Friday, March 25, 2011

Is it practical for government agencies to block web-based mail?

The Australian National Audit Office has just released a report 'The Protection and Security of Electronic Information Held by Australian Government Agencies' based on a review of the approaches to information security by four agencies, the Office of Financial Management, ComSuper, Medicare Australia, and the Department of the Prime Minister and Cabinet.

Amongst other recommendations was one which has been much discussed on Twitter this morning, "emails using public Web-based email services should be blocked on agency ICT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure."

This reflects the recommendation in the Defence Signals Directorate's Information Security Manual, the 'bible' for Australian Government agencies when it comes to ICT security, which states on page 100 that:
Agencies should not allow personnel to send and receive emails using public web-based email services.

The concerns are very clear and relevant - web-based email systems can easily be used, inadvertently or deliberately, to distribute large quantities of citizens' personal information, or an agency's In Confidence or other classified information, rapidly and to large numbers of people, making it impossible to contain the spread of the information.

Web-based email is also a potential source of attacks against an agency, through viruses, worms and trojans in email attachments (which may not be scanned as thoroughly as departmental email can be) and through links in emails to compromised websites.

I don't dispute these real concerns. They are concerns for corporations as well.

However, I do ask - what is 'web-based email'?

Most people are aware of the classic web-based email services, Windows Live Hotmail, Yahoo mail and Gmail amongst many, many, many similar services (here's a list of 18 web-based email services - and that's just a start!)

These services follow a standard email model - an inbox, outbox, capability to send and receive email, with attachments and some ability to organise and file emails into folders. Most have automated spam-checkers too, some exceptionally good.

However while they LOOK like email software, they aren't really email software. They are simply web pages providing access to text, links, file upload/download and some buttons.

Any webpage can be designed the same way. In fact it would be hard to find any webpage without at least two of the same features.

In other words, while they look like email and act like email, they're really no different from going to any website which allows people to click on a link or download a file.

Regarding the risk of downloading or clicking on a link with a malicious payload (virus, trojan, etc), web-based email pages pose no additional risk over standard web pages except, perhaps, that their content is targeted at an individual with a government email address.

There may actually be less risk in using popular and widespread web-based email services as they do employ sophisticated scanning techniques to limit spam and malicious payloads. It is in their interest to not allow their users to become infected with viruses as their business would suffer as a result.

In fact, in some cases the large web-based email providers may offer more security in preventing spam and viruses than a corporation or government agency can offer to its staff using official email accounts. The large web-based email providers have hundreds of millions of users and their business is providing web-based email, meaning they hire the best talent, employ leading edge solutions and invest far more into their email security than most corporations or government agencies can afford.

So far I've only talked about the identifiable web-based email systems; there are also several broader considerations.

More and more online services are implementing systems like web-based email for sending and receiving messages within a web browser.

This includes services like Facebook, LinkedIn, YouTube, Slideshare, Ning, Amazon, all forum systems and micro-blogging services like Twitter (allowing direct messages). Most ISPs offer web-based access to home email accounts. Even your bank probably does it.

In all cases these services provide you with the ability to send and receive messages, including links and sometimes also attachments.

They effectively act like web-based email services, without having the same name.

Blocking web-based email systems without also blocking access to the provider's other services, such as Google's analytics and webmaster systems, can be tricky. However, it is (mostly) possible.

Blocking these other pseudo-web-based email services without blocking the service itself is most probably impossible in most cases. That would mean blocking staff from being able to monitor or interact (officially) over social media services, or even from accessing their bank accounts from work.
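As an added illustration (not from the original post), a small Python policy check of the point above: classic webmail sites can be denied by hostname, which leaves www.google.com (analytics, webmaster tools) untouched, whereas messaging inside Facebook or LinkedIn shares its hostname with the rest of the service and can only be separated by URL path, which an HTTPS proxy sees only when it decrypts traffic. The webmail hostnames are real; the messaging paths and the policy rules are constructed assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed policy data for this example (not an agency's real ruleset).
# Classic webmail lives on dedicated hostnames, so a proxy can deny these
# without touching the provider's other products on other hostnames.
WEBMAIL_HOSTS = {"mail.google.com", "mail.yahoo.com", "mail.live.com"}

# "Pseudo-webmail": messaging features that share a hostname with the rest
# of the service, distinguishable only by path. The paths are hypothetical
# placeholders, not the services' actual routes.
MESSAGING_PATHS = {"facebook.com": ("/messages",), "linkedin.com": ("/inbox",)}


def registrable_domain(host):
    """Simplified: last two labels (ignores multi-part suffixes like co.uk)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def decide(url, sees_path=True):
    """Return (allowed, reason) for a request.

    sees_path=False models a proxy that sees only the hostname of an HTTPS
    request (e.g. from SNI) and not the path, which is the usual case when
    traffic is not decrypted.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in WEBMAIL_HOSTS:
        return (False, "dedicated webmail host")
    site = registrable_domain(host)
    if site in MESSAGING_PATHS:
        if not sees_path:
            # Host is shared with legitimate use; without the path the
            # proxy cannot block messaging without blocking the whole site.
            return (True, "shared host; path not visible to proxy")
        for prefix in MESSAGING_PATHS[site]:
            if parts.path.startswith(prefix):
                return (False, "messaging path on shared host")
        return (True, "non-messaging use of shared host")
    return (True, "not a mail-like service")


def evaluate(urls, sees_path=True):
    """Apply decide() to a batch of URLs; returns {url: (allowed, reason)}."""
    return {u: decide(u, sees_path) for u in urls}


if __name__ == "__main__":
    sample = [
        "https://mail.google.com/mail/u/0/",
        "https://www.google.com/analytics/",
        "https://www.facebook.com/messages/",
        "https://www.facebook.com/somepage",
    ]
    for mode in (True, False):
        print("proxy sees path:", mode)
        for url, (ok, why) in evaluate(sample, mode).items():
            print("  ", "ALLOW" if ok else "DENY ", url, "-", why)
```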

Another consideration is the vast array of services that could not remotely be described as having web-based email qualities but still allow people to share information online.

These services, like YouSendIt, DropBox, Scribd and a host of others (including web-based FTP services provided by ISPs and others) allow people to upload a file, or often many files, and share them widely. There are also services for making comments - every newspaper has one - and many services for anonymising where the data is coming from to prevent detection.

Now all of this might still be manageable if it were only a defined set of organisations that provided all these services. However, the barrier to setting up a new service that looks and performs like web-based mail, or that allows files to be transferred, is almost non-existent.

Open source software exists to allow any person to create their own service in a matter of hours. Web-based systems allow you to create a web-based email facsimile in a matter of minutes. These services are widespread, easily discoverable and cheap.

People can set one up from home, or any public access computer and then access it at work. That's if they are not amongst the nearly 40% of Australians with personal smartphones, or the millions of others with laptops, netbooks and tablets and 3G connections to the internet. Personal internet connections at the office, every day.

I don't envy the job of ICT Security Advisors.

If an agency wished to prevent staff from sending files and information online to unauthorised recipients, or prevent the possibility of staff clicking on links or downloading files from the web that may carry viruses, there are only three solutions:
  • whitelist a bare minimum number of sites that staff can access,
  • turn off internet access completely, or
  • establish effective policy guidance and education for staff, have managers monitor use and ICT Security advisers provide support and training.

While it may be easier for organisations to pick one of the first two options, they will experience staff backlashes, have difficulty recruiting younger people (now including people in their 40s) and be unable to effectively engage and respond to changing global and national events.

These approaches won't necessarily limit the use of personal internet-connected devices at work; many more staff might bring them in to get around the security settings (so they can do their banking and respond to critical personal events). These approaches may even increase the incidence of information leakage as disgruntled staff use the fax or photocopier and walk out the door.

The third option, which requires extensive senior leadership and support, is more effective in the long run, but is a harder sell due to the time and ongoing education commitment. However it is, in my view, the only approach to managing the use of web-based email and all similar services - in effect the entire internet - which serves the long-term interests of governments, agencies and staff.


  1. As a former IT Security Adviser for a Federal government department, I concur 100 per cent.

    The instinct from many agencies will be to take the easy options - 1 and 2. However, long term, neither of these will be effective.

    Expanding this kind of thinking to include smarter responses on mitigations is a far better idea.

  2. Excellent and thoughtful post Craig. Thank you.

    Security is not a simple issue and cannot merely be addressed by blocking access to what would amount to less than 1% of the potential problem. This area is so rapidly developing, it will almost be impossible to provide a technical solution - there will ALWAYS be a workaround, or loophole or significant areas that would need technical fixes. Taking the proposed course of action is time consuming, inefficient and in the end highly ineffective.
    Like most things in the technology field, security is not a technology issue - it's a people issue. People that use the system need to more fully understand the implications of their actions. They need also to be enabled and empowered to make their own decisions based on good training and knowledge sharing. Unfortunately our organisations, especially the larger ones, and more especially the public sector, have no idea where to start and how to manage.

  3. Great post Craig. It would be great if those responsible for the policy came on here and defended their policy. Discussion is the only way human beings can make progress in making difficult judgements. Perhaps there's more to be said for their side of the story. I'd certainly like to hear it and like to see the people who know the technical and other details really thrash it out.

  4. Craig,

    I'm not endorsing either side here, (because I don't know enough) but on thinking about it, why can't the IT security architects just
    1) blacklist known webmail sites and
    2) issue instructions to public servants not to use any other ones?

    Doesn't seem to be a lot of training or complexity there?

  5. This is a timely discussion, as I have only recently drafted a revised IT acceptable use policy for my agency incorporating the ‘don’t use webmail’ stipulation, and it was the first thing seized upon by users as ‘why not?’

    Further intrigue comes from the ANAO report, the new ISM/PSPF, and an ACS morning briefing this week I attended where Craig Valli from ECU posited the question ‘who really needs internet access at all in your organisation’?

    As you point out the definition of these types of services extends way beyond web-based email services, and just blocking Hotmail/Gmail won’t solve the problem: it would require a very strict whitelist or total internet restriction to enforce. Education won’t solve it as the either malicious, bored, or arrogant employee will simply ignore the advice and do it anyway.

    A totalitarian regime of blocking and banning is also contradictory to the content of the Protocols for Online Media Participation, and the Declaration of Open Government – both of which talk of increasing collaboration and engagement.

    I still foresee a future conflict where the rhetoric of open government and the practicalities of agency security and public information confidentiality collide. Wikileaks has given us a flavour of what this might look like, and the webmail issue presents us with a small scale example of contradictory information. Bigger and worse issues are to come (particularly once we get to the tightened shared internet gateway infrastructure over-sighted by DSD late this year/next year).

  6. Hi Nicholas,

    If blacklisting major webmail sites and then instructing people to not use other sites worked, why blacklist at all - just instruct people. Surely if we can ask people to not look at less well known webmail sites we could just ask them not to look at the leading ones as well. If not, what is the distinction?

    My view is that the issue is not around what is blacklisted, it is around the level of instruction, education and support.

    If we ensured that staff knew what to do, and trusted them to do it, we would not have to block anything. Blocking exists where organisations recognize they cannot train and trust all of their staff and don't trust management to oversee staff behaviour and alert them if they've behaved inappropriately.

    If an organisation doesn't educate and train, or doesn't completely trust its own management, blocking becomes an option. I will hazard a guess that organisations that block more, trust and train less. This then impacts on culture, other work practices, recruitment, transparency and effectiveness.

    I reckon we will never get to a position where we trust everyone in an organisation implicitly, however I do believe the best leadership and management finds ways to enable staff, not disable them. This involves significant communication, training and support however it may also involve a level of blocking as a backup for inadvertent actions - but in a way that supports staff.

    Training must be harder than it looks as the vast majority of organisations take the simpler route of blocking more and training less. Unless, of course, the decision to block is ascribed to other factors such as leadership, management, systems, budgets or staff.

  7. This policy is not intended to stop people using the internet (though there are some in management who would probably like that). It is intended to stop casual use of web based email. As you say, anyone competent can get around these blacklists but most will not have the ability. I think it really isn't about viruses etc, but rather PR ('government employees waste 25% of year on personal email!'), leaking of unannounced policy or plain theft. Your average computer user isn't going to think "I can't use hotmail, I'll just upload it as a scribd document"

  8. Hi Craig, Your answer doesn't really satisfy me because it seems to suggest two polar opposites.

    I think high trust is important and so do you, but some surveillance and blacklisting where it can't do any harm can be of some assistance with high volume web email systems. (Am I missing something if I think that there is not much use in visiting or except to look at and 'do' your email. And that's against policy.)

    Given that there is a technological fix here, why not use it. It doesn't seem to do any harm, and as you say it doesn't entirely displace needing to inform your staff what to do and to trust them - and verify. It's just that 90% of the work is done for you - and no practical harm done (because these sites are not useful for anything other than doing one's email) - with a bit of a techno fix.

  9. Re Nicholas' comments I'm not sure I understand the real difference between "doing" ones email and say making a personal phone call or even writing a letter. Surely the issue is one of protecting systems from malicious or accidental corruption and ensuring that staff focus is maintained on achieving the required tasks.
    Communication is in the nature of humans be it round the water cooler, on the phone or by email. Setting clear expectations, promoting responsible use and informing of the potential dangers and consequences is probably better management than promoting sneakiness by banning something for which there are numerous workarounds.
    Good management is sometimes empowering people to do (say) their banking online rather than spending half their lunch time in a queue, although admittedly sometimes counselling is required.

  10. Paul, I appreciate your arguments and the phone analogy is apposite.

    I'm not taking a side here, I'm trying to see the argument for banning from the best possible light. Then at least I'll understand the issues better.

  11. Hi Nick,

    A couple of things can occur when web-based email services are blocked.

    1) people redirect their personal email to their work account, resulting in more time spent on personal matters, increased load on Departmental servers and greater confusion between personal and work activities.

    2) it can present challenges in time-based activities such as testing enewsletters, where work systems may have scanning systems that delay the receipt of some emails for hours, or even days.

    3) it increases the propensity for staff to carry personal computing devices - which can create other types of security issues for a workplace.

    4) When official email systems go down (but the net remains active) it can result in a government agency being unable to conduct its business to the extent required by government and the public. The recent floods in Brisbane are an example. Many government employees relied on services such as webmail and services like Facebook to remain in contact and share necessary information.

  12. Hi Craig,

    In response to your points:
    1. In this case, the department's firewall can detect viruses, malware, spyware etc which is a good thing.
    2. Departments where I've worked generally have a computer outside the department's network, eg laptop with wireless broadband, for testing when sites are up, enewsletters, registration tasks etc. Using computers on the network sometimes gives a false positive by showing things are working, when outside the network they are not.
    3. I don't think it increases how many staff carry personal computing devices. They might not like some of their personal emails ever being on the network.
    4. No email system is infallible, even free ones.

    But in providing a counter-balance to your views, I've always been a believer in trusting staff and relying on management to resolve staff breaches.

    And to take Nicholas' point, the SOE could include a list of approved bookmarks pre-installed in the browser for staff to use and their use incorporated into staff inductions.

    @Jeff. Agreed.

  13. Since reading this piece some further thoughts have been provoked. Looking at my own communications, my email use is almost exclusively business. A mixture of personal and work related business certainly but compared with quite recently there is an almost total lack of social communication via email as it has nearly all shifted to my various social networks.
    "Well d'uh" is probably the correct response as this shift is intuitive, logical and already a marked trend. Social interaction is moving away from the clumsy, slow and severely restricted format that is email and into the virtual pub, meeting room, head space etc that is sm. Increasingly too, my work related interactions are moving to various sm, im being the most common.
    I am convinced that time is not the appropriate performance metric for the workplace (as is implied). The important measure is how many widgets we make and the quality of those widgets, not how long we spend in the widget factory. I too would like to see how this issue is being considered in the broader context of widget production.
    Given recent trends the appropriate strategy for reducing personal emails may be to simply wait a while, it worked for the telephone and snail mail after all.
    Apropos of nothing really but I have five screens of various sizes within 2 metres of where I am sitting.

  14. aka @LegoStormtroopr

    In response to the question "Is it practical for government agencies to block web-based mail?"

    Short answer: No.

    Long answer:
    It isn't practical long term to rely on blacklisting of personal sites for staff at all. The internet simply moves too fast for policy to keep up.
    In this case "web-based email" is banned, but as Craig pointed out this is too narrow.

    A better objective is to encourage staff to minimize non-work related communications. Note minimize, as an outright ban is unreasonable and unenforceable.

    The secondary reason for allowing personal email access is that I have a life outside of work. I am an active member of a few professional organisations. Some of these I joined prior to my current job so had to use personal email, but for many reasons, I communicate to these communities through my "personal" email, but frequently discuss work, as my professional career and image is a factor of 'me' not my current employer.

    It's important I am able to control that image, so some organisations I am part of twice - one for home and work emails, others I just don't expose my work face to - which may in fact be a detriment to my employer as my image doesn't reflect on them as much as it could.

    Ultimately, employers and employees should trust each other to work in the others best interests... but that trust is rapidly eroding.