Holes in Victoria Government Cyber Security


Following the announcement by IT Minister, 2 weeks ago, of the cyber-security strategy for the Victorian government to be directed by Alastair McGibbon, a report showed last week that the Victorian Government’s IT systems are totally unprepared for cyber-attacks;  the state doesn’t have the procedures in place to identify and respond to cyber threat, let alone prevent them.

The picture of a state with no apparent central mechanism to even collect reports on such attacks is almost frightening given the comments by the Auditor-general John Doyle that a concerted attack on multiple agency ICT systems could be catastrophic.

In 2012, the state ranked at the top end of the Cyber-weakness chain having experienced 26 “serious cyber threat incidents”, second only to Western Australia. “Some agencies are detecting thousands of intrusion attempts per month”, ranging from Identity and credential theft, online phishing attacks, email scams to more elaborate methodologies the report said.

The report also reveals that there is no process in place to notify ministers that an attack has occurred. This is compounded by the complete lack of procedures from the states government to monitor a coordinated intrusion into the networks of more than one agency.

Finally, and probably more worrying, is the absence of any central entity or committee of sort overseeing serious incidents no earlier than until six months after they have occurred. As it stands, each agency has to communicate breaches to the ASD, which then then issue a report every six months to the Department of State Development, Business and Innovation (DSDBI) –the Victoria’s central IT agency.

Of additional concern is the fact that government’s agencies are often not being overseen by the state’s security program. It has been discovered that only up to 500 statuary bodies and state-owned enterprises –besides of the central government departments– are concerned by the DSBD’s information security policy. Furthermore, these organisations are not on the list of agencies receiving ASD threat alerts distributed by the DSDBI. meaning they cannot know about imminent attack even though they are in charge of a “significant sources of state revenue, and control billions of dollars of financial assets” and, operating IT systems “critical to public safety, or systems holding sensitive personal data with potential value to third parties”, the report said.