Tuesday, 16 June 2020
Since 2016, the US government has invited the public to hack the Pentagon. It's true! Knowing that adversaries are constantly trying to breach their systems, the US Department of Defense periodically invites white-hat hackers to try to breach its systems and win a cash bounty if they're successful. It's known as a bug bounty—a financial reward used to harness external security researchers in the task of identifying security vulnerabilities in systems—and it's working. Since 2016, more than 10,000 vulnerabilities have been discovered as security researchers have hacked the Pentagon, the army, the air force, the Marine Corps and the Defense Travel System.
Compare that with this government, which not only fails to engage with security researchers to strengthen the Commonwealth's cybersecurity posture but has often been actively hostile to their work. Compare the philosophy of Hack the Pentagon with this government, which threatened a prominent cryptographer for revealing that an anonymised dataset released by the health department was easily re-identifiable. It is a government that has sought to gag security researchers at Commonwealth funded cybersecurity conferences and has kicked journalists out of public forums on the development of its cybersecurity strategy. Most recently, it has allowed unnecessary bugs to undermine the effectiveness of its COVIDSafe app by failing to engage with the community of public-interest technologists who have volunteered their time to review the app's code for security and operations flaws. Just this week, Richard Nelson, a software developer studying COVIDSafe in his own time, identified a bug in the app that prevents locked iPhones from being logged by other phones—two months after the app passed internal reviews and went live.
This government's approach to security is entirely founded on secrecy, but vulnerabilities don't vanish when you refuse to talk about them. Transparency doesn't create security threats; it reveals them. Yet the government have treated the good-faith endeavours of independent security researchers as acts of malice. They've treated potential allies as enemies. While the US government pays independent security researchers, the Australian government gags and ignores them. The government's addiction to secrecy in cybersecurity is making us less safe.
A government that wanted to harness the endeavours of independent researchers to improve our posture could take a number of steps. It could initiate a process to reconcile conflicting and confusing state and territory laws that are potentially applicable to aspects of security researchers' work. It could insist that Commonwealth entities publish a vulnerability disclosure process outlining how security researchers can alert management to vulnerabilities in their systems and how entities will respond. It could set up a centralised vulnerability disclosure process of last resort for reports that are not adequately addressed.
The government's neglect of cybersecurity policy has been obvious to all since the Prime Minister, when he came to power, abolished the dedicated portfolio for it in the executive and made it the last point in Minister Dutton's 'to do' list. The new Cyber Security Strategy has been in the works for 10 months and is now two months late. But the most inexplicable neglect in the government's approach to cybersecurity is its refusal to engage with the security research community, public-interest technologists volunteering their time to help the government be better.