Wednesday, August 31, 2016

Have you been pawned? What could Australian governments do to reduce the frequency of data breaches

Data breaches at major organisations have become a weekly event, but don't always make it into the public eye for months, or even years, after they happen.

This is both because it can take some time for an organisation to become aware it has been breached and because few organisations are forthcoming about security concerns.

This lack of willingness to communicate breaches can be because many fear a loss of respect or trust if they admit a breach has occurred, and in certain cases companies may even be liable for fines or damages in a class action.

Of course, not declaring breaches can also come with a sting in the tail. Individuals might find some of their other accounts become compromised, or experience monetary or identity theft - in extreme cases people can find themselves in debt, their property sold, or even be gaoled.

Governments in Australia have been slow to put measures in place to protect citizens in these circumstances - even forcing citizens to take them to court to rectify these situations, as a Canberra homeowner recently had to do.

Unfortunately in Australia it's not even mandatory for data breaches to be reported, so there's limited information about how widespread the threat or cost actually is, making the situation even harder to deal with.

I subscribe to a service (Have I Been Pwned?) that alerts me when a service I use is reported as hacked - but even this is largely limited to international online services and it remains very slow to discover when these hacks occurred.

The example below shows how Dropbox has only in the last few weeks acknowledged a hack in 2012 which exposed the details of over 60 million people - that's more than twice Australia's population. Their information (including mine) has been traded online by the hackers.
Dropbox breach

Now some people might consider this a normal part of living and doing business in the internet age - but should we?

There are a number of steps that both governments and commercial organisations can take to reduce the impact of these types of breaches and help ensure they occur far more rarely.

The first step is a mandatory requirement to publicly notify everyone who may be affected by a breach within a week of it being detected, with a mandatory public announcement of the breach within two weeks.

If the notification is made on a timely basis, organisations should not face a significant fine from the government, but if notification is late, they should face a fine equivalent to a significant portion of their gross income for the previous year.

Where organisations are breached, they should be legally required to, at their own cost, identify the cause and rectify it, putting in place appropriate security measures to prevent recurrence and fix any other identified security issues with their system.

Organisations should also be put on a three-year watch list, where if they suffer another breach and cannot demonstrate that they maintained their security infrastructure to a sufficient standard, they are subject to that very significant fine detailed above.

This should apply across both private and public organisations - with government agencies held to the same high standard of conduct. In fact it could be argued that government should be held to an even higher standard due to being required to maintain public trust and how certain agencies may compel information from individuals and store it for their lifetime.

Governments should also set up positive security regimes, where people are rewarded for identifying and reporting security holes in government properties. Corporations could also be provided with incentives to do the same, such as subsidising the rewarding and rectifying of appropriate security issues in a similar way to R&D subsidies.

The government needs to work with governments around the world to ensure that laws punishing identity theft - fraud - are sufficiently strong to create a strong disincentive for anyone who might be caught either perpetrating a hack or benefiting from it. There's already a base in place for this, but there are ways to strengthen it and treat identity theft with the degree of severity it requires.

Finally governments need to ensure they are appropriately educating citizens through a variety of channels - providing educational content, ensuring that no government agency allows users to create weak passwords, training their own staff (essential for national security), training police forces to understand and engage appropriately with citizens who report identity theft and rewarding companies who educate their staff and customers for reducing the overall risk.

Now it is important to be realistic about the situation. Australians use a variety of foreign online services and it is impossible to secure them all, all of the time. Hackers will find ways in via mistakes in ICT configurations, slow maintenance, zero day exploits and social engineering.

However the incidence and severity of the data breach risk can be greatly reduced if Australian governments stop turning a blind eye to the issue and begin seriously engaging with it.

At minimum governments need to broaden their cyber security policies to recognise that it's not just the government itself at risk. From here, there are many opportunities, such as those described above, for governments to be more proactive about protecting their citizens from the risk of data breaches, from enemies both domestic and foreign.


Tuesday, August 30, 2016

Digital Transformation Office launches beta for their Digital Marketplace

Earlier this week the Digital Transformation Office (DTO) launched the beta version of their Digital Marketplace, a directory of vendors offering specialist digital services across a range of role categories.

The explicit reason for the Digital Marketplace was to make it easier for small and medium enterprises to engage with government, particularly within large ICT projects. It is supposed to do this by allowing agencies to break down large projects into small stages which smaller companies are able to fulfil.

At this stage the Digital Marketplace is primarily a list of vendors - over 220. Most are small businesses, with a smattering of recruitment agencies (Horizon, Hudson, Randstad, Talent International, The Recruitment Hive) and larger companies (such as Deloitte).

Right now it's possible for agencies to make both open and select requests to the list for skills via a briefing process, with additional approaches to market, such as an ideation approach both for buyers (roughly 'I have this problem, how would you solve it') and sellers (roughly 'I have this idea to solve a government problem - will anyone fund the work'), still under development.

The beta allows for fourteen role categories, covering a wide range of skills in the digital area, with more to come as the marketplace beds down and grows. The current roles are close to the DTO's core business of promoting and incubating digital transformation, which seems a reasonable place for them to start.

While the marketplace provides the information in a different way to most government procurement panels, it is governed in the same way - under a standing contract arrangement. At this stage all the innovation is at the front end and it will be interesting to see whether other agencies with whole-of-government panels (particularly Human Services and Immigration) see value in this way of displaying vendors and in the additional features the DTO plans for the site.

I've had a good look through the initial Digital Marketplace - in fact I'm affiliated with one of the participating vendors (as would be most private sector digital people in Canberra) - and it was interesting to see how many companies claim to have access to talent that government needs in the digital space.

Most government panels have been far more restrictive in the number of vendors they allow on the list, which has led to significant 'horse trading' of panel access and the development of services like SME Gateway to facilitate companies without a panel presence, whereas the DTO has gone for a 'bucket list' of any company that can demonstrate they meet the required criteria.

I've done a little analysis of the vendors in the Digital Marketplace and found a few interesting insights as to the responses the DTO received.

Firstly, half the approved vendors offer four or fewer of the fourteen role categories in the marketplace, with only 8% (generally recruitment companies) offering the full 14.


This suggests a lot of specialist providers have joined the service - companies which may otherwise struggle to meet procurement requirements without extensively partnering or contracting their services through larger providers.

The most popular role offered by vendors was Business Analyst, provided by 123 (or 55%), whereas the least popular was Ethical Hacker, provided by only 51 vendors (23%), followed by Inclusive Designer (Accessibility Consultant), provided by 58 vendors (26%).

This isn't surprising. Business Analyst is a standard role that has been around for a long time in ICT, whereas Ethical Hacker is relatively new as a role type and Accessibility remains an underrated area by government (with many practitioners struggling to find sufficient paying work).

It was interesting how many vendors offered personnel in the Digital Transformation Advisor role, which was second behind Business Analyst (113 vendors or 51%) despite being a very new role type.

I'm still sifting through the data and expect to find more interesting insights - particularly from the pricing (for which the DTO has published the ranges by role). This was an interesting decision by the DTO as it may encourage organisations to migrate pricing from below the given range upwards, and once in the range toward its top.

A lot of the data exposed in the marketplace has commercial significance, so I may not be able to share all of it, but the site is already gold for organisations seeking to understand the landscape servicing government. Couple the information in the site with industry knowledge and published tender amounts and it becomes relatively easy to identify the high and low price vendors.


Friday, August 26, 2016

How to shut down the easiest path for hackers into your organisation

In the news today is a story about how the Department of Prime Minister and Cabinet has issued guidance to staff on how to manage their personal profiles on Facebook.

According to The Age's article, 'Nanny state!' New crackdown on public servants' Facebook, the department "now insists its public servants lock their personal Facebook accounts with the tightest possible privacy settings and tells them how to configure their passwords".

Based on The Age's article the policy states that "Profiles must use a robust and secure password to protect the account from brute-force hacking attempts".

"This password must be at least seven characters long and contain a mixture of punctuation and alpha-numeric characters".

The policy apparently threatens disciplinary action and even dismissal for non-compliance for both staff and contractors.

I've not yet read the policy so can't comment on the details, and there's also apparently some other parts of the policy dealing with what public servants can comment on, which I don't expect to agree with.

However, I find the advice on security and passwords to be fair, long overdue, and something that all organisations should consider providing to their staff.

Hacking is fast emerging as one of the most significant commercial risks for corporations and public agencies, with organised crime and nation-states mobilising sophisticated teams of computer hackers in the search for commercial and political advantage.

Few weeks go by without a major international company or online service being hacked for data, and alongside this the growth of ransomware - where hackers lock organisations out of their own systems and demand money for access - is proving to be a challenge worldwide.

Many large organisations have extensive security provisions in place to protect their data and services against hackers and security advisors are working as hard to keep their system protected as hackers are to find new ways in, in a cyber cold war.

However IT systems are not the only way into an organisation's data heart. 'Social engineering', a term referring to coercing staff to create a chink in an organisation's security armour, is increasingly one of the easiest ways for hackers to sidestep security professionals.

Social engineering takes many forms.

Examples include leaving USBs with malware at a location where staff might pick them up and unsuspectingly put them into an organisational system, sending them email attachments supposedly containing cute kittens (with a cyberworm inside), or fooling them with a fake email from security into believing they need to reset a system password by clicking on a link - which gives a hacker access.

There are many, many ways in which employees, even the most highly intelligent people, can be fooled and used to evade or break their organisation's security.

Even if people can't be fooled, there are ways to get critical information about them which can provide clues to passwords, or provide blackmail opportunities.

For example, many people still use memorable passwords - children's names and dates of birth, anniversaries, pet and street names, achievements and more. With a little digging through publicly available information, or even information compromised from a weaker external service, hackers can quickly create a potential password list which might give them a route into a more secure system.
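A password-set check can catch this weakness. The following is an added example, not code from the article or from the PM&C policy: it applies the composition rule as quoted in The Age and then flags passwords built from a user's own details. The profile fields, token rules and substitution table are assumptions, and the sample profile is constructed.

```python
import re
import string

MIN_LENGTH = 7  # length quoted from the policy in The Age's article

# Assumed table of common character substitutions, undone before matching words.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample profile: the kind of detail the article says people reuse.
SAMPLE_PROFILE = {
    "child_name": "Matilda",
    "child_dob": "2009-03-14",
    "pet": "Rex",
    "street": "Wattle Street",
}


def meets_quoted_policy(password):
    """Composition rule as quoted: 7+ chars, punctuation plus alphanumerics."""
    has_punct = any(c in string.punctuation for c in password)
    has_alnum = any(c.isalnum() for c in password)
    return len(password) >= MIN_LENGTH and has_punct and has_alnum


def personal_tokens(profile):
    """Words of 3+ letters, and year / day-month forms of ISO dates."""
    tokens = set()
    for value in profile.values():
        tokens.update(w.lower() for w in re.findall(r"[A-Za-z]{3,}", value))
        for year, month, day in re.findall(r"(\d{4})-(\d{2})-(\d{2})", value):
            tokens.update({year, day + month, month + day, day + month + year})
    return tokens


def find_personal_info(password, profile):
    """Return the personal tokens that appear inside the password."""
    lowered = password.lower()
    decoded = lowered.translate(LEET)  # e.g. "r3x" -> "rex"
    hits = set()
    for token in personal_tokens(profile):
        if token.isdigit():
            # Date fragments are matched against the raw digits only.
            if token in lowered:
                hits.add(token)
        elif token in lowered or token in decoded:
            hits.add(token)
    return sorted(hits)


def evaluate(password, profile):
    """Accept only if the quoted rule passes and no personal detail is found."""
    policy_ok = meets_quoted_policy(password)
    hits = find_personal_info(password, profile)
    return {"policy_ok": policy_ok, "personal_hits": hits,
            "accept": policy_ok and not hits}


if __name__ == "__main__":
    for candidate in ("Matilda2009!", "R3x!1403", "matilda", "t&Yq9-vLw2#k"):
        print(candidate, evaluate(candidate, SAMPLE_PROFILE))
```

The first two candidates satisfy the quoted composition rule yet are rejected because they are assembled from the profile, which is the gap a length-and-punctuation rule leaves open.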

Unfortunately many organisations have been slow to address this threat by educating and supporting staff on protecting ALL their information online - from their secure employee logins, to their Facebook accounts and random mailing lists they sign up to.

This education is important not simply for the organisation's security, but for the personal security of individual staff members, who are also at risk from hackers who simply want to steal from them.

In fact there's every reason to believe that well constructed advice to an organisation's staff on protecting themselves online will be well received. It not only protects the organisation, it protects each individual staff member and often their families as well.

So what PM&C is doing with suggestions on passwords and locking down Facebook isn't a 'Nanny State' act - it's a sensible step that every organisation should be doing to protect their commercial information and client data, and to protect their employees.

Now a 'policy' may not be the best structure for this education - I strongly recommend that every organisation should have a 'security awareness' module in their induction program, and ensure that all existing staff receive regular training on how to protect themselves and the organisation they work for from external hacking threats.

This needs to be regular, not once-off, because of the rapid evolution of hacking and IT systems. New threats emerge regularly, as do new social engineering attacks.

Training all staff on how to secure ALL their online accounts is becoming vital for organisations that are serious about security.

In fact I believe that organisations who lose control of personal, private or confidential client, staff or government data should be penalised more harshly if they've not taken steps to guard against social engineering through staff training.

So if your organisation wants to continue to improve your security, don't simply invest in new IT systems and security advisors. Regularly train your staff on how to protect themselves online and they'll help you protect your organisation.


Thursday, August 18, 2016

PM&C sets a new benchmark for public engagement in Open Government Partnership membership process

This morning the Department of Prime Minister and Cabinet (PM&C), through its ogpau.govspace.gov.au site, put out a call for stakeholders to express their interest in joining an Interim Working Group to help co-draft Australia’s National Action Plan (NAP) for the Open Government Partnership (OGP).

The approach that PM&C confirmed this morning is a very innovative and progressive one. I believe it is a model for government/civil society engagement in Australia that other agencies should pay close attention to.

PM&C proposed forming an Interim Working Group to decide which actions to put to the government for final sign-off and inclusion in the NAP.

The Group is expected to have up to 12 members, comprised of equal representation between government officials and civil society stakeholders. It will be co-chaired by a senior government official and a civil society representative.

Anyone can submit an expression of interest to join the Group, with expressions to outline relevant experience and expertise related to supporting transparency, accountability and open government.

It is extremely rare for government agencies in Australia to agree to 'share power' with external stakeholders in this manner during a decision-making process. The usual approach is to invite feedback from outside, but make decisions inside agencies, usually in a 'black box' manner.

The collaborative approach outlined by the OGP team in PM&C is a far more transparent and engaging one. It shows respect by granting near equal standing to external stakeholders and, through sharing decision-making responsibility, is more likely to result in shared ownership and ongoing commitment to implementing the decisions made.

The Interim Working Group announcement is the first public step progressing Australia's membership of the OGP since the federal election. It follows a multi-stage consultation process which has included:

  • initial stakeholder information sessions run in Brisbane, Sydney, Melbourne and Canberra in December 2015 (Disclosure - I ran them on behalf of DPM&C, the presentation slides are here and a video of one of the sessions here).
  • a dual consultation process in February/March 2016 involving both an external wiki collecting action ideas for Australia's NAP (over 200 collated ideas here) and an internal consultation with government agencies to identify actions they could commit to.
  • a Canberra-based co-creation workshop in April 2016 involving roughly 60 attendees from civil societies, agencies and individual stakeholders which aimed to aggregate and filter the collated ideas into 10-15 actions for the NAP (outcomes here). My report on the workshop, which I attended, is here.

I'm very optimistic about this process, as the Department of Prime Minister and Cabinet has demonstrated significant engagement and commitment to the outcome and a willingness to listen to and involve external stakeholders throughout the decision-making process.

I hope other agencies keep a close eye on this process and the outcomes and consider where a similar approach might help them achieve public goals in a more effective and sustainable way.


Friday, August 12, 2016

What follows #CensusFail

I think it is now safe to say that, technically at least, #CensusFail has peaked, with the ABS and IBM successfully restoring most access for the Census 2016 site.

While there are still scattered reports of failures, the site not recognizing that JavaScript is turned on, issues in some browsers and variable levels of access for people with VPNs, by and large the site is limping home.

Increasingly it appears that there was no large denial of service attack on the ABS, just a cascading series of issues which made the census service vulnerable to demand peaks, with perhaps a small attack being sufficient to drive it over the edge.

The repercussions and fallout for the incident will occur for a long time. Several official reviews are already in motion, all of IBM's advertising in Australia remains offline, and the ABS has not changed its engagement and communications course in any perceivable respect.

The ABS is likely to be feeling the initial impacts of the next demand spike - not of census traffic, but of Freedom of Information requests, with journalists, privacy advocates, IT experts and others all interested in understanding what decisions were made, where and by whom.

Hopefully the ABS will scale its capability effectively, unlike the Census experience, or take the high road and proactively release information, including server logs (anonymised of course) that allow external parties to understand the progression of events and clarify what occurred and the good work the ABS did to protect the data of Australians (their key commitment) throughout the incident.

The real risk now is that politicians and ABS management will try to switch back to business as usual too quickly, answering to official enquiries about the incident but refusing to answer to their real owners - Australian citizens. There's a tendency in most organisations to spring back into normal operations too quickly after a crisis, forgetting that the collective external memory is often longer than insiders expect.

The consequences of #CensusFail are likely to have ripples affecting every major government IT project, significantly reducing political and public trust in digital initiatives by many federal agencies, as well as impacting on state and local government initiatives.

In many other digital projects politicians and citizens will ask for additional safeguards to protect against a potential #CensusFail, no matter how unlikely it may be. This will add cost and time to these projects, pushing up IT expenditures at a time when budgets are being cut, causing agencies to delay and defer the more expensive or ambitious projects and attempt to keep limping along on existing infrastructure for just a year or two more.

In extreme cases this may increase risk, with already old systems pushed beyond their commercial lifespans; in broader cases it will harm innovation and cause governments to fall further behind their peers elsewhere in the world.

This seems a bleak picture, but I don't blame the ABS for this. It is a consequence of the lack of political IT expertise we continue to see across many Australian governments and of the risk-averse cultures that continue to flourish across governments despite the increasing downside risk of this stance.

It takes a long time to turn a big ship, and in this instance the ship is Australia. We are not educating our children or adults adequately to master a digital world and we do not have the level of IT knowledge or capabilities we need as yet to sustain a first-world infrastructure.

This flows through our corporations, our public service and our political leadership and it cannot be solved by the import or outsourcing of expertise.

I wish the ABS well in rebuilding their reputation following #CensusFail. In five years when the next Census is held the organisation will still be dealing with the fallout from 2016.

However the real failure and fallout in 2021 will be much greater if Australians have not invested in building our collective digital expertise to the levels we require to continue to grow our national wealth and economy, to sustain our standards of living and maintain our place as a first world democracy.
