Over a hundred government websites are ‘not secure’, will they harm us?

Country/area: Malaysia

Organisation: Malaysiakini

Organisation size: Big

Publication date: 19/07/2021

Credit: Lee Long Hui, Ooi Choon Nam, Hazman Hazwan Sulaiman, Syariman Badrulzaman, Nur Aziatul Khazizi, Raveena Nagotra, Alena Nadia, Alex Woon, Ng Xiang Yi, Wahyudi Yunus


The project is presented by Kini News Lab in Malaysiakini, one of the most-read news portals in Malaysia.

At Kini News Lab, we experiment with new ways of presenting news by combining visual and interactive storytelling as well as in-depth and data-driven journalism.

We aspire to turn important but complex issues into something that is engaging and enjoyable for the Malaysian public.

Project description:

The purpose of this project is to examine the security status of Malaysian government websites.

Of the nearly 700 websites examined, at least 255 were “not secure”, leaving open the possibility of personal data breaches and other cybersecurity risks.

The article quoted several cybersecurity experts to explain, in layman’s terms, how the security weaknesses of the government websites could expose the Malaysian public to harm.

It also put forward suggestions to the Malaysian government on how to enhance the security measures of its websites, as well as advised the public on how to protect themselves from potentially harmful sites.

Impact reached:

Of the 255 “not secure” websites highlighted, 91 government agencies and ministries subsequently upgraded their websites from HTTP to HTTPS after we contacted them for replies. This response came even before the publication of the project.

Following the publication of the report, the Malaysian Communications and Multimedia Commission (MCMC) stated that a cybersecurity audit would be conducted on those websites.

As of Dec 28, 2021, the government had upgraded the security status of an additional 76 websites from HTTP to HTTPS, while removing spam and malicious elements from four websites.

Nonetheless, at least 90 websites still remained “not secure” five months after the audit announcement.

Techniques/technologies used:

We gathered a list of Malaysian government websites from a Wikipedia page. From those websites, we obtained more links to other government websites.

We mainly use Google Spreadsheets to store information about these websites, such as whether they have forms for user information, the date of access to check on whether they have been upgraded to HTTPS or not, and the comments and responses of the government agencies that own the respective websites.

A special website was created for the project. Its structure and layout were built with JavaScript, the JavaScript library React and the React framework Next.js.

The key information about the websites is presented in a table built with react-table, which allows the user to search and filter for particular websites.

To achieve a more engaging user experience, we have also created a small interactive component on the page where users can enter a username and password pair, and we show the data sent from an HTTP and an HTTPS website respectively. This is to show the difference between the encrypted data sent from an HTTPS website and the unencrypted data sent from an HTTP website.

Screenshots of each website were taken and processed with Adobe Photoshop to state the access date.

Old-school journalism methods were applied in this project too. We sourced the contact numbers and email addresses of each government agency we named in our project and tried to call or mail them for their right of reply.

What was the hardest part of this project?

The most challenging task of this project was to verify the security status of nearly 700 websites one by one. This is because there were special cases, such as websites that actually had an HTTPS version, but one that their HTTP sites did not redirect to.

The checking task had to be performed on a weekly basis as the status might change overnight. It was extremely crucial for us to go through the list again a day before publication.
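The special case described above (an HTTPS version exists, but the HTTP site does not redirect to it) can be told apart from the other outcomes by probing both schemes and comparing where each one ends up. The following is an added example, not code from the project: the hostnames, response table and status labels are constructed for illustration, and it also covers a case the text does not mention, an HTTPS address that redirects back down to HTTP.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample responses, keyed by URL: (status code, Location header).
# A URL missing from the table stands for a failed connection or TLS error.
SAMPLE = {
    "http://agency-a.example/": (301, "https://agency-a.example/"),
    "https://agency-a.example/": (200, None),
    "http://agency-b.example/": (200, None),
    "https://agency-b.example/": (200, None),
    "http://agency-c.example/": (200, None),
    "http://agency-d.example/": (302, "/portal/"),
    "http://agency-d.example/portal/": (200, None),
    "https://agency-d.example/": (301, "http://agency-d.example/portal/"),
}

REDIRECTS = (301, 302, 303, 307, 308)

def final_url(url, fetch, max_hops=5):
    """Follow redirects and return the URL that finally answers, else None."""
    for _ in range(max_hops):
        response = fetch(url)
        if response is None:
            return None
        status, location = response
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return url if status < 400 else None
    return None  # redirect loop or chain longer than max_hops

def classify(host, fetch):
    """Label a host by where a visitor ends up over each scheme."""
    via_http = final_url(f"http://{host}/", fetch)
    via_https = final_url(f"https://{host}/", fetch)
    # HTTPS only counts if the chain also ends on https (no downgrade).
    https_ok = via_https is not None and urlsplit(via_https).scheme == "https"
    if via_http is None:
        return "https-only" if https_ok else "unreachable"
    if urlsplit(via_http).scheme == "https":
        return "https-redirect"
    if https_ok:
        return "https-available-no-redirect"  # the special case in the text
    return "http-only"

def audit(hosts, fetch=SAMPLE.get):
    return {host: classify(host, fetch) for host in hosts}
```

For a recurring check against a real site list, `fetch` would be replaced by a function that issues one request without following redirects and returns the same `(status, location)` pair.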

Another challenge was to produce a fair and balanced report by getting the replies and comments of all the 700 government agencies named in the report.

It was a painstaking task. We have three dedicated journalists to ring and/or email those agencies for their reply.

Around 130 agencies got back to us, explaining the difficulties and challenges they were facing when upgrading their websites. 86 of the websites have been upgraded to HTTPS since receiving our phone calls and/or emails. It shows that those agencies were taking this matter seriously.

We have put all the replies we have got into the story.

What can others learn from this project?

Working with experts is crucial for our project. We have the help of several experts, including the software engineer from our own newsroom, who guided us through the end of the project to avoid misjudgements and reporting any misleading information.

I think what we have also learned from this project is how to present the technical information about cybersecurity in layman’s terms, with the help of graphics and videos.

It is hard for us to avoid using jargon in the story. To make sure our readers, mainly in their 40s to 60s, understand the technical terms and aspects of the project, we use plenty of accordions (collapsible content) throughout the article for those terms.

The most important aspect is to think of the impact we would like to achieve before starting work on the project. It did help us set a clear goal and served as the most vital guidance for us from the beginning to the end.

Project links: