Archived version

This is an archived version of the website of VERVA, the Swedish Administrative Development Agency (Verket för förvaltningsutveckling), as it appeared on 2008-12-31. This archived copy is presented by the E-delegationen (the Swedish e-Government Delegation). For access to the archived material, contact Riksarkivet (the Swedish National Archives). Only the content has been archived; form functionality does not work.

Verva makes simpler public administration possible
Verva - the Swedish Administrative Development Agency (Verket för förvaltningsutveckling)

Answers in e-standards

Lena Jönsson, of VERVA - The Swedish Administrative Development Agency, outlines the need for efficient iSecurity for public services.

The development of public e-services has been on-going for some ten years now. Initially these services were quite simple. They consisted mainly of general information about the organisation in the form of simple text and about the possibilities for downloading documents and forms. Today they are quite advanced; users actively perform their responsibilities and fulfil their service needs in real-time dialogues inside the public agency's internal information system. This enables us to provide good, efficient services to the public.

The development of e-services has created a number of challenges. One of the most important challenges is to solve the security problems linked with the use of Internet and web technology.

There is no doubt that security is a key enabler and success factor for the evolution of cost-effective and usable e-services. In order to facilitate secure e-services, to raise efficiency and to increase public confidence in electronic government services, it is highly recommended that Government Agencies assemble secure identification mechanisms. Secure identification is a means to protect the personal information of the individual and to prevent non-authorized access to personal information. Secure identification procedures and the use of digital signatures will assure growing confidence in electronic government in the long run.

From a global perspective the presence of organised crime in the e-services arena cannot be ignored. Some years ago we received attacks from individual hackers who tampered with websites, accessed classified information and stole e-mail addresses. Although these attacks caused problems, they were quite moderate in comparison to what we are exposed to today. It is no longer just individuals that are attacking public interests; now we have organised crime syndicates with substantial technical resources, skills and global networks that are threatening common interests. Their methods are often on the cutting edge of technical evolution and thus difficult to detect and neutralize, and they can cause substantial damage. These attacks are getting more technically refined. Instead of just simply stealing access numbers for bank accounts, perpetrators are now deploying Trojans that silently execute services where account holders unknowingly transfer money to a bank account in a third country.

Fortunately, things have not come quite so far in the public sector, but the risk of organised crime causing damage to government information is rising. Theft of personal identity information can become a severe problem when it is applied for the purposes of deception in public remuneration. Government information is more and more dependent on the Internet and there is thus a higher risk today of government information being wire-tapped and misused.

There are no easy answers or silver bullet solutions to avoid these threats. We have to focus on two security issues. Firstly, the user has access to sensitive personal data, and secondly the user has access to the sensitive infrastructure of the public agency. To lay the foundation for secure, reliable access to public information and the efficient provision of public e-services, it is therefore crucial to understand these issues. Services should be secure in the sense that every user has to be authorised to use the information. Personal identification is thus a key for secure services. Secure services should be accessible through a unique electronic identification system which grants the user the right to transact his or her personal information. Services should be reliable in the sense that they are robust and secure. Top-level managers have to think, live and act “iSecurely”. They have to build and implement iSecurity (Information Security) from the very bottom of the organisation. They have to produce an electronic security strategy and communicate it to the organisation. This strategy must be based on common standards such as ISO/IEC 27001: Information security management systems. Relevant staff must be trained in iSecurity and follow the iSecurity strategy. Top management has to perform risk assessments for each service and take proper measures, such as classifying information and enhancing the means for electronic identification.

The Swedish National Audit Office (SNAO) recently conducted a review of the information security management in 11 National Agencies. It noticed that the agencies' security systems were not sufficient. It detected serious shortcomings in the information systems which were caused by the failure of top-level management in fulfilling its responsibilities. The review stated that there was inadequate virus protection, some vital information systems were not available and in some cases, sensitive personal information was being disclosed. SNAO criticized the Government for not being explicit in its information security policy for the National Agencies. SNAO proposed that the Government should take appropriate action, focus on information security and communicate the goals and objectives to the Agencies. The agency for which I am responsible (VERVA) drafted a regulation for the secure exchange of information for National Agencies in December. This regulation is based on the ISO 27001:2006 and 27002:2005 standards and entered into force on 1 January 2008. The aim of the regulation is to enable agencies to build and maintain environments for a secure and reliable exchange of electronic information. My responsibility is now to communicate this regulation to the agencies so they can implement it. We will also be following up and reviewing its implementation in due course.

In the light of these developments and all the work we have done in this area until now, I have realized that, as the handling of information security is a global issue, so must the standards also be. Unless they are understood, implemented and used in the organisations that provide important public services, these standards can assume “a life of their own”. This insight is important in order to sustain efficient public e-services.

From another perspective, the architecture of e-services must be designed in a way that safeguards vital elements of the information system and personal information. The use of products evaluated in accordance with the standard of Common Criteria (ISO/IEC 15408) when procuring and purchasing equipment for public e-services is expected to be increasingly important in the future. The public sector has a responsibility to lead the way in creating a more secure and reliable technical architecture and for establishing a professional organisation for secure, reliable and effective public e-services. The use of iSecurity is from my point of view a strategic enabler for delivering public e-services.

This also provides a good foundation for innovation in the ways we deliver public services. Electronic services should be built for high accessibility at all hours and designed in a way that makes them simple and intuitive to use. A user-friendly language is fundamentally important here. The user should be able to trust that the electronic service really comes from the government and not some obscure provider with false intentions. The effectiveness of public e-services incorporates the understanding that governments should provide the right services, 'right' meaning services that are attractive to users, and save them time and money.

Lastly, to protect both personal and sensitive data, protect public property and to defend other national democratic interests it is important that government has an intensive cooperation with equivalent authorities and organisations in the European Union and globally.

Lena Jönsson,
Director General of The Swedish Administrative Development Agency

Last updated: 2008-04-10

Article published in Public Service Review: European Union (issue 15, March 2008).