Securing Electronic Government Mary Mitchell (mary.mitchell@gsa.gov) Deputy Associate Administrator Office of Electronic Commerce Electronic Government, 2010 Seamless Architecture Citizen-Government Business-Government Government-Government Citizens Government-Other Businesses Universities Laboratories State Governments Local Governments Non-Profit Organizations Associations... Government Agencies 1999 Top 5 E-Commerce Barriers and Inhibitors Security and Privacy Culture (resistance to change) Trust Interoperability (E-Commerce applications and legacy systems) Ability to make and receive payments Source: Commercenet Survey Government-wide Drivers Provide better service and lower costs – To individuals, business, and among governmental entities Required by legislation – Government Paperwork Elimination Act – E-FOIA and others Boundary Conditions – Security and Privacy Acts – OMB A-130 Government Paperwork Elimination Act Agencies must provide: – E-forms as alternatives to paper – E-signatures to authenticate sender – E-receipts to acknowledge successful submission Guidance also requires: – Evaluation of customer/user needs – Risk assessment of proposed technology – Implementation by Oct 21, 2003 Other Needs and Considerations Agency Specific Program “enabling legislation” – Sets specific operating conditions • Signatures • Liabilities • “Proofs” (e.g., eligibility but not identity) Differs from Private Sector – Uniform Commercial Code – Liability limitations - e.g, credit card $50.00 Security and Privacy Security is technology driven and Privacy is policy Security Technologies can be used to implement Privacy Policy Issues – Authenticated Identity – Authenticated Authority – When are they required? The Problem Ensuring individual privacy in the collection of information Privacy concerns dictate the need for particular diligence in: > identifying the individual requesting information or services > protecting against the unauthorized release of information Electronic Commerce Trust Requirements Authentication - ensure that transmissions and their originators are authentic (identity). Data integrity - ensure that exchanged data is not reasonably subject to intentional or unintentional alteration. Confidentiality - limit access to authorized entities. Non-Repudiation - can not deny participation Public Key Technology Provides These Security Technologies and Risk Agency Programs have various Risk Profiles Depending on Risk, there are different requirement for assurance – Anonymous request for public information – Anonymous submission to IG/GAO – “Sign here” to get money (and obligation) – “Sign here” that you are not lying Technology Options None - don’t need to know who you are Some - PIN, Password, or Pass-phrase – A shared secret – Coupled with some “user ID” – An “authenticator” – Could include “biometric” Strong - Cryptographic Schemes Security Mechanisms Key Technology (no pun intended) – Cryptography • Digital Signature techniques – Authenticated Identity (well almost) – Data Integrity – Non-repudiation (hard to say “I didn’t do it”) • Confidentiality – Encrypted message content or transport – Supports privacy Public Key Infrastructure (PKI) – Establish binding of Identity & Digital Signature Technology Not Enough Sound implementation of policy Allocation of risks and liability End-user education and training Help-desk operations Candidate Business Processes Thanks to SSA General Public – Earnings – Claims Business – Wage Reporting – Electronic Medical Evidence