Ethical hacking programs patchy across govt despite mandate


Justin Hendry

Only a handful of federal government departments and agencies with responsibilities for front-facing digital services have opened the door to security researchers to report bugs they discover in the nine months since vulnerability disclosure programs were mandated.

An investigation by InnovationAus.com reveals that of the 15 departments without such a program when the mandate was introduced, only one has implemented public reporting processes for vulnerabilities.

A further seven agencies that were assessed, including those responsible for the majority of the government’s interactions with citizens, have implemented or partially implemented vulnerability disclosure programs (VDPs).

VDPs allow security researchers and other members of the public to easily report potential bugs and security vulnerabilities so software owners can apply patches before a vulnerability can be exploited.

The Attorney-General updated advice to departments and agencies subject to the Protective Security Policy Framework (PSPF) in July 2022 following industry feedback about the “value of government entities establishing a VDP”.

The move brought Australia into line with the United States government, which has had such a policy in place since 2020. Some departments have also gone one step further by introducing bug bounties – cash rewards for uncovering and reporting software bugs.

But federal government departments in Australia have been slow to implement the changes mandated 10 months ago, with the Department of Industry, Science and Resources the only department to have met the requirements since they were introduced.

The Department of Health is the only other department with a VDP in place, having introduced one in June 2020, just weeks after the federal government launched its since-discarded COVIDSafe contact tracing app.

Developers who poked holes in the COVIDSafe app and found security vulnerabilities posing a significant threat to users' privacy initially struggled to contact the department to have the issues fixed.

The Department of Home Affairs, which is the government’s policy lead for cybersecurity, did not provide a timeline for when its VDP would be introduced, telling InnovationAus.com that scoping would commence in the coming months.

Defence and the Attorney-General’s Department, meanwhile, have internal processes and are planning to introduce VDPs to conform with the PSPF. A spokesperson for the Attorney-General’s Department said this would be done “by the required deadline of 30 June 2023”.

The Department of the Prime Minister and Cabinet, Department of Foreign Affairs, the Department of Social Services, the Department of Employment and Workplace Relations, and Department of Education are also planning to introduce programs by mid-year.

Of the seven agencies that have introduced VDPs, only the Australian Taxation Office and Australian Bureau of Statistics had programs in place since before July 2022, with the remainder introducing them this year.

Canberra’s biggest service delivery agency, Services Australia, introduced a VDP for myGov – the front door through which most citizens interact with the government – in February but is yet to extend it to other services.

A spokesperson told InnovationAus.com that it is “finalising a vulnerability disclosure program to cover all services provided by the agency”, including Medicare and Child Support, and that this would be available before the end of June.

“We have robust 24/7 cybersecurity capabilities which scan for potential threats and make ongoing security enhancements. The vulnerability disclosure program is part of a suite of measures to ensure our systems remain secure,” the spokesperson added.

Other agencies to introduce VDPs in recent months include the Digital Transformation Agency (April), the Australian Research Council (February) and the Clean Energy Regulator (January).

There are 100 departments and agencies across the federal government that are non-corporate Commonwealth entities and, therefore, subject to the information security requirements of the PSPF.

A handful of agencies not subject to the PSPF have also introduced such programs, including the National Disability Insurance Agency.

Lyria Bennett Moses, a professor of law at UNSW and a director at UNSW Allens Hub for Technology, Law and Innovation, told InnovationAus.com that VDPs are an easy way for departments and agencies to crowdsource cybersecurity improvements.

“Ignorance is never a good idea in the context of security, especially when there are people who will go out, find them and report them when such programs exist, so why not take the benefit of that,” she said.

According to a Home Affairs spokesperson, the number of government agencies with VDPs will be included in the annual PSPF assessment report. The 2021-22 report, released in January 2023, did not take into account the VDP policy change.
