By now, it’s an old story: Government is becoming increasingly dependent on information technology, both to make internal operations more efficient and to offer better service to citizens.
Lately, however, that storyline has been twisted. Increasingly, confidence in our IT infrastructure has been rattled by headline after headline about the loss of confidential information from trusted systems.
Plus: The situation is probably getting worse. Powerful forces are converging to make networked systems less secure and push the cost of system failure dramatically higher. There are more attacks, they are becoming more sophisticated, and, increasingly, the attackers are criminal gangs or even foreign governments. In hard numbers, security executives around the world reported a 22 per cent increase last year in incidents that caused financial loss.
For governments, the IT investment at risk is more than financial. Dozens of government programs today depend on stable, secure IT infrastructure. Planners look forward to automating processes which are now done by humans and aggregating those processes in centrally provided services. The reward comes in lower costs and more efficient service, as the private sector sets public expectations with a growing range of online services. A considerable investment of money, prestige and ambition is riding on tomorrow’s government information technology systems.
IT insecurity threatens that glittering prize. The more data gathered in one place, the greater the reward to a thief. The greater the access to that rich hoard, the greater the chance a thief will sneak in. And the greater the loss, the greater the embarrassment to those who hold office. Computers have rarely been designed with security as a first priority. The Internet was born as a research project with high levels of trust as a basic assumption. Nothing much has changed in those fundamentals. The rapid pace of growth has created rich targets for criminals and more points of vulnerability to attack them.
Until recently, consumer resistance to Internet-based services, even those offered by trustworthy institutions, was hypothetical. It is now a reality. There are signs of a public backlash against online transactions; people are proving remarkably alert to the new threats in their environment. This summer, for example, the Pew Internet and American Life Project reported that more than 90 per cent of Internet users had altered their web habits to keep spyware off their computers.
They might not know how spyware works, but they know what it does and they are at least trying to avoid it.
Surveys tell us that consumers have more trust in financial institutions to guard their confidential data than governments, but that trust may be fading. Banks and trust companies, early to market with online technology, are learning that consumers are highly sensitive to security fears. In the United Kingdom, Forrester Research reports that half a million Internet users no longer bank online and 6 million of those who never did say they never will.
Designers working to make their online applications easy to use may need to factor in better security, or at least more reassurance for skittish clients. Managers who have invested in online applications may need to adjust their take-up projections in light of this consumer behaviour.
To the public’s knowledge, to be sure, no Canadian government has yet suffered a major loss of confidential information. The Canada Revenue Agency, to cite just one example, has had great success with online tax filing, building confidence in its security year by year. If, however, a well-publicized incident or series of data spills turns generalized public suspicion into specific avoidance of online solutions, changes to CRA take-up rates would sound an early alarm.
The IT industry has always responded to threats reactively and iteratively, with each new hazard generating a new layer of responses, and there is now a wealth of informed expert opinion on the result. Some observers, for example, talk in terms of challenges for technology workers: “You are looking at a high degree of complexity for the IT staff at this point,” said Jamie Sharp, a vice-president at IDC Canada Ltd. “It is a layer cake of complexity.”
Marcus J. Ranum, Chief of Security for Tenable Security Inc., comes to the same point: “Computer security is fundamentally associated with our inability to manage complexity, and our approach to dealing with security problems is to add complexity. If you’re on fire, do you pour gasoline on yourself?”
In some eyes, IT security is trapped on a merry-go-round of vulnerability and patching, threat and response, incident and investigation, and there is no way to get off in the near future, says Michael Daniels, Practice Lead for Identity and Security at IBM Global Service Canada. “I don’t think that there will be some ultimate solution that will eliminate all potential future threats. There are solutions available, but it is necessary to stay on top of the threats that emerge.”
More to the point for government, specialists like Brian Bourne of CMS Consulting believe that operators in the public sector face a greater challenge than their private sector counterparts. “Doing IT security in government is a little harder,” he says. “You find a significant amount of legacy systems, and a great deal of interoperability is required. You see numerous pockets of people doing different things for all sorts of different reasons.”
IBM’s Daniels takes that point to the user level: “People have very strong expectations of government, that their information is kept private, that information should not even be shared between government agencies. So (those agencies) need to make sure the systems and solutions they put in place honour those expectations.”
The bottom line, literally, comes down to this: Governments in Canada are spending between one and three per cent of their IT budgets on security, to keep IT systems safe from harm, safeguard citizens’ precious data and spare the blushes of their ministers and mayors. Only the people who tend those systems can tell if it is money well spent.
One of them is Mike de Rosenroll, who has studied federal government IT security from every angle in a series of assignments. These days, he’s Director-General of Strategic Infrastructure Services at Public Works and Government Services Canada, where he’s advocating an enterprise-wide approach to IT security. De Rosenroll is blunt: “If we don’t approach security from a government-wide perspective, as an enterprise . . . then we are subject to the weakest link.”
If government departments operate as independent entities, with self-standing enterprise architecture and IT security, they necessarily operate by consensus. “It is a matter of voluntary compliance, inconsistent rules, and inconsistent application of rules,” said de Rosenroll. “That is the worst case. We have to move from that paradigm to a new paradigm where we manage our security environment as an enterprise, where we have rules that are interpreted and apply across government, that we have a mechanism for knowing if the rules are being applied, and we are making the investments necessary to make that happen.”
Already, de Rosenroll said, IT security is not a separate domain. “Right now, security is used to cover off things like authentication, identity and privilege management, anti-virus and anti-spam, URL filtering, improper Internet use, business continuity. The list goes on and on.
“We have expanded security so broadly that it is virtually meaningless. That may be bad in one sense, but in another way, the implication that we do not practice security in a vacuum is positive. If you are ‘architecting’ or engineering a system, IT security is going to be one of the toolkits you are going to apply.”
De Rosenroll is advocating an “all risk” approach to government business. “In my mind, what we need to do, and what we need to do to support managers, is produce an all risk summation, a synopsis for the managers, so they can take a look at real and actual compliance with the whole range of compliance issues: privacy, accessibility, look and feel, security. They need a holistic view of the risks they are taking.”
Many IT security practitioners agree that effective solutions are available and good management practices are widely understood.
As CMS Consulting’s Bourne said, “It’s always the simple stuff.” To avoid problems, he said, organizations should do three things:
“Number one, install with standard industry best practices. That applies to both architecture and the actual installation. Two, be able to respond quickly with things like patching.
“If you just did those two things, you would be light years further ahead than most organizations.”
Bourne’s third recommendation, proper account management, is almost shockingly basic. “Organizations regularly have accounts with access that haven’t been used for months, perhaps because the person left the organization and nothing was done, or perhaps because that particular system access was overlooked during de-provisioning.”
Put another way, we know what must be done to protect IT systems. Much of it just isn’t happening. Governments spend millions of dollars a year on IT security, but their efforts are uncoordinated and self-enforced. It may be time to tighten up compliance regimes and enforce security policies and management.
Even the ability to maintain existing security standards may be dropping. Public employers are finding it more difficult to attract qualified IT security personnel and retain the ones they already employ. In a recent report, IDC Canada noted that Canada’s governments are facing today’s security threats with significantly fewer formally qualified people compared with their corporate counterparts. It is difficult to believe the situation will improve.
In brief: Governments are asking a shrinking pool of qualified people working in relative isolation to deal with global threats of increasing sophistication against assets of greater value without enforceable standards.
Asked to rank IT security leaders by industry, IDC’s Jamie Sharp said financial services are most advanced. “They have a sense of the enterprise level of threat management, as opposed to device by device, or line of business by line of business.” Managers look for a holistic view of threats.
Many financial services firms are moving to solve the IT security puzzle by simply discarding pieces through outsourcing. Global corporations like IBM are stepping forward with a wide range of security services. One bank, for example, has outsourced firewall management for 30,000 desktops. Says Sharp: “They just manage that piece, so the service providers are willing to purvey on that granular a basis. I believe the managed security market will be able to out-aggregate the individual firm, so we will see individual firms opportunistically cherry-pick to deal with parts of the complexity.”
Outsourcing any aspect of security is a daunting proposition. Sharp says financial services companies have adopted a “trust and verify” model. “Service providers are contracted to meet their Service Level Agreements and third-party auditors are retained to verify performance against that trust level. We are seeing government interest in managed security, but it is predicated on that ‘trust and verify’ model.”
Outsourced security offers global expertise against global threats and a competitive marketplace where vendors can be judged on results. Instead of constantly struggling to catch up, governments could use managed services to set standards for progress. If consolidated services are the next stage of government operations, going one step further to outsourced IT security services may be the best way to protect them.
Security: The other bottom line
“If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.” – Practical Unix and Internet Security, 2nd Edition
Richard Bray ([email protected]) is an Ottawa-based freelance journalist specializing in technology and security issues.