Security complex

For state and local governments, the technical work associated with moving

services online may seem elementary compared with the beleaguering task

of gaining the public trust that is critical for digital government to take

hold.

Many agencies didn't have proper security policies to protect their

internal data before they launched their first rudimentary World Wide Web

sites, which offered static information. As a result, several agencies were

publicly embarrassed after hackers defaced those sites.

So now, as they are on the cusp of turning their systems inside out

to serve constituents and accept confidential data generated from electronic

government transactions, officials must craft policies to protect internal

systems from outsiders while shielding external data being offered via Web

transactions.

"This is a serious business," said Doug Robinson, executive director

for information technology policy and customer relations in Kentucky's

Governor's Office for Technology. "Privacy is a serious business to our

customers. Security is a serious business to our customers if we want the

public's trust. The public already does not trust the government, and now

we're saying, "Give us your credit card number.' "

Many of the challenges of protecting data in this era of e-government

stem from the stark differences between processing forms at a counter and

processing packets from cyberspace, said Brandon Lenoir, director of the

National Electronic Commerce Coordinating Council.

"You would walk in and somebody would make copies, and an hour or two

later, you'd get the requested information," he said. "In the paper-based

world, they'd pull out their black marker and delete information they didn't

want people to have. Now, it's instantaneous."

Policing Cyberspace

Most government officials agree that protecting private information

about citizens is paramount to the success of digital government initiatives.

It is paramount because privacy will be the "make or break issue for government

online," said Jerry Johnson, senior policy analyst for the Texas Department

of Information Resources.

Texas has detailed computer security rules and guidelines for its 240

agencies. For example, IT security policies require state agencies to use

Secure Sockets Layer, a popular encryption protocol developed by Netscape

Communications Corp., if they are collecting personally identifiable information

from citizens.

In addition, the state requires agencies to perform security risk assessments

that must be presented to agency heads. The agency heads make final security

risk management decisions, including whether or not to accept the vulnerabilities

or take corrective action.

But despite the comprehensive policies developed to date, officials

are still mulling various policy issues related to e-government, Johnson

said.

For example, officials have not resolved the issue of adapting their

security measures, such as digital signatures, to meet the blistering speed

of technology advancements. Although a digital signature can be verified

today, officials say it may not be easily verified in 10 or 15 years. In

addition, before offering electronic services, agencies must evaluate the

risk of specific transactions and formulate policy to correspond to the

various risk levels.

"What's the possibility of fraud?" Johnson asked. "If you're paying

your utility bill online, probably not much. If it's for a license renewal,

you can revoke that license. If you are providing access to electronic information,

the risk is probably higher because once [unauthorized users] get it, it's

gone. What do you have to do to verify or authenticate that transaction?"

In addition, because of the government's public stewardship duties,

agencies are routinely subject to audits. Designing policies that map the

paper audit trail to the electronic audit trail are crucial, Johnson said.

"It's one thing to say, "I've got a policy that provides for adequate

security for this private data,' " he said. "This is a brand new area for

a lot of government auditors. Now, they've got to be able to say, "Are you

doing what you said you would do and providing adequate security? Can you

go back and show that this transaction was closely monitored and secured?'

"

Ushering audit trails into the Information Age is not the only thorny

issue governments are tackling when forming IT security policies. For many

state and local agencies, the core product is generating public information.

Still, those agencies — and others whose mission revolves around personal

data — must identify and protect information that may be private.

Although designating separate file cabinets may have solved this problem

in the past, the Web complicates matters, said Rupert Loza, strategic planning

manager for Arizona's Government Information Technology Agency (GITA).

"A lot of this information is public information," he said. "We have

to let a lot of people in while still protecting the information. There's

been a lot of discussion of privacy issues. Is everything we have public

information?"

GITA also faced stumbling blocks after attempting to devise an encryption

policy. GITA hasn't identified an encryption method to recommend because

officials found that the broad topic of encryption spawned the need for

additional policies, Loza said.

"It's not just an IT organization saying, "We're going to encrypt everything.'

That's not the best approach," he said. "We have all kinds of data. How

are we going to classify those types of data? Should it be encrypted or

not? Should we offer this information to the public?"

In addition to sifting through data that was never classified in the

paper-based world, agencies also need to create policies to allow citizens

using e-government applications to seamlessly access multiple agency systems

that historically have been isolated silo systems.

Officials in Kentucky are eyeing policies and technology to give people

a "global sign-on" personal identification number that would allow them

to traverse many applications without having to be authorized for each one,

Robinson said. The state may opt to use policy-based meta directories, which

allow the roles and permissions for all applications to be stored in one

directory.

"What the PIN does is authorize them, but then you have to secure everything,"

Robinson said. "In our case, we're dealing with 14 different lines of business.

The forestry people aren't talking to the people who build roads, but our

citizens and our business may need to talk to them both. If all the citizens

and businesses have a PIN, then we would have a meta directory, and it could

be used for many applications."

Robinson spends much of his time focusing on "pre-emptive strikes" to

ward off potential security or privacy policy transgressions in state agencies.

For example, a state agency recently began letting people register for a

training event via the Web with a form that requested the registrant's Social

Security number but did not provide adequate security and privacy controls,

he said.

"They basically took their paper registration form and put it on the

Web," he said. "[Agency officials said], "We do it every day on paper, and

it's going to cost us money to get a [digital] certificate.' They're just

not really thinking about the impact."

Solutions

In July, Kansas' Department of Administration unveiled its comprehensive

security policy, which took about 10 months to complete. Andrew Scharf,

deputy director for telecommunications, said policy architects ensured success

by narrowing their mission and fending off the tendency to put procedures

before policies.

"The first thing we did was to sit down and try to decide what the mission

was," he said. "The biggest challenge is getting the communications focused

on policy. They're thinking [about] procedures and how that's going to affect

their agency."

While security policies often reflect the struggles associated with

moving from in-store transactions to keyboard transactions by offering broad,

high-level guidelines, the department's policy includes granular security

requirements.

For example, direct dial-in by remote users to modems on the department's

local-area network is prohibited unless explicitly approved by the department's

security administrator.

The divisions also must ensure that new application and systems development

and modifications to old systems meet the security policy criteria. New

projects that require access to the department's network must include a

security plan and be approved by the department's security council.

"There will be some divisions that will have to make some changes to

the way they do business," Scharf said. "It may have some budgetary implications.

For instance, there may be a division that has allowed unrestricted access

into their systems for remote access. For them to change it may cost them

money. It could take a year or so before budgets could accommodate the changes."

Many states just beginning the task of drafting security policy model

their work after Tennessee's enterprisewide policy, which has been in place

for the past four years.

Bradley Dugger, the state chief information officer, said one of the

most critical aspects of putting a policy into place is viewing it as a

"living document" that must be constantly reviewed. He advises officials

to avoid getting trapped by the temptation to wait until an entire enterprise

architecture is rolled out before launching policies — and associated technologies — to protect the enterprise. In Tennessee, officials deployed security mechanisms

in bits and pieces.

Still, even states like Tennessee, which tackled IT security policy

in the days when many governments were resisting the notion that government

would even move services online, are facing challenges associated with e-government.

"What we're wrestling with is trying to be consistent with good security

policy but not go overboard versus what we have for paper signatures," Dugger

said. "The legal community wants to push us toward total encryption and

[digital] certificates when sometimes we think a PIN would work just as

well. If the security on the handwritten signatures was adequate, then we

should model electronic signatures on that."

Some states are turning to consultants to help them form security policy.

North Dakota has released a request for proposals for a consultant to

help officials design a blueprint for a security architecture and a formal

policy that will support the architecture, said Dan Sipes, associate director

for administration in North Dakota's information technology department.

"We're going to use the consultant to bring best-of-breed knowledge

to supplement ours," Sipes said. And having the work done by an un-biased

third party sometimes helps reluctant agencies accept the decisions, he

said.

"As you put security in place, there's always that balancing act — the

more I secure something, the more inconvenience I'm imposing on my customers,"

Sipes said. "There's a whole continuum of what people are looking for —

some people are really worried about encryption and privacy, and others

just want it as easy and convenient as possible. There's a little more weight

and a little more willingness to come to the table, and [acknowledging]

it might mean increasing costs or more hoops, but here's why we're doing

it."

—Harreld is a freelance writer based in Cary, N.C.