myGov: The Beginning of the End of Whole-of-Government
The Commonwealth Ombudsman has released a blistering report on Services Australia response to myGov fraud. It is indeed an excellent but sobering report, considering the historical context of myGov. With the spectre of RoboDebt and RoboNDIS, this Ombudsman’s Report should be mandatory reading.
KEY FINDINGS
“myGov’s current security controls do not adequately protect people from unauthorised linking where identity theft has occurred.”
“An apparent lack of formal processes for managing shared risks across the myGov ecosystem.”
Interoperability: the risk impacts everyone. Shared risks are not managed. This is an extraordinary situation.
The Ombudsman reported that it commenced an own motion investigation because, based on Services Australia’s response to its enquiries and feedback in late 2023 - the Ombudsman was not assured adequate security controls were in place to protect people from the impact of myGov fraud.
The Ombudsman also received information that suggested a lack of a co-ordinated approach between Services Australia’s three member services, when responding to breaches and myGov fraud reported by customers.
“It remains unclear to us how, as the myGov administrator, Services Australia assures itself the controls implemented by member services are adequate for identified risks across the myGov ecosystem, and ensures other myGov participants are not placed at undue risk.
“It is also not clear if member services have visibility of one another’s risk assessments or ‘proof of record ownership’(PORO) requirements, to support them to make informed decisions about whether another member services' arrangements might pose an unacceptable risk to the security of their own services.”
“Based on the information provided to us during our investigation, it is unclear whether or how Services Australia and/or the broader group of entities within the myGov ecosystem have formally recognised or engaged with this risk.”
TOO BIG
Managing the myGov ecosystem is too big of a job for Services Australia - which itself is too big yet breaking under the load of servicing backlogs. There needs to be serious consideration given to what IS the role of Services Australia: a whole-of-government administrator of identity services and Robo automation - or primarily, a service delivery agency. Hopefully the Thodey Capability Review will examine this.
The Ombudsman’s Report highlighted the relative ease with which a fraudster can obtain "proof of record ownership" (PORO). The result of which is that:
fraudsters can circumvent this security control by using stolen identity information to meet PORO requirements; and
one failed PORO process can open the door to fraudsters obtaining additional personal information which they can use to access other member service accounts.
Into this complex high risk ecosystem, add the practice of the NDIA, sending unknown text messages to NDIS Participants telling them that the NDIA would call from a “private” number - AND TO ANSWER THE PHONE. For years, people - myself included - have been alerting the JSCNDIS about this scam-like practice, and NOTHING has been done. See my recent submission on the NDISBill, which describes in detail the defective NDIS systems - and the reliance of those defective systems on whole-of-government systems.
Recommended by LinkedIn
GAME OVER FOR WHOLE-OF-GOVERNMENT
Launched in 2013, "myGov is the Australian government’s front door for digital services and supports individuals to access services of participating government agencies." In my 2014 submission to the Murray Financial Systems Inquiry, I said that myGov should not be the centrepiece for digital transformation of government.
myGov has been going for a decade - but there is no magic fix for a model that I believe to be so fundamentally flawed from the beginning, now struggling in a volatile techno-geo-political hyper-connected era.
Of course, there is lots of defence-type talk - "defence in depth" - yet no amount of ruggedising will protect and secure the massive honey pot that has been created.
Now with deepfakes so prevalent, sophisticated cyber impersonation, industrialised bots - myGov won't withstand the onslaught. There is no reason why everything should be connected.
And here we see the political frivolousness of announceables and task forces.
"Management" by advisory group and special task forces never delivers accountability nor builds enduring public sector capability. The bureaucracy has been over-run with them.
With a conspicuous absence of government members and lacking the experience of complex Commonwealth service delivery, the myGov advisory arrangement appears as window dressing: probably to the annoyance of the good folk at Services Australia trying to hold things together.
This is the same approach that Government Services and NDIS Minister Bill Shorten has taken, with the disastrous listening theatre town-hall roadshow of the NDIS Review and the human rights violating NDIS Bill that has resulted in backlash from the disability community and all State and Territory governments. Indeed, it is difficult to see how any due diligence for the massive and extremely problematic RoboNDIS systems development that is already happening over at the NDIA, could have taken into account the robustness or otherwise of the underpinning whole-of-government systems, including myGov which has been a very serious problem for NDIS Participants and their families.
The only way forward, is for member agencies to separate from myGov - the one stop shop is not a one stop for citizens, but a one stop for crooks. Game over.
Meanwhile, crickets so far from the Public Service Commission and the DTA perhaps signals the beginning of the end of this episode of Whole-of-Government.
Commonwealth Ombudsman Report on myGov Fraud:
It's concerning to see the vulnerabilities in myGov's system, particularly given the impact on citizens. What steps do you think the government and Services Australia can take to address these issues and prevent similar situations in the future?
CEO & Board Member at M2M North Shore, Factotum, Chief Cook Bottle Washer, Carer, Caring for Carers through Carer Gateway - Your Side
2moMarie Always to the point and informed. I salute your insight and courage. If we cannot trust our government to secure our data - then who can we trust. This MUST be a #1 priority - not legislation that cya (theirs) for past ineptitude. Get on with it please. Data Trust is a must!
im not an academic i just have questions... Autistic | ADHD | INFJ | Aries/Taurus cusp | Wood Ox | Life Path 11 | Soul Urge 11 | Personality 11 | Expression 22 | Maturity 33
3mohttps://youtu.be/h-g3Qvj1sps?si=UsfG6vOgBQ49bgPJ
Author 'Nadia' | Co-creator Nadia AI I Digital Human Cardiac Coach I Global AI Leader | Co-Design for AI © | AFR Top 100 Influential Women | CIO | US O-1 Visa | Inventor | Not Quiet |
3moThe "dark ages". I was criticised for suggesting that we go back to the "dark ages". I'm OK with criticism but it seems that the "dark ages" comment disappeared overnight. So I wanted to share my response to the "dark ages" comment, as it provides some historical context. Response in comment below. 👇 👇👇
Emeritus Prof LTU
3moVery concerning