Secure Channel will be mandatory for all federal government departments and agencies. At last. But just as no good deed goes unpunished, it seems no good decision goes unquestioned.
As winter tightened its icy grip on Ottawa, the House of Commons Public Accounts Committee was planning to put Secure Channel on the hot seat, with the flames underneath fed by incendiary newspaper accounts calling it “the technology system that no one wants to use” and quoting anonymous bureaucrats calling it “the monster” and a “white elephant.” No one ever claimed Secure Channel would be simple or cheap. But neither has anyone yet claimed it doesn’t work.
As infrastructure, Secure Channel was arguably ahead of its time, using the hardest security technology available, then or now. PKI, or Public Key Infrastructure, can be described as cumbersome, but so is getting a passport. Newspaper reports were careful to point out there were plenty of off-the-shelf alternatives to Secure Channel that were both less costly and less complicated. Of course, if you could get travel documents at the local convenience store, then getting a passport wouldn’t be such a nuisance either. The federal government stands by its passports, it plans to stand by Secure Channel, and it doesn’t plan to offer any alternatives.
The point was made that banks and credit card companies have been getting by without security standards as high as Secure Channel’s. But, as former Public Works ADM Michael Turner points out (Turner was in charge of Secure Channel’s early construction), banks and retail firms have been putting up with security failure rates that no government could even consider tolerating. In fact, they are now contemplating, if not already implementing, much tighter security.
It was always intended that all departments would ultimately buy into Secure Channel, but some argue that since deputy ministers have full responsibility for security within their departments, it’s only fair they have the choice of products. Part of that range of choice, however, meant tinkering and fiddling with the Secure Channel product to make it acceptable to their department’s unique requirements. While it’s unknown just how far the Secure Channel team went to meet client demands, the Canada Revenue Agency probably stood out as especially demanding.
Critics of Secure Channel have seized on the story of Canadians abandoning online registration with Canada Revenue because they did not want to wait five days to receive their out-of-band passwords in the mail. Wait a minute. For purposes of filing income tax online, using only SSL encryption, Line 150 of last year’s tax return has been a perfectly acceptable shared secret for some years now – but when it comes to Secure Channel, the agency must turn to Canada Post?
There may be a valid reason for CRA turning to snail mail to deliver Secure Channel passwords, but dozens of other departments and agencies have been managing to deal successfully with the public, businesses and other government departments over Secure Channel for several years now, without licking a single stamp.
The auditor general has taken Secure Channel to task for not having a business case, but it’s impossible to forecast uptake when your customers are really your colleagues, and sometimes even competitors for the scarce resources of budgets, headcounts and prestige.
Another argument against Secure Channel suggests that major shared services don’t work. Turner has little patience with that one: “Enterprise-wide shared services systems have already been mandated and implemented in other governments, including several provinces and of course many companies, saving millions annually. Just ask companies like IBM or Accenture.”
Recently it has been common wisdom if not certain knowledge that Secure Channel would become mandatory. A strong hint came two years ago when the report of the Information Technology Services Review said: “Secure Channel needs to be leveraged as the first element of mandatory common IT service infrastructure because it underpins IT telecommunications connectivity and the security of data transmission.”
Secure Channel is not one technology, but many. Within certain limitations, it can be customized and tailored to meet special cases, but there is no longer an argument that a department, branch, program, policy or process is unique and therefore exempt from a shared security service.
Uniqueness must express itself within a narrower range. On the other hand, departments will pay for Secure Channel from their own budgets, and that can only mean leverage over present performance and future design. It is now in everyone’s interest to make the best of a good situation, sharing the management as well as the cost.
Richard Bray is an Ottawa-based freelance journalist specializing in high technology and security. He can be contacted at [email protected]