The federal government has mandated that agencies use protective domain name system services to prevent malware and other infections from malicious websites in the wake of several high-profile data breaches.
The Attorney-General’s Department updated advice to agencies late last month on the recommendation of the Australian Cyber Security Centre (ACSC), with the requirement now embedded in the protective security policy framework (PSPF).
A protective domain name system (PDNS) service works to automatically prevent “connections to and from known malicious endpoints”. It does this by analysing inboard and outbound network traffic against websites and email servers known to be high-risk.
The ACSC began offering federal, state and territory government agencies a free PDNS service from UK-based cyber security firm Nominet on an opt-in basis in October 2021, having originally trialled the service in early 2020.
Nominet also provides the PDNS service offered by the United Kingdom’s National Cyber Security Centre (NCSC), a service that has been available to government agencies in the country since August 2017.
Around 170 organisations, including state and local government agencies, have adopted AUPDNS since it was first offered up last year. In 2021-22, more than 24 million domain requests were blocked.
Despite the ACSC offering the AUPDNS at no cost to other government agencies, the government will not require that agencies use the service, instead giving them the option to select other third-party services.
A spokesperson from the Attorney-General’s department told InnovationAus.com this was because the “PSPF provides flexibility for entities to consider other solutions that block malicious domains as appropriate for their operating environment”.
The spokesperson also stressed that the mandate was “not the result of a particular incident” and was merely recommended to ensure the PSPF – the framework that agencies use to protect their information, assets and people – continues to represent best practice.
The PDNS mandate comes as the federal government continues to centralise its networks through the cyber hubs pilot, which received a further $31.3 million in the October Budget for a six-month extension.
The funding – the second injection this year – will also be used to develop a Commonwealth incident response capability and to prepare a business case for the extension of the scheme beyond July 2023.
Since the arrival of the PDNS mandate, the Department of Finance has approached the market for web application protection services for the Drupal-based GovCMS content management system which is hosted on Amazon Web Services.
Services sought include distributed denial-of-service (DDoS) protection, web application firewall, bot management, content distribution network, domain name system, vulnerability management, among others.
“These services are to provide cyber security protection under a whole of government arrangement for web applications and application program interfaces (APIs),” the department said in a request for proposal.
