The key to e-government
Well before the arrival of the new year, it seemed that the eyes of the
federal information technology community had begun to shift from the Year
2000 problem to the topic of IT security.
Although security is a broad field encompassing a variety of concepts
and technologies, one solution that likely will gain prominence in the lives
of federal IT managers during the coming months is public-key infrastructure (PKI).
For most of us, the extent of our experience with PKI is that little image
of a lock that appears at the bottom of our World Wide Web browsers
when we are buying something online. Yet as government agencies
continue to ramp up their electronic government initiatives, PKI's role
in facilitating the security of those initiatives will increase dramatically.
In its most basic form, PKI allows secure communication between two
parties. Specifically, it can be used to guarantee the identity of the message
sender, ensure that only the message recipient can read the message and assure
both parties that the message was not tampered with during transmission.
The most pervasive application of PKI is securing credit card transactions
via the Web, but that only scratches the surface of PKI's usefulness and
applicability to the online world.
In the past year, federal agencies have put forth a variety of programs
* The Patent and Trademark Office is using PKI for securely communicating
the status of patent applications.
* The Internal Revenue Service is piloting a program to allow tax filings
via the Web using PKI.
* The General Services Administration recently awarded several contracts
under its Access Certificates for Electronic Services program for the provision
of digital certificates to facilitate e-government initiatives across the
Despite the rapid increase in acceptance of PKI, it is not without its limitations.
As with any security solution, it is only as secure as its weakest link.
If the key for unlocking the encryption code of a message, called the private
key, is lost or compromised, you can no longer be assured of the privacy
of your message.
Similarly, there is a "people" factor involved in maintaining the integrity
of PKI. Just as an employee can inadvertently leave a door unlocked to a
secure office, an employee also can leave a private key insufficiently protected.
Unlike your car keys, which have to be physically duplicated, private keys
exist electronically and can be copied over a network as easily as any other
electronic file. That makes it just as important for agencies to create
sound security procedures for employees as it is for them to build an effective
We may be far from the days when citizens have personal certificates
as a means of doing business with the federal government. PKI is still too
cumbersome for the average citizen, and support is not yet widespread enough
to make it worthwhile. However, the technology is ripe for rapid expansion
in the federal government for business-to-business applications.
Indeed, from secure e-mail to intranet access control, we can expect
to hear a lot about PKI in the coming year.
— Plexico is vice president and chief technology officer at Input, an IT market
research and marketing services firm.