National security risk as parliamentary network fails seven out of eight basic cyber checks

Sydney Morning Herald

A damning report from the auditor-general reveals deep vulnerabilities across critical federal government safeguards, amid warnings the system may no longer be fit for purpose against sophisticated foreign espionage.

The computer network used by federal politicians and thousands of parliamentary staff has been left vulnerable to further mass hacking attempts, with auditors finding major faults remain seven years after Parliament House was targeted in a high-profile cyberattack.

A scathing Australian National Audit Office report found the Department of Parliamentary Services, which manages the online network, had failed to properly implement seven of the government’s eight core cybersecurity controls.

The findings raise fresh concerns about the resilience of one of the nation’s most sensitive IT environments at a time intelligence agencies continue to warn that Australian government systems remain prime targets for foreign espionage and cyberattacks.

Auditors concluded the department’s cybersecurity posture was only “partly effective”, finding it was relying on incomplete workarounds and risk-management measures that failed to adequately address known vulnerabilities.

The ANAO found weaknesses across critical safeguards including multifactor authentication, software patching, administrator access controls, application security and back-up arrangements.

The audit also revealed the parliamentary network – used by almost 5000 people across nearly 11,000 devices – may not be properly structured to manage the differing security risks posed by MPs, senators, electorate offices and parliamentary departments.

In October last year it was revealed that more than 100,000 sensitive parliamentary emails and documents were handed to a private law firm despite internal warnings of an “extreme” cybersecurity risk. The firm – previously hit by a major Russian ransomware attack – was also granted broad administrative access to parliamentary systems during a probe into alleged wrongdoing by senior officials.

Last month it also emerged that independent MP Zali Steggall’s WhatsApp account was hacked in March as part of a phishing scheme believed to have been orchestrated by the Russian government that led to the messaging platform being blocked on parliamentary laptops.

The FBI issued a public warning in March about phishing campaigns by Russian intelligence-linked actors targeting messaging apps, while Dutch agencies warned of a global takeover effort of accounts on platforms such as Signal and WhatsApp, with reports in April that hundreds of accounts in Germany – including the federal parliament president and other senior figures – had been compromised.

In a significant warning, auditors noted that the department had previously acknowledged the network “may no longer be fit for

This summary was compiled automatically from the Sydney Morning Herald. See the original article for the full text.