Ronald Reagan once famously said: "The nine most terrifying words in the English language are, 'I'm from the government and I'm here to help.'"
Inside the government itself, the most terrifying words in the English language may be: "The information security office is here to facilitate your office's goals and objectives."
So says a new book, Larstan's The Black Book on Government Security (publication date October 2006), intended to introduce managers and IS professionals to the key cyber security challenges faced by all levels of government.
The book notes that while awareness of the importance of cyber security is growing at all levels of government, awareness is one thing; action another. One of government's biggest challenges is to transition from a general awareness of cyber security to concrete implementation of good cyber security practices. Ensuring cyber security issues are championed by leadership, embraced by business managers, implemented by users and understood by all is like herding cats, it says, especially when cyber threats are very difficult to understand.
"A cyber attack is so amorphous it is often difficult to grasp the concept. It's nearly impossible to determine where a cyber attack will come from, who will launch it, the exact target and the nature and extent of the payload," the book says. "This uncertainty is fostering an accelerating loss of trust in the systems we have relied on for years."
Here a service-oriented architecture (SOA) has a major role to play. There have been significant demands on government to share information in the wake of 9/11, notes co-author Paul Patrick, vice president and chief architect, AquaLogic, BEA Systems.
These demands create huge issues across governments, and even within some government agencies. The US Department of Homeland Security (DHS), for example, is a composite of 17 agencies rolled into one and now charged with acting like a single entity. While information sharing issues may not be as obvious - nor as pressing - in other agencies or governments, they nonetheless exist.
"In fact, there has really been a culture shift in government agencies and IT always reflects the culture of a given organization. In the past, government agencies were acculturated NOT to share, so IT was built in silos; proprietary apps and codes built barriers against information sharing," Patrick says.
"Now that information sharing is mandated, governments have to look at how to tie systems together. Obviously, this is huge integration issue, and this is where a service-based approach comes in. To facilitate info sharing, an organization can create an SOA, a collaborative system for linking resources on demand, with a common infrastructure based on open standards. SOA integrates functions to provide actionable data.
"In terms of security, in the past, security was built into individual, often proprietary apps. It was as if each agency thought it was the center of the world. Now that agencies realize that is definitely NOT the case, how do they facilitate sharing-becoming a community of interest-while at the same time creating a safe and consistent. In order to do this, you need to get security out of the individual application codes, and instead attach it to the metadata in the infrastructure. In other words, security needs to be abstracted away form the apps."
The US government - the world's largest IT enterprise - is moving full tilt ahead toward creating a service-based environment, Patrick notes. And the Australian government, with the recent completion of two major projects, is also moving quickly into service-based territory.