Australians have told us they want to do more of their business with government online.

They are also demanding the same levels of simplicity, security and convenience that they enjoy from their banks, airlines or retailers that help them manage their busy lives.

But up until now, governments have been unable to meet these expectations due to the difficulty of proving the identity of online users to an appropriate standard.

That is why we have developed a new digital identity solution, called myGovID. The system enables users to complete the digital equivalent of a 100-point ID check—unlocking easy access to a host of new and existing services.

myGovID will also do away with the need for users to have multiple logins for different departments, which can be a nightmare to keep track of and create headaches when passwords or usernames are forgotten.

The first pilot program using this new system started last week, enabling users to apply for a tax file number online.

Currently, if you need a TFN, you have to download a form from the ATO website, which you then have to take to a post office along with your passport and driver’s licence to prove that you are who you say you are.

The form is then posted to the tax office and you have to wait for a TFN to be generated and posted back to you within about 30 days.

Using myGovID, you will be able to complete the entire process online, using your mobile phone, at any time of the day or night, wherever you are. And, best of all, you can get your TFN within minutes, as opposed to having to wait a month.

While the system is still only a prototype, extensive work has been done to ensure that the privacy and security of users have been built into its very heart.

We have also worked closely with privacy advocates from the beginning to incorporate best practices in the standards, design and workings of the system.

For those reasons, I was extremely disappointed to read a report by ASPI’s Fergus Hanson, which threatened to undermine public trust in this new system by attempting to conflate it with the Australia Card issue.

I was also baffled by Hanson’s claims that myGovID could become a Chinese-style social credit system—a claim contradicted by his own report.

What Hanson demonstrated was a clear lack of understanding of both the technical aspects of our digital identity solution and the role that it fulfills.

His report also contains basic factual errors and self-contradictions and is not, in any way, an objective appraisal of the program.

This is even more disappointing given the substantial time my own Digital Transformation Agency spent with him, walking him through the program prior to his writing the paper.

The DTA also provided written feedback to a draft version of the report, highlighting the numerous mistakes. But that feedback was dismissed as a ‘difference of opinion’.

As an example, Hanson asserted that private-sector companies will somehow be able to harvest data from people using the system.

The reality is that the system is deliberately designed to prevent that from happening, by using privacy-protecting architecture. A ‘double blind’ identity exchange sits between the digital service and the identity provider, ensuring personal information cannot be shared and is not visible to service providers and that services being accessed are not visible to identity providers.

As a government, we are acutely aware that myGovID will only be successful if the Australian public can trust it.

That is why we have consulted with thousands of people during development of the system.

We have also made the system opt-in to give users a choice whether to use it or not and made the system a federated one, so there is never the possibility of a single identifier for Australians.

The digital identity program is aligned with the Australian Privacy Principles and the Privacy Code, the Information Security Registered Assessors Program, and the Australian Government Protective Security Policy Framework and Information Security Manual.

Hanson fails to mention these facts in his report.

I fully expect that we will face some disapproval from certain commentators as we move forward with this project over the next six months.

Every major government reform inevitably faces some level of opposition when challenging the status quo. In the case of technology initiatives, calls of ‘Big Brother’ are often associated with progress.

But if we were to continually yield to the views of the naysayers, we would still be lining up in queues at airports to have our passports checked, rather than breezing through using biometric SmartGates.

Out of interest, I went back and looked at media reporting from the mid-2000s when the merits of SmartGates were still being debated.

It was ‘Big Brother’ at its worst according to one commentator. Another claimed the technology would never work and was doomed to be an expensive failure.

History has proven the alarmists wrong. No doubt it will do so again when it comes to myGovID.

The benefits to the Australian public and the nation’s economic future are too great to allow important reforms such as this to be derailed by misinformation and misunderstanding.

There’s been a lot of focus on the security arrangements for the My Health Record system. Most of the commentary has been about protecting the data, how secure the platform is for storing the data, and who will have access to the database. But very little attention has been given to the glaring security weaknesses of the health provider systems that will be used daily to access patient information stored in My Health Record.

In addition to hospitals and large health providers, a range of small providers will be able to access My Health Record. These include not only general practitioners and medical specialists, but also allied health professionals such as physiotherapists, speech pathologists, osteopaths, optometrists and dentists, who can also register to access My Health Record. There are many thousands of these small health providers across Australia and most are small clinics with only a handful of staff.

What this amounts to is an attack surface comprising hundreds of thousands of endpoints, most of which have a level of cybersecurity that is virtually non-existent. This is further compounded by staff who have little or no cybersecurity awareness. As an IT service provider with over 14 years’ experience working exclusively with small businesses, including small health providers, I believe these organisations are ill-equipped to provide an acceptable level of security.

The situation isn’t helped by the fact that, to date, these organisations have never been required to adopt or adhere to a common set of cybersecurity standards. Of course, you could point to the requirements of the Australian privacy principles and the notifiable data breaches scheme, which do apply to health providers. But the reality is that most have only a vague understanding of those rules. Whenever I’ve discussed the privacy principles or the data breaches scheme with the heads of these organisations, most are oblivious to their obligations and consider it an ‘IT issue’. Certainly, none have ever seen or heard of the guidelines on securing personal information issued by the Office of the Australian Information Commissioner.

So, with all of this in mind, it would be reasonable to assume that the Australian Digital Health Agency—the body responsible for national digital health services and systems, including My Health Record—has considered this challenge. Perhaps there’s a cybersecurity framework comprising documented minimum standards, a concise easy-to-understand guide, an education program, a compliance regime, and at least some basic level of monitoring and auditing. The unfortunate reality is that almost none of this is in place.

Both the Australian Digital Health Agency and the My Health Record websites have plenty of content on information security for health providers. Typical of many government sites providing cybersecurity information, it’s a dog’s breakfast—a situation highlighted in a recent policy paper published by AustCyber.

The Australian Digital Health Agency website has a page titled ‘Digital Health Cyber Security Centre’ with a box that provides links to six pieces of cybersecurity guidance, ranging from short webpages on using emails and social media to guides on ransomware and patching aimed at IT professionals. The most useful of these is the Information Security Guide for small healthcare businesses. The document was put together by Stay Smart Online in 2017 and, although it’s a stretch to call it a guide, it does provide some easy-to-understand information about IT security.

On the My Health Record website, there’s a section under ‘For healthcare professionals’ titled ‘Recognise your privacy and security obligations’. Under the heading ‘Implementing security practices and policies’, there’s a statement that ‘healthcare organisations that access digital health records need to meet the requirements under the My Health Records Rule’. It includes a link ‘for a checklist that is based on the requirements outlined in the My Health Records Rule 2016’.

Someone with enough time and energy to follow the link will then end up on a page titled ‘Security practices and policies checklist’. There they’ll find a ‘checklist’ that can be ‘used as a guide to implementing security practices and policies in your healthcare organisation’. The very first point provides an indication of just how useful the checklist is:

• The organisation has a My Health Record system security policy.

Elsewhere on the My Health Record website, there’s a page about the legislation that governs the way the data is managed by health providers, which includes:

• My Health Records Act 2012
• My Health Records Rule 2016
• My Health Records Regulation 2012
• Healthcare Identifiers Act 2010
• Privacy Act 1988.

I challenge anyone to make any sense of all that, let alone the person responsible for running a small clinic. Where do you start, what is essential, and what is optional?

After wading through it all, I couldn’t find any stated minimum cybersecurity standard that a health provider accessing My Health Record data would be required to implement. Not even the absolute bare minimum—have a password policy with a minimum level of complexity, use a password manager, implement two-factor authentication, and ensure all staff have at least one hour of cybersecurity-awareness training.

My Health Record will put vast amounts of confidential health data into a single online database, and no matter how well the central repository itself is protected, it can only ever be as secure as the weakest link. With thousands of small health providers that have only minimal cybersecurity arrangements accessing My Health Record, it has the potential to leak like the proverbial sieve.

We’ve all experienced the pain of data loss. Whether a work report, university assignment or family photos—everyone knows that nauseating realisation that hours, days or even years of work have disappeared in the blink of an eye.

In the late 1990s, Pixar almost lost its film Toy Story 2 before its release when backup systems failed. Luckily, the film’s producer, a working mum, had a copy of the film stored on her personal computer.

While the loss of that film might have been difficult to swallow, the devastation of losing critical national identity data would have much broader and more consequential implications, particularly on our national security, our democratic processes and the memory of who we are as a nation.

Estonia, widely acknowledged as a leader in e-government, now have a cache of government data that they consider so valuable that they’re establishing ‘data embassies’. Effectively, these  will be, datacentres located on foreign soil.

By classifying these new facilities as embassies—essentially Estonian territory in a foreign land—rather than as offshore datacentres, Estonia will retain sovereign control and security over the data.

The project will be expensive. Estonia’s current embassies don’t meet the technical requirements to properly secure the data, which includes the physical construction as well as the necessary networks and trained personnel. Estonia obviously places a high value on its data if it’s willing to go to such lengths to protect it, and to ensure that its government services are uninterrupted.

So, what might happen if Australia’s national digital identity data were manipulated or deleted? That’s the question that ASPI Visiting Fellow Anne Lyons is asking. Historically, the concept of critical infrastructure (CI) has, understandably, been confined to tangible assets.

However, Canada’s definition of CI also refers to processes and systems, both of which could be considered intangible. So an argument could be made that data is both a process and a system, from its collection and creation to its use and eventual re-purposing.

Australia defines CI as:

those physical facilities, supply chains, information technologies and communication networks which, if destroyed, degraded or rendered unavailable for an extended period, would significantly impact the social or economic wellbeing of the nation or affect Australia’s ability to conduct national defence and ensure national security.

Under that definition, data could be considered CI. So, why should we want to think of data as CI?

Data is a valuable national asset that supports the foundations of our nation—the parliament, the courts, the government. Without it, there would be no evidence of modern Australia, its property ownership, international relations, trade history, immigration records or information proving who we are as individuals.

Our data is also evidence of where we have come from—the songs, stories, communities and iconic representations of Australia through the ages.

Our data is one of our nation’s most important assets because it defines our uniqueness.

But there are some who don’t think data should be classified as CI. So what are the obstacles? In general, there are four primary objections:

• Data doesn’t fit within the traditional meaning and view of CI.
• Some data that’s critical to the nation may still be in analogue form, so requires different protection from digitally born material.
• Some datasets may be harder to access if they’re more stringently regulated, or may complicate security practices.
• Some believe that the whole system—hardware, software, personnel and the data—should be considered critical. That would dilute the idea of ‘critical’.

In December 2017, the Australian government released the Security of Critical Infrastructure Bill for public comment. One of the consultation questions was, ‘Are there other critical assets (other than ports, electricity and water), such as gas and data centre assets that should be captured [in the bill]?’

ASPI’s Peter Jennings offered a blunt response in asking, ‘How could [datacentres] not be covered?’

But what we’re considering goes one step further. We’re not asking whether the hardware and software supporting data should be labelled CI, but whether the actual data itself should be considered CI.

The Productivity Commission notes that data takes various forms: characters, text, words, numbers, pictures, sound and video, just to name a few. There are plenty of datasets that—if degraded or made unavailable—‘would significantly impact the social or economic wellbeing’ of Australia.

Take, for example, Australia’s census data. This data not only helps us to decide where government funding should be directed, but also affects our democratic processes. David Fricker, Director-General of the National Archives of Australia, believes that ‘we have to value our government data holdings as a national asset and within government we have to adjust our behaviours and our policies accordingly’. While there have been several efforts to identify which data is critical for Australia, so far no significant efforts have been made to classify said data as CI.

If national identity data is compromised, it jeopardises public trust, as noted by the Productivity Commission regarding #censusfail. If Australia’s national identity data were compromised, the consequences would be far greater than those of the cabinet file saga.

Ultimately, we need to ask whether classifying national identity data as CI would change how it was used or protected, or, if not, what purpose this classification would serve. It’s time we had a conversation about how critical our data really is.