‘These are the basics’: Why this professor warns many government websites aren’t secure

By Matthew Elmas

Wednesday October 28, 2020


As billions of dollars are invested in bolstering cyber security, new analysis finds serious gaps in federal, state and territory government defences when it comes to the largest repositories of public government information available: websites.

Macquarie University professor Dali Kaafar has just finished an unenviable task: a three-year, cross jurisdiction security audit of more than 1,800 government websites.

The mammoth undertaking, published for the first time this week, was spurred by a desire to determine how vulnerable federal, state and territory government websites are to cyber security breaches.


Examining uptake of the basic secure transfer protocol (HTTPS) and how effective broader security measures are, Kaafar found that while governments have made progress since 2018, Australia is still behind the international eight-ball, and without a dedicated effort, the prospect of a serious and trust-smashing incident may be a question of when — not if.

“With cyber security the devil is really in the detail, and unfortunately the details here are not backing up any guarantee of security on government websites,” Kaafar tells The Mandarin.

Kaafar’s analysis is at once soothing and anxiety-inducing; while today over 84% of federal government websites use basic secure transfer protocols (HTTPS), up from just 36% in 2018, more than half of all government websites are still vulnerable to attack, with some departments still using encryption protocols (SSL 3) that are 15 to 20 years out of date.

Just as worrying, the audit finds at least 57% of federal government and more than 70% of state/territory government webpages include at least one outdated or deprecated JavaScript library with publicly known vulnerabilities — including one-in-ten webpages that remain open to injections of malicious code.

“There’s clear evidence that some of this has not really been updated and that’s a serious concern … we’re calling on every single Australian to be patching and updating software, but the government doesn’t seem to be keeping up itself,” Kaafar says.

Website warning: security paramount to maintaining trust

Public websites are not the most sensitive digital assets departments maintain, but they do serve as the communication platform between governments at all levels and the public, and this is where the risks really emerge.

For example, 16% of federal government websites still have not adopted HTTPS, including more than a third of websites under the Department of Health, meaning those pages could be open to all manner of malicious meddling.

“Data can be modified or corrupted during transfer, intentionally or otherwise, without being detected,” Kaafar explains.

“It could potentially lead to vulnerabilities to ransomware, or phishing links being involved in a website that’s trusted as a government website.”
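The three basics the audit measures (HTTPS adoption with a redirect from plain HTTP, obsolete protocol versions such as SSL 3, and outdated JavaScript libraries referenced by a page) can be checked from recorded observations without touching a live host. The script below is an added example written for this article, not code from Kaafar’s report or The Mandarin; the sample observations, the hostnames, the library version floor and the TLS 1.0/1.1 cut-off are all constructed assumptions for illustration.

```python
"""Offline posture check over recorded observations of a public website.

Constructed example: the observations below are made-up samples in the shape
an HTTP client or TLS scanner would record; nothing here contacts a live host.
"""
import re
from dataclasses import dataclass, field

# Constructed policy for this example (an assumption, not a finding from the
# audit): library versions below these floors are treated as outdated.
MIN_LIBRARY_VERSION = {
    "jquery": (3, 5, 0),
}
# SSL 3 is the obsolete protocol the article names; treating TLS 1.0 and 1.1
# as obsolete as well is an assumption added for this example.
OBSOLETE_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)
LIB_VERSION = re.compile(r'(?P<name>jquery)[-.](?P<ver>\d+\.\d+\.\d+)', re.IGNORECASE)


@dataclass
class Observation:
    host: str
    scheme: str                 # "http" or "https" for the URL that was fetched
    status: int                 # HTTP status code returned
    headers: dict               # response headers, names lower-cased
    body: str = ""              # response body (HTML), if any
    tls_protocols: set = field(default_factory=set)  # versions the server accepted


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def find_libraries(html):
    """Return (name, version) pairs for versioned script references in the page."""
    found = []
    for src in SCRIPT_SRC.findall(html):
        match = LIB_VERSION.search(src)
        if match:
            found.append((match.group("name").lower(), parse_version(match.group("ver"))))
    return found


def audit(obs):
    """Report the basic-hygiene findings for one observation, in a fixed order."""
    findings = []
    location = obs.headers.get("location", "")
    if obs.scheme == "http":
        # Plain HTTP is acceptable only as a redirect straight to HTTPS.
        if obs.status not in (301, 302, 307, 308) or not location.startswith("https://"):
            findings.append("plain HTTP served without redirect to HTTPS")
    elif "strict-transport-security" not in obs.headers:
        findings.append("HTTPS without Strict-Transport-Security header")
    for proto in sorted(obs.tls_protocols & OBSOLETE_PROTOCOLS):
        findings.append(f"obsolete protocol accepted: {proto}")
    for name, ver in find_libraries(obs.body):
        floor = MIN_LIBRARY_VERSION.get(name)
        if floor and ver < floor:
            have = ".".join(map(str, ver))
            want = ".".join(map(str, floor))
            findings.append(f"outdated {name} {have} (policy floor {want})")
    return findings


# Constructed sample observations (reserved .example hostnames, not real sites).
SAMPLES = [
    Observation("legacy-site.example", "http", 200, {"content-type": "text/html"},
                body='<html><script src="/js/jquery-1.8.3.min.js"></script></html>',
                tls_protocols={"SSLv3", "TLSv1", "TLSv1.2"}),
    Observation("modern-site.example", "http", 301,
                {"location": "https://modern-site.example/"}),
    Observation("modern-site.example", "https", 200,
                {"strict-transport-security": "max-age=31536000; includeSubDomains",
                 "content-type": "text/html"},
                body='<script src="https://cdn.example/jquery-3.5.1.min.js"></script>',
                tls_protocols={"TLSv1.2", "TLSv1.3"}),
]


def audit_all(samples=SAMPLES):
    """Map each observed URL to its list of findings."""
    return {f"{o.scheme}://{o.host}": audit(o) for o in samples}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url, "->", findings or ["no findings"])
```

Run as-is, the legacy sample produces four findings (no redirect, SSL 3 and TLS 1.0 accepted, jQuery below the policy floor) and the modern sample produces none on either scheme; in practice the observations would be populated from an HTTP client and a TLS scanner, with the policy table maintained against the vendor advisories for each library in use.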

The report comes at an inflection point in government efforts to deal with cybersecurity threats. Earlier this year Prime Minister Scott Morrison set the stage for an overhaul of security practices, pledging $1.7 billion in a wide ranging push to bolster defences that’s being spearheaded by the Department of Home Affairs.

A report published by the Australian Cyber Security Centre (ACSC) in September found there were 2266 cybersecurity incidents and more than 59,000 cybercrime reports logged over the last financial year, underscoring the presence of malicious actors.

One particular incident captured national attention in June, when the ACSC identified a high level threat from a “sophisticated state-based actor” targeting Australian governments and businesses.

While government resources have so far focused on protecting critical infrastructure and sensitive data sets, Kaafar says cyber attacks will often target points of vulnerability, and in this respect government websites currently don’t meet the mark.

“What if an attacker modified content or redefined content about health advice, or some particular type of information government is trying to deliver?” Kaafar says.

“Neither those managing those websites, nor the users would be able to differentiate or to see the difference between the content that has been injected and the legitimate content.”

Outdated systems weigh on government security scores

In his 44-page report, Kaafar has identified a series of outstanding vulnerabilities in government websites at both a state and federal level.

Even among those websites with basic security protocols, the academic finds a non-negligible proportion of sites (3.9%) at the federal government level are still live with patchable problems, misconfigured servers and untrusted certificates.

While the proportion of the most vulnerable websites has decreased substantially since 2018 at the federal level, some state and territory governments are much more vulnerable.

Diving into specific classes of vulnerabilities, Kaafar finds many Queensland and ACT government websites aren’t adequately protected against browser exploit attacks first discovered almost a decade ago.

Tasmania, moreover, maintains a variety of cryptographic weaknesses across its web presence, with 2.3 security vulnerabilities per URL maintained by the government.

This contrasts with other jurisdictions around the world, where governments have mandated adoption of measures like HTTPS.

In 2015, the United States made it mandatory for government websites to adopt HTTPS, a development Kaafar says puts Australia behind the international eight-ball.

“The US regards HTTPS as the minimum level of security that needs to be guaranteed for every web service managed by the federal government,” Kaafar explains.

“These are the basics”: governments urged to take action

Kaafar is urging governments to act now to avoid a damaging scandal down the line, particularly because government websites are so integral to public-facing functions, which require trust to operate effectively.

While governments have significantly improved website security since 2018, cybersecurity isn’t the type of issue where swimming 90% of the way across the lake will cut it.

But as Kaafar explains, HTTPS adoption and best practice security are also matters for successful web hosting, as digital platforms like Google begin putting up barriers around websites that aren’t keeping up.

“HTTPS should be everywhere, Google is immediately redirecting people and forcing them to use HTTPS and that should be the default we have across Australian government websites,” Kaafar says.

Essentially, this means government websites that don’t beef up security practices might be less useful to the public, not just in that they’re less secure, but in that they could become less accessible over time.

“To put it bluntly, we’re putting millions of millions into cybersecurity every year and dealing with this, and maintaining [websites properly] would cost a fraction of that,” Kaafar says.

“These are the basics, right?”
