A matter of trust
Stephen Bell looks at the recent privacy failures in government ICT
IDG News Service - It would be an understatement to say there are some New Zealanders who don't completely trust our government. There are probably more who have not yet completely overcome their mistrust of ICT.
To experience a privacy failure in government ICT, when more and more government processes and transactions are being consigned to digital channels is to strike powerfully at public confidence. In recent months we have had two accidental releases of public data, from the Earthquake Commission and the Accident Compensation Corporation and one deliberate penetration of a core government agency -- the Ministry of Social Development - albeit only for the purpose of demonstrating the vulnerability.
Though EQC is on the fringe of government, it deals with particularly sensitive transactions.
The naysayers led by John Key who dismiss the matter as trivial and only to be expected from time to time, do not serve public concern well. But neither, really, does a panic reaction like closing all internet and email ports, as EQC did.
A measured response, with admission of the failure, the harm done and the stress caused, and a reassurance that the specific vulnerabilities had been remedied would have served public confidence better. In EQC's case it appears the risk was in the easy autocompletion of a name on an email form; in ACC's the ability to attach an email in its entirety to another email.
You have to ask, though, would the absence of an autocomplete facility or a warning trigger when an email addressee falls outside the expected take too many seconds out of a staffer's day or detract from the organisation's long-term efficiency?
We will have to accept that the files on EQC and ACC emails were sent by accident, and any implication of the recipient taking advantage of the information has been discounted. Nevertheless shortcomings in security open up the chance for irregular practice. Whether a hypothetical internal "mole" involved in any deliberate leak could be called to account before a court is dependent on an interesting hole in the law -- Crimes Act Section 252 subsection 2, which legally absolves an employee entitled to use a computer system lawfully from penalty for any misuse.
The EQC breach has led to an unsavoury Twitter squabble between ICT Minister Amy Adams and Opposition spokesperson Clare Curran. Xero CEO Rod Drury has even weighed in from the sidelines -- to object to Curran's use of his remarks on the need for a government chief technical officer to bolster her (weak) argument that some blame for the EQC breach lies at Adams's door. The surface consideration is which minister or chief executive is responsible for securing the government's computer systems -- Curran implies it's Adams; Adams ducks and points to the Government CIO and Internal Affairs as the responsible 'person' and department for government ICT security.
The deeper question is whether, as Curran suggests, the failure had anything to do with the low "national spend on educating, training, and developing skilled technical personnel."
I suggest not; if the technical personnel had been adequately briefed, they would have disabled email-to-email attach or autocomplete or -- maybe a radical suggestion -- implemented encryption of sensitive data if it was really necessary to send it by email. It's well known technology; even home computer users can set up basic public-key encryption.
A public-key infrastructure is not difficult to maintain. It ensures that email goes to the right person, comes from the right person and has not been corrupted on the way. SEEmail (Secure Electronic Environment Mail) was designed with these objectives in mind, as the first priority of the State Services Commission's e-government unit back in the early years of this century.
Development of private intranets and extranets should have, in any case, made sending sensitive data by email an unnecessary practice.
The failure to specify such precautions comes from higher up in the chain of development, with a lack of appreciation of adequate security precautions among managers and business analysts.
InternetNZ's Susan Chalmers is closer to the true cause than Curran when she says privacy in computer systems should be designed in, not tacked on as an afterthought. The necessity to "put it right" post-facto is an embarrassment and hits public confidence. Now we are getting some measure of all-of-government action in ICT, would the drafting of a set of standard security tools and insistence on, or at least strong recommendation of, their use by all government-associated organisations be that radical a suggestion?
" Bell is a Computerworld journalist who has been reporting on IT for 35 years
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- CIOs Deliver Productivity Breakthroughs with Intelligent Digital Signage Retailers have long recognized the influence that digital signage provides over a shopper's point-of-purchase decision making process.
- ERP in the Cloud and the Modern Business View IDC's White Paper, to review IDC CloudTrack Survey findings, gain expert insight into the challenges and opportunities the cloud presents, and determine...
- Study: Total Economic Impact of Google Apps Employees can work faster and IT spending can decrease when companies switch to Google Apps, says a commissioned study by Forrester Consulting. Going...
- Protecting Digitalized Assets in Healthcare Healthcare providers face an urgent, internal battle every day: security and compliance versus productivity and service. For most healthcare organizations, the fight is...
- Top 4 Digital Signage Fails Join RMG Networks for a look at four of the most common reasons digital signage fails in corporate businesses. Learn about strategies to...
- Increasing the Value of Your Reports and Dashboards Learn how incorporating other analytical capabilities such as predictive modeling and visualization can increase the value of your reports and dashboards by providing... All Management White Papers | Webcasts