Showing posts with label security. Show all posts

Friday, August 15, 2008

Does government assess online channel risks effectively?

When chatting with a friend about risk management via IRC recently, he referred me to the essay The Psychology of Security.

This is quite a good paper discussing how poor humans are at understanding and assessing risks and their impact on security.

Most of the time, when the perception of security doesn't match the reality of security, it's because the perception of the risk doesn't match the reality of the risk. We worry about the wrong things: paying too much attention to minor risks and not enough attention to major ones. We don't correctly assess the magnitude of different risks.

Gain versus loss
One area it explores is how most people are more worried about the risk of a potential loss than inspired by a potential gain - even when the probability is the same.

When the same risk is presented in two different ways, as the probability of a gain or as the probability of a loss, people respond differently, as illustrated in this example from the essay,
In this experiment, subjects were asked to imagine a disease outbreak that is expected to kill 600 people, and then to choose between two alternative treatment programs. Then, the subjects were divided into two groups. One group was asked to choose between these two programs for the 600 people:
  • Program A: "200 people will be saved."
  • Program B: "There is a one-third probability that 600 people will be saved, and a two-thirds probability that no people will be saved."

The second group of subjects were asked to choose between these two programs:

  • Program C: "400 people will die."
  • Program D: "There is a one-third probability that nobody will die, and a two-thirds probability that 600 people will die."
In this experiment A = C and B = D, so logically both groups of subjects should choose the same option.
Yet most people (72%) choose A over B, and most people (78%) choose D over C. People make very different trade-offs if something is presented as a gain than if something is presented as a loss.

A familiar or known risk is underrated
Another area discussed was how people tended to worry less about the familiar than they did about the unfamiliar and have difficulty assessing risks outside their experience. To quote from the essay,
  • People exaggerate spectacular but rare risks and downplay common risks.
  • People have trouble estimating risks for anything not exactly like their normal situation.
  • Personified risks are perceived to be greater than anonymous risks.
  • People underestimate risks they willingly take and overestimate risks in situations they can't control.
  • Last, people overestimate risks that are being talked about and remain an object of public scrutiny.

What does this mean for assessing online channel risks?
The internet is still very young and poorly understood by many organisations.

The risks are unfamiliar and outside the experience of many people.

While there are many possible gains from using the online channel, there is also the risk of loss: potentially a loss of reputation, and the opportunity cost of funnelling resources into online initiatives that fail.

Based on how humans commonly assess risks, the combination of an unfamiliar environment and a potential downside can lead to many online risks being exaggerated, whereas the risks of a more familiar channel would be understated.

For example, consider the alternatives of having a minister or senior public servant engage in a scheduled online chat versus participating in a radio talkback session.

For the talkback the risks would often be considered minimal - it's a well-known environment, and while there are risks of awkward questions from the host or callers, these are accepted as part of the background of the medium and processes on how to manage them are well understood.

For the online chat, the risk of unmoderated chatters could be raised as a major concern, even though mechanisms for handling this exist and questions can be screened even more effectively than on radio.

There could also be risks raised around hacking, which can also be thoroughly mitigated. For the radio talkback the risk of someone blocking the radio signal or sabotaging the power supply to the transmitter would not even register.

Finally, there could be concerns raised around the ability of the minister/public servant to communicate clearly and effectively via the chat tool. This can also be managed - some answers can be pre-prepared, or a typist could be on hand to type the responses as they are needed.

On talkback radio a similar concern would be raised - and managed through media training.

There are many other examples I've witnessed and heard about where online channel risks were exaggerated when compared with the risks of other channels.


How to ensure that online risks are assessed accurately
This is the billion dollar question - determining a process that allows risks related to the online channel to be accurately weighed and considered alongside risks for other channels.

My feeling is that the only effective solutions are education, process change and time.

Of these, the first can be directly influenced. Those managing their organisation's online channel or web-based services need to be actively educating others across their organisations on the benefits and issues of the online channel. This raises familiarity and understanding, helping others normalise the internet in their worldview and thereby begin treating online risks in the same way as those for other channels.

Process change involves modifying the processes around risk identification and rating in order to rebalance the consideration. This can be influenced by education; however, it generally requires profound changes to organisational risk frameworks, corporate guidelines and policies. High-level support is necessary to move this along.

The final solution, time, can be influenced by education, but only to a degree. At the end of the day it may simply require another 20-30 years for organisations to undergo the changes required to understand and integrate online risks accurately into an overall risk framework.


How does your organisation weigh online risks?
I'm interested in how other organisations weigh online risks - whether the risk of change or the risk of not changing.

What's been your experience of how organisations compare online risks versus others?


Friday, August 08, 2008

How well does government secure customer information online?

Privacy Awareness week is coming up later this month (as is the Security in Government conference), but as I mentioned to a colleague on Thursday, every week needs to be privacy week at a government agency.

Privacy is a sticky problem for all organisations. No security system is perfect and, to date, as technology has advanced, the threats to guard against have multiplied.

At some point every organisation needs to make a trade-off between the services it offers customers, the channels through which they are offered, the convenience of using secure services, and the cost of raising security, weighed against the risk of security breaches on one side and customer complaints about service levels on the other.

The size and nature of government makes effective security imperative.
The Government ID leaks report, prepared by Consumerreports.org, highlighted that more than 1 in 5 US privacy breaches are traceable back to the public sector. This reflects the size of government and amount of data it must collect, store and share, as much as it reflects security levels.

The report also commented that,

When a brokerage firm or retailer has a data leak, consumers can take their business elsewhere, as almost one-third of breach victims do, according to a recent study by the Ponemon Institute, a research group in Traverse City, Mich. But as customers of the government, consumers don’t have a choice about giving personal data to federal, state, and local officials.
In other words, people must provide information to government, but there is no financial incentive for government to maximise security. The impetus for security in the public sector has to come from political will backed up by appropriate legislation.


So how well does government do in securing customer information?

In the US the 2007 Computer Security report card (PDF), prepared for the House Oversight and Government Reform Committee in May this year, gave the US government a 'C' for computer security, up from a 'C-' the previous year.

While some departments stood out with 'A' scores, such as the Justice Department, a number scored 'F's, such as the Department of the Treasury and the Department of Veterans Affairs.

In Australia there is no such security ready reckoner. However the Australian National Audit Office (ANAO) frequently conducts security audits on various departments and agencies.

These are tabled in parliament and made available to be publicly scrutinised, so the media and public have access to quite detailed information on government security.

Based on these reports, Australia's government is doing reasonably well. As in the private sector, there is no such thing as perfect security and opportunities for improvement do exist; however, there is a cultural and strategic focus on security, and agencies do the best they can with the resources available to them.

Personally, considering the level and severity of incidents reported in Australia compared to the UK and US, for example, Australian government seems to have a good track record, albeit not a perfect one.


What can government do better?
Staff
This stems from a conversation I had on Thursday over lunch, where the discussion turned to the different types of security that can be put in place.

Australian government seems to do quite well in guarding against external risks and protecting our networks and computer servers from attacks.

The weak point in many security systems is the employees. They need access to information about customers to do their jobs, but exposing the data to them raises the risk of it being publicly exposed. This can occur in many ways: confidential data being copied onto USB sticks or emailed home to be worked on, or the well-known lost laptop/DVD situation, where a laptop or DVD containing customer records is accidentally left somewhere or stolen.

While there are strong guidelines to help reduce and address these issues, another approach is to investigate data-level security which prevents given data from being accessed except by authorised users.

Data protection can be accomplished through technical mechanisms rather than relying on staff behaviour, which reduces the human risk. Such protection is now quite developed for certain types of data, for example the 256-bit encryption available for Adobe documents.

Customers
A second area government can focus on is customer education. There's less value in centrally securing information if customers do not guard their usernames and passwords.

This can be partially managed through systems enforcing more secure passwords and through different techniques for educating customers on how they should protect their own computers against key loggers and other hacking tools. Another part involves being more transparent with customers about how secure a system is and how diligence on the customer's part improves the system's security.


Wednesday, August 06, 2008

Build egovernment trust, not privacy

Government Computer News reports that in Singapore government departments share the personal information of their customers in order to provide better egovernment services.

As reported in the article, Singaporeans rely heavily on passwords,

Singapore’s citizens are accustomed to the government knowing who they are when they access e-government services. With a mandatory password system named SingPass, in place since 2003, government forms download — after authentication — with personal data prepopulated into the fields.

Since the early 1990s, the government has used standardized, cross-agency data-naming conventions for elements such as names and addresses. It also has standardized data elements in the business and land registry domains. SingPass is also a reusable component for agencies building e-services.
In Australia, data sharing across government departments is often perceived as a bad thing. Singapore's egovernment approach would be considered as reducing citizen privacy.

However within Singapore the approach is seen as a privacy enhancement.

What's the difference? Trust.

As it states in the article,
Citizens don’t welcome Big Brother surveillance, said Prashent Dhami, a senior consultant at the Singapore branch of consulting firm Frost and Sullivan. But most Singaporeans tend to trust their government, Dhami said. Plus, technology infuses the lives of citizens from a young age. “You use technology so much, you start to understand it, you start to trust it. People have seen very few failed attempts at technology,” he added. SingTel, the largest local telecommunications provider, even sends text advertisements to mobile phone subscribers based on their current location.
Perhaps in Australia we need to invest more in raising the level of trust citizens place in government rather than investing more in technical systems to mitigate concerns over privacy.

In the long-run this could result in improved and more accessible egovernment services and a better relationship between citizens and government.


Wednesday, July 30, 2008

Why can one man in a cave out-communicate the government of the world's superpower?

There was an interesting admission from the US Army Secretary last week in Inside Defense as reported in the Wired Danger Room Blog,

Senior Army leaders have fallen behind the breakneck development of cheap digital communications including cell phones, digital cameras and Web 2.0 Internet sites such as blogs and Facebook, Army Secretary Pete Geren said at a trade conference on July 10. That helps explain how "just one man in a cave that's hooked up to the Internet has been able to out-communicate the greatest communications society in the history of the world -- the United States," Geren said.

"It's a challenge not only at home, it's a challenge in recruiting, it's a challenge internationally, because effective communication brings people over to our side and ineffective communication allows the enemy to pull people to their side," Geren continued. He said the Army brass needs to catch up -- fast. But how exactly?

One solution: "Find a blog to be a part of," Geren said.

Young people embrace social media "as a fluent second language," he added. Army leaders have to do the same.
The article went on to describe some of the initiatives underway at the US Army to help it prepare for the new world - including adding blogging to their graduate school curriculum and allowing a tiny office of Web-savvy mavericks at West Point to create Army-specific Web 2.0 tools (blogs, forums, social networks) for soldiers.

At the same time the US Air Force is using blogs, wikis and personal profile pages to better support its missions, per a Network World article, U.S. Air Force lets Web 2.0 flourish behind walls.

I expect that the Australian armed forces are watching and learning from their US counterparts. The online channel can deliver major benefits to the training and operations of a defence force.


Tuesday, July 29, 2008

What's the level of security risk from government's internal IT staff?

Over the last week a rogue IT employee in the San Francisco Department of Technology Information Services has held the city to ransom, locking down many of the city's services by refusing to disclose an administration password.

The employee, Terry Childs, helped create the city's FiberWAN network, used for controlling the city's emails, law enforcement records, payroll and personnel records. It carries 60 percent of the city's municipal data.

Using his access as administrator, Childs stopped other authorized network users from accessing parts of the network and gave himself access to parts from which he should have been restricted.

To compound this, the city apparently did not keep adequate system backups, and so cannot restore the system from an earlier state.

Fixing the situation is likely to take several weeks and cost in the order of $500,000, including hardware and system changes.

Childs was taken to court by the city, with a US$5 million bail set - that's five times as much as is usual for a murder in California.

Why did Childs lock down San Francisco? Network World reports in IT administrator pleads not guilty to network tampering that,

He became erratic and then hostile with colleagues after a recent security audit uncovered his activity on the network, according to a source familiar with the situation.


An article in Wired, San Francisco Admin Charged With Hijacking City's Network, discusses how Childs could have brought down the entire San Francisco city network if he'd wanted to.

Fortunately for San Francisco, as reported in eFluxMedia, Childs finally turned over the password to San Francisco's Mayor on 24 July - claiming that only the Mayor was trustworthy enough to have the password.

Do you know how much power your department's IT team has?


Obama pledges to appoint a national cyber advisor - does IT need more senior representation in Australia?

As reported in NextGov, Barack Obama, the Democratic Presidential candidate, has pledged to appoint a direct report focusing on online security.

"As president, I'll make cybersecurity the top priority that it should be in the 21st century," Obama said during a summit on national security at Purdue University. "I'll declare our cyber-infrastructure a strategic asset, and appoint a national cyber adviser, who will report directly to me. We'll coordinate efforts across the federal government, implement a truly national cybersecurity policy and tighten standards to secure information -- from the networks that power the federal government to the networks that you use in your personal lives."

Security analysts praise Obama's pledge for a cyber chief

Today most of the money supply and trading in the finance sector, our telecommunications and entertainment industries, a significant proportion of our retail activity and a number of government initiatives are focused on, or reliant on, the use of robust and secure broadband and online services.

I wonder when a similar approach to Obama's proposal will be adopted in Australia?


Thursday, July 24, 2008

Nextgov introduces security assessment tool for government websites

Over in the US, Nextgov has released an online tool that US public sector website administrators can use to check the security of their website against the stipulations of the 2002 Federal Information Security Management Act.

As hackers do not restrict themselves to national boundaries, or to government legislation, this tool is useful for government webmasters around the world as a simple test of their security levels against the standards applied by professional security analysts.

As stated in the Nextgov release,

Nextgov and the SANS Institute, a nonprofit cybersecurity research organization in Bethesda, Md., have teamed up on a Web-based tool. It's designed to provide federal officials a means to compare how secure FISMA says their systems are to what professional security analysts would say. As Alan Paller, director of research at SANS, points out, an agency can get an A on FISMA compliance, but receive an F from security analysts on how secure its systems are.

How secure are your systems?

Monday, June 23, 2008

The issues with CAPTCHA security

CAPTCHA is a security technology for websites that works by making users verify they are a human by typing in a random string of letters or numbers displayed in an image.

You could consider it a Turing test for humans.

It is now widely used as it is easy to implement and has a reasonably good success rate in differentiating human from machine.

However it does have weaknesses and issues, and organisations need to think a little before they simply decide on the CAPTCHA path.

Here are some factors to consider.

CAPTCHA isn't accessible - straight CAPTCHA may breach accessibility law

CAPTCHA relies on presenting a graphic image of text to a viewer, who then reads the text and enters it into a text box. As computers are now smart enough to read clear images, the images used in modern CAPTCHA systems are usually 'messy' with random strokes and distorted letters (called reCAPTCHA).

For example: [distorted CAPTCHA image not reproduced]

These images can also be hard for some humans to read: the old, the young, the visually impaired, and even groups who would not consider themselves as having sight issues.

This means that visual CAPTCHA systems may be inaccessible under Australian laws regarding accessibility. This is a very important consideration for Australian government agencies.

There are approaches to get around this, such as offering a selection of images, one of which (hopefully) is readable by the audience, or offering an audio alternative, whereby someone listens to a series of letters or numbers, usually interspersed with other sounds, and types these in.

Note that the latter approach also has similar accessibility issues for those with hearing impairments.

Personally I have on occasion had difficulty using either a visual or an audio CAPTCHA approach, and my vision and hearing are both above average for my age group (Gen X).


CAPTCHA is breakable

There are several ways to break a CAPTCHA system.

The first is simply to have a large group of low-paid computer users systematically interpret and type in the correct response.

Organisations in nations where labour is cheap are able to offer this as a service for hacking sites, or for preparing the way for automated systems to then use hacked sites and accounts for spamming and other illicit purposes.

Also, as technology improves it becomes easier for machines to break CAPTCHA. Already we've seen a move from clear text to messy and distorted images, tested against optical character recognition to ensure they are not machine-readable, in order to reduce the ability of computers to read the image.

It is only a matter of time before machines can also read these messy images - handwriting recognition and optical character recognition technology both continue to get better and are converging on this area.


Not endorsed by the W3C

CAPTCHA is not endorsed for use by the W3C.

The W3C has indicated in a working paper entitled Inaccessibility of CAPTCHA that CAPTCHA is inaccessible and the technology is not yet endorsed within W3C guidelines.

This means that it is not endorsed within the standard guidelines underpinning website development in the public sector.

This doesn't exclude agencies from using it. It has not been specifically rejected by the W3C; it sits in a grey area, and each agency would have to make its own decision.


So what next?

CAPTCHA has already advanced to reCAPTCHA - involving the messy distorted text indicated above.

Most reCAPTCHA implementations have also integrated audio reCAPTCHA as an alternative - in the hope that if people cannot read the image they can understand the sounds.

Some organisations, such as banks, use physical PIN devices, others have talked about using fingerprint or retina scanners attached to PCs.

However there is no clear successor to reCAPTCHA for widespread use on websites.


What should organisations do?

As there's no readily accessible and cost-effective alternative, organisations should strongly consider reCAPTCHA as a security measure in their sites, integrating both visual and audio approaches.

However they should also strongly consider offering an approach accessible to those who cannot see or hear the CAPTCHA security, such as phone-based identification or the use of secret questions.


Saturday, June 21, 2008

Breaking rules: Build your intranet outside your firewall

It's an established fact that intranets (or internal networks) grow and live within your organisation's firewall.

Or is it?

New approaches and technology are now challenging the concept that intranets must be stored within your organisation's direct structure.

For instance in Australian government there is Govdex. This wiki-based extranet system meets secret level Federal government provisions and is free for government users.

It doesn't stretch this system too far to consider it as suitable as an intranet platform for any small government agencies with no intranet budget.

As it is wiki-based it provides basic content management functionality, including a news tool and discussion board - which is more intranet functionality than most smaller agencies can claim now.

For example I've recently worked with another area to implement a secure Govdex wiki space as a micro intranet for a key community within my agency. This will expand into an extranet over time, but it functions now just like any other intranet platform.

Govdex isn't the only option on the horizon.

LinkedIn, a business networking site, is planning to release a series of work-related tools to support collaboration between staff members. These would sit in secure areas of LinkedIn, but on the internet rather than inside the organisation's network.

This was discussed in a recent New York Times article, At Social Site, Only the Businesslike Need Apply,

One new product, Company Groups, automatically gathers all the employees from a company who use LinkedIn into a single, private Web forum. Employees can pose questions to each other, and share and discuss news articles about their industry.

Soon, LinkedIn plans to add additional features, like a group calendar, and let independent developers contribute their own programs that will allow employees to collaborate on projects.

The idea is to let firms exploit their employees’ social connections, institutional memories and special skills, knowledge that large, geographically dispersed companies often have a difficult time obtaining.

Behind LinkedIn, other start-ups are also entering this space, driving significant innovation in meeting organisational needs in this area.

This is very interesting news for anyone with a small budget and need for a significant intranet.

Rather than investing in building or buying a content management system, developing social tools, or managing intranet hardware and software, organisations can simply use openly available software to facilitate it.

So what would it take to make you consider building your intranet outside the firewall?


Thursday, June 12, 2008

Baby steps into extranets

When I joined the public service a few years back I was very pleased to discover that my agency was very proactive about engaging stakeholders when creating products and services for our customers.

The agency was still using 20th century methods to achieve these outcomes and was making no use of online collaborative groups or extranets.

This isn't a criticism of the people or the systems - the agency had developed the skills to manage this collaboration using the readily available technologies - email, mail, phones, faxes and face-to-face meetings. Since these were working well there had not been the need or money available to innovate new ways of engaging.

However over the last few years the tempo has accelerated.

The agency has placed a greater focus on stakeholder consultation, the level and complexity of engagement has increased and there has been the need to involve more players in approval processes. At the same time the agency has needed to manage its staffing levels carefully.

When most types of system double in size, the effort required to manage and maintain them increases by much more than double. This is because the number of connections between the different parts of the system grows much faster than the number of parts.

For example, if you draw four dots on a piece of paper they can be connected in 6 possible ways (3+2+1), whereas 8 dots can be connected in 28 possible ways (7+6+5+4+3+2+1).

It could be argued that, as all these extra stakeholders deal with the agency as the central organiser, the complexity doesn't increase that much: theoretically all these interactions can be fed into a central point at the agency, like spokes on a wheel.

In reality, however, the interactions between the stakeholders themselves are an important factor, and this is where all the additional potential connections come into play.

So with increasing need, increasing complexity and fixed or diminishing resources, an important question becomes:

How does the agency manage this on an ongoing basis - and do so cost-effectively?

This is where my Online Communications Team has been able to add value to the process. We've worked with the stakeholder managers to introduce an approach that is both freely available and fully government approved: an online collaborative wiki.

We've established two collaborative communities for my agency using the Govdex platform provided by AGIMO. This wiki-based system is secure, readily configurable to agency needs, has support available and is free to use by government departments. Best of all it's easy for the relevant groups in the agency to manage themselves, with my team simply providing back up and account managing the Govdex relationship.

As we're in early days yet and learning as we go, the two communities we've established are internally focused. One is supporting the ongoing development of our intranet and helping the agency's online team understand the capabilities of such a system (so we can stay a few steps ahead of other users).

The other is a knowledgebase and discussion forum for the agency's stakeholder engagement officers across Australia. This is the prototype for a future system for engaging with our stakeholders across the country.

The experience of setting up these systems has been largely painless. Other than some issues with access speed from within our firewall, which appear to be due to government networks not playing nicely with each other and are rapidly being resolved, our Govdex experience has begun as a positive one.

I'd particularly like to commend the customer service provided by Govdex - they have helped us get the sites up and running in record time.

I'm now in the process of beginning to promote Govdex as a business tool within my agency so that anyone who has the need to deal with a set of internal and external stakeholders can consider it as a potential solution to their communication and collaboration needs.

Note that Govdex and similar online collaboration systems aren't a replacement for face-to-face meetings, phone calls or emails, but they are another tool that can be used to facilitate and manage complex collaboration situations in a cost-effective manner.

By the way, here's a great presentation on GovDex from the Web Directions Government conference on May 19, 2008: Ralph Douglas, GovDex: Collaborating online in a secure environment.
