For state and local governments, the technical work associated with moving services online may seem elementary compared with the beleaguering task of gaining the public trust that is critical for digital government to take hold.
For state and local governments, the technical work associated with moving
services online may seem elementary compared with the beleaguering task
of gaining the public trust that is critical for digital government to take
hold.
Many agencies didn't have proper security policies to protect their
internal data before they launched their first rudimentary World Wide Web
sites, which offered static information. As a result, several agencies were
publicly embarrassed after hackers defaced those sites.
So now, as they are on the cusp of turning their systems inside out
to serve constituents and accept confidential data generated from electronic
government transactions, officials must craft policies to protect internal
systems from outsiders while shielding external data being offered via Web
transactions.
"This is a serious business," said Doug Robinson, executive director
for information technology policy and customer relations in Kentucky's
Governor's Office for Technology. "Privacy is a serious business to our
customers. Security is a serious business to our customers if we want the
public's trust. The public already does not trust the government, and now
we're saying, "Give us your credit card number.' "
Many of the challenges of protecting data in this era of e-government
stem from the stark differences between processing forms at a counter and
processing packets from cyberspace, said Brandon Lenoir, director of the
National Electronic Commerce Coordinating Council.
"You would walk in and somebody would make copies, and an hour or two
later, you'd get the requested information," he said. "In the paper-based
world, they'd pull out their black marker and delete information they didn't
want people to have. Now, it's instantaneous."
Policing Cyberspace
Most government officials agree that protecting private information
about citizens is paramount to the success of digital government initiatives.
It is paramount because privacy will be the "make or break issue for government
online," said Jerry Johnson, senior policy analyst for the Texas Department
of Information Resources.
Texas has detailed computer security rules and guidelines for its 240
agencies. For example, IT security policies require state agencies to use
Secure Sockets Layer, a popular encryption protocol developed by Netscape
Communications Corp., if they are collecting personally identifiable information
from citizens.
In addition, the state requires agencies to perform security risk assessments
that must be presented to agency heads. The agency heads make final security
risk management decisions, including whether or not to accept the vulnerabilities
or take corrective action.
But despite the comprehensive policies developed to date, officials
are still mulling various policy issues related to e-government, Johnson
said.
For example, officials have not resolved the issue of adapting their
security measures, such as digital signatures, to meet the blistering speed
of technology advancements. Although a digital signature can be verified
today, officials say it may not be easily verified in 10 or 15 years. In
addition, before offering electronic services, agencies must evaluate the
risk of specific transactions and formulate policy to correspond to the
various risk levels.
"What's the possibility of fraud?" Johnson asked. "If you're paying
your utility bill online, probably not much. If it's for a license renewal,
you can revoke that license. If you are providing access to electronic information,
the risk is probably higher because once [unauthorized users] get it, it's
gone. What do you have to do to verify or authenticate that transaction?"
In addition, because of the government's public stewardship duties,
agencies are routinely subject to audits. Designing policies that map the
paper audit trail to the electronic audit trail are crucial, Johnson said.
"It's one thing to say, "I've got a policy that provides for adequate
security for this private data,' " he said. "This is a brand new area for
a lot of government auditors. Now, they've got to be able to say, "Are you
doing what you said you would do and providing adequate security? Can you
go back and show that this transaction was closely monitored and secured?'
"
Ushering audit trails into the Information Age is not the only thorny
issue governments are tackling when forming IT security policies. For many
state and local agencies, the core product is generating public information.
Still, those agencies — and others whose mission revolves around personal
data — must identify and protect information that may be private.
Although designating separate file cabinets may have solved this problem
in the past, the Web complicates matters, said Rupert Loza, strategic planning
manager for Arizona's Government Information Technology Agency (GITA).
"A lot of this information is public information," he said. "We have
to let a lot of people in while still protecting the information. There's
been a lot of discussion of privacy issues. Is everything we have public
information?"
GITA also faced stumbling blocks after attempting to devise an encryption
policy. GITA hasn't identified an encryption method to recommend because
officials found that the broad topic of encryption spawned the need for
additional policies, Loza said.
"It's not just an IT organization saying, "We're going to encrypt everything.'
That's not the best approach," he said. "We have all kinds of data. How
are we going to classify those types of data? Should it be encrypted or
not? Should we offer this information to the public?"
In addition to sifting through data that was never classified in the
paper-based world, agencies also need to create policies to allow citizens
using e-government applications to seamlessly access multiple agency systems
that historically have been isolated silo systems.
Officials in Kentucky are eyeing policies and technology to give people
a "global sign-on" personal identification number that would allow them
to traverse many applications without having to be authorized for each one,
Robinson said. The state may opt to use policy-based meta directories, which
allow the roles and permissions for all applications to be stored in one
directory.
"What the PIN does is authorize them, but then you have to secure everything,"
Robinson said. "In our case, we're dealing with 14 different lines of business.
The forestry people aren't talking to the people who build roads, but our
citizens and our business may need to talk to them both. If all the citizens
and businesses have a PIN, then we would have a meta directory, and it could
be used for many applications."
Robinson spends much of his time focusing on "pre-emptive strikes" to
ward off potential security or privacy policy transgressions in state agencies.
For example, a state agency recently began letting people register for a
training event via the Web with a form that requested the registrant's Social
Security number but did not provide adequate security and privacy controls,
he said.
"They basically took their paper registration form and put it on the
Web," he said. "[Agency officials said], "We do it every day on paper, and
it's going to cost us money to get a [digital] certificate.' They're just
not really thinking about the impact."
Solutions
In July, Kansas' Department of Administration unveiled its comprehensive
security policy, which took about 10 months to complete. Andrew Scharf,
deputy director for telecommunications, said policy architects ensured success
by narrowing their mission and fending off the tendency to put procedures
before policies.
"The first thing we did was to sit down and try to decide what the mission
was," he said. "The biggest challenge is getting the communications focused
on policy. They're thinking [about] procedures and how that's going to affect
their agency."
While security policies often reflect the struggles associated with
moving from in-store transactions to keyboard transactions by offering broad,
high-level guidelines, the department's policy includes granular security
requirements.
For example, direct dial-in by remote users to modems on the department's
local-area network is prohibited unless explicitly approved by the department's
security administrator.
The divisions also must ensure that new application and systems development
and modifications to old systems meet the security policy criteria. New
projects that require access to the department's network must include a
security plan and be approved by the department's security council.
"There will be some divisions that will have to make some changes to
the way they do business," Scharf said. "It may have some budgetary implications.
For instance, there may be a division that has allowed unrestricted access
into their systems for remote access. For them to change it may cost them
money. It could take a year or so before budgets could accommodate the changes."
Many states just beginning the task of drafting security policy model
their work after Tennessee's enterprisewide policy, which has been in place
for the past four years.
Bradley Dugger, the state chief information officer, said one of the
most critical aspects of putting a policy into place is viewing it as a
"living document" that must be constantly reviewed. He advises officials
to avoid getting trapped by the temptation to wait until an entire enterprise
architecture is rolled out before launching policies — and associated technologies — to protect the enterprise. In Tennessee, officials deployed security mechanisms
in bits and pieces.
Still, even states like Tennessee, which tackled IT security policy
in the days when many governments were resisting the notion that government
would even move services online, are facing challenges associated with e-government.
"What we're wrestling with is trying to be consistent with good security
policy but not go overboard versus what we have for paper signatures," Dugger
said. "The legal community wants to push us toward total encryption and
[digital] certificates when sometimes we think a PIN would work just as
well. If the security on the handwritten signatures was adequate, then we
should model electronic signatures on that."
Some states are turning to consultants to help them form security policy.
North Dakota has released a request for proposals for a consultant to
help officials design a blueprint for a security architecture and a formal
policy that will support the architecture, said Dan Sipes, associate director
for administration in North Dakota's information technology department.
"We're going to use the consultant to bring best-of-breed knowledge
to supplement ours," Sipes said. And having the work done by an un-biased
third party sometimes helps reluctant agencies accept the decisions, he
said.
"As you put security in place, there's always that balancing act — the
more I secure something, the more inconvenience I'm imposing on my customers,"
Sipes said. "There's a whole continuum of what people are looking for —
some people are really worried about encryption and privacy, and others
just want it as easy and convenient as possible. There's a little more weight
and a little more willingness to come to the table, and [acknowledging]
it might mean increasing costs or more hoops, but here's why we're doing
it."
—Harreld is a freelance writer based in Cary, N.C.
NEXT STORY: Report: Income, not ethnicity, determines access