Independent cybersecurity audit of government websites shows ongoing threats

26 October 2020

A three-year cybersecurity audit of 1,862 externally-facing websites across Australia’s federal, state and territory governments has shown that despite improved cybersecurity, many sites remain vulnerable to malicious attacks and insecure data transmission.

Researchers at the Optus Macquarie University Cyber Security Hub rated the security and vulnerability of websites under the domain space from one star (poor) to five stars (excellent). Federal websites were tracked for three years, with state and territory websites added this year.

The report found that more than half of the government’s websites are vulnerable to attack and 16 per cent allow unencrypted data transmission because they do not have the HTTPS protocol enabled.

“The good news is that the security of government websites has improved significantly, rising from just 36 per cent adopting the secure HTTPS protocol in 2018, to 84 per cent using HTTPS in 2020,” says Professor Dali Kaafar from Macquarie University’s Faculty of Science and Engineering, who is the Executive Director of the Optus Macquarie University Cyber Security Hub.

However, the audit also found that over 70 per cent of state/territory governments’ webpages and 57 per cent of federal government webpages had at least one JavaScript library with publicly known weaknesses.

“The majority of government websites include outdated programs with known vulnerabilities,” Professor Kaafar says, adding that ten per cent of Australian government websites are vulnerable to Cross-Site Scripting (XSS), where malicious code can be injected into a webpage.

The federal government’s first annual cybersecurity threat report released in September showed there were 2,266 cybersecurity incidents and 59,806 cybercrime reports logged over the last financial year, with a rise in COVID-19 themed scams from March 2020 onwards.

“Unfortunately, criminals only require a small crack in a window to get into the house,” says Professor Kaafar.

He says that cybersecurity is a daily fight and all levels of government must ensure they fund the ongoing maintenance of their digital infrastructure.

The public report is available now.
