InnovationAus
National
Justin Hendry

Govt weighing bug bounty to find holes in systems

A bug bounty program for security researchers and other crowdsourcing “incentives” aimed at identifying potential vulnerabilities in federal government systems are being considered to boost the cyber posture of agencies.

As the next phase of development for Australia’s refreshed cybersecurity strategy begins, the Department of Home Affairs has flagged changes to the government’s nascent vulnerability disclosure programs (VDPs).

It comes less than a year after VDPs – which allow security researchers and other members of the public to easily report potential bugs to software owners – were mandated for agencies subject to the Protective Security Policy Framework (PSPF).

An investigation on Thursday revealed that only one department and a handful of agencies with responsibilities for front-facing digital services had introduced such programs since the mandate was introduced.

100 departments and agencies are subject to the requirements, which form part of the Protective Security Policy Framework that was last updated earlier this month to ban the use of TikTok on government devices.

Home Affairs, the government’s policy lead for cybersecurity and one of the departments without a VDP, told InnovationAus.com that the government would “further assess the effectiveness of standalone vulnerability disclosure policies” as part of the development of the strategy.

The government is also assessing “whether further incentives are needed to support security researchers to report vulnerabilities, including through a bug bounty program” – cash rewards for uncovering and reporting vulnerabilities.

As recently as 2020, bug bounties had never been considered by the federal government despite the US government introducing such programs, including Hack the Pentagon, Hack the Army and Hack the Air Force, from 2016.

While it is unclear what other incentives are being considered by the government, experts have been pushing for changes to Commonwealth criminal laws to prevent security researchers being prosecuted when reporting vulnerabilities in good faith.

Lyria Bennett Moses, a professor of law at UNSW and a director at UNSW Allens Hub for Technology, Law and Innovation, has recommended a ‘cyber socket’ to allow organisations to easily create vulnerability disclosure programs that align with legislation.

“The protection would only cover people acting in good faith, who are not intending to cause harm or threatening harm. The moment you cease to act in good faith, the moment you threaten harm, that would be outside the protection,” she told InnovationAus.com.

“A [cyber socket] just gives people that confidence that as long as they’re participating in good faith in a vulnerability disclosure program, not making threats, not intending to cause harm, they’re not committing crimes, and therefore it’s safe to make those reports.”

Last year, former New South Wales Minister for Customer Service and Digital Government Victor Dominello indicated that the state government would pursue the proposal at the Digital and Data Ministers Meeting. It is unclear if this occurred before his retirement.

The federal government is currently considering a range of proposals as part of the Cyber Security Strategy refresh, including the harmonisation of Australia’s cybersecurity laws through a single Cyber Security Act.

The proposed reform is contained in a discussion paper drafted by former Telstra boss Andy Penn, Cyber Security Cooperative Research Centre chief Rachel Falk, and former chief of the Air Force Mel Hupfeld, who together make up the expert advisory board advising the government on the strategy.

Last year, Mr Penn highlighted the need for the government to make “progress to harden its own systems and cyber defences”, after successive audits showed it had failed to meet its own cyber standards.

“In asking Australians and Australian businesses to support the strategy, government needs to be a role model in its own operations, in adopting the Essential Eight maturity model and improving the security of increasingly digital government service delivery,” he told the Press Club in August.

This week, Home Affairs minister Clare O’Neil said the development of the Cyber Security Strategy had progressed to its next phase, following the end of the public consultation into the expert advisory board discussion paper.

More than 280 submissions were received from across the community, which Ms O’Neil said “shows the extent of community support for a bold and ambitious strategy to boost our domestic cyber industry, work with industry leaders, and tackle cyber threat”.

“The cyber threat is growing every day, as a Government we are committed to increasing Australia’s national cyber resilience and capabilities in tackling these threats, on the road to becoming a world leader in cyber security by 2030.
