Showing posts with label security. Show all posts

Monday, February 07, 2011

Good read: Nicholas Gruen on Gov 2.0 in Australia and cultural change

Alex Howard over at GovFresh has a great article and video interview with Nicholas Gruen regarding Gov 2.0 in Australia and some of the challenges of the required cultural change.

Read it over at Nicholas Gruen on Gov 2.0 in Australia and cultural change.


Friday, October 29, 2010

How can we be knowledge workers without knowledge?

In this post-industrial society many of us are knowledge workers, using information as a key input to create new products, services and ideas.

Particularly in government knowledge is critical. That's why government departments invest a great deal of resources into research, stakeholder engagement and community consultation.

Without a reliable and diverse flow of information government can be crippled. Public servants can become unable to provide the best possible advice, Ministers therefore can't always make the best decisions and departments cannot quickly and cost-effectively track policy impacts and adjust policy delivery over time to address citizen needs.

So what happens if you cut knowledge workers off from important sources of knowledge?

I'd suggest this leads to less considered advice, poorer decisions and therefore worse outcomes. Money is wasted, service recipients get frustrated, citizens end up changing their votes.

In other words, cutting knowledge workers off from important sources of knowledge risks damaging the survival odds of Ministers and the reputation of the public service.

When it comes to online knowledge, government departments are constantly striving to achieve a balance between access to knowledge and minimisation of risks such as hacking, viruses and theft of information.

This isn't an easy balance - and sometimes the approaches to filtering sites can end up with unexpected outcomes.

For example, one of OpenAustralia's founders has just blogged about a department that blocks access to Open Australia - as the outsourced filtering service the department uses mistakenly classifies the website as a 'blog' and the department isn't able to amend the categories (though can make specific exclusions).

There are staff at the department wishing to use the site for legitimate work purposes.

This specific issue (which I am sure the department is rectifying) aside, does it still make sense to block a category such as 'blogs'?

Maybe ten years ago when blogs were new, rare and very, very specialised, they didn't contain much in the way of knowledge that was important for government deliberations.

However the situation has changed. Blog platforms such as WordPress are now used for websites as well as blogs - including by government departments, not-for-profits, businesses, peak bodies, and even political parties.

Also I'd suggest that blogs now come in all shapes and sizes - some are written by teams of experts, others are personal. Many have information and ideas that could help public servants shape their thinking, influence policy deliberations and affect the way services are delivered.

If they can be accessed.

I know that my blog, eGovAU, has been inaccessible to at least two large departments. More importantly, the Gov 2.0 Taskforce's site was inaccessible to at least one department during its consultation phase - I know this because it was brought to the attention of the Taskforce during one of their public meetings.

The APSC is using a blog to consult on Australian Public Servant Values, a blog is driving the APS innovation agenda and AGIMO is making excellent use of their blog for web accessibility, communications and new developments. That's not to mention another 20 or so government blogs I can think of.

Surely just this internal government use of blogs makes it necessary for departments to reconsider the basis for blocking 'blogs' as a category.

And that's not to mention all those stakeholders, individual experts and service recipients whose blogs contain knowledge that may be useful to public servants.

Perhaps there's even a Catch-22 here. If public servants are blocked from accessing potentially useful blogs they can't even assess them for value or build a case for allowing access. The only way they can do this is by taking a personal risk - doing their work at home, outside their corporate network.

So far this has just been about blogs. I've not mentioned forums, social networks and services such as Twitter which can also be extremely rich sources of useful knowledge - so long as they are not blocked.

In the OpenAustralia case, the reason given for blocking 'blogs' was that they posed a security risk to the department's network.

I wonder if this security risk is regularly being weighed against the risk to Departments and Ministers of blocking access to important knowledge.

Do departments need to revisit how they measure security risks and how they protect against them?


Saturday, April 24, 2010

Launching banknotes via online video

In what I believe is a world first, the US Bureau of Engraving and Printing has launched its new US$100 note, featuring Benjamin Franklin, via an online video on YouTube.

Brought to my attention by Nicholas Gruen, the 82 second long production provides a clear view of all the security provisions included in the banknote.

There is also an interactive video quiz available for people who wish to learn about how to recognise the note.

The approach offers an innovative vision as to how countries around the world could market and communicate the features of their currency and stamps to their citizens.

Benjamin Franklin, as a former printer and scientist (one of the early pioneers in electricity), would have been proud.


Friday, January 22, 2010

A majority of US government agencies now using social media

A recent report from talent management companies Human Capital Institute and Saba indicates that a majority of US government agencies are using social media.

The report estimates that 66% of US government agencies use social media tools, with 65% using more than one tool.

A graph from the report (see below) indicates that the US government still trails US corporate use of social media - which provides some indication of the direction for the future.

I wonder how we're tracking in Australia - anyone seen research on the topic?






Thursday, January 21, 2010

Microsoft 'strongly recommends' customers upgrade web browsers from IE6 to IE8 to solve security issues

In their strongest advisement yet, Microsoft Australia has issued a "strong recommendation" through its Government Affairs Blog that customers upgrade from the nine-year-old Internet Explorer 6 web browser to Internet Explorer 8.

This is because the security flaws now being discovered in Internet Explorer 6 are such that they leave organisations more vulnerable to successful co-ordinated hacking attacks - the potential theft of confidential or sensitive information and intellectual property.

The risk isn't from a 17-year old hacker in their bedroom, but from crime syndicates, corporate interests and, potentially, other governments.

Google and at least 33 other companies have experienced co-ordinated attacks, originating from China, in the last week. Google believes these attacks were launched, or at least endorsed by, the Chinese government - although they cannot prove it beyond doubt. However the concern is great enough that the US President has asked the Chinese government to comment on the attacks and Google is considering leaving China.

These attacks exploited a security flaw present in Internet Explorer versions 6, 7 and 8. Microsoft reported that attacks only seem to be effective against IE6. Information out of Google agrees with this, as do comments by other security specialists.

This security flaw has no fix at this time and it is unclear when a fix will be available.

Defence Minister John Faulkner was recently quoted in the media (including this Brisbane Times article) as saying that cyber attacks were a worsening global problem. "Cyber intrusions on government, critical infrastructure and other information networks are a real threat to Australia's national security and national interests."

Both French and German governments have advised their citizens to stop using Internet Explorer 6.


In Australia some government agencies are still using Internet Explorer 6 as their standard web browser.

So why do government agencies (and some large commercial organisations) still use a nine-year-old web browser with dubious security, that isn't compliant with modern web standards and is soon to no longer be supported by major websites (including YouTube and Gmail owned by Google, and Facebook)?

I can't speak for any agencies, however while most modern web browsers, such as Internet Explorer 8, Firefox 3.5, Opera 10 and Chrome are free to users, there are often switching costs for organisations to change even free software on a large scale.

They may have designed internal software around a particular web browser or have costs associated with rolling out new software across thousands of computers.

Switching from IE6 in particular can be quite involved as it has a number of features (developed in ActiveX) that organisations may have come to rely on in websites and other software. South Korea in particular built around Internet Explorer 6 and has had difficulties in migrating to modern browsers or operating systems.

There is also the need to test how modern browsers work on a network and ensure that their security models are understood so new vulnerabilities do not arise. This costs time and money - at a time when Australian government departments are expected to save money in IT as a result of the Gershon Report. It's another choice they have to make on where to allocate their limited funds.

Plus as many government agencies block sites like YouTube, Gmail and Facebook, citing concerns over staff wasting time (as previously was the concern over access to personal telephone calls), improving agency capability to engage in social media may not create any urgency to upgrade.

However, given the clear and present dangers linked specifically to Internet Explorer 6 I'm hopeful that 2010 will be the year where many Australian organisations still using this old, less accessible and insecure technology decide to implement modern web browsers.


Tuesday, November 17, 2009

US engaging in offensive as well as defensive cyberwar

Nextgov has published a very insightful piece on the US's cyberwar endeavours, including their use of it as an offensive tool to locate and knock out the organisational capabilities of their enemies and even kill foes.

The article, The cyberwar plan, not just a defensive game, also covers the Russian attacks on Estonia and Georgia and China's use of cyberwarfare techniques to gain economic advantage over foreigners (I also continue wondering about the attack on the Melbourne Film Festival earlier this year).

It's a very well-researched piece and provides a lot of food for thought.

Given that most wealth and knowledge is stored electronically and most organisation is done via digital channels, the impact of a successful attack on our communications systems or finance sector would be catastrophic to our economy and potentially to our ability to cope with a physical attack.

Australia's defence force has traditionally been very quiet about a domestic cyberwar capability and I wonder whether we are adequately defended and able to respond to attacks on Australia's digital sovereignty.


Tuesday, August 11, 2009

UK Prime Minister driving government 2.0 to address global issues

Prime Minister Gordon Brown has given an astounding presentation, Gordon Brown: Wiring a web for global good, in opening TED Oxford. It firmly establishes his interest and commitment to the use of new technologies by government to aid in the solution of global and national issues.

To quote from the synopsis,

We're at a unique moment in history, says UK Prime Minister Gordon Brown: we can use today's interconnectedness to develop our shared global ethic -- and work together to confront the challenges of poverty, security, climate change and the economy.

As well as being highly inspiring, the video (embedded below) is worth watching to gain an understanding of how seriously Government 2.0 and the benefits of new technologies are being taken in leading countries around the world.


Monday, July 13, 2009

Operating web and IT in an abundance mindset

Chris Anderson, the owner of Wired, recently wrote a very thought-provoking article about the need for organisations to consider how to operate within an abundance mindset rather than a scarcity-based one in his article, Tech Is Too Cheap to Meter: It's Time to Manage for Abundance, Not Scarcity.

Chris uses one example of how Wired used to restrict the email and file space provided to every staff member, with the IT team prompting staff regularly to delete files so as not to fill up the server.

One day he asked his ICT team how much file storage space Wired had for staff and was told that they had 500GB - half the size of the 1 Terabyte hard-drive in the home computer he had recently bought for his kids. As he said,

My children had twice as much storage as my entire staff.

I have had a similar experience in various organisations I've worked at. Despite falling storage and computing costs, organisations often place heavy restrictions on staff computing power - for what reason I'm not sure.

Cost probably isn't a good reason for this scarcity mindset. If, for example, a 5,000 person organisation only allowed each staff member 200MB in file and email space, that would mean the organisation had limited itself to 1,000GB (1 Terabyte) of storage for staff.

Looking quickly at hard-drive prices, a 2 Terabyte commercial quality hard-drive costs about AU$500.

In other words, now you can buy twice as much staff file storage as the example organisation above for only $500 - and the price is going down.

Now consider the staff side of the equation. Files keep getting larger, as do emails. If you assume that each staff member spends 10 minutes each month reorganising their file space to prevent them from going over the organisation's limit, that's a cost of 50,000 minutes or 833 hours each month.

Assuming that each hour of staff time is worth around $50 - including wages, equipment and overheads - that lost time costs the organisation $41,650 in productivity, or $499,800 each year.

To put this in perspective, if the organisation removed the limit on file space and compensated by spending $500 (2 Terabytes) on extra storage it would save $41,650 in staff productivity costs - each month.

That's an ROI of 833% - each month.

Naturally there would be some other costs - servers, redundancy, electricity and the need for effective search technology. However the outcome would remain the same, the organisation is better off investing in more storage than in enforcing a 'scarcity' mindset.

File storage space is only one example.

I've also seen organisations struggling on low bandwidth, slowing down applications and internet services - therefore hindering productivity. With the ability for ISPs to provide adaptable bandwidth there's not really much excuse for this type of approach.

Equally organisations often provide their staff with outdated equipment and applications, which also reduces productivity. In many cases staff now have cheaper and more powerful systems and software at home.

While sometimes software is 'held back' to older versions due to security concerns (or lack of staff to check and approve security), the reality is that most modern software is more secure than older versions of applications.

Restricting software and hardware for security purposes can result in the opposite effect - reducing the organisation's security. If staff are forced to send work home to finish it, or go home to view websites and use online applications, this can raise the risks to the organisation.

Again this type of approach reeks of scarcity and cost-focused thinking, rather than an abundance and productivity-focused approach. It probably costs less for an organisation to employ contract staff to security-assess vital applications than it costs the organisation in lost productivity. Even though upgrading the applications may be expensive the net productivity and security gains for the entire organisation can be significant.

Another example is around the use of web services, which are extremely low cost and easy to test and trial. Organisations need to allow staff to experiment with these tools in appropriate ways, rather than requiring them to always follow tender-based processes to procure expensive custom-built alternatives, or have them coded in house (also at significant opportunity cost).

Finally organisational websites are often managed on a scarcity approach, with limited bandwidth and storage space, or with information cut-down from what is provided in print publications.

Again this applies a scarcity mindset. Domains are cheap, storage is cheap, bandwidth is cheap and an appropriately organised website can have great depth of content at relatively low delivery cost (certainly much lower cost than phone, mail or face-to-face).

So, in conclusion, at least in web and IT matters organisations need to consider an abundance mindset rather than a scarcity one.

They have to consider whether their policies and procedures aid or harm staff productivity and whether the cost of managing and policing some restrictive policies (such as file storage) is worth the productivity hit.


Thursday, May 21, 2009

Where should government go with single sign-on?

Single sign-on is often seen as one of the Holy Grails of the internet - the ability to use a single logon to access all your secure online accounts and conduct transactions with whoever you choose.

This is seen as a way to make life easier for citizens/customers, allowing them to move easily from provider to provider, just as they may choose to move from store to store in a mall. It also reduces 'password fatigue', where users have too many passwords to remember and, correspondingly, is expected to reduce the IT cost of lost passwords.

The main risk of single sign-on solutions is also related to passwords - having a single logon for everything stored in a central location theoretically makes it easier for a hacker or identity thief to completely compromise an individual.

It might appear that the public sector has an advantage in moving towards a single sign-on for egovernment services. We have the dollars, expertise and computing power to pull together large IT projects, we don't have internal competitive pressures and possess the legislative power to change any laws necessary to allow citizens to access all government services via a single logon.

In contrast the private sector is fragmented between thousands of entities, potentially all competing for their slice of the online pie. Different online services are tied up with different intellectual property and sharing this IP would seem counter-intuitive to increasing profit margins.

However in practice the situation has been very different.

In the commercial world large and small organisations have been lining up behind a single standard for single sign-on, OpenID.

The OpenID Foundation estimates there are already over 1 billion OpenID-enabled web users and that more than 40,000 websites globally support the system.

OpenID is supported by the biggest online, authentication and IT players, including Microsoft, IBM, Verisign, PayPal, Google and Yahoo and was recently implemented by Facebook.

The system is fast becoming the global ID standard for authenticating users to websites - although I am unaware of a single case around the world where a government has adopted the same system.

On the government front single sign-on services are less developed. In Australia we've had the proprietary MyAccount service available for some time now, linking Centrelink, Medicare and CSA customer accounts. MyAccount requires users to register separately for each agency's online service, then link them together by registering a separate (fourth) account. This separate account can then be used to log into the online services for each of the agencies.

This service is presently being expanded. Australia.gov.au has indicated that they will be adopting the same single sign-on mechanism and that more agencies will be coming shortly.

The UK government has similarly been working on an independent single sign-on solution. This has encountered issues that I am sure Australia will also face - different services require different security levels, and stepping between the security levels necessary is more complex than simply offering a username and password.


The question in my head is whether it is possible for government to adopt the (free and open) OpenID standard rather than spend the time and money required to develop and expand a separate proprietary system.

In other words, do we need the government to continue to invest in a second 'single' sign-on when the commercial world is already well-advanced in a global solution?

The issue isn't that simple unfortunately. There are many reasons why a government may wish to own its own authentication system, such as national security, protection of citizen privacy, custom ways to 'step-up' to higher security levels (though this is also possible in OpenID).

However it is important to reconsider the value of a separate government system from time to time, particularly if the commercial world is heading in a different direction.


Thursday, March 26, 2009

The Catch 22 of government online participation

Government often has a narrow path to walk when engaging online: some of the measures in place to protect the privacy and security of citizens and government officials can conflict with efforts to improve the transparency and openness of government processes.

Hence this article from the New York Times, Government 2.0 Meets Catch 22.

The article highlights some of the issues that US government officials must navigate and contend with when participating with online communities or even using the internet to research potential employees.

While the article doesn't present any real solutions for government, it does highlight that there can be the need for some government policies and legislation to be reconsidered to provide the appropriate balance between government's ability to engage online and to protect those it employs and serves.


Sunday, December 28, 2008

Newcastle council online community hijacked by hackers

As posted in the Online Community Consultation blog, Newcastle Council was recently stung by having hackers take over its online consultation community and redirect the site to an independent site containing adult content.

As discussed in the post, Red faces in Newcastle, the lesson to be learnt is to ensure effective security is in place to prevent hacking.

There's a secondary point discussed around the length of the sign-up process, which needs to be as short and as simple as possible to keep the barriers to participation low. I didn't see the Newcastle Council community site, so cannot personally comment, however from the post it appears that a more complex sign-up process had real impacts on the number of participants.


Friday, December 19, 2008

Computer hackers plundering Brazilian rain forests

As reported in the Wired blog post, Hackers plundering Brazilian rain forest, a hacking ring controlled by logging companies has been alleged to allow harvesters to unlawfully access government logging databases and issue extra 'transport permits' to remove resources (trees) from the Amazon.

This has been a challenge for Brazilian authorities, who have arrested 30 suspects and have another 200 people under investigation.

Environmental group Greenpeace estimates 1.7 million cubic meters of illegal timber has been harvested because of the hacks. The group says that's enough wood to fill 780 Olympic-size swimming pools.

Federal authorities are also suing timber companies to recoup an estimated $883 million in purloined resources, Greenpeace said.


These types of left-field social and economic issues driven by technology innovations are likely to increasingly challenge governments to be agile and responsive and to build their own online capabilities.


Monday, November 24, 2008

How much would your department pay for a 10% improvement in customer satisfaction?

I've been reading an article in the New York Times regarding the public competition Netflix has been holding.

The competition, named the Netflix Prize, has a prize of US$1 million for the individual or group who can improve their movie/TV recommendations engine by 10%.

The article, If you liked this, sure to like that, discusses how Netflix's programmers had gone as far as they could with their available resources and skills, so the company decided to make a large slice of their information available publicly (anonymised to protect privacy) and see where others could take it.

There are now over 33,000 teams around the world competing to come up with insights and algorithms to improve Netflix's recommendations, with a public leaderboard tracking the top forty (the best is currently at 9.44%) and a forum where the teams collaborate on improving results, sharing tips and code.

I can't help but think about this in the context of government.

Every agency struggles to provide the best possible outcomes and customer service with the resources they are given. However few departments or agencies look outside for help - even to other government bodies.

I'm sure there are many complex problems in government that could be looked at in a similar context to the issue Netflix is facing - ranging from simple IT programming issues, to customer service maximisation (such as the most effective placement of face-to-face locations to cover audience needs) and those huge thorny issues, such as devising fair policies or reforming tax regimes.

I wonder if government would be more effective if it allowed talented people to devise potential solutions (for kudos or prize money), which could then be tested, reviewed and the best solutions potentially adopted.

This isn't just a pipe dream. The UK government is running a competition at the moment, asking the public to come up with innovative ways to use government data to add value. The US and Japanese Patent Boards are piloting having the public examine patents and provide views before they are granted and New Zealand had the public write the Police Wiki Act 2007 (on how the police are to act towards the public).

I cannot think of any Australian examples - if anyone knows of some let me know.

Clearly there's all kinds of guidelines and governance required for Australian governments to feel 'safe' in inviting outsiders to assist us in improving governance in Australia - but what do we really have to lose?


Thursday, October 09, 2008

Is CAPTCHA still effective as a security test?

CAPTCHA is a security provision designed to confirm that an online user is actually human by asking them to complete a simple test which is difficult for computers to interpret.

Often appearing as wavy or handwritten words and numbers, CAPTCHA (standing for Completely Automated Public Turing test to tell Computers and Humans Apart) has been widely implemented as an online security confirmation system within email systems, blogs, ebusiness and egovernment sites. In fact you'll see it in use when commenting on this blog.

Example of a modern CAPTCHA image (source: Wikipedia)


However CAPTCHA is increasingly under threat due to the multiple ways of circumventing this security and organisations need to consider whether it is still worth implementing CAPTCHA or more advanced security systems.

How effective is CAPTCHA?
As was recently reported in AllSpammedUp, Spammers are once again attacking Microsoft's CAPTCHA, used in their Hotmail email system to distinguish between legitimate human customers and automated spam systems.

While 10-15% doesn't sound that significant, given that spammers are able to use automated systems to create hundreds of email addresses a minute - then use the successful ones to distribute spam email - that level of success is quite high.

Hackers are also able to use cheap eyeballs from third world countries to break CAPTCHA - with Indian crackers paid $2 for every 1,000 CAPTCHAs solved.

Other techniques also exist to break CAPTCHA, such as advertising a porn site, embedding CAPTCHA codes from legitimate sites and asking people to solve these codes in order to access the adult content for free.

Given all these different ways to defeat CAPTCHA tests, and the barriers for those with vision impairments (who are often unable to complete visual tests where an audio equivalent is not provided), let alone the difficulties real humans have in interpreting CAPTCHA tests correctly, this approach to security is seriously under threat.

However effective alternatives to validating that humans are really humans are not yet available for use.

Where next for CAPTCHA?
Microsoft and other large providers of online systems remain dedicated to strengthening CAPTCHA technology, even where the line of what is actually readable by the average human begins to blur.

They have limited alternatives as to effective tests of whether a user is human or computer to help minimise the success of automated hacking attempts.

Some mechanisms already coming into use are to ask questions via CAPTCHA text which is based on trivia more difficult for a machine to guess, or to have multiple CAPTCHA images which must be reinterpreted based on additional text - also stored as a CAPTCHA image.

All of these remain vulnerable to cheaply paid third-world CAPTCHA breaking groups, although they do increase the difficulty for machines.

Where should organisations use CAPTCHA?
Given the lack of alternatives, organisations need to continue using CAPTCHA, but selectively apply other methods of detecting machine-based attacks (such as rapid or logically sequenced attempts at creating accounts or logging in).

Where possible CAPTCHA should be used only to validate the 'humanness' of a user, rather than as an outright security measure, thereby limiting system vulnerability.

Finally organisations need to use the most current versions of CAPTCHA and update regularly to reduce the risk of intrusion to only the most sophisticated hackers.
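As an added example (not code from the original post), the two machine-attack signals mentioned above, rapid attempts and logically sequenced account names, implemented as detection logic over a few constructed signup log lines. The log format, IP addresses, usernames and thresholds are all assumptions made for this example.

```python
"""Detect automated account-creation attempts from signup log lines.

Added example, not from the original post. Assumed log format (constructed):
    <ISO timestamp> <client ip> signup <username> <ok|fail>
Two signals are checked per source IP:
  1. rapid attempts: N or more signups inside a sliding time window;
  2. sequenced names: usernames that share a stem and carry consecutive numbers
     (mailbox001, mailbox002, ...), the pattern a script produces.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    "2008-10-09T10:00:00 203.0.113.7 signup bob_smith ok",
    "2008-10-09T10:00:01 203.0.113.7 signup mailbox001 ok",
    "2008-10-09T10:00:02 203.0.113.7 signup mailbox002 fail",
    "2008-10-09T10:00:03 203.0.113.7 signup mailbox003 ok",
    "2008-10-09T10:00:05 203.0.113.7 signup mailbox004 ok",
    "2008-10-09T10:00:06 203.0.113.7 signup mailbox005 ok",
    "2008-10-09T10:12:00 198.51.100.4 signup jane ok",
    "2008-10-09T11:40:00 198.51.100.4 signup jane_2 ok",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) signup (?P<user>\S+) (?P<result>ok|fail)$")
# Non-greedy stem followed by a trailing counter, e.g. "mailbox" + "001".
SEQ_RE = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)$")


def parse_log(lines):
    """Parse well-formed lines into event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
                           "user": m["user"], "result": m["result"]})
    return events


def rapid_sources(events, window=timedelta(seconds=60), threshold=5):
    """Return {ip: max attempts seen inside any `window`} for IPs at/over threshold."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def sequenced_usernames(events, min_run=3):
    """Return {ip: (stem, longest run)} where usernames form a consecutive series."""
    numbers = defaultdict(list)  # (ip, stem) -> [counter, ...]
    for e in events:
        m = SEQ_RE.match(e["user"])
        if m:
            numbers[(e["ip"], m["stem"])].append(int(m["num"]))
    flagged = {}
    for (ip, stem), ns in numbers.items():
        ns = sorted(set(ns))
        run = best = 1
        for a, b in zip(ns, ns[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = (stem, best)
    return flagged


def analyse(lines, window=timedelta(seconds=60), rate_threshold=5, min_run=3):
    """Combine both signals into {ip: [human-readable reasons]}."""
    events = parse_log(lines)
    reasons = defaultdict(list)
    for ip, n in rapid_sources(events, window, rate_threshold).items():
        reasons[ip].append(f"{n} signup attempts within {int(window.total_seconds())}s")
    for ip, (stem, run) in sequenced_usernames(events, min_run).items():
        reasons[ip].append(f"{run} consecutively numbered usernames with stem '{stem}'")
    return dict(reasons)


if __name__ == "__main__":
    for ip, why in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

Flagged sources would be candidates for a step-up challenge or rate limit rather than an automatic block, since a shared proxy can also produce bursts.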


Friday, October 03, 2008

How secure is a password?

Following my security theme today, I've never seen much value in passwords as strong security measures - they need to be easy to remember for the user, and therefore rely on common letter and number patterns of relevance to the user, which inevitably become easier to break.

People need to remember passwords for many different services. I count at least 50 passwords I personally use on a monthly basis including phone, ATM and online.

This makes it tempting for people to,

  • reuse a few passwords across sites/channels,
  • use a common pattern for passwords (family birth dates for example),
  • rely on password memory systems (in web browsers or centrally through services such as Microsoft Live), and/or
  • write and store passwords in easy-to-access places.


A five second Google search threw up a large number of articles decrying the weakness of passwords as a security method.

One I found interesting was How I'd hack your weak passwords, which provides details on the mistakes people make when creating passwords, and points out that when people use the same password across multiple sites the password is only as good as the weakest site's security.

So what's the alternative?
Given that passwords are not a strong security measure, as they rely on the user to select secure passwords, the only real alternatives are to:
  • use more physiologically unique approaches to security (retina scans, fingerprints or brain waves),
  • employ physical tokens (random number widgets, cards or similar devices),
  • use innovative alternatives to passwords (such as join the dots), or
  • make it clearer to people what is at risk and educate and support them in creating stronger passwords.

Given that most people are unwilling to spend extra money on a PC attachment to allow biometric scans (though, like seat belts in cars or fire alarms in houses, they could be mandated by government and rolled out with new PCs over time) and issuing physical tokens is a costly exercise (and prone to physical theft), the most viable short-term option is to improve how we communicate with our customers.

I think that we could do a better job of educating people on how to create and manage large numbers of secure passwords, and addressing this area would by itself save significant costs in terms of fraud prevention and personal loss - not to mention password reset calls to call centres.
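One practical piece of that education and support is immediate feedback at the moment a password is chosen. The Python below is an added example, not code from the original post: it flags the patterns discussed above (dictionary words, dates such as family birthdays, keyboard sequences, personal details the user has supplied) and groups sites that share a password so that reuse becomes visible. The common-password list, the rules, the thresholds and the sample values are all constructed assumptions.

```python
import hashlib
import math
import re

# Constructed illustrative list of frequently chosen passwords (not a real breach list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "abc123", "monkey", "dragon"}

# Keyboard rows used to spot "walks" such as qwer or asdf.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Four-digit years, dd/mm/yy(yy)-style dates, or long digit runs that usually encode a date.
DATE_RE = re.compile(r"(?:19|20)\d{2}|\d{2}[/.-]\d{2}[/.-]\d{2,4}|\d{6,8}")


def has_keyboard_walk(pw, min_len=4):
    """True if pw contains min_len adjacent keys from one row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            chunk = row[i:i + min_len]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def estimated_entropy_bits(pw):
    """Rough entropy estimate: length times log2 of the character pool actually used."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def assess_password(pw, personal_tokens=()):
    """Return the weaknesses found. personal_tokens are details such as names or birth
    years the user has supplied, standing in for information available in public profiles."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if DATE_RE.search(pw):
        problems.append("contains a date-like pattern")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard sequence")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeats a character three or more times")
    for tok in personal_tokens:
        if len(tok) >= 3 and tok.lower() in pw.lower():
            problems.append(f"contains personal detail '{tok}'")
    return {"entropy_bits": round(estimated_entropy_bits(pw), 1),
            "problems": problems,
            "acceptable": not problems}


def reused_passwords(site_to_password):
    """Group sites that share a password, comparing hashes so the report never
    has to carry the plaintext."""
    groups = {}
    for site, pw in site_to_password.items():
        digest = hashlib.sha256(pw.encode()).hexdigest()
        groups.setdefault(digest, []).append(site)
    return [sorted(sites) for sites in groups.values() if len(sites) > 1]
```

The point of returning a list of named problems rather than a single score is that each one can be turned into a specific message to the user ("this looks like a birth year"), which is the kind of guidance the paragraph above argues for.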

In the longer run, I see a strong case for mandating biometric scanners on PCs.

What do you think?


Biographical secret questions weakening as security measures

Due to the rise of online social networks and informational sites, secret questions based on biographical information are losing strength as a supplement to password-based security.

As discussed in a Time article, Those Crazy Internet Security Questions, as more information on individuals becomes easily available - either provided by them directly or via government, corporate and collaborative online databases - the security of personal questions diminishes.

The article provides a ten-second case study on how easy it is to get the biographical information of a prominent person from their Wikipedia entry and an online postal database.

Speech transcripts, videos, blog posts, social network profiles, news sites and genealogical websites can also provide significantly more information quickly and cheaply.

It's slightly more difficult to get information on an 'unknown' person - but many are doing hackers the favour of providing their own biographical information online - as well as adding to the available information on their family and friends.

This raises a need to steer secret questions away from purely biographical information, or seek stronger alternatives.

So what was your mother's maiden name again?


Wednesday, September 10, 2008

egovernment across South-East Asia - towards seamless integration

The Economist Intelligence Unit has published a special research report, Towards Seamless Administration (PDF), on the status and challenges of egovernment across South-East Asia, including comments on a number of Australia's nearest neighbours such as New Guinea, East Timor, Singapore and Malaysia.

While Australia and New Zealand are not included in the review, the maturity of egovernment across the region should be a consideration in our planning and thinking.

Just as Australia has provided an example of stable democratic governance and has assisted in the development and security of our neighbours, I believe we have an opportunity and a responsibility to support them in their progress towards more transparent, low-corruption and democratic regimes through the medium of egovernment.

Why Australia should take on a regional egovernment leadership
In my view there are sound economic, social and political reasons for Australia to take on a leadership and supportive role for regional egovernment.

By helping other nations along the road we will facilitate the participation of Australian companies and individuals in the region, both in business and IT spaces, rather than seeing another nation or group, such as the US, Singapore or the European Union take on such a role and diminish Australia's potential economic benefit.

A similar rationale holds for the political front. Australia has a national interest in having strong regional ties and a level of political influence and this could be weakened should other nations become the egovernment leaders, particularly as regional governments could be influenced towards structures and models less attuned to Australian interests. This could also impact on our regional security and agreements.

Finally, and most important to me personally, is the social rationale. Economic development and progress towards an open and fair democracy has been generally demonstrated to be more effective at reducing poverty, increasing freedoms and encouraging more respect for human rights than providing aid or political pressure.

eGovernment as an approach leads to more open and transparent government, lower corruption and more equitable participation, as well as being an underlying driver of economic development by cutting red tape for businesses and individuals.

Therefore by encouraging and supporting egovernment and the enablers for egovernment across the region, Australia will have a positive and non-invasive impact on the wellbeing of our nearest neighbour states.

How should Australia support regional egovernment initiatives?
I've considered three ways in which Australia could make an immediate impact.

1) Model development - showing the way through our local egovernment initiatives

2) Thought leadership - sharing our expertise (technical and business) to assist other nations in developing their egovernment capacity.

3) Regional integration - developing underlying egovernment systems and technologies that can be given or sold to other nations to be deployed to kickstart their egovernment programs. This could include regional epayment, ehealth and online forms capacities (expansions of the efforts by the Reserve Bank, Medicare Australia and AGOSP), or specialised systems developed for customs and border management, led by Customs or Immigration with the involvement of regional stakeholders. Other systems that could be explored for regional applications could include online consultation, collaboration and procurement (such as via GovDex or AusTenders), our online Copyright and Patents systems and many other systems at both state and federal level.

Even with a minimal investment, Australia could enable our neighbours to make significant steps forward in effective governance. 

All it requires is some political and public sector leadership in the area.

I'd be interested in other views on this, or any information on egovernment initiatives already underway with our neighbours.


Tuesday, September 09, 2008

What's the legal liability in (hyper) linking?

The Securities and Exchange Commission (SEC) in the US is investigating the legalities of website linking, putting forward a policy proposal stating that companies should be held liable for linking to other sites containing information related to their share value.

Basically, if a link from a company's website pointed to false or misleading information about the company's prospects, it could be held responsible (under the proposed policy), leading to a fine or more severe action.

Why is this important in Australia?

Because it could be the thin edge of the wedge for linking. If a company cannot link to certain sites for fear of share information related liability (such as a public forum where opinions are aired, or a media publication which accidentally gets a story about the company wrong), it's not too many more steps to a situation where any hyperlinking may contain a legal risk.

If there was a risk for companies, there would also be a risk for government. What if that family-friendly site your agency linked to (even with a warning interstitial) was bought out by an adult products company, who promptly repointed it to one of their adult shops?

Would the agency linking to it become liable for the link? Or would extra legalese be required to discourage anyone going from one site to another, just in case?

This would make one of the fundamental foundations of the internet - linking - a very risky business.

Reported in WebProNews in the article, SEC Looks Into Hyperlink Liability, the SEC's approach does take into account the situation described above - where a clear warning exists, or the intention was not to cause offense or harm, so it's not really the thin edge of that wedge after all.

However I can see greater probity on linking leading to the kind of situation I described above - on the basis that by walling in the garden the customer is protected from 'bad' influences. It was the business model used with considerable success for a number of years by AOL.

Can you see a time coming where linking to other websites (other than trusted .gov.au sites) becomes too risky for your organisation to chance legally?

Is this a real option or should it be considered alongside foil hats?


Safeguarding egovernment networks - what if you had over 1,000 unauthorised web servers connected to your network?

I'd feel concerned if I was the CIO of a government agency that found it had over 1,000 unauthorised web servers connected to its network.

This is the position the US's Internal Revenue Service is in at the moment, having identified 1,150 unauthorised web servers connected to its network.

As the servers are unauthorised, they are not regularly security patched, making them potential intrusion points for hackers.

As reported in Nextgov, in the article, IRS finds unauthorized Web servers connected to its networks, the IRS is now in the process of creating policies and procedures to prevent the unauthorised servers from accessing IRS data and will be undertaking quarterly reviews to measure compliance with security standards.
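As an added example (not from the Nextgov article or the IRS), here is a simple reconciliation of a scan export against an authorised-server register, the kind of check a quarterly compliance review like the one described above would run: anything serving HTTP that is not in the register is reported as unauthorised, and registered hosts whose last patch date is older than the review interval are reported as stale. The CSV layouts, hosts, server versions and the 90-day interval are constructed assumptions.

```python
import csv
from datetime import date
from io import StringIO

# Constructed export of a network scan (host, listening port, HTTP Server header);
# addresses and versions are made up for illustration.
DISCOVERED_CSV = """\
host,port,server_header
10.10.1.5,80,Apache/2.2.9
10.10.1.5,443,Apache/2.2.9
10.10.2.17,8080,Jetty(6.1.11)
10.10.3.40,80,Microsoft-IIS/6.0
10.10.4.8,80,lighttpd/1.4.19
"""

# Constructed authorised-server register kept by the agency: host, owning team, last patch date.
AUTHORISED_CSV = """\
host,owner,last_patched
10.10.1.5,web-team,2008-08-20
10.10.3.40,hr-apps,2008-03-01
"""


def load_rows(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def reconcile(discovered, authorised, today, max_patch_age_days=90):
    """Return hosts serving HTTP that are not in the register, and registered
    hosts whose last patch date is older than the review interval."""
    register = {r["host"]: r for r in authorised}
    unauthorised = {}
    stale = {}
    for r in discovered:
        host = r["host"]
        if host not in register:
            unauthorised.setdefault(host, []).append((int(r["port"]), r["server_header"]))
            continue
        age = (today - date.fromisoformat(register[host]["last_patched"])).days
        if age > max_patch_age_days:
            stale[host] = age
    return {"unauthorised": unauthorised, "stale_patching": stale}


def quarterly_review(today=date(2008, 9, 9)):
    """Run the reconciliation over the constructed inputs for a given review date."""
    return reconcile(load_rows(DISCOVERED_CSV), load_rows(AUTHORISED_CSV), today)
```

The register is the control here: a server that nobody owns is a server nobody patches, so the unauthorised list is the work queue for tracking down owners, and the stale list is the one for chasing overdue patching.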


Thursday, September 04, 2008

The future of the internet - and how to stop it

Jonathan Zittrain's new book, The future of the internet - and how to stop it, presents a compelling picture of how the internet has evolved from the 'sterile' and unchangeable computer systems of the 1960s and 70s into a 'generative' environment, enabling individuals around the world to freely develop applications and services and distribute them widely.

The book then looks at what may come next - the impacts of security and privacy holes and the increasing attempts to limit innovation in order to solve these issues.

It provides a compelling view of where we might be headed if we do not take steps at political and managerial levels to change the direction.

The book is available freely online, notated by readers in an innovative collaborative approach to exploring the written word.

Jonathan has also presented many of the key themes of the book in various lectures, such as the one below.

