More stories


    TikTok to sue US government over ban

    TikTok has confirmed it will launch a lawsuit against the US government over the ban on the Chinese app maker. Any such lawsuit, however, will not prevent the company from being compelled to sell off the app in the US market. 
    TikTok reiterated its previous stance that it had worked to engage the Trump administration for almost a year to “provide a constructive solution” to resolve concerns the latter had about the app. 
    “What we encountered instead was a lack of due process as the administration paid no attention to facts and tried to insert itself into negotiations between private businesses,” the company said in a statement issued to several media outlets, after Reuters first broke the news Saturday. 
    “To ensure that the rule of law is not discarded, and that our company and users are treated fairly, we have no choice but to challenge the executive order through the judicial system,” TikTok said.
    Donald Trump earlier this month signed two executive orders barring any US transaction with TikTok, its parent company ByteDance, and its subsidiaries, as well as with popular Chinese messaging app WeChat and its parent company Tencent. The US President alleged that apps developed in China threatened his country’s national security, foreign policy, and economy. “TikTok automatically captures vast swaths of information from its users, including internet and other network activity information such as location data and browsing and search histories,” the order noted. “This data collection threatens to allow the Chinese Communist Party access to Americans’ personal and proprietary information, potentially allowing China to track the locations of federal employees and contractors, build dossiers of personal information for blackmail, and conduct espionage.”
    TikTok reportedly planned to argue in its lawsuit that Trump’s first August 6 executive order, filed under the US International Emergency Economic Powers Act, deprived the Chinese company of due process. It also planned to fight its label as a national security threat by the US government, Reuters reported. 
    TikTok did not specify which court it planned to tap for its lawsuit, but this move would not stop the company from being compelled to relinquish its US operations, which was laid out under Trump’s second executive order issued on August 14 and was not subject to judicial review.
    The August 14 order gave TikTok’s parent company ByteDance 90 days to sell off its business in the US. Discussions were ongoing with Microsoft and, more recently, Oracle involving a potential sale.
    According to TikTok, 100 million Americans used its platform. It recently unveiled new measures it said aimed to stem misinformation and content designed to disrupt the US elections in November. These included updates to its policies for better clarity on what was and was not allowed on its platform, and wider collaboration with fact-checking partners as well as the US Department of Homeland Security, such as on efforts to verify election-related information, in-app reporting of election misinformation, and safeguards against foreign interference. 
    It also refuted suggestions it shared user data with the Chinese government or censored content at the government’s request. “In fact, we make our moderation guidelines and algorithm source code available in our transparency center, which is a level of accountability no peer company has committed to,” TikTok had said. “We even expressed our willingness to pursue a full sale of the US business to an American company.”
    Trump had suggested the US government should receive a “substantial” cut of the acquisition for “making it possible”.


    Police launch drones to make sure you're wearing a mask

    Another symbol of a post-Covid future?
    I worry we’ve become used to being spied upon.

    I don’t suggest this is a good thing. I do wonder, though, whether humanity’s defenses have been permanently weakened. Especially as the Coronavirus has made many of us even more dependent on technology as we work from home.
    When, though, does intrusive become abusive?
    I only ask because of a moving report emerging from Australia.
    The police in Victoria — the state that houses Melbourne — are trying a new way to make sure people are wearing masks.
    As 7News Melbourne reports, they’re sending up drones to catch mask miscreants. They’ll also be deputed to discover cars that have gone beyond five kilometers from home, in contravention of current laws.
    Melbourne has suffered a return of Covid-19, after many thought it had passed. At the beginning of this month, Melbourne declared a state of emergency.

    The lockdown carries with it fines of up to A$20,000. Failing to wear a mask will cost you A$200.
    I can conceive how certain parts of America would warm to such penalties.
    And, indeed, how they might warm to the idea that a drone will be spying on their faces, and report on them if they’re not wearing a mask.
    One can understand — if not feel comfortable with or even find tolerable — the use of such flying machines at a time like this.

    However, one sentence from the 7News report offers a chilling thought: “There are concerns this style of policing won’t end when the pandemic is over.”
    That’s the issue with so many technological glories being used for policing. Where does it end? Does it end at all?
    It’s the sort of thing that’s driven tech employees themselves to lobby their managements. Recently, Amazon declared it wouldn’t allow its facial recognition system to be used by the police for a year. This could be because some believe it’s painfully inaccurate.
    Of course, concerns about surveillance heighten with every day one is alive.
    Imagine, though, how it might feel if you need milk and bananas, you’ve accidentally forgotten your mask and are quickly running to the store.
    Suddenly, you hear a buzzing sound.
    A minute or two later, you’re being grabbed from behind.
    “You’re not wearing a mask,” says the voice.
    And then imagine, in 2021, you need milk and bananas and are quickly running to the store.
    Suddenly, you hear a buzzing sound.
    A minute or two later you’re being grabbed from behind.
    “You’re two minutes over your parking time,” says the voice.


    Free photos, graphics site Freepik discloses data breach impacting 8.3m users


    Freepik, a website dedicated to providing access to high-quality free photos and design graphics, has disclosed today a major security breach.
    The company made it official after users started grumbling on social media this week about receiving shady-looking breach notification emails in their inboxes.
    ZDNet reached out to the Freepik Company on Thursday, and while we have not heard back before this article’s publication, the company formally disclosed a security breach today, confirming the authenticity of the emails it’s been sending to registered users for the past few days.
    Hacker used an SQL injection to get in
    According to the company’s official statement, the security breach occurred after a hacker (or hackers) used an SQL injection vulnerability to gain access to one of its databases storing user data.
    Freepik said the hacker obtained usernames and passwords for the oldest 8.3 million users registered on its Freepik and Flaticon websites.
    Freepik didn’t say when the breach took place, or when it found out about it. However, the company says it notified authorities as soon as it learned of the incident, and began investigating the breach, and what the hacker had accessed.
    Millions of password hashes were pilfered
    As for what was taken, Freepik said that not all users had passwords associated with their accounts, and the hacker only took user emails for some.
    The company puts this number at 4.5 million, representing users who used federated logins (Google, Facebook, or Twitter) to log into their accounts.
    “For the remaining 3.77M users the attacker got their email address and a hash of their password,” the company added. “For 3.55M of these users, the method to hash the password is bcrypt, and for the remaining 229K users the method was salted MD5. Since then we have updated the hash of all users to bcrypt.”
    In the process of notifying users
    The company said it’s now in the process of notifying all impacted users with customized emails, depending on what was taken. These emails are going out to Freepik and Flaticon users, depending on what service users had registered on. Below are some of these messages, as we received from our readers.

    “Those who had a password hashed with salted MD5 got their password canceled and have received an email to urge them to choose a new password and to change their password if it was shared with any other site (a practice that is strongly discouraged),” Freepik said. “Users who got their password hashed with bcrypt received an email suggesting them to change their password, especially if it was an easy to guess password. Users who only had their email leaked were notified, but no special action is required from them.”
    Freepik is one of today’s most popular sites on the internet, currently ranked #97 on the Alexa Top 100 sites list. Flaticon is not far behind, ranked #668.
    When EQT acquired the Freepik Company at the end of May this year, the company claimed the Freepik service has a community of more than 20 million registered users.
    Users registered on Slidesgo, another of the Freepik Company’s websites, don’t appear to have been impacted.


    Before taking that DNA test: Six things you need to know

    Updated: Ancestry.com shared a statement about privacy. See below.
    When you get a DNA test kit, you’ll get a set of instructions to follow so you can get a sample of DNA from your body to the lab. You’ll either be asked to spit into a tube or wipe a swab around inside your mouth.


    Some folks have difficulty producing enough saliva to do a spit test. If you often have a dry mouth, you might want to consider one of the cheek swab tests. Another trick is to think about lemons, the taste of a lemon, and biting into a lemon. Sometimes just the thought will increase mouth saliva.
    Also: My ancestry adventure: When DNA testing delivers unexpected and unsettling results
    Saliva. Not your usual ZDNet topic. So, rather than imagine the bitter taste of lemons in your mouth as your face crinkles up slightly from the tart taste and you feel your mouth water, let’s talk about some important things you need to know.
    1. Know what DNA testing involves
    DNA can tell you a lot about yourself. Imagine you’re reverse engineering source code for a video game. If you find a function that solves a puzzle, you can intuit that the game includes puzzle solving. If you find a function in that code for jumping and climbing, the game might have more action elements.
    DNA tests can do this, by looking at your DNA to determine what “functions” it exposes in your genetic code. That’s why some DNA tests are able to provide health and lifestyle information.
    Also: Soon, your brain will be connected to a computer. Can we stop hackers breaking in?
    With the permission of their customers, many DNA companies store DNA data from thousands or millions of customers. By matching your DNA against the DNA patterns of all those other DNA test participants, some DNA companies are able to tell if you share unique sequences, essentially proving that you share ancestors somewhere in your family history.
    That opens up one of the biggest services offered by DNA testing providers: Helping you understand your family tree, the migration patterns of your ancestors, and even identify relatives you never knew you had.
    2. Be aware there is a dark side to DNA testing
    This also opens up one of the more disturbing aspects of DNA testing: The privacy implications. Your DNA is, fundamentally, the source code to… you. If DNA companies are sharing that code, whether with law enforcement or with other companies, it can be a little unsettling. If you authorized that sharing, it’s one thing.
    But if your family member or cousin authorized sharing their DNA, they have also, essentially, allowed a considerable amount of your DNA to be shared. And that doesn’t even include what happens if your testing service provider gets hacked.
    Also: Genealogy sites credited with helping ID Golden State Killer CNET
    The other issue is for those folks who took DNA tests and got back results they didn’t expect. There are many issues involved with this, from what’s called “misattributed paternity” to issues of race, what you’ve been told as part of your family history, and disturbing discoveries about your family tree. When I tested three DNA services, I got some disturbing results.
    Keep these unexpected consequences in mind if you decide to move forward doing DNA testing.
    3. Know how to choose a DNA testing service
    To help you navigate through the offerings of various DNA testing services, we recently produced a guide for CNET. In it, we looked at how well these providers can help you learn about yourself through DNA. Each provider is shown with the size of its matching database. If you’re looking for family information, the bigger the database, the better the chance you’ll find long-lost family members.
    Also: Genealogy database used to identify suspect in 1987 homicide CNET
    When it comes to health and lifestyle information, the DNA tests use some of the same information. This is really a matching process, but instead of looking for family members, the test provider looks for matching characteristics, particularly genetic markers for certain diseases and traits.
    4. Understand the structure of DNA

    DNA is, essentially, code. The order and combination of the code provide instructions for creating organic material.
    Segments of DNA convert amino acids into proteins. Proteins do all sorts of things, including creating new cells. That’s how you get the building blocks, from amino acids to proteins, proteins to cells, cells to tissues, tissues to organs, and organs to people, dogs, trees, cats, and so on.
    Also: The startling future of DNA genome editing TechRepublic
    Long strands of DNA are called chromosomes. These chromosomes are passed from both a father and a mother to a child. The child’s DNA contains code that represents characteristics of both parents.
    5. Know the limits of DNA matching
    These chromosomes not only contain code for genetic characteristics, they also contain something of a genetic fingerprint of the parents in each child. That’s why two siblings, born of the same two parents, will share a considerable amount of chromosomal data.
    Cousins, too, share chromosomal data, just not as much. The fingerprint has, essentially, been diluted. As you move back in time to grandparents and great grandparents and great great grandparents, and then down other branches of the tree to first cousins, second cousins, third cousins, fourth cousins, and so forth, less and less of the DNA sequences will match.
    The reason you need to understand a bit about chromosomes is that you’re about to make a decision: Which test type do you choose? That’s next.
    6. Understand the test types
    Generally, there are three different test types: Autosomal, Y-DNA, and mtDNA.
    Today, autosomal tests are the most common. They can be administered to both men and women, and trace back through the lineage of both sexes.
    The Y-DNA test can only be administered to men, and traces DNA back through the patrilineal ancestry (basically from father to grandfather to great grandfather).
    The mtDNA is matrilineal and lets you trace your ancestry back through your mother, her mother, and her mother going back.
    Autosomal tests can get you quality genetic information going back about four or five generations. Because the Y-DNA and mtDNA tests are more focused on one side of the line, you can get information going back farther, but with less data about family structure.
    Which test you take depends entirely on what you’re looking for. Don’t expect perfect accuracy. They can give you indications, but taking a DNA test won’t magically produce a history book of your family’s background.
    My experience
    So, there you go. In the guide, we present to you 10 of the more interesting DNA services we’ve found. Some are better than others, so you should not only take our information into account when spending on a service, but look for reviews and stories posted by those who have used the services to see what their experiences have been.
    I, personally, have now tested three services: Ancestry, 23andMe and LivingDNA. It’s been interesting — and also disturbing. By combining the DNA tests with Ancestry’s research database, my wife and I were able to answer some long-kept mysteries about our family trees. Here’s my story about that, as well as in-depth reviews of those three services:
    Also: My ancestry adventure: When DNA testing delivers unexpected and unsettling results
    By the way, a spokesperson at Ancestry reached out to me to talk about the data privacy concerns I raised in this article. They wanted to share this statement:

    Protecting our customers’ privacy is Ancestry’s highest priority, and that starts with the basic belief that customers should always maintain ownership and control over their own data. We will not share customers’ personal information with third-parties – including insurers, employers, health providers or external marketers – without their explicit, informed consent. Ancestry will not share any DNA data with law enforcement unless compelled to by valid legal process and will always seek to minimize the impact on our customers’ expectations of privacy.

    I am personally fascinated by Ancestry and the work they’re doing, so I hope to be able to bring you more from them over time.
    Stay tuned. If I can, I’ll do more tests and report back to you here on ZDNet and CNET about what I learn.
    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

    Previous and related coverage:
    Haven Life adds DNA testing, discounts, wills
    Haven Life aims to give policyholders more perks for when they’re alive.
    92 million accounts for DNA testing site MyHeritage found online
    DNA testing site MyHeritage has said the company has been hacked.


    FBI and CISA warn of major wave of vishing attacks targeting teleworkers

    The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint security advisory on Thursday, warning about an ongoing wave of vishing attacks targeting the US private sector.

    Vishing, or voice phishing, is a form of social engineering where criminals call victims to obtain desired information, usually posing as other persons.
    According to the FBI and CISA, in mid-July 2020, cybercriminals started a vishing campaign targeting employees working from home for US companies. The attackers collected login credentials for corporate networks, which they then monetized by selling the access to corporate resources to other criminal gangs.
    How attacks happened
    The two cyber-security agencies didn’t name targeted companies, but instead described the technique the attackers used, which usually followed the same pattern.
    Per the two agencies, cybercrime groups started by first registering domains that looked like company resources, and then created and hosted phishing sites on these domains. The domains usually had a structure like:
    support-[company]
    ticket-[company]
    employee-[company]
    [company]-support
    [company]-okta
    The phishing pages were made to look like a targeted company’s internal VPN login page, and the sites were also capable of capturing two-factor authentication (2FA) or one-time passwords (OTP), if the situation required.
    Criminal groups then compiled dossiers on the employees working for the companies they wanted to target, usually by “mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.”
    Collected information included: name, home address, personal cell/phone number, the position at the company, and duration at the company, according to the two agencies.
    The attackers then called employees using random Voice-over-IP (VoIP) phone numbers or by spoofing the phone numbers of other company employees.
    “The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee,” the joint alert reads.
    “The actors then convinced the targeted employee that a new VPN link would be sent and required their login, including any 2FA or OTP.”
    When the victim accessed the link to the phishing site the hackers had created, the cybercriminals logged the credentials and used them in real time to gain access to the corporate account, bypassing 2FA/OTP protections with the unwitting help of the employee.
    “The actors then used the employee access to conduct further research on victims, and/or to fraudulently obtain funds using varying methods dependent on the platform being accessed,” the FBI and CISA said.
    The two cyber-security agencies are now warning companies to keep on the lookout for threat actors targeting their telework (work-from-home) employees using this technique.

    To help companies, FBI and CISA experts shared a series of tips and recommendations for companies and their employees, which we’ll reproduce below.
    Organizational Tips:
    Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
    Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
    Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
    Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
    Employ the principle of least privilege and implement software restriction policies or other controls; monitor authorized user accesses and usage.
    Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
    Improve 2FA and OTP messaging to reduce confusion about employee authentication attempts.
    End-User Tips:
    Verify web links do not have misspellings or contain the wrong domain.
    Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
    Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
    If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
    Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
    Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
    For more information on how to stay safe on social networking sites and avoid social engineering and phishing attacks, visit the CISA Security Tips.
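    As an added example (not from the advisory or this article), the following Python script shows one way to act on the advisory's domain-monitoring and "check the link" tips: it classifies newly observed domain names against the lookalike patterns listed above (support-[company], ticket-[company], employee-[company], [company]-support, [company]-okta), brand-as-subdomain tricks, and near-miss spellings of the brand. The company name acme, the legitimate domain acme.com, the observed domain list and the extra "vpn" suffix token are all constructed assumptions.

```python
from typing import Dict, Iterable, Optional

# Prefix/suffix tokens taken from the domain patterns in the FBI/CISA advisory.
# "vpn" is an added assumption, since the phishing pages imitated VPN portals.
LOOKALIKE_PREFIXES = ("support", "ticket", "employee")
LOOKALIKE_SUFFIXES = ("support", "okta", "vpn")

# Constructed sample of "newly observed" domains, as a certificate-transparency
# or new-registration feed might deliver them. Not real indicators.
OBSERVED_DOMAINS = [
    "acme.com",              # the company's own domain
    "vpn.acme.com",          # legitimate subdomain
    "support-acme.net",      # prefix pattern from the advisory
    "acme-okta.com",         # suffix pattern from the advisory
    "employee-acme.org",     # prefix pattern from the advisory
    "acmee.com",             # one-character misspelling
    "acme.okta-login.net",   # brand used as a subdomain of another domain
    "unrelated.org",         # should not be flagged
    "acme-helpdesk.com",     # brand embedded with extra words
]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label ('acme' from 'acme-okta.com'). Assumption: a naive
    split; production tooling would consult the public-suffix list."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, brand: str, legit_domains: set) -> Optional[str]:
    """Return a reason if `domain` looks like a lookalike of `brand`, else None."""
    domain = domain.lower().rstrip(".")
    brand = brand.lower()
    # Anything that is, or sits under, a known-good domain is fine.
    if domain in legit_domains or domain.endswith(tuple("." + d for d in legit_domains)):
        return None
    label = registrable_label(domain)
    # support-acme, ticket-acme, employee-acme (with or without the hyphen)
    for p in LOOKALIKE_PREFIXES:
        if label in (f"{p}-{brand}", f"{p}{brand}"):
            return f"prefix pattern '{p}-[company]'"
    # acme-support, acme-okta, acme-vpn
    for s in LOOKALIKE_SUFFIXES:
        if label in (f"{brand}-{s}", f"{brand}{s}"):
            return f"suffix pattern '[company]-{s}'"
    # acme.okta-login.net: brand appears only as a subdomain label
    if brand in domain.split(".")[:-2]:
        return "brand used as subdomain of unrelated domain"
    # acmee.com: one edit away from the brand
    if label != brand and levenshtein(label, brand) <= 1:
        return "near-miss spelling of brand"
    # acme-helpdesk.com: brand embedded in a longer registrable label
    if brand in label and label != brand:
        return "brand embedded in registrable label"
    return None


def scan(observed: Iterable[str], brand: str, legit_domains: set) -> Dict[str, str]:
    """Run classify() over a feed and return {domain: reason} for flagged entries."""
    flagged = {}
    for d in observed:
        reason = classify(d, brand, legit_domains)
        if reason:
            flagged[d] = reason
    return flagged


if __name__ == "__main__":
    for domain, reason in scan(OBSERVED_DOMAINS, "acme", {"acme.com"}).items():
        print(f"{domain:24s} {reason}")
```

    Feeding the scan a real new-registration or certificate-transparency feed, with the company's actual brand and allow-list, turns it into the domain-monitoring control the advisory recommends.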


    Programming language Rust: Mozilla job cuts have hit us badly but here's how we'll survive

    The open-source project behind the Mozilla-founded systems programming language, Rust, has announced a new Rust foundation to boost its independence following Mozilla’s recent round of pandemic layoffs.  
    Firefox-maker Mozilla’s decision to cut 250 roles or 25% of its workforce last week has taken a toll on the open-source project behind Rust. Mozilla is the key sponsor of Rust and provides much of the language’s infrastructure as well as core talent. 

    Some Mozilla contributors to five-year-old Rust did lose their jobs in Mozilla’s job cuts, causing some speculation that heavier cuts to the team behind Mozilla’s Servo browser engine – a core user of Rust – might pose an existential threat to the young language. 
    Rust’s demise would be bad news for a growing number of developers exploring it for system programming – as opposed to application development – as a modern and memory-safe alternative to C and C++. 
    Rust is now in developer analyst RedMonk’s top 20 most-popular language rankings, and it is being used at Amazon Web Services (AWS), Microsoft and Google Cloud among others for building platforms. And while Mozilla is the main sponsor of Rust, AWS, Microsoft Azure and Google Cloud have come on board as sponsors too. 
    However, discussing Mozilla’s layoffs, Steve Klabnik, a Rust Core member, has pointed out that the Rust community is much bigger than the number of Mozilla employees who contributed to the project and were affected by the layoffs.
    “Rust will survive,” wrote Klabnik in a post on Hacker News. “This situation is very painful, and it has the possibility of being more so, but Rust is bigger than Mozilla.”
    Nonetheless, as a project born in Mozilla Research and supported heavily by Mozilla, Rust is still currently entrenched in Mozilla’s infrastructure, which, for example, hosts the Rust package manager, crates.io. 
    “Mozilla employs a small number of people to work on Rust full time, and many of the Servo people contributed to Rust too, even if it wasn’t their job,” Klabnik wrote. 
    “[Mozilla] also pays for the hosting bill for crates.io. They also own a trademark on Rust, Cargo, and the logos of both. Two people from the Rust team have posted about their situation, one was laid off and one was not. Unsure about the others. Many of the Servo folks (and possibly all, it’s not 100% clear yet but it doesn’t look good) have been laid off.”
    But Klabnik notes that the “vast majority” of Rust contributors are not employed by Mozilla, even though Mozilla’s talent and infrastructure are important to the language’s survival.  
    To resolve issues around ownership and control, the Rust Core team and Mozilla are accelerating plans to create a Rust foundation, which they expect to be operating by the end of the year. 
    “The various trademarks and domain names associated with Rust, Cargo, and crates.io will move into the foundation, which will also take financial responsibility for the costs they incur. We see this first iteration of the foundation as just the beginning,” the Rust Core team said in a blog post this week. 
    “There’s a lot of possibilities for growing the role of the foundation, and we’re excited to explore those in the future,” it added. 
    Addressing the question of Rust’s demise, the team noted that it was a “common misconception that all the Mozilla employees who participated in Rust leadership did so as a part of their employment”. Instead, some leaders were contributing to Rust on a voluntary basis rather than as part of the job at Mozilla.  
    The Rust language project has also selected a team to lead the creation of the Rust foundation, including Microsoft Rust expert Ryan Levick and Josh Triplett, a former Intel engineer and a lead of the Rust language team. 
    Microsoft Azure engineers are exploring Rust for a Kubernetes container tool, and Microsoft recently released a public preview of Rust/WinRT, or Rust for the Windows Runtime (WinRT), to support Rust developers who build Windows desktop apps, store apps, and components like device drivers.
    While a primary sponsor like AWS, Microsoft or Google Cloud could be good news for Rust, the Rust Core team says it doesn’t want to rely too heavily on just one sponsor. 
    “While we have only begun the process of setting up the foundation, over the past two years the Infrastructure Team has been leading the charge to reduce the reliance on any single company sponsoring the project, as well as growing the number of companies that support Rust,” the Rust Core team said.


    Few Singaporeans able to identify all phishing email: survey

    Consumers in Singapore may know what phishing entails, but few are able to properly identify the various types of phishing email. In addition, inertia persists amongst some who believe they will not fall victim to online scams. 
    Some 66% in Singapore said they were aware of phishing attacks, but just 4% were able to correctly identify all the phishing email shown to them in an online study. Conducted in December last year for the Cyber Security Agency (CSA), the annual Cybersecurity Public Awareness Survey polled 1,000 respondents to assess adoption and awareness of cyber hygiene behaviour and attitudes. 
    While 86% correctly identified phishing email that promised attractive rewards, a lower 57% were able to pick out email messages with suspicious attachments and 53% could identify phishing email requesting confidential information.

    The 2019 survey also revealed that 85% recognised the risks of not installing security apps on their mobile devices, but just 47% did so. This was a slight increase from the 45% who had installed security apps on their devices in 2018. 
    In addition, the adoption rate for two-factor authentication climbed slightly to 83% in 2019 from 80% in the previous year. 
    This was despite the fact that more Singaporeans were using their mobile devices for online transactions, with 80% doing so last year compared to 73% in 2018. Furthermore, 82% expressed moderate to extreme concern that cybercriminals would hijack control of their computer or obtain their financial information without prior consent. 
    The survey revealed that 28% had fallen victim to at least one cyber incident over the past 12 months, with 14% experiencing unauthorised attempts to access their online accounts. Another 10% had such accounts used to contact others without their consent. 
    Upon experiencing a security incident, 68% said they changed their passwords, while 46% reported the breach to the relevant organisation. Another 30% installed antivirus software and 8% did not take any action.
    While 78% of respondents were worried about falling prey to online scammers or fraudsters, just 27% believed there was a likelihood such incidents could happen to them. 
    CSA’s chief executive and commissioner of cybersecurity David Koh said: “With our increasing reliance on technology, especially amidst the COVID-19 pandemic, opportunistic cybercriminals now have a bigger hunting ground. It is important for us to shake off the ‘it will not happen to me’ mindset, stay vigilant, and take steps to protect ourselves online so that we do not become the next victim.”
    Cybercrime accounted for 26.8% of all crimes in Singapore last year, with e-commerce scams the most common type, hoodwinking 2,809 victims. This was a 30% increase from the 2,161 cases reported in 2018, according to the Singapore Cyber Landscape 2019 report released in June by CSA. Citing figures from the local police, the report noted that victims of e-commerce scams continued to be lured by attractive online deals on items such as electronic gadgets and event tickets.

    (Source: Singapore’s Cyber Security Agency)

    Modernisation and upping cyber compliance on the agenda for Geoscience Australia

    Geoscience Australia has gone to market as part of its plans to further modernise its IT environment by shifting off legacy platforms and making continued improvements toward more modern platforms through 2021.
    In a request for tender, Geoscience Australia said it is seeking a service provider to act as the single point of contact for any IT-related incidents and requests; provide end user computing; and provision business and corporate applications.
    Additionally, Geoscience Australia plans to upgrade from Skype for Business to Microsoft Teams for enterprise voice, video conferencing, and collaboration tools; make networking enhancements around remote access/VPN and end-of-life elements; improve its record management system capabilities; and implement a customer relationship management system.
    Geoscience added there are plans to make further IT security enhancements so that it is in line with the Essential Eight controls for mitigating cyber attacks, which entails reviewing all existing identity-related processes and automating “unnecessary manual steps” through single multifactor login.
    “As we deal with more and more networks and endpoints, identity has become important as one of many factors that act as the new network boundary. Identity gives us a powerful common layer that we can control across many different networks and endpoints,” Geoscience Australia said.
    “Identity is a critical component of the new chain of trust that binds and protects our resources across various endpoints in a way that facilitates our mobile workforce.”
    In a previous ANAO audit on cyber resilience, Geoscience Australia was labelled as lacking where the Top Four mitigation strategies were concerned. 
    Following the ANAO probe, Geoscience Australia agreed to up its security posture, telling the Joint Committee of Public Accounts and Audit in March last year that it would be compliant with the Top Four by 30 June 2019.
    The Top Four are mandatory and the Essential Eight are recommended as best practice.  
    In its tender documents, Geoscience Australia also revealed that it is hoping to retire a “small number” of Windows 7 devices, as well as upgrade the infrastructure of its existing Citrix-based remote desktop environment, which is nearing the end of its life cycle.
    Geoscience Australia’s plans to carry out additional IT work follow work the agency has been undertaking over the last two years across its IT environment, specifically in end user computing, enterprise voice and collaboration, in-cloud compute, identity, database, and IT security.
    The IT service provider will be charged with providing support for Geoscience Australia’s headquarters in the Australian Capital Territory and its remote sites, such as its Alice Springs ground station and potentially Yarragadee in Western Australia, the tender documents said.
    The initial contract will be for three years, with the option to extend it to a maximum term of five years.
    Tender submissions close September 30, with an anticipated start date of April 2021.
    Geoscience Australia had previously said it would fix its culture by immersing its staff in the world of government-owned enterprise by learning from others, such as Australia Post, that are “leading” the way.
    “We ended up sending four staff down to Melbourne to go work for Australia Post for 100 days to learn their culture internally and flew another 30 or 40 people down on day trips to see how they worked with continuous delivery and cloud engineering,” Geoscience Australia director of scientific computing Ole Nielson said at the time.