It would be an understatement to say there are some New Zealanders who don’t completely trust our government. There are probably more who have not yet completely overcome their mistrust of ICT.
To experience a privacy failure in government ICT, when more and more government processes and transactions are being consigned to digital channels is to strike powerfully at public confidence. In recent months we have had two accidental releases of public data, from the Earthquake Commission and the Accident Compensation Corporation and one deliberate penetration of a core government agency – the Ministry of Social Development - albeit only for the purpose of demonstrating the vulnerability.
Though EQC is on the fringe of government, it deals with particularly sensitive transactions.
The naysayers led by John Key who dismiss the matter as trivial and only to be expected from time to time, do not serve public concern well. But neither, really, does a panic reaction like closing all internet and email ports, as EQC did.
A measured response, with admission of the failure, the harm done and the stress caused, and a reassurance that the specific vulnerabilities had been remedied would have served public confidence better. In EQC’s case it appears the risk was in the easy autocompletion of a name on an email form; in ACC’s the ability to attach an email in its entirety to another email.
You have to ask, though, would the absence of an autocomplete facility or a warning trigger when an email addressee falls outside the expected take too many seconds out of a staffer’s day or detract from the organisation’s long-term efficiency?
We will have to accept that the files on EQC and ACC emails were sent by accident, and any implication of the recipient taking advantage of the information has been discounted. Nevertheless shortcomings in security open up the chance for irregular practice. Whether a hypothetical internal “mole” involved in any deliberate leak could be called to account before a court is dependent on an interesting hole in the law – Crimes Act Section 252 subsection 2, which legally absolves an employee entitled to use a computer system lawfully from penalty for any misuse.
The EQC breach has led to an unsavoury Twitter squabble between ICT Minister Amy Adams and Opposition spokesperson Clare Curran. Xero CEO Rod Drury has even weighed in from the sidelines — to object to Curran’s use of his remarks on the need for a government chief technical officer to bolster her (weak) argument that some blame for the EQC breach lies at Adams’s door. The surface consideration is which minister or chief executive is responsible for securing the government’s computer systems – Curran implies it’s Adams; Adams ducks and points to the Government CIO and Internal Affairs as the responsible ‘person’ and department for government ICT security.
The deeper question is whether, as Curran suggests, the failure had anything to do with the low “national spend on educating, training, and developing skilled technical personnel.”
I suggest not; if the technical personnel had been adequately briefed, they would have disabled email-to-email attach or autocomplete or – maybe a radical suggestion – implemented encryption of sensitive data if it was really necessary to send it by email. It’s well known technology; even home computer users can set up basic public-key encryption.
A public-key infrastructure is not difficult to maintain. It ensures that email goes to the right person, comes from the right person and has not been corrupted on the way. SEEmail (Secure Electronic Environment Mail) was designed with these objectives in mind, as the first priority of the State Services Commission’s e-government unit back in the early years of this century.
Development of private intranets and extranets should have, in any case, made sending sensitive data by email an unnecessary practice.
The failure to specify such precautions comes from higher up in the chain of development, with a lack of appreciation of adequate security precautions among managers and business analysts.
InternetNZ’s Susan Chalmers is closer to the true cause than Curran when she says privacy in computer systems should be designed in, not tacked on as an afterthought. The necessity to “put it right” post-facto is an embarrassment and hits public confidence. Now we are getting some measure of all-of-government action in ICT, would the drafting of a set of standard security tools and insistence on, or at least strong recommendation of, their use by all government-associated organisations be that radical a suggestion?
• Bell is a Computerworld journalist who has been reporting on IT for 35 years