Cybersecurity for governmentsLiu Keyuan Daniel
Government information and communications technology (ICT) projects like Smart Cities, Open Data, and E-Government are gaining traction in government ministries and city halls around the world. These innovations are exciting, not only for citizens who want a more transparent and efficient government but also for public managers who view these technologies as valuable tools for connecting with their citizens. There are however concerns about whether governments can effectively manage the risks associated with implementing the complex information technology (IT) systems needed to support new ICT tools. This is especially true when considering that many governments today struggle to keep up with the changing demands of IT Security.
For example, it is widely reported that many government agencies in the United States are still using computers installed with Windows XP. Windows XP reached its end-of-life in 2014, meaning that Microsoft no longer provides fixes for vulnerabilities that hackers could exploit. This means that there are thousands of computers sitting on U.S. government networks that are potential entry points for hackers. If even the U.S. Federal government is not able to keep its systems safe, how can citizens around the world trust that their governments will do the same?
Australia has already been tested in this regard. In August 2016, the Australian Bureau of Statistics (ABS), the government agency in charge of the census, attempted an online census. The plan was that during a single day, Australians could log on to the ABS website and fill out an online census form. However, a few hours after the census went live, the ABS site was hit by a series of Denial of Service (DDoS) attacks. DDoS attacks use malware-infected computers to crash a server by sending an overwhelming number of concurrent requests. ABS had no choice but to abort the census. Many Australians were already sceptical of the government’s ability to protect their data before the incident; now it could take years for the government to rebuild their trust.
The Australian census is a good reminder that public managers, even those that have little to do with the day-to-day operations of maintaining an IT system, must be actively engaged in the process of identifying and mitigating IT risks. Unfortunately, most public managers are not equipped with the right roadmap for thinking about IT Security. Here are three key activities that public managers must participate in to ensure some measure of resilience in their systems.
First, every IT security regime should start with a strong IT security framework. An IT security framework is a set of documents outlining the operational and IT risks of a system, but the real magic comes from active stakeholder engagement during the drafting process. Though ownership of the framework should be given to a public manager, they will need the input from multiple stakeholders, including production support, IT management, data owners and internal auditors. If the system is citizen facing, there could be regulatory implications as well. The process of talking to these stakeholders and collating potential risks should be the first thing a public manager does after deciding to implement a new system.
This is true especially if the system is part of a Public-Private Partnership (PPP). This is because, from a risk perspective, the government is responsible if anything goes wrong, not the vendor. Therefore, including vendor management as part of the Framework will be important when negotiating service-level and production support agreements.
Second, public managers need to actively support the designing of controls. It is costly to mitigate every single risk one hundred percent of the time, so allocating resources is critical. Public managers should consider which control failures present the biggest risk to daily operations. Most risks can be mitigated quite easily since modern operating system already come installed with tools to reduce the risk of intrusion, and most networking devices have software that can block unwanted traffic.
The reality is that the biggest risk to an IT system is the people using it. Mitigating human activity is tough, which is why many systems have built-in checks and balances preventing users from carrying out unauthorised activities. A positive trend coming from the industry is that companies are requiring staff to be re-certified in IT security knowledge on an annual basis. Knowing simple things like how to spot a phishing email or not downloading files from unknown senders could be the difference between a smoothly operating system and disaster.
Third, review everything. Figuring out what your risks are and establishing controls for them is a huge step in in making systems more secure. But IT evolves and so do risks. Generally, a framework should be re-evaluated at least every other year, and controls should be audited annually. Beyond that, there needs to be a mechanism in place for public managers to monitor activities performed by the IT teams supporting the systems. This could be as simple as bi-weekly sign-offs of checklists or as in-depth as internal audits. Either way, there is no excuse for resting on one’s laurels when it comes to evaluating control frameworks.
The truth is that the backbone of any government’s operations is its IT infrastructure. Even a small municipal government needs a networked environment to manage daily activities, and if the network has an internet connection, it is fair game to hackers around the world. No government will ever be completely protected, but by being involved in the process of identifying and managing risks, public managers can certainly help to improve the technological resilience of their governments.
This article has been edited by Shinae Baek.