key area identified was the lack of a uniform reporting system for theft and loss and for breaches of information systems. Astoundingly, some approaches to e-security meant that some agencies did not report the theft of equipment to police and did not bother to report under the existing, albeit non-universally compulsory, reporting system—DSD’s Information Security Incident Detection, Reporting and Analysis Scheme, or ISIDRAS. Recommendation 5 urges DSD to reiterate to agencies and departments their responsibility to comply with this reporting system. 
The use of encryption to protect data and authenticate online exchanges was investigated, culminating in the committee’s recommendation 9: The Department of the Prime Minister and Cabinet should review and report to the Committee on the cost effectiveness of Gatekeeper versus other commercially available public key infrastructure products and systems. It should be noted that Gatekeeper is a system as opposed to a product in this area. Complaints were received and acknowledged about the complexity and costs associated with, and potential conflicts of interest in, gaining security product evaluation and approval under DSD’s Australasian Information Security Evaluation Program, or AISEP. The committee notes that this process could be improved remarkably in both efficiency and cost. But as the inquiry proceeded it became clear that an even more fundamental area of security was being neglected. For example, evidence presented to the committee, relating to the disgraceful handling of a physical security breach at a Sydney airport involving the theft of a number of computers, exposed the fact that many agencies and departments do not have a physical security plan for information assets such as desktop computers and servers. Hence, recommendation 1 of the report is a ‘101’ of e-security: have a plan. One of the more disturbing breaches of physical security involved Telstra’s ‘loss’ of a whole month’s worth of electronic back-up tapes. These tapes were never recovered and are presumed to have been thrown out with the rubbish as they were, quite bizarrely, stored in a wheelie bin. The committee was dissatisfied by the vagueness of responses by Telstra on this matter. But recommendation 1 goes further—the committee has identified DSD to act as a watchdog to ensure that these plans are developed and to report back to the committee. 
Recommendation 3 relates to the conditions by which portable IT devices should be distributed in an effort to minimise an extraordinary level of theft and loss across the Commonwealth. The committee found that over 1,000 laptop computers have been lost by Commonwealth agencies in the last five years. Another area focused on was the impact of an IT outsourcer in relation to e-security. The committee found evidence that security was weaker where the functions were substantially outsourced in that obligations were the content of commercial-in-confidence contracts and sanctions for breaches were either non-existent or unable to be applied—that is, it really meant the loss of the contract. There was also a risk of buck-passing and poor information sharing, and clear evidence of poor communication between IT outsourcers and agencies in relation to security incidents. Given that so many outsourcers are foreign companies, and litigation is possibly the result of ultimately determining contractual disputes and liabilities, the Commonwealth’s vulnerability is enhanced overall by virtue of the vertically integrated model of IT outsourcing. Another issue relates to the potential for offshoring IT services in the context of e-security. The committee was assured that no Commonwealth data was kept offshore; therefore I expect that any disputes would fall under Australia’s jurisdiction. There are more recommendations that relate importantly to the issue of the use of open source, and the committee believes that agencies should consider the benefits or otherwise of open source as a normal part of IT risk management processes. I would like to conclude on the prospects of e-security. In the continued absence of policy in this area it is really up to the agencies and departments themselves to take the initiative, read this report and act on the recommendations. It is clear that the efforts the government has made in this matter to date have not been adequate. 
I would like to thank my fellow committee members and the committee secretariat, past and present, as well as the submitters and witnesses. Also in conclusion I would like to acknowledge the work of the Australian National Audit Office on reporting on these matters previously. Question agreed to.