The federal cyber security agency responded to nearly 450 attacks on Commonwealth-level entities last year, the nation's latest security strategy reveals.
Australian Public Service agencies will centralise their IT as the government tries to strengthen the defences of its digital networks against attacks from state-sponsored actors and nation states.
The new cyber security strategy, released on Thursday, shows Commonwealth, state and territory government bodies were the target in 35.4 per cent of incidents the Australian Cyber Security Centre responded to in 2019-2020.
New figures from the centre show it responded to about 450 incidents involving Commonwealth entities, and more than 350 attacks on state and territory level government bodies.
The strategy flagged major spending on cyber security, and detailed long-term efforts to bolster defences in response to the growing risk of attacks.
It said the first priority would be centralising the management and operations of the large number of IT networks run by federal agencies.
"Centralisation could reduce the number of targets available to hostile actors such as nation states or state-sponsored adversaries, and allow the Australian government to focus its cyber security investment on a smaller number of more secure networks," the strategy said.
It also said federal agencies would improve the government's cyber defences by adopting safety measures recommended by the Australian Signals Directorate and known as the "Essential Eight".
"Australian government agencies will also put a renewed focus on policies and procedures to manage cyber security risks," the strategy said.
UNSW professor and cyber security expert Greg Austin said that, in centralising government IT networks, public service agencies could retain control over their IT systems, but that security arrangements and auditing may be centralised.
"That detail has to be worked out and it has some appeal, but it needs to be worked out carefully," he said.
Professor Austin said one model was provided by the NSW government, which required department heads to take responsibility for cyber security. A similar approach could benefit the APS, he said.
"More pressure needs to be put on department heads to take responsibility," Professor Austin said.
A series of reports in recent years have shown federal agencies have fallen behind in adopting cyber security measures.
In a 2019 report, the Australian Signals Directorate found levels of cyber security varied across the government and that some entities remained vulnerable to threats. It said some agencies had misunderstood, misinterpreted and inconsistently applied the "Essential Eight" strategies.
The new cyber security strategy said more than a third of incidents affected critical infrastructure providers delivering healthcare, education, banking, water, communications, transport and energy.
"A successful cyber attack against one of these services could have significant ramifications for the broader economy and Australian way of life," the strategy said.
It said this had happened overseas in the 2015 disruptions to power facilities in Ukraine, the 2017 Triton attacks on Saudi petrochemical facilities, and the NotPetya and WannaCry attacks in 2017 that hit financial, transport and healthcare services globally.