The Department of Finance is going shopping for protection against distributed denial of service attacks on federal government websites, like those that led to the online Census form being taken offline on the big night itself last August.
Since the release of govCMS, more entities and business units inside the APS have been able to publish their own websites. But these business units are unlikely to have the extensive resources that agencies like the Australian Bureau of Statistics can allocate to issues like DDOS protection.
Finance wants to procure DDOS protection services in a package deal for these sites, as well as those hosted by Sliced Tech, along with web application firewall and content distribution network services, and explains to prospective tenderers:
“Collectively the services are intended to protect against as many types of attack as possible and ensure the protected web sites remain available and responsive at all times.”
According to the AusTender entry, the federal bureaucracy needs protection for 50 individual websites that get about 100 million hits and handle about 2.5 terabytes of traffic per month to start with. The new protection services are expected to be up and running, ready to “respond automatically to DDOS attacks” from Thursday, April 27 this year.
The department wants the winning supplier to help it “provide advance warnings of events … where DDOS attacks may be anticipated” to the government, report any that arise, be on hand with “advice and input in relation to DDOS and other cyber attack activity” and help configure services on the fly, including during attacks.
White-hat hackers might be happy to hear the request for tenders mentions the possibility that the web security service provider might run a “bug bounty” program, a way of crowd-sourcing expertise by paying a reward for finding and reporting vulnerabilities:
“The tenderer should describe how they identify and remediate vulnerabilities in the Services such as independent bug bounty program, responsible bug disclosure program, third party provider disclosures, patch management schedule and vulnerability management strategy.”
The service provider or providers will have to report any security incident by phone as soon as possible and provide a written report of any attack that disrupts a service or “is otherwise significant” — due to the scale of the attack, for example — within 5 days:
“Details should include the nature of the attack (type, duration, traffic volumes and impact), source IP address and how the attack was resolved.”
Contractors will also be expected to report directly to the Australian Cyber Security Centre or any other government body as required, and in the event of breaches, collect evidence about “how, when and by whom” the systems have been compromised and keep it for up to 12 months.
Some responsibility for mitigation strategies that reduce the impact of security incidents as they are unfolding and reduce the chance of them recurring would be built into the contract.
Data mining off limits
Another special addition to the contract terms reveals that the Australian government takes a dim view of external IT service providers poking around in its web traffic for insights:
“Unless authorised in writing by the Finance Representative, the Contractor must not at any time conduct Data Mining activities in respect of the Cloud Services or any Finance Material, user material or information uploaded, accessed or manipulated in the Cloud Services by Finance or its authorised users.”
Finance defines “data mining” as anything that involves “analysing or searching for patterns in data sets to extract information and transform it into an understandable structure, whether through automated or human means, and includes data dredging, data fishing and data snooping or similar methods” and it doesn’t care what your terms and conditions say:
“The prohibition on Data Mining applies even if a user is required to click through and accept the Contractor terms permitting the Contractor to conduct Data Mining on a user, or a collection of user accounts. Such terms have no effect whatsoever.”
Camp for a better govCMS
The team behind govCMS is running a hackathon-like camp later this month to add new functionality to the Finance department’s Drupal-based content management and hosting service.
“As part of the grassroots events, this camp is designed to get the community together to share expertise, collaborate across agencies, and to contribute back to the open source community.
“You don’t necessarily have to be a UX specialist, designer, developer, web content publisher/editor or site owner to attend the camp. Anyone who wants to inform the development of govCMS in 2017 is welcome to attend.”
The camp will be held at the Department of Finance’s One Canberra Avenue office in Forrest on January 30 and 31. BYO laptop. Finance will provide the pizza, WiFi and other essentials. Registration details are at the GovCMS site.