Cybersecurity: the Federal Government should expand plans, personnel and infrastructure

Cybersecurity plays an essential role in all areas of electronic data processing. At the federal level, the Federal Chancellery, the Federal Ministry of the Interior, the Federal Ministry of Defence and the Federal Ministry for European and International Affairs are responsible for the coordination of cybersecurity. In its report published today, the ACA reveals potential for improvement: crisis, continuity and operational plans, for example, were lacking for the management of cyber crises. A permanently available cyber rapid response team as well as a cyber situation centre should be set up. These are the conclusions drawn by the ACA’s auditors from, among others, the cyber crisis experienced at the Federal Ministry for European and International Affairs from December 2019 to March 2020. The audit covered the period from 2018 to 2021.

The cyber crisis was "in essence successfully” addressed

In December 2019, a covert cyberattack was launched on the systems of the Federal Ministry for European and International Affairs. This cyberattack was identified as the first cyber crisis in Austria and prompted the activation of the structures envisaged therefor. In addition to the Inner Circle of the Operational Coordination Structure, which is headed by the Federal Ministry of the Interior and in which the Federal Ministries of the Interior and for European and International Affairs are represented, a specific operational structure was established. The Federal Ministry of the Interior identified the cyber crisis on 4 January 2020. On 7 January 2020, the cybersecurity forces of the responsible ministries and of an external company were able to take up their operational work. Prior to that, the infrastructure (premises) and other equipment (hardware, software, office equipment) had to be organized and acquired for the response team.

"In essence", the cyber crisis was addressed "successfully". This is the conclusion drawn by the ACA’s auditors. However, they have identified numerous options for improvement.

Establishing a cyber rapid response team and a cyber situation centre

In light of the cyber situation assessment to be regularly compiled by the Inner Circle of the Operational Coordination Structure (ICOCS), but especially since a centre for responding to cyber incidents should be available immediately, the permanent establishment of a centre dedicated to such events, which is available for use at any time, would be appropriate. The coordination structure of the ICOCS itself, the most important interministerial body for cybersecurity, is perceived as suitable by the ACA to carry out the tasks assigned to it.

Furthermore, a permanently available cyber rapid response team would have to be set up. In this context, the ACA highlights the shortage of personnel in the cybersecurity forces. For example, both the Federal Chancellery and the Federal Ministry of the Interior have failed to secure the human resources deemed necessary for safeguarding cybersecurity. In order for more suitable personnel to be available, a modern personnel management system would have to be established. 
Crisis, continuity and operational plans are essential for a well-functioning cyber crisis management. However, such plans were not available, although the Cybersecurity Steering Group had already decided to develop such plans in 2014 and 2019. The Federal Chancellery and the Federal Ministry of the Interior would have been responsible for this.

The NIS notification analysis system had not been set up

The aim of cybersecurity is to ensure a high level of security of network and information systems (NIS). Providers of digital services, the public administration as well as operators of essential service – such as in the sectors of energy, transport, banking, financial market infrastructures, health care, drinking water, digital infrastructure – must report security incidents.

The Federal Ministry of the Interior is obliged to analyse the forwarded reports on security incidents and to regularly draw up a situation assessment based thereon. Although such assessments were recorded in files, entered into a notification overview and forwarded to the Federal Chancellery and the Federal Ministry of Defence, the ACA critically points out that about two and a half years after the Network and Information Systems Security Act (Netz- und Informationssystemsicherheitsgesetz) had entered into force, the statutorily required “NIS notification analysis system” was not yet in operation. Such a system is to support the preparation of a situation assessment by means of a strategic and operational analysis. According to the statement of the Ministry of the Interior, a notification collection system has been implemented in the meantime and has been in productive use since the third quarter of 2021. The notification collection system is to be regarded as a preliminary stage to the required “NIS notification analysis system”.

In 2021 the early warning system was merely in the design phase

In order to prevent possible security incidents, the Federal Ministry of the Interior was authorized to operate an early warning system that can detect risks or incidents of network and information systems at an early stage. The ACA critically notes that in 2021 the envisaged early warning system was merely in the initial design phase, although the outcome-oriented impact assessment attached to the Network and Information Systems Security Act had already provided for initial investments in 2019 and for operating costs already in 2020.
The ACA recommends to the Federal Ministry of the Interior to intensify and realize the early warning system implementation project. As many organizations as possible should participate in this early warning system in order to attain the national and cross-sectoral objective of identifying cyberattacks and/or minimising their effects and of analysing patterns and methods related to cyberattacks.