Government's big security challenge: Keeping data private
Governments across the globe are using technology to be as efficient as their counterparts in the business world. So-called e-government projects allow constituents to go online and pay utility bills, apply for construction permits, and even see children's grades — without human interaction. The result is more convenience for constituents and better use of government staffing resources.
In Summary:
| • | The realm of government IT security is expanding into the realm of secure and reliable communications in times of citizen crisis. |
| • | IT must guard against security failures that will erode public trust. |
| • | Best practices require participation and collaboration across all government departments. |
However, with all of these changes for the sake of convenience, government IT personnel responsible for security have an ever-growing task list. It includes:
| • | Keeping public data accessible while keeping private data secure and networks free from dangerous "malware"; |
| • | Dealing with public safety departments, such as fire and police, which are mobile and need 24-hour availability; |
| • | Ensuring communications security in light of both an increasingly mobile workforce and the need for emergency response after a disaster. |
Everything in government security seems to be a balancing act: civic transparency versus civilian privacy; usability versus data protection; responding to IT-driven demands without access to adequate funding; teaching kids about technology without unduly limiting their Web access. The challenge will only get worse.
Security with holes can mean lost funds, and lives
For government IT staff, maintaining security and reliability means more than ensuring that library patrons can read The New York Times or South China Morning Post online. It also means that in emergency situations, public safety workers need to be able to effectively communicate with one another to provide aid, and, save lives. The 9/11 attacks in New York highlighted the importance of this issue; it is now well-known that the lack of interoperability between communication systems caused unnecessary casualties.
David Jordan, chief information security officer for Arlington County, Va., acknowledges that he's learning much more about emergency management. His IT department has deployed an emergency vehicle that's responsible for going on-scene at disasters to consolidate information from police, fire, and electrical and sewage services. It even includes wireless video capabilities to transmit disaster images back to an operations center, Jordan says.
As a county, such capabilities are important, he adds, because Hurricane Katrina taught U.S. government officials that sometimes outlying areas need as much help as urban areas; without exposure, those remote communities can get left behind by disaster workers. Ensuring that this system works can be crucial for getting timely response from state and federal officials; the Arlington County vehicle even has its own firewall to keep transmissions secure.
Today, government agencies and offices need to consider how their IT efforts intersect with broader anti-terrorism initiatives. For instance, a recent document released by the U.S. Congressional Record Service looked at the potential of data mining to discern terrorist activity. This report suggested that government IT departments look at pattern-recognition, and invest in analyzing everything from passport and visa applications to car rentals and driver's license renewals to criminal records and airline ticket purchases. Doing so, however, would require "improved collaboration and decision support tools."
Security and reliability are also important in constituent-facing systems, of course, because taxpayers are footing the bill. In the Floyd County, Va., school district, chief technical officer Michael Murphy is researching a secure portal whereby parents will be able to access their children's report cards online. In this scenario, security also dovetails with reliability and bandwidth. "If 1,000 parents try to check in at the same time, and they don't have the bandwidth, they're going to have a sour taste in their mouth," he says.
Tighter security means changes in processes
As the spectrum of what constitutes security issues grows, so too does the IT department's workload and its interaction with other departments. For instance, in Arlington County, the county's IT and security executives are now on 24-hour call on a revolving basis. When there's anything from a power failure to a tanker fire, emergency management can call the IT duty officer for assistance. "That's how important IT is in the continuity of operations," Jordan says.
At the same time, both field service technicians and public safety officers are using laptops more frequently. This has two ramifications: (1) Data on a mobile device should be encrypted, and (2) such laptops and handheld computers should have "kill" capabilities installed so that if a device is stolen or lost, the data is blocked after a failed password attempt.
Government IT workers also have to pay more attention to wireless security, and ensure that only authorized users have access to back-office financial and operational information. Because a city or local government, unlike a traditional corporation, is made up of departments that may have little in common, cultural and process issues take center stage.
Christopher David, Arlington County's chief technical officer, notes that all those departments — the country offices, the libraries, and the public safety departments — have different, overlapping schedules. That wreaks havoc in terms of system maintenance, because there's no time when everyone is off the system. As a result, the county has an architectural review board involving multiple departments, so that managers understand how the deployment of security and other solutions affect each of them.
Public access, data protection, and wireless security are certainly issues which affect corporate IT departments as well. But government IT staff has the added challenge of providing this protection on sometimes extremely limited budgets. Their constituents will never notice when security is maintained, but will always notice when it isn't.
3 steps for government IT security managers
According to government executives, both in IT and administration, there are three things to focus on when it comes to security — both now and in the future.
1. Isolate public information from proprietary data. The minimum level of government security requires that you maintain two networks: one containing data available to the public over the Web, and the other maintaining proprietary data, such as personnel information. For instance, salaries may be public information, but payday and direct-deposit information is not. (For more on access management of multiple databases, see information about Microsoft Identity Integration Server 2003.)
2. Control and monitor Internet usage in public places. In school districts and libraries, kids and young adults are likely to access the latest social-networking and peer-to-peer Web sites, such as MySpace and FaceBook. Not only can these sites contain malware, but even innocent downloads can bring network traffic to a crawl. Maintain logs of the sites this demographic visits most, in order to block them if they're not pertinent to education. (And know that Windows Vista is the most secure and reliable operating system ever developed by Microsoft, with security features that include protection against malware and other unwanted software. See this page for details.)
3. Start formulating a GIS strategy. Even though information regarding property is available to the public in most cities and counties, it's difficult to access without visiting multiple government offices in person. Geographical information systems (GIS) for public safety or municipal permit programs reveal everything about a property, from how many children live in a particular home (useful for firefighters) or if a handicapped ramp was installed (meaning the resident is potentially vulnerable). Making these systems open, just as the current information is, means some sensitive information can be gathered quickly and anonymously. Most government entities haven't formulated a plan for maintaining the privacy of this information.
To learn more about Microsoft's efforts to address the unique security requirements of governments worldwide, read this overview of the Government Security Program. For more Microsoft product information and security tips for government agencies, see the Security Guidance Center for Government.
