Australia under cyber attack: How ethical hackers can strengthen public sector security

Technology leaders must take a proactive approach to mitigating security concerns at state, territory and federal government levels.

As the ‘sophisticated’ nation-state cyber attack storm rages on in Australia – impacting all levels of government and prompting a Prime Ministerial response – technology leaders face a new type of security dilemma.

Triggered by unprotected systems, lucrative financial rewards and rising COVID-19 challenges, hackers are hammering on the network door of the nation.

As a result, the need for the public sector to strengthen security defences, eliminate risk and manage vulnerabilities continues to heighten.

“Cyber crime and data breaches increase daily – and governments are a prime target,” observed Alex Rice, co-founder and CTO of HackerOne. “Addressing security risks at scale is more important than ever with communication, elections and information storage increasingly happening online.”

Yet at a local level, government agencies are still struggling to lock down security practices, with a string of breaches highlighting the consequences. Whether the Department of Home Affairs, Service NSW or the Digital Health Agency, the Australian government is facing an epidemic of breaches.

“The stakes are high; agencies are responsible for a massive quantity and variety of data,” Rice added. “As organisations transform digitally, they need a way to maintain system integrity and prevent security risks during all activities.

“Even for large organisations with resources to spare, it’s not possible to add deeper and deeper layers of security to protect new, interconnected applications.”

Despite the consequences, Australian government agencies have turned in yet another poor showing in the latest audit of information-security controls. As revealed by CSO, only one agency out of 18 currently meets mandated information security guidelines.

In co-founding HackerOne – a global bug bounty platform – Rice is well versed in the challenges impacting government departments, drawing on more than 20 years of cyber experience.

“One thing we often hear from government agencies is concern surrounding building trust and appearing proactive in their cyber security defences,” Rice outlined. “Consumers are becoming increasingly wary of how, when and where their information is used.

“Digital contact tracing, for example, has been a hot topic surrounding government agencies in recent weeks. Its purpose is to identify and isolate potential risks of spreading infectious diseases. This relies on Bluetooth technology to track individuals’ mobile devices. Obviously, people are concerned about their privacy.”

In assessing the Australian landscape, Rice said securing digital trust has become “increasingly difficult” in an era of increased data breaches, deep fakes and misinformation.

“People no longer trust the information they encounter online or the brands that seek to do business with them,” he acknowledged. “Only a third of consumers trust the companies and service providers they interact with every day.

“To fill this trust gap, organisations must provide secure end-to-end digital experiences. Protecting personally identifiable information [PII] is paramount. And companies of all sizes have to ensure their security meets the rigorous compliance standards of GDPR and others.”

Ethical hacking

To combat rising security concerns at government levels, Rice said bug bounty programs enable agencies to assume a proactive security stance, delivered in an efficient and cost-effective manner.

Step forward ethical hackers, hired to mitigate security concerns at state, territory and federal government levels.

Tasked with identifying and reporting potential security threats, ethical hackers work alongside government agencies to close cyber loopholes through enterprise-sponsored bug bounty programs.

“Many organisations are scrambling to hire cyber security professionals to meet these critical demands,” Rice said. “By some estimates, there are as many as one million unfilled cyber security jobs.

“However, cyber security also suffers one of the highest burnout rates of any industry, making it almost impossible to scale. Working with a crowd of hackers allows you the diversity of talent needed to bolster defences and fill the gaps in your team.”

Created by hackers and security leaders motivated to make businesses safer, HackerOne currently works with almost 2000 organisations across the world, including federal governments from the US to Asia Pacific.

“Having a way for security researchers to reach out to you has become a government best practice and may soon be a government-wide requirement in the US,” Rice added.

Following the success of the ‘Hack the Pentagon’ program in 2016, the U.S. Department of Defence wanted a way to continue leveraging the hacker community to help secure public-facing assets.

“So, they launched an ongoing HackerOne Response program – our version of a vulnerability disclosure program or a ‘see something, say something’ for security,” Rice outlined. “Within the space of three years, more than 15,000 vulnerabilities have been reported in government systems through HackerOne.”

Copyright © 2020 IDG Communications, Inc.