This week, I would like to tackle my other favorite topic: Development and Information- and Communication Technologies. To narrow it down: security in development through e-Governance. So what is e-governance?
E-governance is becoming more and more popular, and there is already a country which completely relies on this method in most of its political interactions: Estonia, or E-stonia as it is sometimes called. To put it simply, e-governance is the tuning of administrative processes of the public sector through the use of ICTs. Let me give you an example: In Estonia it is possible to vote for the president in the elections from your computer at home. While, in the ‘old world’, you had to go to a place and put a cross in front of your favorite candidate, all you have to do now is sit in front of your computer and make some clicks. This is an easy-to-explain example but of course not the first step to e-governance.
If a country, or developing country for that matter, decides to go e-governance, one or more local governments will normally spearhead/test-drive it. A local administration sets up a small computer system where you can go and – for example – register your new car. The clerk will do that on a computer, and the data will be centrally stored, which makes their work more efficient and, as a result, means less hassle for you. Next time you go there to extend your registration or for any other purpose concerning your car, things go much faster and the paperwork will more and more be eradicated. At least, that is the theory. What happens next? If all works out as the local administration planned, they might want to add some more features. So next time you go there, instead of just registering your car, you can also register as a citizen of that area, file your tax report and apply for a new passport. After several months, you will be able to attend to almost all your administrative concerns at this office, which is managed by ICTs. If that happens, you can call it a ‘one-stop shop’. You go to this office and most of your concerns will be taken care of, so you don’t have to go to a second or third ‘shop’ anymore. The office grows, and so does the data. If this project is successful, it might get replicated in other regions. These regions might decide to use the same software and later on connect to each other in order to enable citizens to easily move between these regions. The next step might be decentralizing these services, which means that you don’t even have to (but still can) go to the ‘one-stop shop’, because you can attend to your administrative requirements from your own computer or from different computer stores set up by your local authority within the city in order to make it easier for you and reduce waiting inside the shop. When that all works fine and everyone is happy, the national/federal level might start some of their services online.
After a couple of years, everything is e-governance, everyone is happy and the country can call itself GenericCountryName 2.0.
If only it were that easy… A lot of effort is being directed towards the application and implementation of e-governance in various countries, especially in developing countries. For them it is a good opportunity to leapfrog development and catch up with the developed countries. What is not taken into account in a lot of e-governance projects is: security. When these projects start, they might not have a large budget because the person managing the money of the locality is still skeptical. The people taking care of the network might not even be IT specialists. Both points are not too bad if you want to test-drive e-governance. However, if e-governance really takes off, there should be a turning point. This turning point has to involve a good strategy for future planning. Human and financial resources as well as the choice of the right hard- and software are an integral part of it. Are there other local governments in your country already implementing e-governance? If so, do you ever plan to link up with them? If so, what software are they using, and is the software good enough to be able to sustain natural growth of your e-governance project? (At that point you already need someone who understands the technical side very, very well.) If you answer all of these questions with yes, then you might consider using the same software as the other local administration/s you were eyeing. Everything else defeats the purpose. Really. The strategy also helps you to allocate the right expenses for the coming year – as most local administrations normally calculate their budget tightly for the coming year already. If you know already what to buy and who to hire to sustain the growth and keep everything running smoothly, you are already there… just one more thing: security.
No, security is not sexy – well I personally think it is but then again, who cares what I think? Yes, even small e-governance projects need to worry about security. And yes, even bigger e-governance projects have to worry even more about their security. Why so? One word: information.
At one point or another, the e-governance approach is hooked up to the Internet. There are two eternal truths about the Internet: 1. All the bad comes from the Internet. 2. Internet is for porn. While the latter is not that important for the issue at hand, the first is all the more so. As soon as your information becomes somehow accessible from the Internet, it is at risk. In general even before, but that is not going to be part of this article. Because at some point – mentioned above – services will not only be provided inside the one-stop shop but also over a website or databank so that the citizen can access them from home, the issue of security becomes more prevalent than ever. Why?
In a late stage of development, your system will contain all personal data of a citizen. For convenience. Address, Age, Sex, Name, Contact Number, Email Address. Additionally, all of the services the local administration is offering add information. Tax return, monthly income, type of car, name and number of children and so on and so forth. It is like a citizenpedia, just not published yet. Anyone ever used the word citizenpedia? Maybe not. Does not sound good anyway. Back to topic: So what happens if this information gets published? It is an administrative and political nightmare. Many personal nightmares will follow, first of all for the mayor and his IT staff. This kind of information is worth a couple of dollars per person on the Internet. For some cracker groups (non-ethical hackers for that matter) it is also a perfect example of how to show that the government is not taking care well enough of you, which leads them to publish it online. This information opens the doors for social engineering amongst other things (see the respective articles). Because no one really wants that, we need holistic security.
Why is security not thought of in the first place? It is expensive and it does not offer a benefit directly in return. Once you lose all your data, you normally start backing it up – that is, if you were sad about losing your data in the first place. In conclusion, that would mean that a local authority would start worrying about security at the latest when all the information or parts of it got leaked for the first time. But then it is too late already. All hell is going to break loose immediately. If you lose your personal files… well. But if you lose the files of thousands of citizens… good luck with getting a good night of sleep in the next… say year.
I am very willing to discuss these implications with any reluctant mayor and treasurer…for a flight and a nice hotel room :).