Government docs reveal gunning for AusCERT

The Federal Government chose to drop AusCERT from its Stay Smart Online (SSO) security alert service because it felt the non-for-profit organisation "failed to innovate", freedom of information documents have revealed.

The online security service was run by AusCERT for four years before the contract expired in April 2012. Enex TestLab now runs the alerts.

The DBCDE chose Enex TestLab from a government technology advisory panel that AusCERT chose not to bid to be part of.

FOI documents

Documents circulated within the Department of Broadband, Communications and the Digital Economy (DBCDE) by its Cyber Security and Asia-Pacific Engagement Branch claim that AusCERT had agreed to make SSO "more innovative", but that the department felt it hadn't acted on the promise.

"While AusCERT have met the requirements of the contract over the past four years, they have not been innovative or responded to the changing needs of users despite agreement during conversations with the DCBDE cyber security staff that the service needed to evolve to remain relevant," the document read.

The department wished for the SSO alerts to include broader information than AusCERT's detailed and specific vulnerability alerts. 

It wanted plain english content on how to avoid "viruses, phishing scams, online hoaxes, identity theft, [and] new security measures" among other initiatives.

"A key example was the Sony PlayStation vulnerability, where the department - in consultation with the Attorney-General's Department - had to develop the alert. Although the issue was discussed heavily in the media, the value of the SSO alert is that is advises the people of the actions they need to take if they believe they are vulnerable.

"The alert may need language simplification, modification for Twitter or Facebook or include background. AusCERT has not demonstrated an ability to deliver such a service."

A cursory search of SSO Alerts shows that AusCERT had in fact covered phishing scams and viruses in its SSO alerts issued as far back as 2009 and as recently as this year.

The SSO now sources content from government agencies including the Australian Federal Police, CERT Australia, the Australian Communications and Media Authority, The Australian Competition and Consumer Commission, the Australian Tax Office, banks and "other content alert providers".

Sensitivities

In correspondence marked 'sensitivities', the Government acknowledged its own role in reducing AusCERT's capacity.

The documents noted that AusCERT was dealt a blow when it was "replaced" by the government-run CERT Australia.

 "AusCERT's operations have not changed in the past four years. They were the first CERT service in Australia but have since been replaced by CERT Australia. Discussions with AGD (the Attorney General's Department) suggest this change in market position has had a negative effect on the resources AusCERT now have."

AusCERT initially lost staff to CERT Australia when the latter set up a rival office within walking distance of AusCERT's Brisbane office. But SC Magazine understands that CERT Australia later lost a large number of those staff to private sector security consultancies.

The department expected AusCERT to "go to the media once it becomes clear that the department intends to approach only select companies on the technology panel and not release a tender [for the SSO service] to the open market.

Contacted to comment on the department's claims, AusCERT said it did "not agree with all of the comments made by [the] DBCDE" but would not comment further.

SC Magazine sought these documents in an attempt to determine whether the loss of a DVD containing sensitive information, sent from AusCERT to the Department, played any role in the decision to drop AusCERT from SSO.

Copyright © SC Magazine, Australia