Rob Otto, EMEA CTO, Ping Identity, discusses how governments embracing the innovative technologies of the modern world must also make cybersecurity a priority.
The future of bureaucracy is digital. Governments all over the world are now putting in place schemes that allow citizens to access essential services from the comfort of their Internet browser or mobile phone. Any innovation brings security risks though and balancing those concerns with the accessibility that an eGov programme demands will be a defining task that ultimately determines the success of the initiative.
Government services are clearly a valuable target for cybercriminals. An identifier that mediates a relationship between a citizen and the government is perhaps the most authoritative ID anyone will ever have. One can only imagine the damage, fraud and identity theft that can be wrought on an individual should those identifiers be stolen.
As eGov schemes pick up pace, their survival rests on how securely they can serve their citizens. Looking across the world, national and local governments are using a variety of means to ensure that.
Estonia, described by Wired magazine as ‘the world’s most advanced digital society’, is at the forefront of such schemes and has been steadily migrating government services online since 1997. Currently, each citizen carries a cryptographic smart card and 98% of Estonia’s government interactions happen online.
The UK’s tax authority, Her Majesty’s Revenue and Customs (HMRC), is attempting to roll out biometric voice authentication, but has taken flack for the supposed violations involved in such a task.
India, the world’s largest democracy, has the Aadhaar scheme which provides a unique 12-digit identifier. These IDs are verified with citizen’s iris scans, fingerprints and facial biometric indicators. However, the scheme has been beset by low uptake in some areas, grave doubts about accuracy and dramatic reports of fraud.
Few are without their problems. eGov schemes are still in their teething stage. Usability is always going to be a core problem within these systems, however pioneering they may be considered. Providing a secure enough means of authentication to use government services will always have to consider how citizens are going to use those services. If they find security alienating, then an eGov scheme is going to be severely hamstrung. The need for governments to make services available to all citizens while catering for varying levels of technological sophistication is another key consideration.
SingPass, the online portal for Singapore that allows citizens to access a wide variety of services, provides a telling example. Citizens only need a password and their unique National Registration Identity Card (NRIC) number to access government services. While they have been given the option to use non-NRIC multi-factor authentication since 2015, by the government’s admission, most have not yet taken the opportunity.
This has partly been driven by the fact that NRIC numbers are unique, simple and easy to remember, while also acquiring the advanced level authentication on offer has been labelled overly complex.
Singapore’s health authority, SingHealth, was recently breached, with attackers leaking the details of 1.5 million citizens online. This included all manner of critical personal information, including NRIC numbers, which highlights the problems of balancing ease of use with security.
eGovernment schemes offer not just a more efficient interface between public services and their users, but inclusion and access to critical government services for people who could not previously obtain them.
The United Nations 2018 eGovernment survey recently presented global research on the uptake of e-government, echoing this promise.
It noted, ‘exploiting digital government has far-reaching potential for countries, not just in improving institutional processes and workflows for greater efficiency and effectiveness of public service delivery but also in helping to ensure inclusion, participation and accountability to leave no one behind’. However, it also labelled the most common barriers to e-government resilience to be accessibility and e-illiteracy.
Such programmes must be strong enough to withstand the attacks and pliable enough to provide a simple user experience to every citizen, however technologically illiterate. This so often forces authorities implementing eGov schemes into a difficult choice but any scheme that fails to balance either will be crippled by low uptake or inflict grave dangers on its citizens.
