Departments and agencies are at a heightened risk of being exploited by cyber criminals and malicious state actors, experts say, with health and critical infrastructure among the pick of the litter.
Last week, Home Affairs ordered federal agencies to undertake a wide-ranging audit of all their internet-facing systems in response to rising concerns over foreign interference.
Directives were issued days after the federal government made the rare public admission that a Chinese-backed hacker group was behind a cyber espionage operation targeting the public and private sectors.
Professor Richard Buckland, a cyber security expert from the University of New South Wales, said current prevention and detection strategies used by agencies were insufficient to deal with base levels of cyber crime.
"The landscape is quite scary because state agencies are very well funded and they have resources - they are a quantum shift up from cyber criminals and they are very hard to detect and prevent," Professor Buckland said.
About a third of cyber attacks or breaches reported to Australia's cyber intelligence agency in 2022-23 involved government bodies.
Of the dozens of cyber incidents reported to the Australian Information Commissioner in the first few months of 2024, five were classified as malicious.
The federal government has given commonwealth agencies 12 months to sign up to a national automated cyber threat platform after a series of scathing audits last year found a majority did not have appropriate protections in place.
In June, the National Audit Office pinpointed Services Australia, which has about 780,000 users per day, as an agency suffering from ongoing IT control deficiencies.
It flagged financial crime watchdog AUSTRAC as being "unprepared" to respond to a significant cyber attack.
"This is common and this is what the audit office has been finding ... there's just I think risk is invisible until it happens to you, and to fix it and to prepare for it takes a lot of time and new roles," Professor Buckland said.
![Services Australia accepted recommendations from a June cyber audit. Picture by Keegan Carroll](/images/transform/v1/crop/frm/237852436/2c706eb9-c512-4ca3-95ee-0a6b5ca78b65.jpg/r0_263_5000_3079_w1200_h678_fmax.jpg)
"There are technical deficiencies there because of a cultural problem.
"These agencies had their roots in a time where cyber security wasn't an issue."
Any agency or public entity holding large amounts of sensitive data, such as health or communications, is at an intensified risk of blackmail or data leaks by cyber criminals.
Australia's upcoming federal election could also be a prime target for an increase in attempted cyber foreign influence campaigns.
"State actors are more interested in what benefit they can get and don't think they be targeting on ease, but based on the value, such as critical infrastructure, energy, water, electricity, traffic, taxation," Professor Buckland said.
According to Dr Vanessa Teague, an ANU cryptography expert and CEO at Thinking Cyber, public agencies should be more transparent when disclosing incidents to the public.
"The notion that we need to keep things secret to make things more secure, it's used throughout the public sector as an excuse for withholding information about problems," Dr Teague said.
"The necessity for holding to account the person that we trust to secure our data needs to outweigh that tenuous argument."
Dr Teague said current data laws that require between organisations have also increased the number of opportunities for a cyber attack.
In November, the federal government announced a review of laws introduced in 2015 that require companies in Australia to retain customers' data for at least two years.
It's understood the review is still in progress.
Cyber Security Minister Clare O'Neil conceded in January that current levels of cyber protections within public service agencies needed significant improvement.
"The Australian government is a very large organisation," she told a media conference.
"Our security is not where it needs to be, and this is going to be a big focus of our efforts this year."