Analysis
Framework for analysis
This paper uses the following framework [This framework is described by Bruce Schneier in Secrets and Lies, Wiley, 2000. It is consistent with AS/NZS 4360.] for considering security threats:
1. Identify the assets that we wish to protect.
2. Identify and assess threats to these assets. This will cover direct and indirect impact (i.e. through public confidence) with likelihoods.
3. Assess the extent to which each proposed security measure protects against the threats.
4. Identify any other risks caused by each measure.
5. Identify costs and trade-offs.
Assets
An "asset" in this context is something we wish to protect against a security threat. While we are not concerned here solely with 'assets' in the physical sense, the framework is valid when we consider the aspects of the Internet and its role in society which are necessary for its use in e-government. For e-government, four "assets" are considered in the analysis below:
1. Internet infrastructure: the Internet's existence, its wide use, its robustness and openness, and its low costs are all necessary prerequisites for people to use it to communicate with government. Increasingly the Internet is becoming a critical part of the national infrastructure.
While the Internet itself is undoubtedly the most important "asset", because e-government is inconceivable without it, protecting the Internet structure gets a lot of attention from people whose businesses rely on selling access to it. This includes ISPs providing a level of support for customers whose machines are so damaged or affected by hostile programs that they are unusable.
However, there are large numbers of home machines with broadband connections [i.e. DSL or cable modem. These machines are connected to the Internet by high-capacity links (relative to dial-up) and, more importantly, are often left continuously running and connected.] which have been compromised but which are not the subject of complaints by their owners and are presumably still usable. While ISPs are often aware of these compromised customer machines because of the traffic they generate, some take no action because of the cost and implications for their customer relationship. This is a serious issue, because of the risk of coordinated attacks using a network of such computers, and because of the potential breach of confidentiality in transactions made with government using a computer that has been compromised.
2. Public confidence: for the Internet to remain useful people need to remain confident in its availability, and not be reluctant to use it for business purposes. This confidence could be damaged by the various public attacks on the infrastructure, by scams running over it, and by spam.
What is a reasonable level of public trust in the Internet? The problems on the Internet are real and should not be made light of. The challenge for e-government is to engender a level of trust that will make e-government possible without exposing people or the government to undue risk. This is particularly difficult in a rapidly developing technical environment.
3. Agency confidence: Government agencies are increasingly investing in ways to deliver services online. Threats to Internet security perceived by agencies could undermine such future investment by agencies, and as a result disrupt the e-government programme.
4. Information: the Internet is a mechanism for transporting information. The government has many obligations about information. It needs to protect information which should be kept private, preserve information which must be archived, and make available information which should be published.
Seeing information as an "asset" here reflects the need to protect the confidentiality of information and people's privacy, the need for people to be confident that they can continue to access their own information, and the need for confidence in the integrity of information and messages.
Threats
An earlier phase of this project identified a list of threats on the Internet. A detailed list and discussion of these threats is included as Appendix 1. The threats, and the assets which they threaten, are set out in the table below. [There is no obvious way to classify these threats. These are aimed to be comprehensive, while recognising that some of the different threats listed overlap or magnify each other.]
| Threat Type / Impact on: | Infrastructure | Public Confidence | Agency Confidence | Information |
|---|---|---|---|---|
| 1. Viruses/Worms | X | X | X | X |
| 2. Spam | X | X | X | |
| 3. Identity Theft | X | X | | |
| 4. Inadequate Government IT Security | X | X | X | X |
| 5. Phishing | X | X | X | |
| 6. Copyright lawsuits | X | X | | |
| 7. Digital Rights Management etc | X | X | X | |
| 8. Cracking | X | X | X | X |
| 9. Spyware | X | X | X | |
| 10. De-centralised Internet Governance | X | | | |
| 11. Pornography / Child Abuse | X | X | | |
| 12. Fraud and scams | X | X | | |
| 13. Fear of surveillance | X | X | | |
| 14. Availability of 'Dangerous' Information | X | X | X | X |
| 15. Insulting Behaviour and Defamation | X | X | | |
| 16. Denial of Service Attacks | X | X | X | X |
| 17. Trojans | X | X | X | X |
Possible actions
A variety of potential government actions is set out below. These have been taken from the following sources:
- During consultation, some of these items were recommended to us.
- Some of these measures are being taken by other governments.
- Some were based on our assessment of the situation in New Zealand and the opportunities for the government here.
- Some are recognised good practice.
Some of these measures are being undertaken already, others are not. They have been grouped into education; policy; enforcement. For each potential action the benefit, costs and tradeoffs are listed.
Policy actions
A. A centralised Internet gateway for Government Agencies
| Protects against: | Viruses, Spam, Inadequate government security |
| Rationale | Government can afford to properly resource a common gateway far better than can individual agencies. By improving security for the agencies least able to do it for themselves, government will improve its overall security. |
| How effective? | Highly effective if adequately resourced and operated |
| What are its risks? | It presents a central point of compromise (although this can be mitigated by maintaining existing agency gateways as well) |
| Costs and tradeoffs | Significant costs to set up and resource gateway. This could be partly offset by consolidating costs of hosting websites and Internet bandwidth. It could also reduce agency flexibility in using new technologies - this could be reduced by agency-controlled governance. |
| Comment | This would particularly assist small and mid-sized agencies which cannot otherwise afford the level of security able to be offered by a well resourced gateway. |
| Conclusion | This should be scoped, including an outline cost, design and policies. |
| Recommendation | Government should consider a central Internet gateway to provide a single Internet point of access for government agencies, especially small and medium agencies. |
B. Encourage ISPs to Intervene where Customer Computers are Compromised
| Protects against: | Viruses, Spam, Denial of Service |
| Rationale | ISPs with broadband consumer networks are often aware that their customers' machines have been exploited for nefarious purposes such as sending spam but typically do not act on this information because of the effort required to convince, educate and support the customer. Outgoing attacks are less of a concern to an ISP than incoming ones; however, they are easier to suppress, e.g. by simply cutting off the affected customer until they have been contacted. |
| How effective? | Helping customers clear up compromised machines, or at least cutting them off until they do, will reduce the number of machines available to relay spam, forward viruses, host phishing websites or run denial of service attacks. |
| What are its risks? | Some ISPs may not regard this as core business and may see an approach by government to ask them to intervene as interference. They might also find it hard to determine whether or not a compromised machine had been successfully cleaned. |
| Costs and tradeoffs | Some costs will fall on ISPs as they deal with customers who may not be aware of the situation and don't want to have to clear it up. |
| Comment | If pursued globally this would greatly reduce harm on the Internet. This is a case of thinking globally and acting locally. |
| Conclusion | This action has the potential to be highly useful in mitigating problems if it is employed worldwide. Government should approach InternetNZ and the two main telcos who own almost all the broadband connections. There may need to be regulation or legislation. |
| Recommendation | Consider how best to encourage ISPs to take measures to watch for and manage compromised home broadband customers |
C. Anti-Spam Legislation
| Protects against: | Spam |
| Rationale | Legislation is a necessary part of a government attempt to tackle the problem of spam. Law defines the bounds of acceptable behaviour; it also would enable the necessary international cooperation. |
| How effective? | Not very effective of itself but needed before anything will work. To be effective it will need enforcement and international cooperation. Many other jurisdictions are passing similar laws. |
| What are its risks? | If exceptions are allowed e.g. for charities or political parties, this will risk legitimising messages which people find annoying and intrusive. |
| Costs and tradeoffs | There will need to be an enforcement budget or the law will be irrelevant. If the law is watered down during passage, as occurred for similar legislation in the US, it may do more harm than good. However, the stance of the New Zealand Direct Marketing Association (unlike their US counterparts) is that spam is unacceptable so the pressure on the bill will be less. |
| Conclusion | MED has begun the process of getting legislation in place. It is important to ensure that the legislation does not contain exceptions and has a funded enforcer. |
| Recommendation | Government should introduce anti-spam legislation |
D. Show Leadership in Authentication by providing secure log ons
| Protects against | Identity theft, Inadequate government security |
| How effective? | Highly effective |
| Rationale | People are used to the relatively undemanding userid and password to sign on, even for such things as banking. This is inadequate in the face of the threats currently on the Internet. |
| What are its risks? | May lead to lower uptake of government services online due to the more onerous security procedures necessary (e.g. using a one time password, using a smart card or receiving a text message containing an access code). |
| Costs and tradeoffs | In the 2004 budget Government made provision for an all-of-government authentication system. A more robust authentication system will make accessing government online services less straightforward. When and if the banks tighten their authentication for online banking this will seem more natural. |
| Conclusion | The authentication project in EGU should develop an authentication technique for high value government to citizen and government to business transactions which is not susceptible to attack by spyware or Trojans. |
| Recommendation | Government should show leadership in securing online transactions by providing an authentication system which is more resistant to common threats. |
E. Encourage Banks etc to Strengthen Authentication
| Protects against: | Identity theft |
| Rationale | Userids and passwords are vulnerable to capture by the spyware which is now widespread. Banks overseas are moving to two-factor authentication or one time passwords; however, New Zealand banks are mainly still using only userids and passwords. |
| How effective? | Highly effective - reduces the likelihood of account compromise. |
| What are its risks? | Risks that banks ignore pressure and that compromises increase leading to confidence collapse about Internet business in general. |
| Costs and tradeoffs | Costs would fall on banks and account holders. Costs need not be high; similar systems are in wide use by overseas banks. To a large extent this can be automated. |
| Comment | More robust security for Internet transactions in general will improve confidence in the Internet and in undertaking online transactions. |
| Conclusion | The police are already pressing banks to do this. The EGU Authentication project needs to work with the Police and banks to look at the extent to which a common system or policies should be implemented. |
| Recommendation | The authentication project should work with the police and banks to see how common authentication policies can be made. |
F. Law to Clarify Software Licenses and to Expose Spyware and Trojans
| Protects against: | Trojans, spyware, and the unexpected effects of digital rights management. |
| Rationale | Users are required to assent to EULAs (end user licence agreements) when installing software. These are seldom comprehensible by the average user and generally rest on foreign legal systems. Software sometimes sends information about its user covertly across the Internet for marketing or other purposes. Users need to understand what the software will do with their information and be given a more reasoned opportunity to accept or reject it. |
| How effective? | Will only become effective as other jurisdictions pass such laws. |
| What are its risks? | Could reduce the volume of software available here if New Zealand requirements are seen to be different to everyone else's. |
| Costs and tradeoffs | Will require some focus by government on how to frame such legislation or code. |
| Comment | Existing law may cover software which has covert effects; however, this is not clear and is difficult for end-users to invoke. There is sector-specific consumer legislation in other sectors (e.g. motor vehicles) and some might prove beneficial in the software sector. Spyware bills are before the House of Representatives in the US and other jurisdictions are also reportedly considering legislation. |
| Conclusion | Government should consider whether there is a need for an anti-spyware bill and any other software specific consumer legislation. |
| Recommendation | Consider law change to outlaw covert sending of information by programs and clarify EULAs (End-User Licence Agreements). |
G. Government to manage agency policies on digital rights management centrally
| Protects against: | Unexpected results of digital rights management - e.g. government being locked out of its own information. |
| Rationale | DRM has attractive features but its use has significant downsides which can affect government as a whole - these need to be considered before agencies use it. |
| How effective? | Medium |
| What are its risks? | May miss some genuine utility of DRM systems |
| Costs and tradeoffs | Costs are low |
| Comment | EGU is investigating the impact of commercial DRM systems and is advising agencies on their (non-) implementation. It is also canvassing other governments to build a coalition to deal with software vendors on the issue. |
| Conclusion | It is important that government act as a whole in this regard. |
| Recommendation | Government should manage agency policies on DRM use centrally |
H. Government to clarify copyright legislation
| Protects against: | Copyright lawsuits, Unexpected results of digital rights management. |
| Rationale | Current copyright law does not include a 'fair use' provision permitting format changing. Use of iPods and similar may therefore be unlawful. Potentially people could be sued for using these devices. Removing this legal grey area will make it easier to assert what is and is not lawful use. |
| How effective? | Medium |
| What are its risks? | May provide opportunity for even more restrictive copyright |
| Costs and tradeoffs | Will create a lot of comment in both directions |
| Comment | MED is currently consulting on changes to copyright along these lines. |
| Conclusion | MED appears to have this under control. |
I. Government to participate in Internet governance
| Protects against: | De-centralised Internet governance. |
| Rationale | Government currently has very little formal participation in Internet governance despite opportunities to do so. It risks decisions being taken which damage its ability to use the Internet for government business. |
| How effective? | Medium |
| What are its risks? | Main risk is government being blamed when there is an undesirable outcome. However, this is also likely if government continues its hands-off strategy. |
| Costs and tradeoffs | Some cost in resourcing and attending meetings with both bodies. |
| Comment | This is becoming more and more important as government comes to rely on the Internet as the dominant means of ready access to government. |
| Conclusion | Government should commit to participating in ICANN/GAC process where international decisions affecting Internet policy and operations get made. Government should also consider a more formal relationship with the local body, InternetNZ. |
| Recommendation | Government should be engaged formally with the ICANN process and with InternetNZ |
J. Government to review its arrangements for cyber-security
| Protects against: | All listed threats. |
| Rationale | This paper identifies a list of threats to trust and security on the Internet, which are being addressed in varying degrees and by different parts of government. |
| How effective? | Medium-high |
| What are its risks? | Causing a false sense of security by failing to deal with threats. |
| Costs and tradeoffs | Little cost to review. Possible downstream costs if more effort is required by agencies. |
| Comment | This is the first attempt by government to consider threats to the use of the Internet holistically. |
| Conclusion | There is a need to ensure that all threats are considered and dealt with by the most appropriate agencies, and for ongoing review of this. |
| Recommendation | Government should be engaged formally with the ICANN process and with InternetNZ |
Enforcement actions
K. Investigate and Prosecute Malware and other Security Incidents
| Protects against: | Cracking, viruses and worms, spyware, trojans, phishing |
| Rationale | New Zealand needs to be able to show that it is prepared to investigate and prosecute malefactors before other countries will cooperate. |
| How effective? | Medium |
| What are its risks? | Could use a lot of resources with little direct gain. |
| Costs and tradeoffs | Medium |
| Comment | Done to a limited extent by Police E-Crime - one prosecution only since legislation came into effect. |
| Conclusion | Encourage New Zealand Police to work to investigate such incidents and to prosecute offenders where possible. |
| Recommendation | EGU to continue to work with Police E-Crime Unit to encourage investigation and prosecution. |
L. Enforcement action against New Zealand spammers
| Protects against: | Spam |
| Rationale | Need for international cooperation to solve the problem of spam. |
| How effective? | Medium. |
| What are its risks? | Would be hugely popular. However, if prosecution failed (due to inadequate law or process) New Zealand would lose credibility. |
| Costs and tradeoffs | Medium. Will need investigative effort and international cooperation. |
| Comment | The responsibility for enforcement needs to be identified in the legislation, and budgeted for by the agency concerned. |
| Conclusion | Should be part of pending anti-spam legislation. |
| Recommendation | MED to ensure that anti-spam legislation contains an adequate budget and performance measures for enforcement. |
M. Investigate and prosecute identity thieves and intermediaries in identity theft
| Protects against: | Identity theft, phishing |
| Rationale | Establishes a deterrent to both the fraud and laundering the proceeds |
| How effective? | Medium |
| What are its risks? | May prosecute people who were not aware they were aiding fraud. |
| Costs and tradeoffs | Medium. Will need investigative effort and international cooperation. |
| Comment | The New Zealand Police is already doing this |
| Conclusion | There may be a role for more education and publicity so people are educated to protect themselves. See education recommendations. |
N. Prosecute Crackers and Spyware Distributors
| Protects against: | Cracking, spyware, trojans |
| Rationale | Deterrence, establishing the bounds of proper behaviour |
| How effective? | Medium |
| What are its risks? | Credibility loss if a prosecution fails. |
| Costs and tradeoffs | Medium. Needs investigative capability and international cooperation |
| Comment | New Zealand Police have prosecuted one cracker so far, case pending. |
| Conclusion | Trojans and spyware need to be seen in the same light and prosecuted. |
| Recommendation | EGU and MED to work together to establish where spyware fits into the New Zealand legal framework and recommend change if found necessary. |
Education actions
O. Education for Internet users on security issues.
| Messages |
|
| Rationale |
|
| Protects against: | Cracking, Spyware, Spam, Phishing, Identity theft, Fraud and scams, Dangerous information, Insulting behaviour, Fear of surveillance, Child abuse |
| How effective? | Variable. Will help some users save themselves problems. Might also reduce effectiveness and spread of viruses and spam. |
| What are its risks? | Could convince people the Internet as a whole is unsafe. Need some care and moderation in messages to explain risks, and must give clear advice. |
| Costs and tradeoffs | Medium |
| Comment | The Internet Safety Group (ISG), partly funded by the Ministry of Education and the New Zealand Police, has made a start in this area. Its focus is on individuals and particularly on children and families. There is an equal need for education for businesses, particularly those which are too small to maintain in house IT expertise. |
| Conclusion | Should look at the scope and reach of Internet Safety Group campaigns and consider extending them. |
| Recommendation | Assess extent of support of ISG and other bodies and extent to which messages above are covered. Consider further funding if gaps are found. Consider a specific education campaign for small businesses to deliver the same messages. |
P. Education for agencies on Internet security issues.
| Messages |
|
| Protects against: | Inadequate government IT security |
| How effective? | Low to medium. These messages have already been promoted and awareness is high. |
| What are its risks? | Burnout, boredom and complacency. Messages might be seen as spam. |
| Costs and tradeoffs | Costs are low. |
| Comment | Hard to see more effort being effective. Most agencies have received these messages repeatedly. |
| Conclusion | No further action |

