The New South Wales government will push for changes to Commonwealth criminal laws to prevent cybersecurity researchers being prosecuted for reporting potential bugs and vulnerabilities, including in the systems of public sector agencies, in “good faith”.
Customer Service and Digital Government minister Victor Dominello is planning to pursue the changes before he retires from politics in March 2023, to pave the way for the state’s first whole-of-government policy framework for cyber security vulnerability disclosure.
Cyber Security NSW recently began developing the policy to source “more reports from the community, allowing NSW government… to proactively improve the cyber security of public systems”, a spokesperson told InnovationAus.com.
Vulnerability disclosure is currently haphazard across government, with most agencies liaising with researchers individually in the absence of a standardised approach for reporting.
The government’s one-stop shop for services, Service NSW, is one of the few agencies to have created a public bug bounty program, which it introduced in the course of developing the New South Wales digital driver’s licence.
In creating the policy, Cyber Security NSW hopes it can provide “much-needed clarity” around disclosure, including “definitions of ‘good faith’ security research and timeframes for agencies to respond”.
“The vulnerability disclosure policy will provide clear expectations for all NSW government agencies and the public about how the government will handle reports of identified vulnerabilities,” the spokesperson said.
Before the arrival of the policy, however, the state government will seek to have Commonwealth legislation amended to ensure that those who report vulnerabilities in line with the policy are not liable to be prosecuted for good faith reporting.
The concerns were raised during a ‘Cyber Insights’ roundtable with 20 cyber security leaders from across NSW government, industry and academia, including crowdsourced security company Bugcrowd, last month.
Lyria Bennett Moses, a professor of law at the University of NSW and a director at the Allens Hub for Technology, Law and Innovation, recommended a ‘cyber socket’ to allow organisations to easily create vulnerability disclosure programs that align with legislation.
A proposal paper on the cyber socket was subsequently drafted by some of the academic and industry leaders at the roundtable and provided to Minister Dominello, who has committed to taking it to a future Digital and Data Ministers Meeting prior to his departure.
Professor Moses said that clarifying computer crime legislation would give researchers and the public confidence when reporting and ultimately lead to a greater number of important vulnerability disclosures.
In keeping with NSW’s one-stop shop model, the state government will also consider introducing a single ‘front door’ for disclosing vulnerabilities and adding vulnerability disclosure processes to the NSW Cyber Security Policy once the policy has been implemented.
The policy is similarly expected to be “written in a way which accounts for future whole-of-Australian government policy frameworks on vulnerability disclosure to make this transition as seamless as possible”.
Vulnerability disclosure programs were mandated at a federal government level in July after similar feedback from industry about the value of allowing security researchers and other members of the public to easily report vulnerabilities.
It is unclear if any agencies have introduced vulnerability disclosure programs since the arrival of the mandate. The Australian Taxation Office, Department of Health and the Australian Bureau of Statistics already have established vulnerability disclosure policies.
Other state and territory government agencies, including the South Australian Department of the Premier and Cabinet, are also working to introduce formalised bug bounty programs to better manage the discovery of vulnerabilities.
Do you know more? Contact James Riley via Email.