Leaked report describes Federal Parliament’s cyber security as having ‘low level of maturity’
Federal Parliament failed to develop effective methods for preventing cyber intrusions and did not regularly update some sensitive information systems, according to a draft internal audit dated three months after a major cyber attack was uncovered.
7.30 can reveal that a scathing internal audit report written by KPMG for the Department of Parliamentary Services concluded the agency had an “ad hoc” approach to all elements of information security management, the lowest rating possible under the scoring metric used.
The findings of the draft report, titled the Protective Services Protective Framework (PSPF) Alignment Review, indicate that at one point the department’s contracted review team considered Parliament may have been more vulnerable than was previously known.
The department has overall responsibility for cyber security in Parliament, including the electoral and Commonwealth offices of MPs and Senators. The network it is responsible for includes over 5,000 users, 5,000 PCs and laptops, 1,000 servers and more than 2,000 mobile devices.
The emergence of the draft report is likely to raise further concerns about the severity of a major cyber attack in February 2019 that breached Australia’s parliamentary network and also separately targeted the major political parties.
Got a confidential news tip?
Contact Paul Farrell using the Signal secure messaging app on +61457262172, or at
Critically, the draft review found that “Essential Eight strategies and other methods to prevent cyber intrusions are at a low level of maturity”.
“Essential Eight strategies” are key pillars of cyber security management established by the Australian Signals Directorate that all government agencies are expected to comply with.
A spokeswoman for the Department of Parliamentary Services told 7.30 that: “The confidential working draft KPMG PSPF Alignment Review to which you refer does not reflect the true state of the department’s PSPF maturity.”
‘Lack of an overarching approach’
The draft report also found significant deficiencies in the management of key systems that hold potentially classified information.
“Some information systems are not regularly patched due to the legacy nature of their systems,” it said.
In relation to how the agency handles classified and sensitive information, the draft report said that “critical information assets have not been identified”.
Physical security of computer assets also remains a significant issue. The draft report noted that “DPS security branch is unable to identify all critical assets within APH”.
It also added that “no security zones within DPS’ remit have undergone formal zone certification or accreditation”.
Overall it found that “a large contributing factor to the low maturity for the department is the lack of an overarching approach defined for protective security management and security risk management processes”.
“Up until now, the Department has had a responsive approach to protective security management, rather than based on formal, documented, and integrated risk-based approach.”
The findings of a “low level of maturity” suggest the department has not developed a clear framework for managing key information security protocols.
The spokeswoman for the Department of Parliamentary Services told 7.30 in a statement: “Without commenting directly on this confidential draft document, it reflects early fieldwork by KPMG and was not subject to verification by the department and does not incorporate a body of work undertaken to demonstrate that the department’s PSPF maturity rating of ‘managing’ for the relevant criteria.
“The final report of the alignment review in July 2019 did not make adverse findings in relation to the department achieving an acceptable maturity rating.”
She said that the program the department undertook to assess how it met the PSPF criteria showed that it achieved “a maturity rating of ‘managing’ against 85 of the 88 relevant PSPF criteria and ‘developing’ against three criteria. The department did not rate ‘ad hoc’ against any of these 88 criteria.”
A KPMG spokesperson said: “KPMG does not comment on client work but I can confirm we were engaged by the Department of Parliamentary Services in 2019 to provide advice in relation to the Protective Security Policy Framework.”
Scale of last year’s cyber attack unknown
The specific circumstances surrounding the Parliament House cyber attack last year remain largely concealed from the public and questions have recently been raised over the scale and severity of the attack.
In January, former defence minister Christopher Pyne and Martin Parkinson, the former secretary of the Department of Prime Minister and Cabinet, spoke on Mr Pyne’s podcast at length about cyber security in government and in the private sector.
Mr Parkinson observed how he was “amazed actually at how little concern is expressed by the public when these breaches occur”.
He referenced a cyber attack on ANU as one example, and the attack on Parliament House as another.
Mr Pyne then responded: “You and I know how much worse it all was, which we can never talk about.”
Mr Pyne told 7.30 he was referring to cyber security incidents generally, and not any specific breach.
Following the publication of Mr Pyne’s comments last week, the speaker of the House of Representatives, Tony Smith, rebuked the comments and said any suggestion the public had not received the full facts was “false”.
He also said: “I would just finally say the podcast also refers to a cyber intrusion at the Australian National University … so perhaps it shouldn’t be inferred that the comments necessarily relate to the parliamentary network.”
In a Senate estimates hearing in November, the president of the Senate, Scott Ryan, said the breach occurred when “a small number of users visited a legitimate external website that had been compromised”.
This led to the injection of malware into the parliamentary computing network.
The Department of Parliamentary Services became aware of the breach on January 31, 2019. The attacker was present in their systems until February 8, 2019.
Senator Ryan had said only a small amount of non-sensitive data was taken, but he added: “While we cannot precisely guarantee that no other data was removed, extensive investigation has provided no evidence of this.”
The small amount of data known to be taken from the network was described as “corporate data and data related to a small number of parliamentarians”.
At least two parliamentarians have been informed that some of their data was taken.
The Department of Parliamentary Services’ latest annual report says that “significant advancements have been made this year to strengthen our physical and cyber security capability”.
This content was originally published here.