Today the Federal Government asked for suggestions on how agencies could better protect citizens' online information.
It noted that it is easier for people to access government services when they are online, but that cyber criminals are becoming ever more bold — and government information is a wonderful repository of information for them.
The Australian Government Information Management Office wants to develop guidance to help government agencies reduce security risks to the public from their dealings with government.
My first suggestion would be, as I have said in a previous blog, that the agencies try to educate those using their services as much as possible. Users are often the reason that things go awry, as is made evident by the PEBKAC (problem exists between keyboard and chair) acronym.
The government also needs to learn from Vodafone's recent security mishap when dealers were able to access too much information. The sharing of citizen information by governments should strictly be on a need-to-know basis.
This brings me to the new legislation passed in the Senate, which allows the Australian Security Intelligence Organisation (ASIO) to share the results of spying and interviews with other agencies. This really needs to be handled very carefully, or we could have all sorts of information flying around that shouldn't be.
I would also suggest that agencies make sure their cybersecurity spend is high enough, and that they not fall into business-as-usual slashing in this quarter. Yes, it's a cost, but our identity is precious. Spending is especially needed in the areas of training and keeping security staff happy so that they aren't poached by the ravenous private sector. To take advantage of specialist skills, there should be constant connection with specialist centres such as CERT Australia and the Defence Signals Directorate.
Given how important our personal information is, especially medical information that is supposed to be going into a Personally-Controlled EHealth Record, I also wonder if we need to start thinking like a bank does: multi-factor authentication, perhaps even involving biometrics.
To make sure it's not onerous, a federated ID should be rolled out across all levels of government. I am "me" for every transaction I have to make with the public sphere.
And when a data breach occurs, we want and need to know. Firstly, this will put pressure on agencies to learn from past mistakes. Secondly, it will allow citizens to take appropriate actions to protect their identities and spur us to take more care in our personal security. And lastly, it will hopefully lessen the likelihood of budgets being cut in that area, as it will become a public concern.