The Commonwealth Cyber Security Posture in 2023

Executive summary

The Commonwealth Cyber Security Posture in 2023 (hereafter ‘the report’) informs Parliament on the implementation of cyber security measures across the Australian Government for the 2022–23 financial year. According to the Flipchart of PGPA Act ¹ Commonwealth entities and companies, ² as of 30 June 2023 the Australian Government comprised 100 ³ non-corporate Commonwealth entities (NCEs), 72 corporate Commonwealth entities (CCEs) and 17 Commonwealth companies (CCs); totalling 189 Australian government entities. ⁴

The information included in this report is primarily derived from the annual Australian Signals Directorate (ASD) Cyber Security Survey for Commonwealth Entities (hereafter ‘the ASD survey’). In 2023, 87 per cent of government entities responded to the ASD survey, a decrease from 92 percent of entities who responded in 2022. Data collected by ASD in the performance of its cyber security function supplements the survey information.

This report also references findings of the Protective Security Policy Framework Assessment Report 2021–22 ⁵ (hereafter ‘the PSPF Assessment Report’) published by the Attorney-General’s Department (AGD). PSPF Policy 10: Safeguarding data from cyber threats (Policy 10) addresses strategies to mitigate common and emerging cyber threats. As of 1 July 2022, Policy 10 requires that entities implement all of the ASD’s Essential Eight cyber security strategies to Maturity Level 2. The 2023 report is the first to assess Commonwealth cyber security since this requirement was updated.

For the purposes of this report, an entity’s cybersecurity posture is considered against the following criteria:

• Cybersecurity hardening: An entity’s implementation of cybersecurity technical mitigations, primarily the Essential Eight ⁶ mitigation strategies, to reduce the likelihood of an information and communications technology (ICT) system being compromised.
• Incident preparedness and response: An entity’s readiness to respond to a cybersecurity incident, and actions when a cybersecurity incident occurs.
• Leadership and planning: An entity’s leadership engagement with cybersecurity and broader cybersecurity culture.

New information has been included in this year’s report, to supplement information provided in preceding reports.

• Cyber Hygiene Improvement Programs (CHIPs) results have been reported at the entity level, in addition to being reported at the server or domain level. This provides insight into the proportion of entities that have effectively implemented a security measure, as well as the measure’s implementation across federal government networks, overall.
• This report includes statistics relating to the use of legacy systems, generated from new questions incorporated in the ASD survey. These questions were added in response to work conducted across the Australian Government to better define and quantify the use of legacy systems in government networks.
• This report includes a statistic on the existence of funded cybersecurity improvement programs across Australian government entities, generated from new questions incorporated in the ASD survey. This information provides an insight into entities’ efforts to improve their cybersecurity.

Findings presented in this report indicate that the cybersecurity posture across federal government entities is well-established in some areas, and requires improvement in others.

1. The proportion of government entities that reached Overall Maturity Level 2 across the Essential Eight mitigation strategies has improved. In 2023, 25 per cent of entities reached Overall Maturity Level 2 when compensating controls are taken into account, increasing from 19 per cent in 2022.
2. Between 2022 and 2023, the proportion of government entities applying effective email domain security and website encryption increased, as measured by ASD’s CHIPs. However, the proportion of government entities applying effective email encryption decreased, as did the proportion of entities hosting only valid websites on their web servers.
3. The majority of entities had planned for a cybersecurity incident, and were ready to respond if needed. In 2023, 82 per cent of entities reported having an incident response plan, an increase from 79 per cent in 2022; of those 90 per cent had updated it within the past two years, and 69 per cent exercised it at least every two years.
4. The percentage of entities reporting cybersecurity incidents to ASD declined over the 2022-23 financial year. In 2023, 42 per cent of entities indicated that they report at least half of the cybersecurity incidents observed on their networks to ASD, compared with 51 per cent of entities in 2022.
5. Indicators of cybersecurity leadership and planning remained high, and showed improvement across entities. In 2023, 73 per cent of entities had a cybersecurity strategy, an increase from 72 per cent in 2022; and 83 per cent addressed cybersecurity disruptions in their business continuity and disaster recovery planning, an increase from 82 per cent in 2022.
6. The proportion of entities that provided annual cybersecurity training to their workforce increased over the 2022-23 financial year, with 78 per cent of entities providing this training in 2023, compared with 68 per cent in 2022. However, the proportion of entities providing privileged user training (PUT)⁷ at least annually remains low at 39 per cent.

The Australian Government continues to improve its cybersecurity posture. The government has committed $9.9 billion over a decade to fund the Resilience, Effects, Defence, Space, Intelligence, Cyber Enablers (REDSPICE) program; this funding commenced 1 July 2022. Through this program, ASD will deliver forward-looking capabilities essential to maintaining Australia's strategic advantage and capability edge. This builds on existing investment under the Cyber Enhanced Situational Awareness and Response (CESAR) Plus Program, which funds the delivery of ASD defensive cyber capability from July 2020 to June 2030.

In order to improve their overall cybersecurity posture, it is recommended that entities:

• continue to implement the Essential Eight mitigation strategies across their networks to at least Maturity Level 2
• implement effective email domain security, email encryption, and website encryption, as recommended by the Information Security Manual (ISM), and decommission dormant websites hosted on their web servers
• maintain an incident response plan, and exercise it at least every two years
• increase cybersecurity incident reporting to ASD
• provide PUT to their privileged users on an annual basis.

1. Introduction

The threat of malicious cyber activity to Australia’s national security and prosperity is very real. Improving the cybersecurity of Australia’s public, private and civil sectors is a priority of the Australian Government. The implementation of preventative cybersecurity measures is by far the best way to help secure Australian networks.

The report focuses on the cybersecurity posture of Australian Government entities. Government networks provide essential services to the Australian public, while holding the sensitive personal identifiable information (PPI) of a large proportion of the population. The Australian Government is committed to uplifting the cybersecurity of its ICT networks.

The Australian Government plays an important role in monitoring, shaping and enabling cybersecurity across the economy. In particular:

• ASD’s Australian Cyber Security Centre (ACSC) provides cybersecurity advice and assistance to Australian governments at the federal, state, territory and local levels; business and critical infrastructure; as well as communities and individuals.
• The Department of Home Affairs leads Australia’s national cybersecurity policy and strategy, driving improvement to cybersecurity policy across government and industry.
  • On 23 June 2023, the Government appointed the first National Cyber Security Coordinator, to lead national cyber security policy, the coordination of responses to major cyber incidents, whole of government cyber incident preparedness efforts and the strengthening of Commonwealth cybersecurity capability.
• During the reporting period, AGD managed the Protective Security Policy Framework (PSPF), which sets out government protective security policy and supports entities’ implementation of that policy. This function has since moved to the Department of Home Affairs.
• The Digital Transformation Agency (DTA) drives digital transformation across government by providing strategic and policy leadership, and investment advice and oversight.

Within this context, entities are responsible for maintaining the cybersecurity of their data and networks. Specifically, each entity is responsible for the security of its own ICT systems pursuant to the Public Governance, Performance and Accountability Act 2013 (Cth) (PGPA Act).

This report provides an assessment of the cybersecurity posture of entities as at 30 June 2023. It is the fourth such report to be tabled before the Parliament.

1.1 Key findings of this report

The key findings of this report indicate that most government entities have well-developed processes relating to cybersecurity incident preparedness and response, as well as strong cybersecurity leadership and planning. However, further work is required with regards to hardening ICT networks against malicious cyber activity. A lower proportion of entities are reporting the majority of their cybersecurity incidents to ASD than in 2022, potentially diminishing ASD’s visibility of the cybersecurity threat environment.

1.1.1 Cybersecurity hardening

According to the ASD survey, the proportion of government entities that had reached the recommended maturity across the Essential Eight mitigation strategies is increasing, but remains low.

• 25 per cent of entities reported reaching Essential Eight Maturity Level 2 when compensating controls were taken into account, an increase from 19 per cent in 2022.
• 17 per cent of entities reported reaching Essential Eight Maturity Level 2 without considering compensating controls, an increase from 11 per cent in 2022.

This improvement in the overall Essential Eight maturity occurred in the context of updates to the Essential Eight Maturity Model, which strengthened the requirements to meet Maturity Level 2 and made it more difficult to achieve.

The proportion of government entities applying effective email domain security and website encryption, as measured by ASD’s CHIPs, increased over the year. As of May 2023:

• 39 per cent of entities used effective email security, an increase from 33 per cent in 2022
• 10 per cent of entities used effective website encryption, an increase from 4 per cent in 2022.

However, as of May 2023:

• 18 per cent of entities used effective email encryption, a decline from 20 per cent in 2022
• 33 per cent of entities hosted only valid websites on their servers, and had removed any dormant websites, a decline from 40 per cent in 2022.

1.1.2 Incident preparedness and response

Responses to the ASD survey indicated that the majority of entities had planned for a cybersecurity incident, and were ready to respond if needed.

1. 96 per cent of entities had identified the systems and data most essential to their business, an increase from 94 per cent in 2022.
2. 82 per cent of entities had an incident response plan, an increase from 79 per cent in 2022.
3. 83 per cent of entities had a security information and event management (SIEM) program or similar, an increase from 60 per cent in 2022.

However, the percentage of entities reporting cybersecurity incidents to their senior executive
and ASD declined.

1. 72 per cent of entities indicated they had reported at least 80 per cent of incidents to their senior executive, a decrease from 80 per cent in 2022.
2. 42 per cent of entities reported at least 50 per cent of incidents to ASD, a decrease from 51 per cent in 2022.

1.1.3 Leadership and planning

Indicators of cybersecurity leadership and planning remained high.

1. 73 per cent of entities reported having a cybersecurity strategy, an increase from 72 per cent in 2022.
2. 83 per cent of entities reported that they had addressed cybersecurity incident disruptions in business continuity and disaster recovery planning, an increase from 82 per cent in 2022.
3. 80 per cent of entities were participating in ASD’s Cybersecurity Partnership Program, an increase from 75 per cent in 2022.
4. 82 per cent of entities reported having a funded body of work planned to improve their cybersecurity.⁸

A greater proportion of entities are providing annual cybersecurity training: however, the annual provision of privileged user training remains low. According to the ASD survey:

1. 78 per cent of entities provided cybersecurity training to their workforce at least annually, an increase from 68 per cent in 2022
2. 39 per cent of entities provided privileged user training at least annually, an increase from 34 per cent in 2022.

1.2 About this report

This report is prepared in response to a 2017 recommendation from the Joint Committee of Public Accounts and Audit (JCPAA),⁹ that ASD and AGD report annually on the Commonwealth’s cybersecurity posture to Parliament.

The data in this report is primarily derived from the ASD Cyber Security Survey for Commonwealth Entities (ASD survey). ASD conducts annual surveys of federal government entities regarding their cybersecurity practices. NCEs are required to respond to the survey under PSPF Policy 5: Reporting on Security, ¹⁰ while CEs and CCs are encouraged to participate. In 2023, 87 per cent of all federal government entities participated in the survey. This report focuses on the 2023 survey, while drawing on the 2021 and 2022 surveys for context.

This report also references findings from the PSPF Assessment Report for the 2021-22 financial year. Each financial year, NCEs must report on their security posture, with particular reference to the implementation of government policies under the PSPF; the PSPF Assessment Report is an aggregated assessment of that data.

Any insight into the cybersecurity posture of individual entities made available to malicious cyberactors may increase the risk of those entities being targeted. As such, this report does not identify entities by name. All results have been anonymised and aggregated.

2. Cybersecurity hardening

The implementation of technical cybersecurity controls helps entities defend their ICT environments against cybersecurity threats, thereby avoiding costly remediation, system downtime, lost productivity, and loss of public confidence. This report assesses the cybersecurity posture of entities using two data sets:

• Responses to the ASD survey: Entities report on their progress implementing the controls recommended by the Essential Eight. Based on the responses, ASD calculates the entities’ maturity levels.
• CHIPs results: CHIPs performs quarterly scans to detect key cyber hygiene indicators on entities’ internet-facing systems and services.

2.1 The Essential Eight

The Essential Eight outlines a set of eight mitigation strategies designed to help entities reduce their likelihood of experiencing a cybersecurity incident, and the impact of an incident if it does occur.

The Essential Eight comprises the following eight mitigation strategies:

1. Application control
2. Patch applications
3. Configure Microsoft Office macro settings
4. User application hardening
5. Restrict administrative privilege
6. Patch operating systems
7. Multi-factor authentication
8. Regular backups.

The Essential Eight Maturity Model ¹¹ describes four maturity levels (0 to 3). Maturity levels are calculated against each of the eight mitigation strategies, based on the implementation of the recommended controls. A network’s Overall Maturity Level is equal to its least-mature strategy.

Higher levels of maturity are designed to defend against moderate-to-high degrees of sophistication in adversary tradecraft and targeting. As of July 2022, the PSPF mandates that NCEs implement the Essential Eight strategies to at least Maturity Level 2.

The Essential Eight recommends that entities implement the eight mitigation strategies using a risk based approach. Where strategies cannot be fully implemented, compensating controls may be used to manage the residual risk. As such, this report provides entities’ maturity levels when compensating controls have been taken into account (Figure 1), as well as their maturity levels based on their implementation of the Essential Eight mitigation strategies alone (Figure 2).

2.1.1 Updates to the Essential Eight

In November 2022, ASD updated the Essential Eight Maturity Model, with relation to the ‘Patch applications’ and the ‘Patch operating systems’ mitigation strategies. The new recommendations were that:

• entities use an automated method of asset discovery at least fortnightly, to detect assets residing on their networks
• vulnerabilities scanners used by entities are to use up-to-date vulnerability databases.

These new recommendations were introduced to address entities’ lack of visibility of assets on their networks. This lack of visibility, coupled with out-of-date vulnerability scanners, could result in assets remaining unpatched and prime targets for exploitation by malicious actors.

These changes may cause entities’ Essential Eight maturity levels to decline if they did not have good visibility of their assets, or were not conducting regular asset discovery scanning.

2.1.2 Implementation of the Essential Eight

According to findings of the ASD survey, the proportion of entities that have reached Maturity Level 2 across all eight mitigation strategies has increased, but the proportion remains low.

1. 25 per cent of entities reached Overall Maturity Level 2 when compensating controls were taken into account;¹² an increase of 6 percentage points from 19 per cent in 2022.
2. 17 per cent of entities reached Overall Maturity Level 2 when relying on the implementation of Essential Eight controls alone; an increase of 6 percentage points from 11 per cent in 2022.

As shown in Figure 1 and Figure 2:

1. ‘Regular backups’ had been implemented to Maturity Level 2 by the highest proportion of entities (71 per cent with compensating controls, and 65 per cent without compensating controls).
2. ‘Restrict administrative privileges’ had been implemented to Maturity Level 2 by the lowest proportion of entities (40 per cent with compensating controls, and 28 per cent without compensating controls).
3. ‘Configure Microsoft Office macro settings’ had the greatest improvement in entities’ implementation to Maturity Level 2. This level was reached by:
   • 64 per cent of entities when accounting for compensating controls, an increase of 20 percentage points since 2022 when 44 per cent of entities reached Maturity Level 2
   • 57 per cent of entities without accounting for compensation controls, an increase of 22 percentage points since 2022 when 35 per cent of entities reached Maturity Level 2.
4. ‘Patch operating systems’ had the least improvement in entities’ implementation to Maturity Level 2, when compensating controls were taken into account.
   • In 2023, 46 per cent of entities reached this maturity level, a decline of 1 percentage point since 2022 when 47 per cent of entities reached Maturity Level 2.
5. ‘Patch applications’ had the least improvement in entities’ implementation to Maturity Level 2, when compensating controls were not taken into account.
   • In 2023, 37 per cent of entities reached this maturity level, decline of 3 percentage points since 2022 when 40 per cent of entities reached Maturity Level 2.

Entities should assess their cybersecurity technical controls, to ensure they are achieving the desired effect. In 2023, 79 per cent of entities reported having mechanisms in place to assess the effectiveness of their technical controls. ¹³

The use of legacy technologies ¹⁴ within a system can inhibit the implementation of the Essential Eight. In 2023, 76 per cent of entities reported the use of legacy technologies in their networks. Of these, 69 per cent indicated that the use of those technologies had impacted their ability to fully implement the Essential Eight.¹⁵

Figure 1: Percentage of entities with Essential Eight Maturity Level 2 or higher
(Essential Eight plus compensating controls)

Figure 2: Percentage of entities with Essential Eight Maturity Level 2 or higher
(Essential Eight strategies only)

2.1.3 Protective Security Policy Framework Assessment Report 2021–22

The PSPF, which is mandatory for all NCEs, includes two policies which specifically address cybersecurity posture.

• PSPF Policy 10: Safeguarding data from cyber threats (Policy 10)¹⁶ addresses strategies to mitigate common and emerging cyberthreats. Until 1 July 2022, the policy required entities to implement the ASD Top Four strategies to mitigate cybersecurity incidents; the Top Four is a subset of the Essential Eight. Since 1 July 2022, Policy 10 has required entities to implement the Essential Eight to Maturity Level 2.
• PSPF Policy 11: Robust ICT systems (Policy 11) focuses on safeguarding ICT systems to support the secure and continual delivery of government business. This includes safeguarding ICT systems from cyberthreats by effectively implementing principles outlined in the ISM.¹⁷

Each financial year, NCEs must report on their security posture, with particular reference to the implementation of government policies under the PSPF; the PSPF Assessment Report is an aggregated assessment of that data. The 2021-22 PSPF Assessment Report indicated that:

• 25 per cent of entities had implemented Policy 10 to at least a ‘managing’¹⁸ level of maturity
• 44 per cent of entities had implemented Policy 11 to at least a ‘managing’ level of maturity.

The rate of Policy 10 implementation reported in the PSPF Assessment Report is higher than ASD’s findings for the same financial year. The ASD survey found that 19 per cent of entities had implemented the Essential Eight to at least Maturity Level 2, taking into account compensating controls.

Some discrepancy between these results may be expected as the PSPF Report and the ASD survey use different assessment models to determine cybersecurity maturity. Additionally, the PSPF reporting only addressed the Top Four strategies, while ASD reporting assessed the implementation of the full Essential Eight.

2.2 Cyber Hygiene Improvement Programs (CHIPs)

Under the CHIPs program, ASD systematically scans domains and servers, including those associated with federal government entities, to find indicators that effective cybersecurity standards and protocols have been implemented.

CHIPs scans for a range of indicators of cybersecurity, including the use of effective:

• security protocols on email domains ¹⁹
• encryption on email servers 20
• encryption on web servers. ²¹

CHIPs scanning also determines whether web servers are hosting valid websites, as opposed to dormant websites which may be used to host malicious activity. ²²

This report addresses the proportion of:

• domains or servers that have implemented recommended minimum security measures, and
• federal government entities that have implemented those measures across at least 90 per cent of their servers or domains.

This is the first year this report has addressed CHIPs scanning at the entity level. The new analysis provides insight into entities’ individual implementation of security measures, as well as the implementation of measures across federal government networks, overall. While this data was not available for the 2022 report, it has been generated retrospectively for this report using historical data.

The number of domains and servers managed by a given entity varies significantly. As such, an increase or decrease in the number of domains or servers implementing a given security measure is often not reflected at the entity level.

The following compares the CHIPs results from May 2022 and May 2023:

1. The implementation of effective email domain security (Figure 3):
   • by domain, decreased from 62 per cent in 2022 to 59 per cent in 2023
   • by entity, increased from 33 per cent in 2022 to 39 per cent in 2023.
2. The implementation of effective email server encryption (Figure 4):
   • by server, increased from 34 per cent in 2022 to 39 per cent in 2023
   • by entity, decreased from 20 per cent in 2022 to 18 per cent in 2023.
3. The implementation of effective website encryption (Figure 5):
   • by server, increased from 29 per cent in 2022 to 37 per cent in 2023
   • by entity, increased from 4 per cent in 2022 to 10 per cent in 2023.
4. The proportion of web servers hosting only valid websites, i.e. not hosting dormant websites (Figure 6):
   • by server, increased from 80 per cent in 2022 to 83 in 2023
   • by entity, decreased from 40 per cent in 2022 to 33 per cent in 2023.

Figure 3: Implementation of email domain security

Figure 4: Implementation of email encryption

Figure 5: Implementation of website encryption

Figure 6: Dormant websites

3. Incident preparedness and response

Cybersecurity events and cybersecurity incidents are defined in the ISM, as follows:

• A cybersecurity event occurs when a system, service or network flags a possible breach of security policy, a failure of safeguards, or a previously unknown situation that may be relevant to security.
• A cybersecurity incident is an unwanted or unexpected cybersecurity event, or a series of such events, that have a significant probability of compromising business operations.

Cybersecurity incidents may result in the denial of access to, the theft of, or the destruction of systems and data. If not effectively managed, a cybersecurity incident may undermine public confidence in an entity, and the incident’s remediation may consume significant resources.

Entities should plan for, and prepare to respond to, cybersecurity incidents. This includes identifying the data and systems essential to their business, accounting for cybersecurity incidents in business continuity planning, and developing and exercising an incident response plan.

It is essential that entities report cybersecurity incidents to ASD, to ensure those incidents are dealt with appropriately and that any impact is considered in full. According to Policy 5: Reporting on security, entities are required to report ‘significant or reportable’ cybersecurity incidents to ASD.

The Australian Government is a common target for malicious cyber activity. In the 2022–23 financial year, ASD received 348 cybersecurity reports from federal government entities; of these 52 related to confirmed cybersecurity incidents. Federal government reporting represents 31 per cent of all cybersecurity reporting, and 9 per cent of cybersecurity incident reporting, recorded by ASD.

3.1 Implementation of incident preparedness and reporting

In relation to incident preparedness and response, the cybersecurity posture of entities is assessed using responses from the ASD survey. The survey included questions designed to assess entities’ levels of preparedness to respond to a cybersecurity incident, and their incident reporting behaviours.

Responses to the survey indicate that the majority of entities had planned for a cybersecurity incident, and were ready to respond if needed. As shown in Figure 7:

1. 96 per cent of entities had identified the systems and data most essential to their business, an increase from 94 per cent in 2022
2. 82 per cent of entities had an incident response plan, an increase from 79 per cent in 2022. Of these:
   • 90 per cent of entities had updated their plan within the last two years
   • 69 per cent of entities exercised their plan at least every two years.
3. 83 per cent of entities reported using a security information and event management (SIEM) program or similar, an increase from 60 per cent in 2022.

However, according to the survey, entities’ reporting of cybersecurity incidents had declined:

1. 72 per cent of entities reported at least 80 per cent of cybersecurity incidents to their senior executive, a decline from 80 per cent in 2022
2. 42 per cent of entities reported at least 50 per cent of cybersecurity incidents to ASD, a decline from 51 per cent in 2022.

Under PSPF Policy 5, entities are required to report ‘significant or reportable’ cybersecurity incidents to ASD. The low rate may be due to a proportion of entities experiencing a high number of low-impact incidents that they do not consider to meet the PSPF reporting threshold.

Figure 7: Indicators to entities’ cybersecurity incident preparedness and response

4. Leadership and planning

Strong leadership is essential in setting and maintaining a positive cybersecurity culture, and ensuring that cybersecurity remains part of an entity’s planning and everyday business. In particular, the Chief Information Security Officer (CISO) plays a key role in setting the strategy and direction of an entity’s cybersecurity program. CISOs are typically responsible for providing strategic guidance to their entity’s cybersecurity program and ensuring compliance with cybersecurity policy, standards, regulations and legislation.

The broader workforce also plays a key part in maintaining cybersecurity, and entities should provide ongoing cybersecurity awareness training to all personnel to help them to best understand their cybersecurity responsibilities.

4.1 Implementation of leadership and planning

In relation to leadership and planning, the cybersecurity posture of entities was assessed through a series of ASD survey questions designed to provide indications of their cybersecurity leadership, planning and overall culture.

Over this financial year, survey responses indicated improvement in cybersecurity leadership and planning, as shown in Figure 8. Specifically:

1. 73 per cent of entities reported having a cybersecurity strategy, an increase from 72 per cent in 2022.
2. 83 per cent of entities addressed disruptions due to cybersecurity incidents in business continuity and disaster recovery planning, an increase from 82 per cent in 2022.
3. 80 per cent of entities participated in the ASD’s Cybersecurity Partnership Program,²³ an increase from 75 per cent in 2022.

Entities indicated they had undertaken forward planning with regards to cybersecurity. In the 2023 ASD survey, 82 per cent of entities reported having a funded body of work to improve their cybersecurity posture.²⁴

The percentage of entities providing annual cybersecurity training has also increased.

1. 78 per cent of entities provided cybersecurity training for their workforce at least annually, an increase from 68 per cent in 2022.
2. 39 per cent of entities provided privileged user training (PUT) at least annually, an increase from 34 per cent in 2022.

Figure 8: Indicators or entities' leadership and planning

5. Building Australian Government cybersecurity

The Australian Government continues to build and improve its cybersecurity posture. The government has committed $9.9 billion over a decade to fund the Resilience, Effects, Defence, Space, Intelligence, Cyber Enablers (REDSPICE) program; this funding commenced 1 July 2022. REDSPICE responds to the deteriorating strategic circumstances in Australia’s region, characterised by rapid military expansion, growing coercive behaviour and increased cyberattacks. Through this program, ASD will deliver forward-looking capabilities essential to maintaining Australia's strategic advantage and capability edge.

A key pillar of this program is Enhanced National Cyber Defence, which delivers improved critical infrastructure resilience against sophisticated cyberattacks; increased visibility of threats to Australia’s critical systems; improved machine-time threat intelligence sharing across government and industry; and doubled persistent hunt and nation-wide cyber-incident response.

REDSPICE builds on existing investment under the Cyber Enhanced Situational Awareness and Response (CESAR) Plus Program, which funds the delivery of ASD defensive cyber capability from July 2020 to June 2030. This program was designed to boost protection and cyber resilience for all Australians.

This chapter outlines key systems and services delivered by ASD to support federal government entities to build their cybersecurity through the REDSPICE and CESAR Plus programs.

5.1 ASD services supporting Australian Government cybersecurity

The following ASD services have been funded under the REDSPICE or CESAR Plus programs.

Cybersecurity hardening

Cybersecurity maturity assessment and uplift

ASD’s Cyber Maturity Measurement Program (CMMP) assessments involve teams of technical subject-matter experts working with government entities to assess their cybersecurity maturity against the Essential Eight mitigation strategies, as well as assessing their broader cybersecurity posture. Entities are provided with a detailed report containing tailored advice and recommendations to improve their cybersecurity maturity.

ASD also assists government entities – through the provision of ASD ICT professionals – to implement cybersecurity controls, and provide advice and recommendations aligned with ASD’s findings.

In the 2022–23 financial year, ASD undertook:

• 5 CMMP assessments with federal government entities, an increase from 3 assessments in the previous financial year.
• 13 uplift services for government entities to improve their cybersecurity hygiene, awareness, and implementation of a security roadmap, an increase from 5 in the previous financial year.

Cyber Hygiene Improvement Programs (CHIPs)

CHIPs measures the cyber posture and hygiene of government internet-facing systems and assets, by scanning external indicators of cybersecurity vulnerabilities. CHIPs provides quarterly reports to government entities detailing their vulnerabilities. These reports provide network owners with actionable information to help them to understand their vulnerabilities and inform cybersecurity posture improvement activities.

High-Priority Operational Tasking Cyber Hygiene Improvement Programs (HOT CHIPs)

HOT CHIPs conducts targeted scans in response to particular cybersecurity related events. These scans build ASD’s visibility of particular cybersecurity vulnerabilities across the Australian economy and offer network owners highly targeted, timely and actionable threat intelligence.

In the 2022–23 financial year, ASD performed 103 HOT CHIPS scans.

Active Vulnerability Assessments (AVA)

ASD’s AVA capability identifies security vulnerabilities that may be used by a sophisticated cybersecurity actor. An AVA is a long-term engagement with high priority customers to simulate the presence of a sophisticated cyber adversary while remaining undetected on the customer’s network. The outcome of the AVA activity allows customers to understand their vulnerabilities, and test their response to detecting unusual activity.

Hunt

ASD proactively conducts cyberthreat hunt operations on critical Australian networks to detect intrusions by sophisticated cyber actors. This service is offered to high priority entities, including in support of events of national significance.

In the 2022–23 financial year, ASD conducted 2 hunt activities on priority government networks.

Sensor programs

The Host Based Sensor (HBS) Program and the Gateway Sensor Program Network (GSPN) provide visibility of the cybersecurity posture of Australian Government ICT systems by collecting telemetry data from government devices. They allow ASD to help entities identify weaknesses in their cybersecurity and detect intrusions on their ICT infrastructure and mitigate the consequences of compromise.

In the 2022–23 financial year, ASD supported:

• 8 new federal government entities to join the HBS program, bringing the total number of entities to 39
• 1 new federal government entity to join the GSPN program, bringing the total number of entities to 62.

Incident preparedness and response

Alerts and advisories

ASD publishes alerts and advisories to cyber.gov.au to inform Australians on cybersecurity threats and mitigations. Individuals may subscribe to the ACSC Alert Service to receive alerts via email.

Cybersecurity Hotline

The Australian Cybersecurity Hotline ‘1300 CYBER1’ (1300 292 371) provides advice and assistance to Australian individuals and entities impacted by cybersecurity incidents. The hotline is available 24 hours a day, seven days a week.

National Exercise Program (NEP)

The NEP works in partnership with Australian critical infrastructure and government to scope, plan, deliver and evaluate cybersecurity exercises to improve Australia’s overall cyber resilience. The NEP also delivers exercise management training workshops for industry and government.

In the 2022–23 financial year, ASD delivered 23 exercises for government and critical infrastructure organisations.

Incident response

ASD provides incident response services to all entities that have been compromised by malicious cyber actors. ASD prioritises deployment of specialised digital forensics and incident response services in response to incidents causing significant impact to Australia and/or incidents involving high‑harm actors.

Cyber Threat Intelligence Sharing (CTIS)

ASD operates the CTIS platform. CTIS allows participating entities to share observable indicators of compromise (IOCs) at machine speed. Participating entities can use these IOCs to identify activity on their own networks. The CTIS platform also allows participating entities to share with other CTIS partners the IOCs observed on their own networks.

In June 2023, 12 per cent of federal government entities had joined the CTIS platform, an increase from 2 per cent in 2022.

Australian Protective Domain Name System (AUPDNS)

The AUPDNS uses threat intelligence to build a block list of known and assessed malicious web domains. These domains are often used to distribute malware, as part of malicious command and control channels, or as part of a data-exfiltration channel. AUPDNS prevents devices on subscribed networks from accessing the malicious domains on the block list, thereby interrupting potential malicious activity.

In June 2023, 24 per cent of federal government entities were using AUPDNS, a decrease from 26 per cent in 2022. This decrease is due to an increase in the total number of federal government entities, rather than a decline in the number of participating entities.

Leadership and planning

ASD’s Cybersecurity Partnership Program

ASD’s Cybersecurity Partnership Program works with Australian critical infrastructure and government to scope, plan, deliver and evaluate cybersecurity exercises to improve Australia’s overall cyber-resilience.

6. Conclusion

The findings presented in this report indicate that entities’ cybersecurity postures were well-established in some areas, and required improvement in others. In particular:

1. The proportion of government entities that had reached Overall Maturity Level 2 across the Essential Eight mitigation strategies had improved.
2. Between 2022 and 2023, the proportion of government entities applying effective email domain security and website encryption increased, as measured by ASD’s CHIPs. However, the proportion of government entities applying effective email encryption decreased, as did the proportion of entities hosting only valid websites on their web servers.
3. The majority of entities had planned for a cybersecurity incident, and were ready to respond if needed.
4. The percentage of entities reporting cybersecurity incidents to ASD had declined over the 2022–23 financial year.
5. Indicators of cybersecurity leadership and planning had remained high, and showed improvement across entities.
6. The proportion of entities that provided annual cybersecurity training to their workforce increased over the 2022–23 financial year; however, the proportion of entities providing PUT at least annually remains low.

6.1 Report to Parliament 2024

The Commonwealth Cyber Security Posture in 2024 report to Parliament will be delivered by November 2024.

General Information

Use of the Coat of Arms

The Commonwealth Coat of Arms is used in accordance with the April 2014 Commonwealth Coat of Arms: Information and Guidelines, published by the Department of the Prime Minister and Cabinet and available online (http://www.pmc.gov.au/resources/commonwealth-coat-arms-information-and-guidelines).

Website: www.cyber.gov.au
Contact us: Feedback about this report is welcome and should be directed to:
Phone: 1300 CYBER1 (1300 292 371)
Email: asd.assist@defence.gov.au
Post: PO Box 5076, Kingston ACT 2604

Acknowledgement of Country

We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Footnotes

1. ‘PGPA Act’ refers to the Public Governance, Performance and Accountability Act 2013.
2. Flipchart of the PGPA Act entities and companies, PGPA Act Flipchart and List.
3. The number of NCEs quoted includes the Australian National Preventive Health Agency. This agency is listed on the PGPA Flipchart; however it ceased operations in 30 June 2014, and is therefore excluded from all assessment described in this report.
4. The total number of Australian government entities increased from 185 at the end of the 2021-22 financial year.
5. PSPF Assessment Report 2021–22, Protective Security Policy Framework (PSPF) Assessment Report 2021–22 | Protective Security Policy Framework.
6. Essential Eight.
7. PUT is training tailored to personnel with responsibilities beyond that of a normal user, Guidelines for Personnel Security
8. Questions on this topic were introduced to the ASD survey in 2023; as such, data is not available for prior years.
9. JCPAA Report 467: Cybersecurity Compliance, Report 467: Cybersecurity Compliance – Parliament of Australia (aph.gov.au).
10. PSPF Policy 5: Reporting on security, Policy 5: Reporting on security | Protective Security Policy Framework.
11. Essential Eight Maturity Model
12. In 2023, the ASD survey used updated questions regarding the use of compensating controls, seeking additional information on their application and how they were managed. This increases the level of rigour applied to the collection of this data, and the reliability of the results.
13. Questions on this topic were introduced to the ASD survey in 2023; as such, data is not available for prior years.
14. PSPF Policy 11: Robust ICT systems, (PSPF Policy 11), Policy 11: Robust ICT systems | Protective Security Policy Framework.
15. Questions on this topic were introduced to the ASD survey in 2023; as such, data is not available for prior years.
16. PSPF Policy 10: Safeguarding data from cyberthreats, Policy 10: Safeguarding data from cyberthreats | Protective Security Policy Framework.
17. Information Security Manual (ISM)
18. Under the PSPF self-assessment maturity model, a ‘managing’ level of maturity indicates a ‘Complete and effective implementation of the PSPF’.
19. Minimum recommended email domain security: The domain has a valid DMARC record, or has a valid DMARC record on its base domain, with an effective policy of 'reject' or 'quarantine'.
20. Minimum recommended email encryption: The website sends an HSTS header when accessed AND HTTPS is enabled AND no weak or insecure cipher suites are used AND users are redirected to an HTTPS connection AND the oldest supported version of TLS is 1.2 or higher AND client-initiated.
21. Minimum recommended web server encryption: The mail server supports Opportunistic TLS (STARTTLS) AND supports at least TLS 1.2 (but may also allow TLS 1.1 and TLS 1.0 for backwards compatibility) AND has a valid certificate AND offers at least one strong cipher AND offers no insecure ciphers.
22. Minimum recommended valid websites posture: According to existing indicators the website appears to be current and up to date.
23. The ASD’s Cybersecurity Partnership Program enables Australian organisations and individuals to engage with the ACSC and fellow partners to lift cyber resilience across Australia, ASD's Cybersecurity Partnership Program
24. Questions on this topic were introduced to the ASD survey in 2023; as such, data is not available for prior years.