Australian Defence hunts for contractor to build new recruitment database

It comes after Defence's existing recruitment database was targeted through a Citrix NetScaler vulnerability.

Australia's Department of Defence has started its search for a partner that can help deliver a new recruitment system for the Australian Defence Force (ADF).

Defence said under the contract, which will be worth more than AU$1 billion over 10 years, the successful partner would be responsible for delivering an "adaptable, scalable, modern, competitive, collaborative, and transparent" recruiting system.

"The partner will bring expertise in marketing, recruiting operations and candidate management, medical and psychological testing and assessments, ICT, facilities management and administration," the agency said.

"Defence is focused on maximising industry participation and engaging with a wide range of companies with the capability and capacity to deliver the requirements. Defence aims to modernise its ADF recruiting approach through the process."

Defence said the tender process would be undertaken in two stages. The first involves an open market request for proposal (RFP) to identify potential respondents, and the second would be a request for tender (RFT) to a number of shortlisted respondents that were successful in stage one.

Submissions for the RFP will close on December 18, with plans to notify shortlisted respondents by July 2021. Shortlisted respondents will then have until December 2021 to provide their submission to the RFT.

Defence said the successful contractor would be finalised by October 2022.

Plans to develop the new recruitment system come after the Australian Signals Directorate (ASD) notified Defence and its recruitment database contractor that ASD had reason to believe the database was vulnerable to a Citrix NetScaler bug, roughly a month after Citrix had made the vulnerability public.

"On the 24th of January ... through sensitive other sources, had a concern that the Department of Defence and its contractor running the DFRN [Defence Force Recruiting Network] may have been vulnerable to a malicious act as a result of the Citrix issue," director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates in March.


Noble added that ASD believed no data was compromised, but it did see attempts to access the network related to the vulnerability.

The ASD said the database held sensitive personal information, including health information, medical examination results, and psychological assessments.

"This particular network that we are talking about here for the Defence Force recruiting is an external network, not part of the Defence network," Defence CIO Stephen Pearson said.

As reported by the ABC, the DFRN was taken offline and quarantined for 10 days, from February 2 to February 12. A source told the ABC that the issue had been detected before Christmas and that crisis meetings were held twice a day over it. The database was run by ManpowerGroup, the ABC reported.

In response to Questions on Notice, Defence said Citrix issued its notice on 17 December 2019, but the agency only became aware of it a week later.

"On 24 December 2019, Defence became aware of the vulnerability through normal monitoring of open source reporting and commenced assessments with the DFR hosting provider to ascertain the relevance of this vulnerability to Defence," Defence said.

"The Australian Cyber Security Centre (ACSC) issued public advice on 25 December 2019 that notified of the vulnerability and mitigation strategies."

Defence said on December 27 that it began monitoring for "external reconnaissance and scanning attempts" against Citrix assets in its environment.

"On 6 January 2020, a Vulnerability Alert was issued to all identified system owners within Defence, and to our Managed Service Providers," it said.

"Between 6 January 2020 and 19 January 2020 Defence continued working with system owners and managed service providers to ensure mitigations were applied."

Defence's own timeline shows that a full month elapsed between the department becoming aware of the vulnerability on 24 December and ASD's intervention on 24 January, including nearly two weeks between that awareness and the 6 January vulnerability alert to system owners and managed service providers.
