How well does government secure customer information online?

Privacy Awareness week is coming up later this month (as is the Security in Government conference), but as I mentioned to a colleague on Thursday, every week needs to be privacy week at a government agency.

Privacy is a sticky problems for all organisations. No security system is perfect and, to-date, as technology has advanced the threats to guard against have increased.

At some point every organisations needs to make a trade off between the services they offer customers, the channels through which they are offered, the convenience of using secure services and the cost of raising security versus the risk of security breaches versus customer complaints regarding service levels.

The size and nature of government makes effective security imperative. The Government ID leaks report, prepared by Consumerreports.org, highlighted that more than 1 in 5 US privacy breaches are traceable back to the public sector. This reflects the size of government and amount of data it must collect, store and share, as much as it reflects security levels.

The report also commented that,

When a brokerage firm or retailer has a data leak, consumers can take their business elsewhere, as almost one-third of breach victims do, according to a recent study by the Ponemon Institute, a research group in Traverse City, Mich. But as customers of the government, consumers don’t have a choice about giving personal data to federal, state, and local officials.

In other words, people must provide information to government, but there is no financial incentive for government to maximise security. The impetus for security in the public sector has to come from political will backed up by appropriate legislation.


So how well does government do in securing customer information?
In the US the 2007 Computer Security report card (PDF) prepared for the House Oversight and Government Reform Committee in May this year, gave the US government a 'C' for computer security, up from a 'C-' the previous year.

While some departments stood out with 'A' scores, such as the Justice Department, a number scored 'F's, such as the Department of Treasury and the Department of Veteran's Affairs.

In Australia there is no such security ready reckoner. However the Australian National Audit Office (ANAO) frequently conducts security audits on various departments and agencies.

These are tabled in parliament and made available to be publicly scrutinised, so the media and public have access to quite detailed information on government security.

Based on these reports, Australia's government is doing reasonably well. As in the private sector there is no such thing as perfect security, and opportunities for improvement do exist, however there is a cultural and strategic focus on security and agencies do the best they can with the resources available to them.

Personally, considering the level and severity of incidents reported in Australia compared to the UK and US, for example, Australian government seems to have a good track record, albeit not a perfect one.


What can government do better?
Staff
This stems from a conversation I had on Thursday over lunch, where the discussion turned to the different types of security that can be put in pace.

Australian government seems to do quite well in guarding against external risks and protecting our networks and computer servers from attacks.

The weak point in many security systems are the employees. They need access to information about customers to do their jobs, but exposing the data can raise the risk of it being publicly exposed. This can occur in many ways, confidential data being copied only USB sticks or emailed home to be worked on, the well-known lost laptop/DVD situation, where a laptop or DVD containing customer records are accidentally left somewhere or stolen.

While there are strong guidelines to help reduce and address these issues, another approach is to investigate data-level security which prevents given data from being accessed except by authorised users.

Data protection can be accomplished through mechanisms - which reduces the human risk. It is also now quite developed for certain types of data, for example the 256bit security embedded in Adobe documents.

Customers
A second area government can focus on is customer education. There's less value in centrally securing information if customers do not guard their usernames and passwords.

This can be partially managed through systems enforcing more secure passwords and using different techniques to educate customers on how they should protect their own computers against key loggers and other hackers. Another part involves being more transparent to customers on how secure a system is and how diligence on the customer's part improves the system's security.