The federal government’s refusal to engage and support security researchers is putting Australian agencies and the general public at risk, according to Labor cybersecurity spokesman Tim Watts.
While countries like the US have actively engaged security researchers through bug bounty programs, the Australian government has been hostile to white-hat hackers and often threatened or gagged them instead of engaging with their work, Mr Watts said in Parliament on Tuesday.
“This government’s approach to security is entirely founded on secrecy. But vulnerabilities don’t vanish when you refuse to talk about them. And transparency doesn’t create security threats – it reveals them. Yet this government has treated the good faith endeavours of independent security researchers as acts of malice,” Mr Watts said.
“They have treated potential allies like enemies. While the US government pays independent security researchers, the Australian government gags and ignores them. The government’s addiction to secrecy in cybersecurity is making us less safe.”
Mr Watts pointed to the US government’s bug bounty programs, which have seen more than 10,000 vulnerabilities discovered by white-hat hackers attempting to breach the Pentagon, Army, Air Force, Marine Corps and Defense Travel System.
“Now compare that to this government which not only fails to engage with security researchers to strengthen the Commonwealth’s security posture, but has often been actively hostile to their work,” he said.
“Compare the philosophy of Hack the Pentagon with this government who threatened a prominent cryptographer for revealing that an anonymised data set released by the Health Department was easily re-identifiable.
“A government who has sought to gag security researchers at Commonwealth-funded cybersecurity conferences and kick journalists out of public forums on the development of its cybersecurity strategy.”
There was a push recently for a bug bounty program to be launched for the government’s COVIDSafe contact tracing app, with several security researchers and developers analysing the app’s code and finding a number of flaws and vulnerabilities.
But the only contact for these developers was an email address at the Digital Transformation Agency, and many developers have been critical of delayed responses, leaving these vulnerabilities still in the app.
“That has allowed unnecessary bugs to undermine the effectiveness of its COVIDSafe contact tracing app by failing to engage with a community of public interest technologists who have volunteered their time to review the app’s code for security and operational flaws,” Mr Watts said.
Policy priorities for the government in this space should be reconciling the “conflicting and confusing” state and territory laws applying to different aspects of the work of security researchers, directing Commonwealth entities to publish a Vulnerability Disclosure Process outlining how researchers can alert management about vulnerabilities in their systems, and establishing a centralised process to report those not adequately addressed, he said.
“The government’s neglect of cybersecurity policy has been obvious to all since the Prime Minister abolished a dedicated portfolio for the issue and made it the last point on Minister Dutton’s to-do list,” Mr Watts said.
“But the most inexplicable neglect in the government’s approach to cybersecurity is its refusal to engage with the security research community – public interest technologists volunteering their time to help the government better serve the Australian public.”