The Australian Bureau of Statistics has only “partly appropriate” cyber security measures in place for the 2021 Census less than a year out, a review by the national auditor has found.
The review [pdf] into preparations for next year’s survey found gaps in the agency’s cyber security planning, which was also a bone of contention in the now infamous 2016 Census.
“The ABS is partly effective in its development of IT systems for the 2021 Census,” the report released on Thursday said.
“Generally appropriate frameworks have been established covering the Census IT systems and data handling, and the procurement of IT suppliers.
“The ABS has not put in place arrangements to ensure that improvements to its architectural framework, change management processes and cyber security measures will be implemented ahead of the 2021 Census.”
Planning and governance overall was found to be “largely appropriate”, though the report noted that there was no overarching plan.
The Australian National Audit Office said the ABS was still to take on board lessons from the 2016 Census, which was taken down by a series of distributed denial-of-service attacks.
Of particular concern were the cyber security measures and controls established for the 2021 Census, which the report said were only “partly appropriate”.
“The high-level measures and controls in the ABS’ cyber security strategy for the 2021 Census are sound. However, the strategy has not been fully implemented,” the report said.
The ABS’ compliance – or lack thereof – with the Australian Cyber Security Centre’s (ACSC’s) essential eight cyber mitigation strategies was also highlighted.
The report pointed to the agency’s 2018-19 protective security policy framework (PSPF) self-assessment, in which it reported a ‘developing’ compliance rating with the strategies.
A developing rating means an agency’s implementation and management of the ‘top four’ mitigation strategies (a subset of the essential eight) has been “substantial, but not fully effective”.
A similar level of compliance was found by the ACSC’s cyber uplift program in late 2019, which identified only a small variation from the self-assessment – issues the ABS is now addressing.
But despite the agency’s responsiveness to the ACSC’s findings, the report suggests that internal calls for lifting maturity against the PSPF more generally initially went unanswered.
“ABS IT security conducted an internal audit in September 2019 and found eight out of 37 tested strategies to mitigate cyber security incidents were not achieving the required PSPF maturity level,” it said.
“In November 2019, the ABS security committee agreed to lift maturity against the essential eight and that further work on the 37 strategies was not required.”
The ABS has not set a target date for the completion of the essential eight uplift program, and is currently relying on an interim set of controls that “have not been introduced… in a systemic way”.
“There is a risk that the ABS’ essential eight uplift will not be implemented in time for the Census to provide sufficient coverage over the breadth of the ABS’ threat environment,” the report said.
Architecture gives rise to risks
Another area found to be lacking was the development of IT systems for the 2021 Census, which – like cyber security – was described as only “partly effective”.
While the auditor said the ABS had established a “largely appropriate” IT framework for the 2021 Census, it found the implementation of that framework lacking.
“The ABS has not established a systematic process for managing risks associated with non-compliance,” it said.
“Census systems do not fully align with the ABS enterprise IT framework, giving rise to risks in relation to system integration and compliance with legislation and ABS policy.”
Instead, the report found the 30-plus IT systems supporting the Census use several architectures and that these have “not been consistently used to build ABS systems”.
“The ABS chose not to implement intended controls across all systems due to the age of some systems,” it said.
“The ABS is focusing on aligning its important and newer systems, such as the Census eForm, with the architectures.
“The flexible application of architectures and controls across systems may increase the risk that ABS systems do not comply with legislation and policy requirements.”
The report noted that major Census systems had also been built individually with their own architectures, and did not “utilise a common enterprise architecture during implementation”.
The audit made a total of seven recommendations, three of which relate to IT, including cyber security and data handling.
All of the recommendations have been accepted by the ABS, which has begun implementing “the technology and security components necessary for a high quality 2021 Census”.
“This includes rigorous independent testing and assurance of Census systems in line with the recommendations made in the report to ensure the maintenance of data quality, privacy and security,” it added.