Three separate inquiries have been launched following the closure of 700 kiosks in WINZ offices after a major security hole was discovered by blogger Keith Ng. The office of the privacy commissioner has launched an inquiry, there is a Deloitte’s inquiry into what happened, and the State Services Commission is conducting a broader inquiry into public-facing government computer systems.
Three government inquiries are not enough.
Somebody has to take personal responsibility for this grave error. If a building falls down an engineer takes responsibility, if there is gross financial mismanagement an accountant takes responsibility. This IT system failure has real-world consequences, and the person who signed off on those kiosks must resign. It’s a tough thing, but a public resignation would demonstrate that the Ministry of Social Development is serious about IT security.
As we know Ng, following a tip off from Ira Bailey, walked into two branches of WINZ and downloaded thousands of invoices from a kiosk computer onto a USB stick and walked out. These invoices contained sensitive information about at-risk children, including where they lived.
There was other information, such as the names of people who owed money to the MSD, but for me the fact that the contact details of vulnerable children could have been accessed by any member of the public is astounding.
It’s a horrible thing, but there are people in our society who will harm their own children. That’s why those children have false names and live in secret addresses. MSD’s core job is keeping that information safe. The IT department that built those kiosks and failed to implement the most basic security protocols – as IITP CEO Paul Matthews told me “it wasn’t rocket science” – could have exposed those children to harm.
We can only hope that Ng and Bailey – who have acted with integrity in bringing this to public attention – were the only ones to access this information. But we shouldn’t have to hope, we should know.
There will be many pointing to ICT budget cuts, the loss of CIO roles, the push for the public service to “do more with less” to explain why the kiosk failure occurred. But there is quite a bit of human culpability in there too. You must stand by what you have built. When Telecom’s XT outage occurred top executives at both Telecom and Alcatel Lucent resigned and it was the right thing to do.
There is also the involvement of Dimension Data, which carried out an audit in April 2011, apparently raised security issues and recommended changes. The Deloitte report will outline their involvement, so we don’t know at this stage what they discovered and, in fairness, the company may not have been aware that their recommendations weren’t acted upon.
But in general, what should security consultants bound by commercial contracts do in these circumstances? Is there an IT professional code of conduct which says there is an obligation to speak out if steps are not taken to fix security flaws when sensitive data is at risk?
I suspect the three government reports will provide technical explanations about what went wrong and recommend steps to ensure this situation doesn’t occur again. Technical solutions are likely to be easier to implement than changing an IT culture which, Matthews says, regards security and privacy as a “bolt on” – something that’s added, rather then something that is at the heart of the project.
‘First, do no harm’, should be the mantra of every IT executive working on government projects that deal with sensitive data – whether that’s financial or medical or even the personal details of where a citizen lives.
Prime Minister John Key says the kiosk failure will not slow down the government’s goal that “by 2017 an average of 70 percent of New Zealanders most common transactions with government will be completed in a digital environment.”
But can New Zealand citizens trust government IT departments to protect their personal information?
Until these three inquiries are complete, we can’t be sure.