Thursday, 24 March 1994
Page: 2247


Senator MICHAEL BAUME (3.56 p.m.) —I move:

  That the Senate take note of the document.

This is the Auditor-General's report No. 31 which is a project audit into the CSIRO's information technology security. This is an incredible report because it demonstrates that in the very sensitive area of information, the CSIRO in its computer arrangements has had a minimal, almost non-existent, level of security.

  When one recognises that security of technical information can involve multimillions of dollars worth of knowledge it is absolutely incredible that CSIRO has not in fact been able to provide any kind of effective security for its information. I will quote some key points from the Auditor-General's report. It states:

This audit of CSIRO addressed the important role of computer security and focused on the custodianship of scientific data within the Organisation. The audit also examined responses to a series of break-ins to the computer facilities through the external Australia-wide network operated by the Organisation.

  The ANAO found that the CSIRO network and computing facilities have evolved without the establishment of effective computing and management arrangements to ensure that the organisation is a good custodian of its data holdings.

Specifically the audit found:

. an absence of computer and network security policies and directions

. limited assessment of the value of data and its vulnerability to loss, corruption and disclosure

. limited direction through standards and 'good practice statements' across CSIRO

. ineffective security over unauthorised access to computer facilities through the network

. inadequate resourcing of the management and operation of computer facilities, and

. poor control of security of data held in personal computers.

The audit office says:

A good reputation for well managed scientific and industrial research is essential as CSIRO becomes increasingly reliant on outside funding. The organisation has not established policies and strategies to ensure appropriate custodianship of its data resources and as a result there is no clear responsibility or accountability for data security. The data produced by its scientific research and commercial activities represents one of the most material assets of CSIRO. Despite this, there is no imperative for assessing the value of these assets and determining the organisation's vulnerability to their loss. The ANAO is concerned that only one of the 11 sites visited had adequate security.

Recommendations designed to improve computer security across the Organisation were made and the ANAO considers that these should be implemented immediately. These recommendations include the:

. establishment of policies to ensure awareness of the need and responsibility for computer security

. conduct of risk analysis and threat assessments to provide an effective base for the implementation of security

. development of computer standards and good practice statements along with programs to ensure implementation and continuing compliance, and

. need to ensure that adequate resources with appropriate skills are available to support computer facilities and users.

A number of breaches of network security were investigated during the audit. As a result, management was advised to ensure:

. appropriate network security for individual computer sites within CSIRO

. all connections to external networks were secure

. a single central authority is responsible for coordinating any response to a network breach, and

. computer managers are provided with guidance and are aware of the process to be adopted in the event of a breach.

In addition, the ANAO provided specific technical recommendations to each of the sites reviewed during the audit.

The Auditor-General's report goes on:

Following the series of external breaches of network security, the Organisation established a Network Security Task Force to review and recommend policies and strategies to ensure high security levels for the network.

The Task Force reported in February 1994 and its findings and recommendations were accepted by the Organisation.

CSIRO accepted the ANAO recommendations and acknowledged that it had not sufficiently assessed the risks associated with its computer operations. It added, however, that there are computers which store key commercial data where precautions had been taken to limit risk by avoiding connection to the network.

The organisation advised that it is moving rapidly to enforce the principle of assessing risks and acting accordingly, particularly through the application of policy and adoption of best practices.

This practice of security breaches is very significant. The Auditor-General said:

These breaches resulted in unauthorised access to a number of CSIRO computer systems. It may never be possible to determine the full extent of these breaches of computer security. The first detection of a breach in network security was in January 1991. A further breach was detected in 1992 and a series of breaches occurred over the period December 1992 to January 1993. It is believed that these breaches were the work of hackers, perpetrated by individuals for 'fun' rather than for material gain. There have been police investigations of the breaches and, in at least one case, successful criminal prosecution.

  Despite breaches occurring over a two-year period, the ANAO found that the Organisation had not developed response mechanisms to effectively recognise and isolate breaches, investigate causes and control damage. The audit found that there was no area with responsibility and authority to deal with the situation from a corporate point of view.

I want to commend the Auditor-General for yet another very effective report. I want to note that while the Auditor-General says that it concluded that the reputation of CSIRO was at risk because it did not have appropriate mechanisms to ensure that it is a good custodian of scientific and commercial information held on computer systems, the CSIRO acknowledged that it has not sufficiently assessed the risks associated with its computer operations and advised that this point is now being addressed.

  The organisation commented that while it did not contest the vital point of risk assessment within CSIRO, there are computers which store key commercial information where the decision has been made to avoid network connection to limit the risk. It emphasised that it was important for its key commercial partners to be aware that precautions had been taken at several key points, where a very high liability would exist if data were lost or stolen.

  At least there is that recognition by CSIRO. May I say how depressing it is that a body which has an outstanding record for technical and scientific research and handles such significant and valuable information which has led to very significant technological breakthroughs in Australia—some of which, I regret to say, has had to be developed and produced overseas—for so long had this lack of appreciation of the importance of the security of the information it has in computer systems.

  I commend the Auditor-General, who has once again done this parliament an immense service. It underlines the need, as every one of these reports does, for this government to get off the Auditor-General's back and to stop trying to squeeze the department for money and to freeze its resources. Over the last few years the government has been ripping off the department with its incredible rent at the Labor-owned Centenary House where the Auditor-General is a tenant. The government needs to follow through with its undertaking that it will examine the prospect of the Auditor-General being directly funded by and responsible to the parliament, instead of having to put up with the uncertain funding future of a government which is clearly hostile to the great job the Auditor-General is doing.

  Question resolved in the affirmative.