Parliament house is not cyber secure. What could go wrong?
Seven of eight mandatory cyber controls failing at Parliament House — and a 2019 state-based breach that apparently changed nothing.
Parliament House is not cyber secure. What could go wrong?
The building that houses Australia's legislature, the institution responsible for passing laws governing everything from national security to data sovereignty, cannot adequately protect its own computer network. A recent audit from the Australian National Audit Office has found that the Department of Parliamentary Services failed to implement seven of the eight mandatory cyber security strategies required under the government's own Protective Security Policy Framework. Not partially. Not pending. Seven out of eight, below the required standard, at the time of the audit.
The Essential Eight is the floor, not the ceiling — and DPS is below it
The Essential Eight is not an obscure technical checklist. It is the baseline framework the Australian Signals Directorate considers the minimum effective defence against the most common and damaging cyber attacks. Things like patching known vulnerabilities, restricting administrative privileges, enabling multi-factor authentication. Not exotic. Not experimental. The floor, not the ceiling. DPS had an outdated policy framework, inadequate risk management, and was relying on compensating controls that did not cover all systems. The ANAO found the department had "limited ability to apply controls and governance for some of the users it supports." In plain terms: they were not sure what was happening on parts of their own network.
That is not a department that doesn't know what to do. That is a department that knows what to do and has not done it.
Six years after a state-based breach, the same gaps remain
This is not Parliament House's first brush with the problem. In 2019, DPS suffered a high-profile cyber security incident, widely reported to be the work of a sophisticated state-based actor. The incident predates the current audit by six years. The Essential Eight framework has been mandatory for non-corporate Commonwealth entities for years. What has been happening in the intervening time? The audit does not say DPS is starting from scratch. It says the governance processes were "established but of limited effectiveness," and that known vulnerabilities were being managed without adequate coverage. That is not a department that doesn't know what to do. That is a department that knows what to do and has not done it.
Parliament House is one of the most attractive intelligence targets on the continent
The stakes here are not abstract. Parliament House is one of the more attractive targets on the Australian continent for foreign intelligence collection. Parliamentarians, their staff, lobbyists, advisers, journalists with network access — the Parliamentary Computing Network is a concentrated intelligence opportunity. The ANAO notes that DPS provides IT services to users "with differing business and security needs," which in practice means the network serves everyone from the Speaker's office to a backbencher's intern. Managing that sprawl is genuinely hard. But hard is not the same as impossible, and mandatory standards exist precisely because the alternative — each entity deciding for itself what is good enough — produces exactly this result.
The government cannot credibly mandate what it does not practise
There is a particular irony in the timing. The government has spent the better part of two years pushing for stronger cyber security obligations on the private sector, on critical infrastructure operators, on telecommunications companies. The 2023-2030 Cyber Security Strategy set out an ambitious national agenda. Legislation has followed. The argument is that Australia cannot afford to be complacent, that the threat environment is worsening, that baseline standards must be enforced. All of that may be true. But the moral and political authority of those arguments rests on some assumption that the government itself is meeting the standards it mandates for others. This audit suggests it is not.
Agreeing to recommendations is not the same as fixing the problem
DPS has agreed to both of the ANAO's recommendations, which cover improving governance and prioritising the remediation of known risks. Agreement is welcome. It is also the minimum possible response to a finding this serious. Departments agree to audit recommendations routinely, and the ANAO has no power to compel compliance or verify follow-through in real time. The implementation is everything, and implementation is what has been missing.
The test for Parliament House is the same one its occupants apply to every other institution they regulate: not whether you have a plan, but whether you have actually done the work. Six years after a significant breach, with a mandatory framework in place and the threat environment more acute than ever, seven of eight controls are below standard. That is the record. The recommendations are a start. They are not an answer.
Sources
Frequently Asked Questions
What is the Essential Eight and why does it matter for Parliament House?
The Essential Eight is the Australian Signals Directorate's baseline framework of eight cyber security controls considered the minimum effective defence against common attacks — things like multi-factor authentication, patching vulnerabilities, and restricting administrative privileges. It is mandatory for non-corporate Commonwealth entities, which includes the Department of Parliamentary Services. DPS failed to meet the required standard on seven of the eight controls.
Has Parliament House been hacked before?
Yes. In 2019, DPS suffered a significant cyber security incident widely attributed to a sophisticated state-based actor. The current audit was conducted six years after that breach, and found the same mandatory controls still below the required standard.
What happens if a government department doesn't comply with ANAO audit recommendations?
The ANAO has no power to compel compliance or verify follow-through in real time. Departments routinely agree to recommendations, but implementation is voluntary and there is no automatic enforcement mechanism — making the gap between agreeing to fix a problem and actually fixing it a structural weakness in the audit regime.
Why is Parliament House a target for foreign intelligence services?
The Parliamentary Computing Network connects parliamentarians, their staff, lobbyists, advisers, and journalists — concentrating high-value targets on a single network. For foreign intelligence services, a foothold in that network offers access to policy deliberations, personal communications, and political intelligence that would otherwise require many separate operations to collect.
Does the government's own cyber security record affect its ability to regulate private sector cyber standards?
The government's 2023-2030 Cyber Security Strategy and related legislation impose mandatory baseline cyber standards on private sector critical infrastructure operators. With Parliament House itself failing to meet those same government-mandated baselines, the political and moral authority behind that regulatory push is materially weakened.