The Australian Parliament’s internal computer network remains vulnerable to cyberattacks, with a recent audit revealing that the Department of Parliamentary Services (DPS) has failed to implement seven of the government’s eight mandatory cybersecurity controls. The Australian National Audit Office (ANAO) report, released in May 2024, describes the department’s security posture as only “partly effective,” citing years of unaddressed risks that leave sensitive data belonging to federal politicians and staff exposed.
Why the Parliamentary Network Is Considered Vulnerable
The ANAO audit found that the department managing the network relies on incomplete workarounds rather than robust, permanent security measures. According to the report, critical weaknesses exist in fundamental areas, including multifactor authentication, software patching, and administrator access controls.
The parliamentary network serves approximately 5,000 users across 11,000 devices. Auditors noted that the current architecture lacks proper segmentation between users. This means that a breach in one part of the system—such as a compromised electorate office device—could potentially grant an attacker broader access to the entire parliamentary environment. The department previously acknowledged in internal assessments that the network may no longer be “fit for purpose” given these structural limitations.
History of Security Breaches and Threats
The findings follow a series of high-profile security incidents involving parliamentary figures and systems. In 2023, it was disclosed that over 100,000 sensitive parliamentary emails and documents were provided to a private law firm during an investigation. This occurred despite internal warnings that the firm posed an “extreme” cybersecurity risk, particularly because it had previously been targeted by a Russian ransomware attack.
More recently, the cybersecurity landscape for Australian officials has tightened following reports of targeted phishing campaigns. In March 2024, the FBI issued a warning regarding foreign intelligence-linked actors targeting messaging applications. Independent MP Zali Steggall’s WhatsApp account was compromised in a similar phishing scheme, which prompted authorities to restrict the use of the messaging platform on parliamentary-issued laptops.
Challenges in Cyber Governance
The audit highlights significant operational hurdles, including high staff turnover within the cybersecurity team. More than half of the department’s cyber staff have been in their roles for less than one year, complicating the continuity of risk management efforts.
The ANAO report identified several specific governance failures:
- Incomplete Documentation: Critical IT assets have not been fully documented.
- Expired Approvals: Some systems continue to operate despite having expired security certifications.
- Risk Tolerance: The department has repeatedly accepted cyber risks that exceed its own established tolerance levels.
What Happens Next for Parliamentary Security
The Department of Parliamentary Services has formally agreed to the two recommendations provided by the ANAO. These include a complete overhaul of the current cyber governance framework and the implementation of a risk-based program to ensure compliance with federal standards.
The federal government has committed to a major resilience upgrade for the parliamentary network, with funding allocated in the 2026-27 budget. Opposition special minister of state James McGrath criticized the current state of affairs, stating that the institution at the heart of Australian democracy must be better protected against increasingly sophisticated foreign-state actors. For now, the department remains tasked with reconciling its existing vulnerabilities while preparing for the long-term infrastructure overhaul.