On 25 October 2017, the Federal Parliament’s Joint Committee of Public Accounts and Audit released Report 467: Cybersecurity Compliance Inquiry based on Auditor-General’s report 42 (2016-17) (Report), which sets out the Committee’s recommendations arising from the Australian National Audit Office’s Report No. 42 (2016–17).
A key recommendation of the Report (recommendation no. 2) is that the eight strategies the Australian Signals Directorate (ASD) rates as ‘essential’ in its ‘Strategies to Mitigate Cyber Security Incidents’, commonly known as the ‘Essential Eight’, become mandatory for all entities governed by the Public Governance, Performance and Accountability Act 2013 (Cth) by June 2018.
This follows a similar move in the US earlier this year. On 11 May 2017, President Trump signed the Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (Cybersecurity Order), which requires US Federal Government agencies to manage their cybersecurity risk using the Cybersecurity Framework developed by the US National Institute of Standards and Technology (NIST). The Cybersecurity Order also imposed quite stringent timeframes on agencies to report back on their cybersecurity risk posture and on the steps taken to improve it.
The Report echoes some of this drive for reporting in other recommendations (see for example recommendations 1, 3, 5, 7, 8 and 10).
The timeframes proposed in the Report are relatively relaxed compared with the aggressive deadlines imposed on US Federal agencies under the Cybersecurity Order, deadlines those agencies have demonstrably struggled to meet.
The ‘Essential Eight’ strategies may be summarised as follows (the four marked ‘Top 4’ are the original mitigation strategies that have been mandatory for Australian Government agencies since 2013):

| Objective | Mitigation strategy | Top 4 |
|---|---|---|
| Prevent malware running | Application whitelisting (only approved programs can execute) | Yes |
| Prevent malware running | Patch applications | Yes |
| Prevent malware running | Disable untrusted Microsoft Office macros | |
| Prevent malware running | User application hardening (i.e. block web browser access to Flash, Java and web ads) | |
| Limit the extent of incidents and recover data | Restrict administrative privileges | Yes |
| Limit the extent of incidents and recover data | Patch operating systems | Yes |
| Limit the extent of incidents and recover data | Multi-factor authentication (i.e. requiring two or more of a passphrase, a physical token or a biometric, rather than a passphrase alone) | |
| Limit the extent of incidents and recover data | Daily backup of important data | |