A matter of trust

Stephen Bell looks at the recent privacy failures in government ICT

It would be an understatement to say there are some New Zealanders who don't completely trust our government. There are probably more who have not yet completely overcome their mistrust of ICT.

To experience a privacy failure in government ICT, when more and more government processes and transactions are being consigned to digital channels is to strike powerfully at public confidence. In recent months we have had two accidental releases of public data, from the Earthquake Commission and the Accident Compensation Corporation and one deliberate penetration of a core government agency -- the Ministry of Social Development - albeit only for the purpose of demonstrating the vulnerability.

Though EQC is on the fringe of government, it deals with particularly sensitive transactions.

The naysayers led by John Key who dismiss the matter as trivial and only to be expected from time to time, do not serve public concern well. But neither, really, does a panic reaction like closing all internet and email ports, as EQC did.

A measured response, with admission of the failure, the harm done and the stress caused, and a reassurance that the specific vulnerabilities had been remedied would have served public confidence better. In EQC's case it appears the risk was in the easy autocompletion of a name on an email form; in ACC's the ability to attach an email in its entirety to another email.

You have to ask, though, would the absence of an autocomplete facility or a warning trigger when an email addressee falls outside the expected take too many seconds out of a staffer's day or detract from the organisation's long-term efficiency?

We will have to accept that the files on EQC and ACC emails were sent by accident, and any implication of the recipient taking advantage of the information has been discounted. Nevertheless shortcomings in security open up the chance for irregular practice. Whether a hypothetical internal "mole" involved in any deliberate leak could be called to account before a court is dependent on an interesting hole in the law -- Crimes Act Section 252 subsection 2, which legally absolves an employee entitled to use a computer system lawfully from penalty for any misuse.

The EQC breach has led to an unsavoury Twitter squabble between ICT Minister Amy Adams and Opposition spokesperson Clare Curran. Xero CEO Rod Drury has even weighed in from the sidelines -- to object to Curran's use of his remarks on the need for a government chief technical officer to bolster her (weak) argument that some blame for the EQC breach lies at Adams's door. The surface consideration is which minister or chief executive is responsible for securing the government's computer systems -- Curran implies it's Adams; Adams ducks and points to the Government CIO and Internal Affairs as the responsible 'person' and department for government ICT security.

The deeper question is whether, as Curran suggests, the failure had anything to do with the low "national spend on educating, training, and developing skilled technical personnel."

I suggest not; if the technical personnel had been adequately briefed, they would have disabled email-to-email attach or autocomplete or -- maybe a radical suggestion -- implemented encryption of sensitive data if it was really necessary to send it by email. It's well known technology; even home computer users can set up basic public-key encryption.

A public-key infrastructure is not difficult to maintain. It ensures that email goes to the right person, comes from the right person and has not been corrupted on the way. SEEmail (Secure Electronic Environment Mail) was designed with these objectives in mind, as the first priority of the State Services Commission's e-government unit back in the early years of this century.

Development of private intranets and extranets should have, in any case, made sending sensitive data by email an unnecessary practice.

The failure to specify such precautions comes from higher up in the chain of development, with a lack of appreciation of adequate security precautions among managers and business analysts.

InternetNZ's Susan Chalmers is closer to the true cause than Curran when she says privacy in computer systems should be designed in, not tacked on as an afterthought. The necessity to "put it right" post-facto is an embarrassment and hits public confidence. Now we are getting some measure of all-of-government action in ICT, would the drafting of a set of standard security tools and insistence on, or at least strong recommendation of, their use by all government-associated organisations be that radical a suggestion?

" Bell is a Computerworld journalist who has been reporting on IT for 35 years

Join the CSO newsletter!

Error: Please check your email address.

Tags securitygovernmentprivacy

More about State Services Commission

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Stephen Bell

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts