
Governments must keep the faith

Put public services online, but subject IT systems to standards checks to maintain data integrity, says a security expert.
Written by Vivian Yeo, Contributor

Governments need to focus on winning public trust in IT systems with better technologies and policies, according to a global security consultant.

Ian Robertson, managing consultant of security and privacy for IBM Global Services, told ZDNet Asia in an interview Wednesday that in the United Kingdom "a number of failures of government-based systems" have affected public trust.

One such instance was a social welfare system that could not cope with the amount of data changes and did not have enough checks in place to ensure money was paid to the correct recipients. What resulted were inaccurate payouts and payments to the wrong people, Robertson said.

Real-world examples like these warrant attention because once faith in the system is shaken, "it's very difficult to recover the trust of the public", Robertson noted.

"The general view is that the government systems are too expensive and don't work," said Robertson. "That's not entirely true--quite a lot of the systems work, and quite a lot of them are secure. But we need to do a great deal more than that in order to make sure that the public actually trusts the government."

Governments can establish greater trust by seeking quality assurance levels for security, Robertson said. "The quality of security is being improved by a combination of better technology, better standards and better application of those standards," he noted.

Currently, in the United Kingdom, systems that are used by the government to transact with the citizens are required to go through a risk management and accreditation process. Although this provides "a modest level of security", it is a formal process by which each government department can be assured that it has gone through accreditation, he added.

On the area of authentication, Robertson noted that "identification of human beings online is clearly still an imprecise process". Banking institutions are more advanced, with many moving into stronger user identification such as the use of chip and PIN (personal identification number) technology.

For a nationwide authentication system, such as the National Authentication Framework (NAF) announced recently by Singapore, the authorities need to ensure that "the best possible technology" is used, said Robertson. That's because the NAF not only serves as a platform for authentication, it also involves the possible sharing of information between the government and citizens, government and businesses, and businesses and consumers.

The U.K. government, which currently has online database systems for driving licenses and vehicle taxation, is also considering sharing the data with car rental companies. This would mean that any U.K. citizen can rent a car anywhere in the world and prove that they have a valid driving license by simply performing a check on the Internet.

Governments, however, must think it through carefully before sharing data with private sector companies. "Linking [must be] done in a way that's useful to the public", noted Robertson. "There are lots of bits of information which the public has to give the government, but the government doesn't have to reveal it to anybody else."

For example, a person's medical details such as blood type and allergies may be shared for prompt action during emergencies, said Robertson. The mental health history may not necessarily be shared if that information could invalidate insurance claims.

"It becomes a very complicated equation for privacy, but one which we should be able to build rules for and put those rules into IT systems," he added. "We're just beginning to think of doing that in the U.K."
