myGov: The Beginning of the End of Whole-of-Government
The Commonwealth Ombudsman has released a blistering report on Services Australia’s response to myGov fraud. It is indeed an excellent but sobering report, considering the historical context of myGov. With the spectre of RoboDebt and RoboNDIS, this Ombudsman’s Report should be mandatory reading.
KEY FINDINGS
“myGov’s current security controls do not adequately protect people from unauthorised linking where identity theft has occurred.”
“An apparent lack of formal processes for managing shared risks across the myGov ecosystem.”
Interoperability: the risk impacts everyone. Shared risks are not managed. This is an extraordinary situation.
The Ombudsman reported that it commenced an own motion investigation because, based on Services Australia’s response to its enquiries and feedback in late 2023, the Ombudsman was not assured that adequate security controls were in place to protect people from the impact of myGov fraud.
The Ombudsman also received information that suggested a lack of a co-ordinated approach between Services Australia’s three member services when responding to breaches and myGov fraud reported by customers.
“It remains unclear to us how, as the myGov administrator, Services Australia assures itself the controls implemented by member services are adequate for identified risks across the myGov ecosystem, and ensures other myGov participants are not placed at undue risk.
“It is also not clear if member services have visibility of one another’s risk assessments or ‘proof of record ownership’ (PORO) requirements, to support them to make informed decisions about whether another member services’ arrangements might pose an unacceptable risk to the security of their own services.”
“Based on the information provided to us during our investigation, it is unclear whether or how Services Australia and/or the broader group of entities within the myGov ecosystem have formally recognised or engaged with this risk.”
TOO BIG
Managing the myGov ecosystem is too big a job for Services Australia - which itself is too big yet breaking under the load of servicing backlogs. There needs to be serious consideration given to what IS the role of Services Australia: a whole-of-government administrator of identity services and Robo automation - or primarily, a service delivery agency. Hopefully the Thodey Capability Review will examine this.
The Ombudsman’s Report highlighted the relative ease with which a fraudster can obtain "proof of record ownership" (PORO). The result is that:
“fraudsters can circumvent this security control by using stolen identity information to meet PORO requirements; and”
“one failed PORO process can open the door to fraudsters obtaining additional personal information which they can use to access other member service accounts.”
Into this complex, high-risk ecosystem, add the practice of the NDIA sending unknown text messages to NDIS Participants telling them that the NDIA would call from a “private” number - AND TO ANSWER THE PHONE. For years, people - myself included - have been alerting the JSCNDIS about this scam-like practice, and NOTHING has been done. See my recent submission on the NDIS Bill, which describes in detail the defective NDIS systems - and the reliance of those defective systems on whole-of-government systems.
GAME OVER FOR WHOLE-OF-GOVERNMENT
Launched in 2013, "myGov is the Australian government’s front door for digital services and supports individuals to access services of participating government agencies." In my 2014 submission to the Murray Financial Systems Inquiry, I said that myGov should not be the centrepiece for digital transformation of government.
myGov has been going for a decade - but there is no magic fix for a model that I believe to be so fundamentally flawed from the beginning, now struggling in a volatile techno-geo-political hyper-connected era.
Of course, there is lots of defence-type talk - "defence in depth" - yet no amount of ruggedising will protect and secure the massive honey pot that has been created.
Now with deepfakes so prevalent, sophisticated cyber impersonation, industrialised bots - myGov won't withstand the onslaught. There is no reason why everything should be connected.
And here we see the political frivolousness of announceables and task forces.
"Management" by advisory group and special task forces never delivers accountability nor builds enduring public sector capability. The bureaucracy has been over-run with them.
With a conspicuous absence of government members and lacking the experience of complex Commonwealth service delivery, the myGov advisory arrangement appears as window dressing: probably to the annoyance of the good folk at Services Australia trying to hold things together.
This is the same approach that Government Services and NDIS Minister Bill Shorten has taken, with the disastrous listening theatre town-hall roadshow of the NDIS Review and the human rights violating NDIS Bill that has resulted in backlash from the disability community and all State and Territory governments. Indeed, it is difficult to see how any due diligence for the massive and extremely problematic RoboNDIS systems development that is already happening over at the NDIA could have taken into account the robustness or otherwise of the underpinning whole-of-government systems, including myGov, which has been a very serious problem for NDIS Participants and their families.
The only way forward is for member agencies to separate from myGov - the one stop shop is not a one stop for citizens, but a one stop for crooks. Game over.
Meanwhile, crickets so far from the Public Service Commission and the DTA perhaps signals the beginning of the end of this episode of Whole-of-Government.