Is federal IT security a disaster waiting to happen? The Auditor General’s February 2005 report uses correct bureaucratic language to say exactly that.
“The majority of departments do not meet the minimum standards set by the [Treasury Board] Secretariat for IT security,” says the report. “Vulnerability assessments, conducted in departments and agencies over the last two years, have revealed significant weaknesses that, if exploited, could result in serious damage to government information systems.”
In Greek mythology, the mortal Cassandra rebuffed the amorous attentions of a god and was cursed. She could see impending disaster, but nobody believed her.
Today, Auditor General Sheila Fraser plays the role of Cassandra to official Ottawa, but with an important difference: People do believe her. Her credibility is almost unchallenged, because her predictions are all too easy to believe. Not only are they based on meticulous research, but many knowledgeable readers of her reports only need look around their own departments to confirm their relevance.
Unfortunately, while her recommendations are always acknowledged by the departments and agencies she reviews, they are not always implemented. In April 2002, the Information Technology Security section of the Auditor General’s report said: “Our audit has identified a number of issues that the government needs to address to improve IT security across departments and agencies.”
In the February 2005 follow-up report, the Auditor General wrote, “Despite encouraging signs of improvement, the government has made unsatisfactory progress in strengthening IT security since our audit in 2002…two-and-a-half years after revising its Government Security Policy, the government has much work to do to translate its policies and standards into consistent, cost-effective practices that will result in a more secure IT environment in departments and agencies.”
Fraser knew exactly what was at stake in 2002. “Before Canadians go online to do business with the government, they want assurance that government systems are secure and that their personal information will be properly protected.” What was true in 2002 is even more true in 2005. “As more and more government services are offered online, individuals and businesses need to have confidence that the information they share will be well protected.”
With dozens of applications already available online and more to come, the government is eager to declare victory for the Government On-Line initiative, launched in the 1999 Throne Speech (and since quietly given an extra year to become reality). As well as prestige, the credibility of citizen-government online communication is worth a lot of money. Moving even a small percentage of transactions to the Internet brings a substantial return on investment. Failure would be expensive, but failure is all too possible.
A recent U.S. study found that four adults out of five believe their personal information is not protected online, and one in four have reduced their online buying over the preceding year. Almost 25 per cent felt more vulnerable to identity theft, and 40 per cent don’t give personal information to businesses online. The implications for governments are obvious: If they are not the gold standard for information protection, nobody will deal with them online.
Auditor Generals’ reports have familiar rhythms for experienced readers. They take a traditional approach to persuasion, offering in this case a grudging amount of carrot, like “encouraging signs of improvement,” quickly followed by several stinging blows of the stick: “unsatisfactory progress”, “yet to be developed”, “not completely fulfilled”.
Elsewhere in these reports, the Auditor General sings a series of duets with the departments and agencies under scrutiny, in the form of Recommendations and Responses. Not surprisingly, the bureaucrats usually agree with the Auditor General’s suggestions and, by some happy chance, are often already hard at work implementing them. In the case of follow-up reports, there should probably be a reproachful coda, with the A-G singing, “But that’s what you said the last time!” and the official chorus chanting, “But this time we really mean it!”
IT security incidents are increasing, and the threats are becoming more serious. In light of the Auditor General’s follow-up report, it is now obvious that nothing will happen until a serious security breach exposes the inadequacies of the system.
And the problems are indeed systemic. The technical solutions are all well-known; vendors stand ready to install and troubleshoot their products; government IT staff have the knowledge to manage and administer them; citizens have the right to data security and privacy. The real problem is that responsibility for IT security is too diffused throughout the federal government. Nothing will get better until things get worse, and that is just a matter of time.
Richard Bray ([email protected]) is an Ottawa writer specializing in high technology issues.