Researchers at the Optus Macquarie University Cyber Security Hub have released the results of their three-year comprehensive website security audit of Australia’s externally facing government websites and found that while cybersecurity has improved, a host of vulnerabilities remain.
Around 16 per cent of all government websites still serve pages over plain, unencrypted HTTP – including 34.5 per cent of sites belonging to the Australian Department of Health – leaving data in transit open to interception and tampering.
Examples could include the insertion of a pop-up requesting sensitive information from the Australian electoral portal; or text on an embassy website altered to be in direct opposition to diplomatic policy.
“People put their trust in government websites, they expect links to be safe and information to be well protected,” says Hub Executive Director Professor Dali Kaafar.
The audit looked at the security and vulnerability of 1862 federal, state and territory government websites under the .gov.au domain space, tracking federal sites from 2018-20 and rating them from one to five stars.
Basic security protocols on the rise
The report comes just two months after the federal government announced its $1.67 billion cyber security strategy, and Kaafar says while the report shows gaps and pitfalls in some basic security practices, cyber security is on the rise.
“The good news is that the security of government websites has improved significantly, rising from just 36 per cent adopting the secure HTTPS protocol in 2018, to 84 per cent using HTTPS in 2020,” he says.
He says that HTTPS is one of the most basic security protocols for preventing data from being stolen or corrupted, and that it guarantees you are connected to the intended website.
“Every time we access the web, we transmit information from a device such as a computer or our phone, using HTTP (hypertext transfer protocol) or HTTPS, which is the secure version,” says Kaafar.
Many governments and institutions require the use of HTTPS across their sites – for example, since 2015, it has been mandatory for all US government departments and agencies to use HTTPS – a step that Kaafar believes Australia should adopt.
“When configured correctly, using HTTPS helps secure websites from having data intercepted, or content altered, or malicious code inserted,” he says.
Code updates neglected
Kaafar says it’s not just the HTTPS configuration that’s being neglected. “The majority of government websites include outdated programs with known vulnerabilities,” he says.
The audit found that more than 70 per cent of state/territory governments' webpages and 57 per cent of federal government webpages had at least one JavaScript library with publicly known weaknesses.
For example, about 10 per cent of Australian government websites use outdated code that is vulnerable to Cross-Site Scripting (XSS), which could allow malicious code to be injected into the webpage.
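The two classes of finding the article describes, an HTTPS configuration that is missing or incomplete and bundled JavaScript libraries with publicly known weaknesses, can both be checked from a single fetched page. The script below is an added illustrative example, not the Hub's audit tooling; it works offline on constructed page samples (hypothetical hostnames, hand-written HTML) and uses a one-entry floor-version table as an assumption standing in for a real vulnerability database such as the retire.js repository data.

```python
"""Offline mini-audit of one fetched page: HTTPS posture plus outdated JS libraries.

Added illustrative example; not the Optus Macquarie Cyber Security Hub's tooling.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: a tiny floor-version table standing in for a real database such as
# retire.js. jQuery releases before 3.5.0 are affected by CVE-2020-11022 and
# CVE-2020-11023 (XSS via htmlPrefilter when untrusted HTML reaches DOM methods).
MIN_SAFE_VERSION = {"jquery": (3, 5, 0)}

# Pull src="..." out of <script> tags; good enough for static HTML audits.
SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
# Recognise "jquery-1.12.4.min.js" / "jquery.3.5.1.js" style file names.
LIB_VERSION_RE = re.compile(r'(?P<lib>jquery)[-.](?P<ver>\d+(?:\.\d+){1,2})', re.I)

ONE_YEAR = 31536000  # HSTS max-age floor commonly required (e.g. for preload lists)


def parse_version(text):
    """'1.12.4' -> (1, 12, 4); a missing patch/minor component counts as 0."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass
class PageSample:
    """What a fetcher would record for one URL: the URL it ended up at after
    redirects, the response headers, and the HTML body."""
    requested_url: str
    final_url: str
    headers: dict
    html: str


def audit_page(page):
    """Return a list of finding strings ('<kind>: <detail>') for one page."""
    findings = []
    headers = {k.lower(): v for k, v in page.headers.items()}
    scheme = urlparse(page.final_url).scheme.lower()

    if scheme != "https":
        findings.append("no-https: page served over plain HTTP after redirects")
    else:
        hsts = headers.get("strict-transport-security", "")
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m:
            findings.append("no-hsts: Strict-Transport-Security header missing")
        elif int(m.group(1)) < ONE_YEAR:
            findings.append(f"weak-hsts: max-age {m.group(1)} is under one year")

    for src in SCRIPT_SRC_RE.findall(page.html):
        # A script fetched over HTTP into an HTTPS page undoes the HTTPS protection.
        if scheme == "https" and src.lower().startswith("http://"):
            findings.append(f"mixed-content: script fetched over HTTP: {src}")
        lib = LIB_VERSION_RE.search(src)
        if lib:
            name = lib.group("lib").lower()
            floor = MIN_SAFE_VERSION.get(name)
            if floor and parse_version(lib.group("ver")) < floor:
                floor_text = ".".join(str(n) for n in floor)
                findings.append(
                    f"outdated-lib: {name} {lib.group('ver')} below {floor_text}: {src}")
    return findings


# Constructed samples (hypothetical hostnames, not real audit data).
SAMPLE_WEAK = PageSample(
    requested_url="http://portal.example.gov.au/",
    final_url="http://portal.example.gov.au/",
    headers={"Content-Type": "text/html"},
    html='<html><head><script src="/js/jquery-1.12.4.min.js"></script></head></html>',
)
SAMPLE_MIXED = PageSample(
    requested_url="http://portal.example.gov.au/",
    final_url="https://portal.example.gov.au/",
    headers={"Content-Type": "text/html"},
    html='<html><head><script src="http://cdn.example/analytics.js"></script></head></html>',
)
SAMPLE_HARDENED = PageSample(
    requested_url="http://portal.example.gov.au/",
    final_url="https://portal.example.gov.au/",
    headers={"Content-Type": "text/html",
             "Strict-Transport-Security": "max-age=63072000; includeSubDomains"},
    html='<html><head><script src="https://cdn.example/jquery-3.6.0.min.js"></script></head></html>',
)

if __name__ == "__main__":
    for label, page in (("weak", SAMPLE_WEAK), ("mixed", SAMPLE_MIXED),
                        ("hardened", SAMPLE_HARDENED)):
        print(label, audit_page(page) or ["no findings"])
```

In a real run the `PageSample` would be filled from an HTTP client that follows redirects, and the version table replaced by a maintained database; the structure of the checks (scheme after redirects, HSTS presence and lifetime, mixed content, library version below a known-fixed release) is what the audit described in the article is measuring.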
The federal government’s first annual cybersecurity threat report released in September showed there were 2266 cybersecurity incidents and 59,806 cybercrime reports logged over the last financial year, with a rise in COVID-19-themed scams from March 2020 onwards.
The government’s own report noted “the sustained targeting of Australian governments and companies by a sophisticated state-based actor”.
“Unfortunately, criminals only require a small crack in a window to get into the house,” says Kaafar.
“Cyber security is a daily fight – just as we can’t afford to become complacent in a biological pandemic, we also can’t afford complacency around our digital infrastructure.”
Kaafar says that the team shared the results of the security audit with all relevant state and federal government privacy commissioners and chief cybersecurity officers in mid-September.
Dali Kaafar is a Professor in the Department of Computing and Executive Director of the Optus Macquarie University Cyber Security Hub