
E-government and its security

Dr. M. Lutfar Rahman

The process of governance has been continuously influenced by developments in technology. Technological innovations in the past helped to improve the efficiency of the processes and systems of governance. The present digital revolution needs to be used to transform and redefine the processes of governance by eliminating or reducing the constraints of time and distance.

The subtle difference between the two terms electronic governance (e-governance) and electronic government (e-government) should be made clear first. E-government involves modernization of the processes and functions of the government using ICT tools and techniques. E-governance, on the other hand, is about the use of ICT tools in systems of governance for decision making. The main focus of e-government is the delivery of government services and information to citizens online, 24 hours a day, 7 days a week, using electronic means. Delivery of online services is the most desirable use of e-government, and such delivery can take the following forms: government to citizen (G2C), government to business (G2B), government to government (G2G), that is, between different organs of the government, and government to employees (G2E).

All over the world, governments are attempting to move from the era of efficiency to the era of effectiveness through citizen-centric and business-centric online services. Bangladesh is no exception. Bangladesh has made significant public sector investments in digitization with the goal of realizing Digital Bangladesh, that is, a developed Bangladesh free of corruption, free of poverty and with accountability and effective governance. In fact, the goal of the present Government is to realize Sonar Bangla, the dream of the father of the nation, Bangabandhu Sheikh Mujibur Rahman, and of millions of citizens of the country.

Recognizing the importance of e-government for increased efficiency, transparency and accountability in governance and service delivery, the Government of Bangladesh conducts the Support to ICT (SICT) Program with the head of the government as its chairman. Over the past years the SICT Task Force Program has designed, planned and implemented numerous ICT projects, and a large number of e-government programs are under implementation now (please visit http://www.sict.gov.bd and http://www.bcc.net.bd).

Expansion in the use of the Internet has increased the potential for illegal cyber activities, and cyberspace and the Internet are misused by individuals and groups to damage the software systems of the government, organizations and individuals. Electronic fraud in banks, hacking, identity theft and child pornography are common examples. Threats to electronic information in Bangladesh are increasing day by day. Hacking of district Web portals and the Rapid Action Battalion website, email threats to key persons, credit card fraud, blackmailing of persons by uploading facial images attached to naked human bodies, and digital fraud in admission tests are examples of increasing cyber crime in Bangladesh.

In these circumstances, the security of information in electronic form, whether in transit through networks or in computer memory, requires special treatment against different types of threats and attacks from cyber criminals. This short article presents the types and general characteristics of such attacks and the countermeasures against them in relation to e-government.


Security For E-government
The basic questions for e-government security are: security of what, and security against what? A modern organization requires security of all kinds of ICT assets, and the government is no exception. These assets can be internal or external to an organization. Internal assets are the ICT assets within the organization; external assets, which include the ICT assets of clients, remote users, business partners, etc., lie outside the organization. Examples of the wide variety of ICT assets include different kinds of data and information in electronic form, knowledge resources, computer programs, hardware, networks, servers, etc.

Threats and attacks to the ICT assets may come in different forms from different sources. In the case of e-government, the source of attacks can be internal or external to the government. With the sharp division of the government employees, the possibility of internal attacks should not be ruled out in Bangladesh. Employees working within e-government projects may misuse the access privileges for financial or other gains.

The government should be conscious of disgruntled employees within the government who may try to sabotage a program for vested interests. In the case of public-private partnerships, employees of the private partners of e-government may also resort to misuse or abuse of the systems. External users of e-government may also attempt to disfigure or damage databases and websites.

Threats may come from external sources like professional hackers, criminal organizations, terrorist organizations, and intelligence and investigation agencies. Professional hackers, having excellent technical skills, can break into e-government systems. The aim of such attackers is generally not financial but the sadistic pleasure of disrupting e-government services to the citizens. Intelligence and investigation agencies may try to secure classified information from e-government projects. Criminal and terrorist organizations may try to harm the government by destabilizing sectors of the economy that depend on digital systems and e-government projects.

THREATS TO ICT ASSETS
Threats to ICT assets may take different forms, including defacing of websites, hacking into servers, and damaging databases and application programs. Virus attacks are common now. Such attacks may corrupt data or application programs, or slow down or break down networks. Another attack worth mentioning is the DoS (denial of service) attack, which involves flooding Web portals with millions of requests at critical hours to disable the computer servers providing services to the citizens. Damage to ICT assets may also be caused by accidents, through incorrect usage of systems by valid users during testing and maintenance, and by design faults in software. Power outages or power fluctuations, natural calamities like fire, floods and earthquakes, and vandalism may also cause unwanted damage.

For smooth operation of e-government projects, appropriate countermeasures are necessary against outsider and insider attacks, user fraud, false identity, impersonation, theft and duplication of access tokens, DoS attacks, breach of accountability, and loss or theft of monetary value, to mention a few.

Security Management
E-government security covers three distinguishable environments: the user environment, the transport environment and the ICT assets environment. Users can be internal or external, transport of information can be through private or public networks, and the ICT assets can be tangible or intangible.

An important item of the user environment is the management of identities with access and interactions. Management of identities involves the creation of digital identities or credentials for citizens, businesses and government officials. Conventionally, user names and passwords are used to manage the identities of users. E-government projects should have clear-cut password policies for creating and using passwords. Access management enables ICT systems to identify valid users by matching passwords or other devices that carry the digital identity of the users. It also authorizes a user to perform only those tasks and transactions granted to that user.

The objective of an interaction management system is to provide the very important services of authentication, integrity, confidentiality and non-repudiation. Authentication assures that the user is actually the person he or she claims to be. Integrity services assure that an electronic document has not been tampered with in transit or in storage. The confidentiality service assures that the message or document has not been read by any unauthorized person. Non-repudiation assures that the sender or receiver of a message cannot deny the transaction of an electronic document.

The user name and password system has several security issues. A password can be compromised, hacked or transferred to another user. Security solutions have been developed for different circumstances. Examples of such solutions are digital identity tokens, biometric devices, public key infrastructure (PKI), digital signatures, asymmetric key pairs, public keys, secret keys, etc. PKI can meet the requirements of authentication, integrity, confidentiality and non-repudiation. Setting up a PKI involves legislation and government approval.



The e-government gateway is another central point that controls the users' access to the e-government ICT assets. A gateway performs registration and authentication of users and routes requests for services to the appropriate backend installations. It can also provide enrollment of citizens and businesses for the variety of government-to-citizen (G2C) and government-to-business (G2B) services that they need from the government.
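The identity, access and gateway functions described above can be sketched in a few lines. This is an added example, not code from the article or from any government system; the service names, the 12-character password policy and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical service catalogue: service name -> (category, backend handler).
BACKENDS = {
    "birth_certificate": ("G2C", lambda user: f"registry: certificate request for {user}"),
    "trade_licence": ("G2B", lambda user: f"commerce: licence request for {user}"),
}

class Gateway:
    MIN_PASSWORD_LEN = 12   # constructed password policy for this example
    ITERATIONS = 100_000    # PBKDF2 work factor (assumption)

    def __init__(self):
        self._users = {}    # user -> (salt, password hash, granted categories)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def register(self, user, password, categories):
        """Create a digital identity; only a salted hash of the password is stored."""
        if len(password) < self.MIN_PASSWORD_LEN:
            raise ValueError("password does not meet policy")
        if user in self._users:
            raise ValueError("identity already exists")
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt), frozenset(categories))

    def authenticate(self, user, password):
        """Constant-time comparison; unknown users cost the same hashing work."""
        salt, stored, _ = self._users.get(user, (b"\0" * 16, b"", frozenset()))
        return hmac.compare_digest(self._hash(password, salt), stored)

    def request(self, user, password, service):
        """Authenticate, check the user's grants, then route to the backend."""
        if not self.authenticate(user, password):
            return "denied: authentication failed"
        category, handler = BACKENDS.get(service, (None, None))
        if category is None or category not in self._users[user][2]:
            return "denied: not authorized for this service"
        return handler(user)
```

A citizen registered only for G2C services is routed to the registry backend but refused a G2B service, and a wrong password or unknown user name is rejected before any routing takes place.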

The transport environment consists of LANs, WANs, wireless and RF networks, satellite networks and the Internet. Except for the Internet, all of these networks can be secured through appropriate means by network administrators. Popular ways of tackling the security issues of the Internet are the creation of virtual private networks (VPNs) in the public domain and the installation of firewalls at the interface between the Internet and agency networks. Encryption of data communicated over the Internet and IPSec techniques could also provide confidentiality and protection of data passing through the Internet.

The two types of ICT assets are tangible (that is, hardware) and intangible (that is, software) assets. They are most valuable from the point of view of an organization or a user. The two categories of security treatment, therefore, are physical security for hardware assets and electronic security for software assets. Physical security is required to guard against physical damage to or loss of hardware equipment. Electronic security, on the other hand, controls the digital traffic that enters or leaves an enterprise. Examples of tools used for electronic security are antivirus systems, intrusion detection systems, firewalls, etc.

Security architecture and standard
Security architecture is a high-level policy document that directs and guides the security of e-governance. Among others, its main goals are to create confidence and trust among citizens, businesses and government by enforcing standards for security in e-government. Security architecture also indicates the procedures and processes that need to be followed by all the players participating in e-government, such as government users, citizens, businesses, government partners, operators and service providers. The standard and architecture for e-government take care of the services of authentication, integrity, confidentiality and non-repudiation for the transfer and storage of electronic information. The achievement of these objectives involves regulatory, technological and managerial issues arising out of the security needs of the user environment, the transport environment and the ICT assets environment. The security architecture or security framework should be based on statutory regulations, security standards and security policies.

A security standard provides the specifications for the management of information security. The standard for information security adopted by ISO is known as ISO17799. This standard helps to identify, manage and minimize the threats to which information is subjected. The items prescribed by the ISO17799 standard are: security policy, personnel security, access control, compliance, and system development and maintenance at the design and development stage. The standard also covers communication and operations management for the transport of information, organization of assets and resources, physical environment security, and business continuity management to avoid interruptions in business activities.

Conclusion
In the past years, especially in the last two years, considerable progress has been made in the digitization of government processes in the country, but the security of information in computer storage or in transit through networks did not receive due importance. There is no mention of information security in "e-Government Initiatives in Bangladesh: A Sample Survey in 2008", a publication of the Support to ICT Task Force Project of the Government of Bangladesh.

An important concept for the security of information in electronic form for e-government is the awareness of the government and the people. The users of ICT tools for receiving e-government services should be aware of the different cyber attacks and threats, and they should set up appropriate countermeasures against such attacks. Similarly, the technical personnel of the government engaged in networking activities and in providing e-services should have in-depth knowledge and understanding of the mechanisms of cyber attacks on ICT assets and their countermeasures.

Cyber crimes and threats to electronic information, especially of e-government, are based on advanced ICT techniques and law enforcers must be trained and well equipped to tackle them. As a matter of fact, cyber crimes investigation cells should be established with trained personnel in information security.

Information security is critical to the success of e-government. Laws, a regulatory framework and policies should be enacted to combat high-tech cyber crimes against e-government projects, organizations and individuals. Many countries of the world have already set up such policies and regulatory frameworks against attacks and threats for the protection of ICT assets, and Bangladesh needs to be ready to face such threats as early as possible. This is especially relevant to Digital Bangladesh, which requires a large number of e-government projects. The necessity of an ICT cadre service is becoming more and more important with the increasing digitization of government processes for providing e-services to citizens and others. It appears that without an ICT cadre service it will be difficult, if not impossible, to provide effective leadership for information security for e-government in future.

The writer is Professor in the Department of Computer Science and Engineering, University of Dhaka and its founding Chairman.