E-government: Australia experiences the risks while seeking better digital identity methods

E-government is a welcome phenomenon for citizens, proving moer convenient digital services. It’s also welcome by cybercriminals, who take advantage of cirtizen’s poor identity hygiene, worsened as identity verification becomes complex, to steal their data.

That’s why Services Australia is on a mission to make e-government services more secure without burdening citizens further through improved digital identiy methods.

South Australia sees digital licences as an attack vector

South Australia government authorities have disabled the passwords of more than 2,000 users of its digital driver’s licence service, as the government authority warned that poor password hygiene had enabled citizens’ accounts to be accessed by cybercriminals during a recent credential-stuffing campaign.

The news emerged this month as the state’s Department for Infrastructure and Transport advised that the hacking of a “separate, unrelated website” had provided a list of passwords that had been reused by cybercriminals attempting to access its mySA GOV services.

Although the department initially said only that the hackers had accessed “a number of mySA GOV accounts”, reports later placed the number of compromised accounts at 2,601—including 2,008 accounts that contained vehicle registration and driver’s licence information.

“This information can be used to steal identities, open bank accounts, apply for credit cards, and cause disruption and stress to the victims,” said Knowbe4 APAC security awareness advocate Jacqueline Jayne, noting that the hack “serves as an important reminder to ensure that you never, ever reuse a password.”

The department proactively blocked the passwords of all affected accounts, notifying their owners by email about the incident and encouraging them to change their driver’s licence numbers through a service centre.

Increase in e-government services means increased vector for cyberattacks

South Australia has been offering digital driver’s licences since 2017, positioning them as a core feature of its expanding digital-government presence. New South Wales has subsequently launched its own digital licence, with 19% of the state’s licence holders—more than 1 million people—opting into the system within its first six weeks and more than 3 million digital licenses, or half of all drivers, using them by May 2021.

The success of those initiatives has underscored Australians’ appetite for digital government services—the country ranked fifth in the world in a United Nations e-government comparison in 2020 but slipped in 2021—but the growing centralisation of personally identifiable information like digital driver’s licences has made them a natural target for cybercriminals.

State-based digital services agencies are custodians of massive volumes of data generated through COVIDsafe QR-code checkins and contact-tracing services, while federal myGov services are the gateway to agencies such as the Medicare national health system and Australian Taxation Office (ATO).

For all the security protections built into such systems, the mySA GOV hack has highlighted the ongoing risk of digital government services being compromised through something as simple as poor user hygiene—and the need to continue educating chronically disinterested Australian users not to reuse passwords across sites.

Fully 61% of the incidents analysed in the 2021 Verizon Data Breach Investigations Report involved credentials, with victims reporting as many as 3.3 billion credential-stuffing attacks thanks to cybercriminals’ widespread use of bots built for the purpose.

Within breaches of public administration organisations, Verizon reported, the use of credentials was even more common—found in 80% of the 3,236 analysed incidents, second only to natural-resources companies.

Guarding e-government’s Achilles’s heel: digital identity

Digital government initiatives’ high susceptibility to credential-stuffing and other attacks reinforces the importance of strong security frameworks around government services. And those frameworks are often not in place: Nine NSW agencies recently asked auditors not to publish the results of a report that identified “significant weaknesses” in their security practices. That’s hardly a vote of confidence in the policies protecting the data that powers the increasingly user-friendly apps that have become the face of Australia’s digital government.

Yet as state and federal governments continue to expand their digital-government efforts, just 21% of respondents told Gartner that all of their critical service delivery areas are making extensive use of digital identity solutions—a cross-function capability that Service Australia is working to enable through broader uptake of its myGovID digital identity service.

That service, which is being positioned as a consistent authentication method across many government services, is being developed with passwordless access in mind—tapping into biometric and other factors to, as Deputy CEO of Service Australia’s Transformation Projects Group Charles McHardie said, “replace the need for people to prove who they are to government agencies time and time again”.

Architected on open standards including OpenID Connect, the Australian Taxation Office (ATO)-managed myGovID is an identity layer that facilitates single signon capabilities by piggybacking the OAuth 2.0 protocol to enable transfer of identity information between government services.

It has so far been used to connect to more than 600,000 myGov accounts, although just 82,000 have reached the Strong level required for accessing all participating government online services.

The use of an identity exchange provides a “double-blind transfer of identity details,” McHardie told a recent Gartner IT Symposium, as well as feeding a citizen-accessible dashboard that lets them view and control identity usage. “While myGov has been instrumental in changing the way Australians access government services, it has limitations,” he said. “MyGov needs to do more to keep up with the demands of modern service delivery and customer expectations … [and] offer a central front door to online government services that includes a broader range of whole-of-government capabilities.”

Now in beta, a new version of the service will integrate myGovID with the government’s emerging facial verification service, which includes liveness detection from iProov to ensure a higher level of ‘selfie verification’ for accessing digital services.

The intent is to steer Australia’s evolving digital government services framework away from a problematic reliance on passwords, providing a greater degree of assurance for other government service providers that have yet to join the growing service ecosystem due to chronic deficiencies in access control.

“Transformation of this scale requires a focus on the total customer experience,” McHardie said, noting that Service Australia is redeveloping its myGov app with features like a secure wallet and a broader focus on interagency collaboration. “As more services accept the digital identity,” he said, “the value of convenience and ability to reuse it will grow. People will no longer need to know what part of government is responsible for transactions and services.”