The Immigration Department has admitted it has set no deadline to make crucial IT security reforms protecting against cyber attack, despite a damning audit report.
Chief Information Officer Randall Brugeaud said on Friday the department could not say when it would adopt all four cyber security measures required to defend it from threats, after missing a 2016 deadline to make the changes.
The admission came as Australia's electronic spy agency warned a parliamentary inquiry into cyber security of a "vast increase" in ransomware threats similar to the 'WannaCry' attack that hit the UK hospital system in May.
Mr Brugeaud blamed the Immigration Department's merger with the Australian Customs and Border Protection Service in 2015 for the delay, saying it had complicated efforts to reform its security.
"That became a far more complex environment spanning a far greater number of business lines. So as a consequence of what is quite a significant machinery of government change, we still have maintained a positive trajectory, maintained critical business services, but it has adjusted the time it will take," he said.
The Immigration Department told the inquiry hearing in Canberra it had applied restrictions on desktop applications and would improve other parts of its cyber security after a March report from the national auditor found it was vulnerable to attack.
Before merging with Immigration, the ACBPS missed a July 2014 deadline to adopt four top IT security strategies, which spy agency the Australian Signals Directorate says prevent 85 per cent of cyber intrusions.
Despite promising in 2014 to implement them by 2016, Immigration had adopted only one of the strategies.
Immigration first assistant secretary Cheryl-anne Moy told the inquiry it had also not prepared for any further disruption to its cyber security reforms posed by its possible move into a super-size US-style 'Homeland Security' department.
The Tax Office, which the auditor-general also found was vulnerable to cyber threats, expected to follow the 'Top Four' security measures by November.
Acting auditor-general Rona Mellor said all departments it had probed for cyber security had been affected by change and were still required to maintain security.
"These are mandatory requirements to protect the information that these organisations hold. While there are reasons for pace, the responsibility is still there within the framework, within the regulation to deliver cyber secure environments," she said.
Prime Minister Malcolm Turnbull's adviser on cyber security Alastair MacGibbon said the 'Top Four' measures were hard to implement and required agility from departments.
"It comes down to a question of culture and making sure that when there is a machinery of government change, that you recognise every time you do that, there are consequences in terms of the way computer systems operate," he said.
"There's no excuse for non-compliance but there's understanding that these things take time."
Australian Signals Directorate head of cyber and information security Clive Lines said there were "vast" increases in ransomware threats similar to the WannaCry attack, and state-sponsored cyber threats had grown.
The Attorney-General's Department told the inquiry some agencies did not return a survey it sent out to identify those with vulnerabilities in cyber security, and it could not compel any to complete them.
Mr Brugeaud said the Immigration Department had patched the security of its internet gateway following the WannaCry attack, and had already updated its anti-virus measures.
But Ms Mellor said gateway security was not enough and that the 'Top Four' measures Immigration had not fully met protected against 85 per cent of threats.
Sign up for our newsletter to stay up to date.