By Brid-Aine Conway
With cyber-crime on the rise, we look at how governments can protect their e-services and market that protection.
Crime is as old as humankind itself - for as long as there has been society, there has been crime, and those who try to prevent it struggle to keep up with its many variations. It should come as no surprise then, that the information society has produced its own special brand of crime - cyber-crime - the sophisticated theft of information, money and even identity without ever needing to meet the intended victim face-to-face.
Cyber-crime is most often linked with the finance industry, for obvious reasons, and with the theft of financial data from online retailers. But another sector that is coming to be recognised as a place to access valuable information is within e-government structures.
As eGovernment becomes more pervasive, the damage done by cyber-crime does becomes much more real and serious.
"To put it in very plain terms, why do the bad guys hit banks? Because that's where the money is. So if we all agree on that and then take the view of the digital world, is there money in the information society? Yes, there is. Well, that's where the criminals will go then. It's as simple as that. And the more money there is in the information society, the more criminals will try to move in that direction," says Ilias Chantzos, manager of government relations and public affairs EMEA for Symantec.
And there is a lot of money in cyber-crime. Information is worth money to enterprises because knowledge of customers, production methods, patents and so on can be enough for a cyber-criminal to earn millions through extortion.
But personal information is also stored online. Identity theft is a new form of crime that has received much publicity in the media and that is well facilitated by the internet, as well as the theft of credit card information through email, from online banking and from online retailers. All of this publicity can make people reluctant to take advantage of the simplicity and ease of online services, though the provision of these services is practically a must for the financial and retail industries and is fast approaching necessity for the government sector.
E-government is seen by many in the West as a way of reconnecting with disillusioned voters, of bringing citizens back in touch with their governments and providing forums for contact and discussion, through blogs and political websites.
More than this, however, e-government is a way to provide the services that a government needs to provide in a manner that is simple and easy, both for the population and for the government. Here in the Middle East, e-government services are growing at a rate that's comparable with the booming economy, with countries such as Bahrain, the UAE and Saudi Arabia moving more and more of their services online.
In the government sector, e-services could bring an unparalleled upgrade to the efficiency and cost-effectiveness of services, purely because the government is required to provide so many diverse functions to what is usually a very large number of people. While the finance industry matches the government sector in terms of privacy requirements and complexity of online services, it is usually not required to handle the sheer volume of traffic that government services must.
E-government opens up an entirely new avenue of information access to cyber-criminals. In an over-arching e-government structure, data such as medical records, financial data and personal information for the provision of identification documents could be stored online and access to such information could enable extortion, e-fraud or identity theft. And e-governments are all too aware of the risks associated with their services and the need to adequately protect them.
"As the usage of IT and eGovernment becomes ever more pervasive, the damage that can be done by cyber-crimes also becomes much more real and serious. The concerns in the Kingdom are no different than the rest of the world and are mainly regarding the data security and privacy of individuals, defacing of government websites, paralyzing the government's services delivery network and so on. However, concrete steps have already been undertaken and others are also planned," says Mohammed Ali Al Qaed, CEO of the Kingdom of Bahrain's e-government agency.
Security specialists see the vast store of personal information on the internet as a veritable treasure trove for cyber-criminals.
"All over the world e-government sites are some of the prime targets for cyber-crime, either for fame or practically, it's the best thing for extortion. Once you have access to that data, you can get into personal records, financial records, medical records, there's just no end to it," says Faisal Khan, senior security consultant at McAfee.
John Eisen, VP of production management for fusion middleware at Oracle, believes that as online services begin to provide more value to users and providers, the risks they are exposed to will grow too. Oracle has been involved in e-government projects in Dubai, Ras al Khaimah and Egypt and Eisen feels that despite the risks, service providers need to look at the advantages.
"There's no doubt that the internet as well as ubiquitous networks in general as a channel for delivery of services are here to stay and are increasing in penetration and value every day. As a result of that, the levels of risk that they are subjected to are increasing exponentially. I would say though, that I genuinely believe the opportunities that this delivery channel represents significantly outweigh the risk," he says.
Juniper's regional director, Mohamad Abdul Malak, agrees: "Sometimes people think when they apply to build an e-government, they're exposing themselves to more attacks on more services. At the same time, you need to take into consideration that there is also an opportunity to know more about what's going on within government in terms of fraud and access and attack and cyber-crime. It has pros and cons, but at the end of the day, IT or using e-government is a necessity in the modern world."
What is important for e-governments securing their services, is to making sure that their users are aware that they are secure. In any project, it is the uptake of the service that is the mark of success, and if a service cannot lure users, it cannot succeed, regardless of its technical capabilities. With cyber-crime moving up in the public agenda, e-governments and security providers need to market and publicise the protection of those services.
"We appreciate the need to educate and create awareness amongst the masses regarding not only the new services that are being made available but also to ensure that they are aware of the steps being undertaken for ensuring the privacy and security of their data," Al Qaed states, adding that a comprehensive PR and marketing strategy is in place in the Kingdom of Bahrain.
Once you have access to that data, you can get into personal records, financial records, there’s just no end to it.
Many security specialists, including Khan of McAfee, feel that the way to reassure end-users is by compliance to international standards.
"What e-governments need to do is get themselves certified in terms of international standards, get themselves compliant to all these standards, do assessments from well-reputed auditors and then go and market these out to the world outside through media and through other means. They need to map the people, process and technology and prove to the people that they have a good framework in place. They also need to back it up with some kind of evidence that that framework has been audited and checked by international security standards and organisations," he asserts.
Some specialists feel that, in an ideological way, governments have a stronger responsibility to their end-users than those who are looking at services in terms of profit and loss, and that therefore their requirements should be more stringent. As well as compliance to international standards, many recommend laws that should govern the release of information about e-government breaches, although within reason. Oracle's Eisen believes that where governmental or national security is an issue, transparency is at the government's discretion and Juniper's Abdul Malak agrees.
"I think it's a balance. In today's world, when it comes to the side that impacts the security of the country, I think it's really going to be for the government to deal with the way they perceive to be appropriate. Definitely giving some awareness out and some information out and marketing some statistics is important because you can fight some of those events and actions by sharing some of those statistics," Abdul Malak says.
Eisen recommends that governments retain other channels through which the population can access services.
"While I'm a huge proponent of e-government, I definitely think it's a mistake to use that as the only channel by which you can deliver services to citizens. First of all, access to the public web is still not as ubiquitous as we might think and second, there's still a varying level of risk associated with many of these applications, so I think it's extremely important to have multiple channels for service delivery," he says.
Another recommendation from Abdul Malak is that governments have a central body of information, rather than replicating databases across different e-services. A central database is efficient and cost-effective, but it is also much easier to protect against penetration.
"There should be at least one unified platform for governments and that could be the main or the core e-government that provides services, especially when it comes to data and the bank of information, because you don't want to replicate," he adds.
Steve Grey is the Middle East regional manager at Websense, which works in internet security. He says that because e-government is such a recent development, there are more doubts in users about its security.
"People tend to feel that they're probably more secure with their bank - they tend to feel that their bank has got the pedigree and the systems in place to manage the security effectively. Whereas e-government services, not just in the Middle East but around the world, are quite a new area and governments are having to research and identify suitable solutions to protect them," he says.
Most specialists agree that more needs to be done to promote awareness in target users. Both Eisen and Abdul Malak believe that one of the ways to achieve this goal is through strong government leadership of these projects.
"You need to have a government leadership that can sponsor the project and take it forward. You need to talk about the go-to-market strategy, how do you take small successes and applications that you do quickly and take them outside and expose them so that you start to build support for the services in order to ensure adaptation by the users," asserts Abdul Malak.
Eisen adds, "Clearly, there's a whole series of fantastic technologies that really should provide a citizen that's knowledgeable about those technologies with a degree of confidence about, for example, registering with these websites. But I would argue that most citizens would not be knowledgeable about these technologies. I think ultimately it's about the strength and the confidence of the government support for the initiative in the first instance."
Symantec's Chantzos sums up: "When it comes to awareness, all of us can do more. Because awareness is a constantly moving target, it's not something which one is going to be able to get from one day to the other."
He feels that as long as e-government is a new initiative, awareness is something that will be continue to be important for everyone that is involved.
"There's a question of educating the organisation itself which is going to be using the technology to provide the service, there's a question of educating the organisation about the security limitations and there's a question of educating the users about the security limitations and about the service which is going to be provided. And there's also an additional challenge - that of the user at the very beginning of using that service and of being convinced to use the service," he says.
However, as e-government services become more widely available, and the numbers of users increase, the need for awareness is unlikely to decrease. It is technology that makes all of these services possible, but those same technologies are available to the criminals who want to penetrate the security in place. When it comes to staying ahead of those criminals, Abdul Malak observes that there are new technologies all the time and some will offer not just protection, but predictability and prevention capabilities.
Nevertheless, he acknowledges what all those who try to prevent crime know: "It is a race."