Inadequate Govt Security

Summary

Poor safeguarding of personal information could damage the uptake of government services online. For example, on rare occasions personal records have been found at landfill sites, which has caused concern. If people are concerned about government security and about Internet security, they are doubly unlikely to use e-government services.

Mechanism

Poor government or commercial IT security can be exploited many ways. Hackers can compromise insecurely configured systems. In some cases, web servers can be set up so badly that they provide unintended information to anyone willing to experiment with web page addresses.

There have been many examples:

A US Federal Government department (the Department of the Interior) has now twice been directed by a court to take down its web presence because its porous IT security was exposing citizens' data on the Internet.

The UK Government was embarrassed when a document it released in Microsoft Word form was shown to contain a history of who had drafted it and when.

Government departments in several countries including New Zealand have had their web servers compromised from time to time and the home pages replaced.

While website defacements are generally obvious, this does not have to be the case. Information on a US newspaper's website was altered by a hacker with the intention of improving the share price of a company.

Comment

The New Zealand Government is highly aware of risks in this regard. It already provides services to departments through the GCSB and CCIP and the security.govt.nz website. It also publishes Security in the Government Sector, a manual covering risk mitigation in this regard.