The protection of taxpayer, health and Centrelink data against bot attacks and other cybercrimes will be beefed up as the government works to lock down sensitive data.
Tender documents show the Department of Finance is looking for better security after hack attacks on Optus and Medibank exposed the data of millions, leaving people exposed to extortion and identity theft.
The department manages GovCMS, which looks after content and services for government agencies like the Australian Taxation Office and the Department of Social Services.
The documents, seeking a supplier, are clear about what's wanted.
"The services must protect against a large variety of types of cybersecurity attacks, including all cybersecurity attacks which a sophisticated service would be expected to protect against," it reads.
It goes on to list "denial of service" surges and bot attacks among the threats.
Tight turnaround
Finance Minister Katy Gallagher declined to comment about the tender or the value of the contract.
The deadline means there'll be a lot of work over the Christmas break, because the documents ask any potential supplier to ensure that services:
"... are operational and ready to respond automatically to any malicious attack traffic on or before 27 April 2023."
The requirements are big.
The services must protect websites that reach millions of people, with the documents laying out how busy the sites can get and what's needed.
- 370 individual websites
- 120 terabytes of traffic a month
- 1.5 billion hits a month
The documents have a dry title: "Request for Proposal for the Provision of Web Application Protection Services (CDN, DDoS, WAF and Bot Management)", and lack a key element — cost.
There is no price range attached to the two-year contract, which has a potential one-year extension period.
Data mining ban
Customer data is set to be protected in an extra way, with the security company banned from "mining" it.
Data mining happens when large databases are analysed to discover new information, such as trends.
Unless there's written approval, the security supplier is banned from mining any of the "customer material, user material or information uploaded, accessed or manipulated in the services by the customer".
The ban continues even if customers have to click and accept a terms and conditions page.
"Such terms have no effect whatsoever," the tender documents emphasise.
