Recently it was found that WINZ had a massive security breach. I say breach, I mean that there was no security at all. While some features on the desktop had been shut down, like desktops used by schools and public libraries, there was no hardening of the network. Actually, there was no security at all. The blogger who discovered this, Keith Ng, managed to get the files by browsing the local network neighbourhood in the open file dialogue of MS Word. It’s worth pointing out the MSD WAN (not the WINZ network) is actually hardened, which should make one raise an eyebrow at the fact that the working of a public institution are more secret than people’s medical histories. Mr Ng is “unlikely to be punished”, which is odd to me. Surely finding something like this is not an act of intrusion, it’s a non-issue to establish culpability when the system, through basic use, allows you to open private data. This isn’t the first time that a government department has dropped the ball and exposed personal data of citizens. Again, there was more information security about the inside (and specifically, ministerial mis-doings) than about the citizens.
As famous Computer Scientist Daniel J. Bernstein (who shares my first name, initials, and penchants for being difficult and dressing in black) famously observed: “I’m not interested in security through obscurity. I want real security mechanisms, solutions that work for _everybody_.” Given that the citizen data is hidden by mere obscurity, one imagines easily that typical “lowest bidder” outsourcing or in-house incompetence was the order of the day for this project. It’s easy for me to sit in the peanut gallery and boo at this mistakes, because managing the information infrastructure of an entire country is hard. Even ones as small as New Zealand, because in general the complexity of government scales horizontally, and vertical scaling with population is easy; what that means is that the number of functions required for 4.5 million people is the same as the number of functions required for the 22 million over the other side of the Tasman. But the very fact that it’s hard shows a misapprehension about it in the halls of the beehive.
In system and network design it’s a truism that security cannot be added afterwards: it needs to a fundamental, first-class part of the design. This is also true of privacy in content sharing systems (I’m going to avoid “social blah blah” terminology), Google Plus being an example of it being designed “privacy ahead” and Facebook being a good example of privacy as an afterthought, though in Facebook’s defence, many of the issues are user education. Client privacy on systems like Facebook is not as important as that of the Tax Department, ACC, MSD or any other government department. If you accidentally share a drunken photo on facebook, you may suffer reputation damage, but if your fraud investigation goes public, the damage is significantly more. So government departments really need to address this front on, but it runs deeper.
ICT, or more accurately or national information infrastructure: both the hardware layer, the data formats and the metadata registries, need to built properly the first time. We don’t have one yet. We have a patchwork of different systems, and no fabric to unify them. To meet the challenges of the coming century we need to move beyond this idea that ICT is something that you tack on the side of an institution. It needs to be treated as the fabric upon which the different departments of the public service interact, and interact with the population, and even private enterprise. And when (not if) this is done privacy and security need to be primary concerns to start with.
This may sound like “building the house and then the foundations”, there are example of this, in particular Amazon moving its entire infrastructure to services allowed it to become a huge IaaS provider, after Jeff Bezos just declared it was services only. The cost of any institution can be reduced by effective integrations, in fact research by Dr Robert Amor at the University of Auckland has estimated that the costs of the construction industry can be reduced by 10 million a year. Investing in this sector would develop a large sector for IT in New Zealand, using high quality enterprise grade software, and save the long term costs of the cowboy IT systems that have been slapped in place so far, and if designed correctly would allow for horizontal scaling, avoiding the inevitable high cost of maintaining disparate and dodgy systems (and probably poorly documented too).
Lastly, it appalls me as an internaut and software developer that Government is legislating The Internet, rather than Government legislating government to use the internet. Maybe, just maybe, little old New Zealand can become a shining example to the world by having an actually efficient public service.