Securing Electronic Government
Mary Mitchell (mary.mitchell@gsa.gov)
Deputy Associate Administrator
Office of Electronic Commerce
Electronic Government, 2010
Seamless Architecture
Citizen-Government
Business-Government
Government-Government
Citizens
Government-Other
Businesses
Universities
Laboratories
State Governments
Local Governments
Non-Profit Organizations
Associations...
Government Agencies
1999 Top 5 E-Commerce
Barriers and Inhibitors

Security and Privacy

Culture (resistance to change)

Trust

Interoperability (E-Commerce applications and
legacy systems)

Ability to make and receive payments
Source: Commercenet Survey
Government-wide Drivers

Provide better service and lower costs
– To individuals, business, and among
governmental entities

Required by legislation
– Government Paperwork Elimination Act
– E-FOIA and others

Boundary Conditions
– Security and Privacy Acts
– OMB A-130
Government Paperwork
Elimination Act

Agencies must provide:
– E-forms as alternatives to paper
– E-signatures to authenticate sender
– E-receipts to acknowledge successful
submission

Guidance also requires:
– Evaluation of customer/user needs
– Risk assessment of proposed technology
– Implementation by Oct 21, 2003
Other Needs and Considerations

Agency Specific Program “enabling legislation”
– Sets specific operating conditions
• Signatures
• Liabilities
• “Proofs” (e.g., eligibility but not identity)

Differs from Private Sector
– Uniform Commercial Code
– Liability limitations - e.g, credit card $50.00
Security and Privacy

Security is technology driven and Privacy is
policy

Security Technologies can be used to implement
Privacy Policy

Issues
– Authenticated Identity
– Authenticated Authority
– When are they required?
The Problem
Ensuring individual privacy in the collection
of information
Privacy concerns dictate the need for particular
diligence in:
> identifying the individual
requesting information or
services
> protecting against the
unauthorized release of
information
Electronic Commerce
Trust Requirements

Authentication - ensure that transmissions and
their originators are authentic (identity).

Data integrity - ensure that exchanged data is not
reasonably subject to intentional or unintentional
alteration.

Confidentiality - limit access to authorized entities.

Non-Repudiation - can not deny participation
Public Key Technology Provides These
Security Technologies and Risk

Agency Programs have various Risk Profiles

Depending on Risk, there are different
requirement for assurance
– Anonymous request for public information
– Anonymous submission to IG/GAO
– “Sign here” to get money (and obligation)
– “Sign here” that you are not lying
Technology Options

None - don’t need to know who you are

Some - PIN, Password, or Pass-phrase
– A shared secret
– Coupled with some “user ID”
– An “authenticator”
– Could include “biometric”

Strong - Cryptographic Schemes
Security Mechanisms

Key Technology (no pun intended)
– Cryptography
• Digital Signature techniques
– Authenticated Identity (well almost)
– Data Integrity
– Non-repudiation (hard to say “I didn’t do it”)
• Confidentiality
– Encrypted message content or transport
– Supports privacy

Public Key Infrastructure (PKI)
– Establish binding of Identity & Digital Signature
Technology Not Enough

Sound implementation of policy

Allocation of risks and liability

End-user education and training

Help-desk operations
Candidate Business Processes

Thanks to SSA

General Public
– Earnings
– Claims

Business
– Wage Reporting
– Electronic Medical Evidence