The computer network used by federal politicians and thousands of parliamentary staff has been left vulnerable to further mass hacking attempts, with auditors finding major faults remain seven years after Parliament House was targeted in a high-profile cyberattack.
A scathing Australian National Audit Office report found the Department of Parliamentary Services, which manages the online network, had failed to properly implement seven of the government’s eight core cybersecurity controls.
The findings raise fresh concerns about the resilience of one of the nation’s most sensitive IT environments at a time intelligence agencies continue to warn that Australian government systems remain prime targets for foreign espionage and cyberattacks.
Auditors concluded the department’s cybersecurity posture was only “partly effective”, finding it was relying on incomplete workarounds and risk-management measures that failed to adequately address known vulnerabilities.
The ANAO found weaknesses across critical safeguards including multifactor authentication, software patching, administrator access controls, application security and back-up arrangements.
The audit also revealed the parliamentary network – used by almost 5000 people across nearly 11000 devices – may not be properly structured to manage the differing security risks posed by MPs, senators, electorate offices and parliamentary departments.
In October last year it was revealed that more than 100,000 sensitive parliamentary emails and documents were handed to a private law firm despite internal warnings of an “extreme” cybersecurity risk. The firm – previously hit by a major Russian ransomware attack – was also granted broad administrative access to parliamentary systems during a probe into alleged wrongdoing by senior officials.
Last month it also emerged that independent MP Zali Steggall’s WhatsApp account was hacked in March as part of a phishing scheme believed to have been orchestrated by the Russian government that led to the messaging platform being blocked on parliamentary laptops.
The FBI issued a public warning in March about phishing campaigns by Russian intelligence-linked actors targeting messaging apps, while Dutch agencies warned of a global takeover effort of accounts on platforms such as Signal and WhatsApp, with reports in April that hundreds of accounts in Germany – including the federal parliament president and other senior figures – had been compromised.
In a significant warning, auditors noted that the department had previously acknowledged the network “may no longer be fit for purpose” and lacked appropriate segmentation between users, increasing the potential consequences of any successful breach.
The watchdog found key cyber policies remained unfinished, risk registers were incomplete, critical IT assets had not been fully documented, and some systems were operating with expired security approvals.
More than half the department’s cybersecurity staff had been in their roles for less than a year following significant turnover, creating further challenges for managing cyber risks.
The report found the department repeatedly accepted cyber risks above its own tolerance levels and lacked a single authoritative register tracking vulnerabilities and remediation efforts.
The audit made two recommendations, calling on the department to overhaul its cyber governance framework and implement a risk-based program to address known weaknesses and achieve compliance with federal cybersecurity requirements. DPS agreed to the recommendations and said new funding in the 2026-27 budget would support a major cyber resilience upgrade of the parliamentary network.
Opposition special minister of state James McGrath said the findings were concerning given that parliamentary services was responsible for protecting the sensitive information of parliamentarians, staff, and parliamentary departments.
“The Australian public should expect that the institution at the heart of our democracy is protected against increasingly sophisticated cyber threats from foreign-state actors,” he said.
“Given the current threat environment, it is clear that Labor needs to be much tougher when it comes to cybersecurity.”
Cut through the noise of federal politics with news, views and expert analysis. Subscribers can sign up to our weekly Inside Politics newsletter.
Rob Harris is the national correspondent for The Sydney Morning Herald and The Age based in Canberra. He is a former Europe correspondent.Connect via email.