Why Geoscience Australia Is Inviting a Nightmare Attack

The Australian land research agency, Geoscience Australia, has apparently failed to implement the mandatory cybersecurity requirements for a company of its size and importance. A recent probe revealed this negligence has subsequently left the organization highly vulnerable to possible cyberattacks such as data theft, ransomware, denial of service, and other advanced persistent threats.

A probe conducted by the ANAO (Australian National Audit Office) has found Geoscience Australia to be non-compliant with at least four of the Australian Signals Directorate’s (ASD) “basic eight” mitigation strategies. These directives include:

1. application whitelisting
2. patching applications
3. configuring Microsoft Office Macro settings
4. application hardening
5. restricting administrative privileges
6. patching operating systems
7. multi-factor authentication
8. daily backups

The independent performance audit, which has been titled “Cyber Resilience,” was conducted by the ANAO at the Department of the Treasury, the National Archives of Australia, and Geoscience Australia in accordance with the authority contained in the Auditor-General Act 1997. The Cyber Resilience report of all the suggestions, only the Treasury had implemented the mandatory strategies. (The Australian Signals Directorate prescribes eight mitigation strategies, of which four are mandatory).

The ANAO has already performed three performance audits, since 2013-14, to assess the cyber resilience of 11 different government entities. The latest audit, the fourth one in the series, finds that Geoscience Australia was the most vulnerable among the three entities included.

The audit report says- “As with the ANAO’s previous audits of cyber security, this audit identified relatively low levels of effectiveness of Commonwealth entities in managing cyber risks, with only one of the three audited entities compliant with the Top Four mitigation strategies. None of the three entities had implemented the four non-mandatory strategies in the Essential Eight and were largely at early stages of consideration and implementation. These findings provide further evidence that the implementation of the current framework is not achieving compliance with cyber security requirements, and needs to be strengthened.”

The report further says- “Of the three entities, only Treasury was compliant with the Top Four mitigation strategies and cyber resilient. National Archives was not compliant with the Top Four mitigation strategies but had sound ICT general controls and so was assessed as not cyber resilient but internally resilient. Geoscience Australia was not compliant with the Top Four mitigation strategies and did not have sound ICT general controls so was assessed as vulnerable to cyber attacks. All three entities had implemented only one of the four non-mandatory mitigation strategies in the Essential Eight, and were not well progressed in considering an implementation position for the other three strategies.”

Geoscience Australia had not implemented application whitelisting, which is key to cyber security. Similarly, in some cases, the agency was taking almost 30 days to install critical patches whereas the current requirement to do the same is just 48 hours. While Geoscience Australia scored lowest in the audit, National Archives fared better by meeting two of the four strategies: patching applications and minimizing privileged user access. But it missed application whitelisting and patching operating systems. Thus, as per the audit, while Geoscience Australia was vulnerable and was exposed to external attacks, internal breaches and unauthorized disclosures of information, National Archives was internally resilient but vulnerable to external attacks.

The audit report says- “Of the three entities, only Treasury was cyber resilient, with a high level of protection from external intrusions and internal breaches. The department complied with the Top Four mitigation strategies and had sound ICT general controls in place for logical access and change management. The ANAO assessed National Archives as internally resilient but vulnerable to attacks from external sources. Geoscience Australia was assessed as vulnerable, with a high level of exposure and opportunity for external attacks and internal breaches and unauthorised disclosures of information.”

The audit also pointed out that while all these agencies had implemented or were progressing towards the implementation of the four mandatory mitigation strategies, they were indifferent towards implementing the non-mandatory strategies. They had all implemented only one among the non-mandatory strategies, namely the daily backup of important data.

The auditor has also recommended that both Geoscience Australia and National Archives of Australia “…each establish a plan and timeframe to achieve compliance with the Top Four mitigation strategies, and monitor delivery against that plan.” Both the entities have expressed their agreement to this recommendation.