10 years on and the government still can’t get the basics of cyber security right. The Auditor-General’s report on “key internal controls” – or more specifically the Essential 8 – showed that most departments are still failing to implement these controls properly.
Back around 2013/14 the then DSD published a set of four compulsory requirements for government departments.
What were those original four controls?
- Application whitelisting
- Patching applications
- Patch operating system vulnerabilities
- Minimise the number of users with domain or local administrative privilege
Back in 2013 DSD claimed that if organisations had implemented those four controls, at least 85% of the targeted intrusions it responded to would have been prevented.
Do they look familiar? They should, they are four of the Essential 8.
Application control was the hard one. I remember thinking – how will we implement this in a Windows-based environment? At the time there were no commercially available solutions that were tried and tested. There were a few vendors that had options, but none had been implemented in anger inside a larger government department. It was a number of years before any department had implemented application control in any real form across the board.
Now of course we have multiple vendors offering solutions, and it is no longer a question of what tool to use but of how you will manage it.
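As an added illustration of the “how will you manage it” point (this is not code from the original post), the script below walks the audit-first workflow for Windows’ built-in application control, AppLocker: build a baseline policy from known-good reference directories, deploy it in audit-only mode, dry-run a file against it, and then review the audit log for what enforcement would have blocked. The reference directories, the export path and the sample file are placeholders, and it assumes an elevated PowerShell session on Windows 10/11 or Server with the AppLocker module and the Application Identity service (AppIDSvc) running.

```powershell
# Added example: audit-first AppLocker rollout. Not the original post's code.
# Assumptions: elevated session, AppLocker module available, AppIDSvc running.
# $refDirs, $outFile and $sample are placeholders for a real environment.

Import-Module AppLocker

$refDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')
$outFile = 'C:\Temp\applocker-baseline.xml'
$sample  = 'C:\Users\Public\Downloads\unknown-tool.exe'   # file to dry-run

# 1. Inventory the reference set: publisher, hash and path for every binary.
$fileInfo = foreach ($dir in $refDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Generate rules: publisher rules where files are signed, hash rules
#    otherwise. Path rules are deliberately left out; a rule such as
#    "allow C:\Program Files\*" is only as strong as the ACLs on that tree.
$ruleParams = @{
    RuleType                     = 'Publisher', 'Hash'
    User                         = 'Everyone'
    RuleNamePrefix               = 'Baseline'
    Optimize                     = $true
    IgnoreMissingFileInformation = $true
}
$policy = $fileInfo | New-AppLockerPolicy @ruleParams

# 3. Force every rule collection into AuditOnly so nothing is blocked yet.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 4. Apply locally (use -Ldap to target a GPO instead of this host), then
#    export the resulting XML so the baseline can go through change control.
Set-AppLockerPolicy -PolicyObject $policy -Merge
Get-AppLockerPolicy -Local -Xml | Set-Content -Path $outFile

# 5. Dry-run a file against the policy without executing it.
$decision = Test-AppLockerPolicy -PolicyObject $policy -Path $sample -User Everyone
'{0}: {1}' -f $sample, $decision.PolicyDecision     # e.g. Allowed / DeniedByDefaultRule

# 6. After a soak period, list audit events: these are the executions that
#    enforcement would have denied. Anything legitimate here needs a rule
#    before EnforcementMode is flipped to 'Enabled'.
$audited = Get-AppLockerFileInformation -EventLog -LogPath 'Microsoft-Windows-AppLocker/EXE and DLL' -EventType Audited
$audited | Group-Object Path | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The management burden the paragraph refers to lives in step 6: every new application, patch from an unsigned vendor, or user-installed tool shows up as an audit event that someone has to triage, which is why the decision is about process and ownership rather than tooling.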
But what about the other three – patching applications, patching operating systems and reducing admin rights? These have been no-brainers since the days of mainframes. This is defence 101 – strengthen your weak areas, and don’t give everyone the keys to the gate.
Patching is essentially a change management issue. Just do it.
Restricting administrative access is also a no-brainer. Just do it.
Despite all the advances in supporting technologies for these four items, we have progressed poorly over the last 10 years. Fewer than half of the departments are doing this properly[1]:
- 10 of 25 compliant with application control
- 5 of 25 compliant with patching applications
- 7 of 25 compliant with patching operating systems
- 12 of 25 compliant with restricting administrative privileges
This is like Linfox deciding not to service its trucks. It wouldn’t be long before trucks started to break down, accidents started to happen, deliveries failed, and finally the company went out of business.
Unlike Linfox I can’t take my business to another company. We are not customers, we are citizens. (Of course, this angle does not have the same weight as it does with the private industry but that is a discussion for another time). So the government is not as worried about getting it wrong.
Why are we dropping the ball so fundamentally? Ultimately it comes down to one thing – the impetus to fix the issue is not that high.
There are no excuses any more; there is absolutely no reason for this not being achieved other than that it is not a priority for the departments. That is not to say that the task will be simple or cheap. Years of “neglect” across the whole of the IT environment have resulted in mountains instead of molehills. There will be multiple mountains, and they are often interconnected, resulting in a chain of events that need to happen in order. This leaves the average public servant overwhelmed, standing in front of the proverbial elephant and not knowing where to start eating.
Once you have the will of the executive to make it happen, bring in the experience that knows what to do and when to do it. It won’t happen overnight, but it won’t take 10 years either.
[1] Auditor-General Report No.32 2021-22 Figure 1.3