Nearly one in every six Australian government web sites does not use the standard security protocol for protecting users’ data, researchers have found, with several federal departments failing to properly protect more than a third of their sites.
A Security Audit of Australian Government Websites by cyber experts from Macquarie University has revealed what the authors describe as “light and shadow” across more than 1800 government sites analysed.
While most government web sites have rapidly adopted Hypertext Transfer Protocol Secure or HTTPS, the widely used protocol for secure communication across the internet, there is still a significant number that have not — leaving them vulnerable to cybercriminals.
Adoption of HTTPS is an essential requirement for providing communication confidentiality, content integrity and server authentication, and is strongly encouraged in the Australian Government Information Security Manual and government cyber threat mitigation advice.
According to the study, 16 per cent of federal government web sites and 11 per cent of state and territory web sites are yet to adopt HTTPS, relying instead on plaintext HTTP which leaves users vulnerable to network and “man in the middle” attacks — where attackers impersonate servers and intercept communications.
The lack of HTTPS is surprising and concerning, according to one of the study’s authors and Executive Director at Optus Macquarie University Cyber Security Hub, Professor Dali Kaafar.
“That was a surprise: the level of HTTPS adoption or lack thereof,” Kaafar tells Which-50. “Even digging deeper into the level of security of the HTTPS was also a big surprise for us. In particular for a few government agencies.”
34.5 per cent of the web sites belonging to the Australian Department of Health and 47.4 per cent of the Department of Environment and Energy still use plain text (non-encrypted) HTTP.
There are significant financial costs to upgrading sites to HTTPS and maintaining them but, Kaafar says, the lack of adoption of HTTPS by federal agencies in Australia is out of step with counterparts in the US and parts of Europe.
“The 100 per cent adoption of HTTPS should have been done yesterday,” says Kaafar. “This is really the number one thing that should probably happen right now [to improve web security].”
Which-50 understands several government agencies were given advance notice of the study.
Update: A spokesperson for the Australian Cyber Security Centre told Which-50, “The Australian Cyber Security Centre assists government website owners to identify and address website security issues through regular scanning and reporting, which tracks vulnerabilities across federal, state and territory government domains.”
The ACSC has previously issued public advice on the adoption of HTTPS and on TLS configuration settings.
Researchers performed a comprehensive security and vulnerability analysis of federal government sites in 2018, 2019 and 2020, adding state and territory sites to the study this year. They found security has improved significantly over the last three years.
“Our analysis reveals that most of (but not all) Australian government web sites currently provide adequate security guarantees,” the report states. “More than 80 per cent of the analysed web sites adopt HTTPS, and almost 90 per cent of the HTTPS-enabled web sites provide strong or adequate security by adopting robust server configurations.”
In 2018 only 36 per cent of government web sites were HTTPS enabled, and most of those that were had insecure configurations.
Today there are still several security gaps and pitfalls in Australian government web sites, according to the study.
A quarter of Tasmanian government web sites and more than a third of (federal) Department of Health web sites were still not HTTPS-enabled in August 2020. And a small but significant number of federal sites that do use HTTPS do so with insecure server configurations. The shortcomings mean users’ communications are vulnerable to interception by bad actors.
Rating government sites
Adoption of HTTPS alone is not a guarantee of data protection, because the protocols and settings on the web servers need continuous updating. The Macquarie University study therefore also audits how securely each government web site’s HTTPS is configured, assigning each a score from 1 to 5 stars.
Overall the effective use of HTTPS has improved dramatically in three years, with one-star ratings falling from 71.2 per cent in September 2018 to 30.1 per cent in November 2019 and 3.9 per cent in August 2020.
Currently, almost 96 per cent of Australian federal government department web sites provide either strong (5 stars) or adequate (4 stars) security guarantees.
“There are different shades of security but there’s a lot of them that had this 5 star rating,” Kaafar explains.
There is a full list of all government sites analysed in the study, including their individual ratings.