Editorial: Responsibility must be taken for kiosk saga
A public resignation would demonstrate the Ministry of Social Development is serious about IT security
By Sarah Putt | Auckland | Tuesday, 23 October, 2012 | 15 Comments
Three separate inquiries have been launched following the closure of 700 kiosks in WINZ offices after a major security hole was discovered by blogger Keith Ng. The office of the privacy commissioner has launched an inquiry, Deloitte is conducting an inquiry into what happened, and the State Services Commission is conducting a broader inquiry into public-facing government computer systems.
Three government inquiries are not enough.
Somebody has to take personal responsibility for this grave error. If a building falls down an engineer takes responsibility, if there is gross financial mismanagement an accountant takes responsibility. This IT system failure has real-world consequences, and the person who signed off on those kiosks must resign. It’s a tough thing, but a public resignation would demonstrate that the Ministry of Social Development is serious about IT security.
As we know, Ng, following a tip-off from Ira Bailey, walked into two branches of WINZ, downloaded thousands of invoices from a kiosk computer onto a USB stick and walked out. These invoices contained sensitive information about at-risk children, including where they lived.
There was other information, such as the names of people who owed money to the MSD, but for me the fact that the contact details of vulnerable children could have been accessed by any member of the public is astounding.
It’s a horrible thing, but there are people in our society who will harm their own children. That’s why those children have false names and live in secret addresses. MSD’s core job is keeping that information safe. The IT department that built those kiosks and failed to implement the most basic security protocols – as IITP CEO Paul Matthews told me “it wasn’t rocket science” – could have exposed those children to harm.
We can only hope that Ng and Bailey – who have acted with integrity in bringing this to public attention – were the only ones to access this information. But we shouldn’t have to hope, we should know.
There will be many pointing to ICT budget cuts, the loss of CIO roles, the push for the public service to “do more with less” to explain why the kiosk failure occurred. But there is quite a bit of human culpability in there too. You must stand by what you have built. When Telecom’s XT outage occurred top executives at both Telecom and Alcatel Lucent resigned and it was the right thing to do.
There is also the involvement of Dimension Data, which carried out an audit in April 2011, apparently raised security issues and recommended changes. The Deloitte report will outline their involvement, so we don’t know at this stage what they discovered and, in fairness, the company may not have been aware that their recommendations weren’t acted upon.
But in general, what should security consultants bound by commercial contracts do in these circumstances? Is there an IT professional code of conduct which says there is an obligation to speak out if steps are not taken to fix security flaws when sensitive data is at risk?
I suspect the three government reports will provide technical explanations about what went wrong and recommend steps to ensure this situation doesn’t occur again. Technical solutions are likely to be easier to implement than changing an IT culture which, Matthews says, regards security and privacy as a “bolt on” – something that’s added, rather than something that is at the heart of the project.
‘First, do no harm’, should be the mantra of every IT executive working on government projects that deal with sensitive data – whether that’s financial or medical or even the personal details of where a citizen lives.
Prime Minister John Key says the kiosk failure will not slow down the government’s goal that “by 2017 an average of 70 percent of New Zealanders’ most common transactions with government will be completed in a digital environment.”
But can New Zealand citizens trust government IT departments to protect their personal information?
Until these three inquiries are complete, we can’t be sure.
Comments
Computer Security
With comments like these it appears the IT industry has lost contact with reality. It reminds me of that wonderful old story "The Emperor's New Clothes." With all computers now connected through the Internet, how can anyone be certain the data on any computer is kept private or only accessible to those who are or should be allowed to see it? A computer can't make this decision. It is only a machine after all. The term "security professional" in relation to computers is an oxymoron if I ever heard one.
Posted by Matthew Jenkinson at 6:17:39 on October 25, 2012
Computer Security
Not the IT industry; generally it is the management of the IT industry and the available resources. If the CIO has been fired then that responsibility should pass to a director or relevant CEO. However, with institutions such as IPENZ and IITP for engineers and the Information Technology profession to maintain integrity and training, there is little impetus for managers to maintain a base level of job quality. Which is why we have shows like Dilbert, The IT Crowd and alcohol to make the issue less depressing. (The managers typically get paid 3 times more than the operations manager and don't need to be on call after hours).
Posted by Starfire at 10:33:26 on October 29, 2012
'review' by Deloitte's
How can anyone possibly countenance a 'review' of IT security by a bunch of accountants who consistently fail at IT? Think of the 55 million fiasco of the Auckland Council SAP project with no requirements, or the 38 million regulatory project at the former Auckland City Council, again a colossal failure. Time after time these clowns screw up IT projects only to be hired back. Why? They are easy to sheet blame home to, so someone who commissioned them in the first place can walk away scot-free from the screw up.
Come on MSD, did you even go through the proper process to appoint these clowns?
Posted by Anonymous at 16:48:05 on October 23, 2012
'review' by Deloitte's
These accountants sell hours, not results. The more hours the better. The cost vs outcomes at Auckland Council have been appalling. Seems the Wellington brigade play musical chairs with these projects. Deloitte, KPMG, PWC next please....
Do we need more inquiries? Seems there are heaps for Pike River but it does not change the outcome. There are heaps for the 22 Feb ChCh quake, and in fact the supervising engineer for the CTV building is not held responsible; he was a fraud using a false name. More inquiries. There are so many inquiries I suspect it has brought down unemployment by 1.5%.
Posted by Press Repeat button at 12:59:11 on October 25, 2012
'review' by Deloitte's
KPMG, Deloittes, PWC and ???? bypass the process imposed on the rest of the industry.
Something to do with the Wellington Club, perhaps?
Posted by Anonymous at 16:55:53 on October 24, 2012
Who says?
I am a little confused. Is it Sarah Putt and Computerworld's job to demand resignations?
The outcome of the reports being produced will put certain people under the gun; if the people above them want to remain credible, then a suggestion of resignations may very well be an outcome.
However, I am extremely uncomfortable with the media themselves calling for resignations; at best it is an abuse of press privilege, at worst it is manipulation by sensationalising the issue.
The only grey area here is that as an editorial it is basically an opinion. But this issue is so sensitive my preference would be for everyone to keep out until the facts are known.
Posted by Deane at 15:01:32 on October 23, 2012
Who says?
Deane. Sarah Putt is only saying what most of us are thinking. This kind of security breach is not some clever hacker breaking through firewalls. This is gross negligence on the part of everyone - from the top right down to the technical designer and their implementation team. Resignations are required - and soon!
Posted by David Spratt at 9:38:56 on October 26, 2012
Who says?
This is down to the media pushing for influence so they can have another 'big story'. Yes, it's an opinion piece, but it's also along the same lines as scaremongering. Much like politicians, the journalists simply close ranks to protect each other when things go awry for them. Though how Keith Ng can call himself a journalist is beyond me. I have a blog too; it doesn't make me a journalist.
Posted by Anonymous at 11:47:11 on October 25, 2012
Who says?
"Editorial" = Opinion piece.
Posted by Anonymous at 15:25:19 on October 23, 2012
"Acted with integrity"
How on earth did they "act with integrity"? Yes they brought it to public attention, but they also removed thousands of confidential files that if made public, would put those people at risk. We do not know what steps they took to protect the files, who else saw the files, and whether the files have been completely wiped from their machines. Bailey wanted money from this, so he was certainly not acting with any degree of integrity. Ng removed thousands of files unnecessarily - there was no reason to remove and personally analyse so much. He also did not provide the Ministry an opportunity to respond before publishing his story. These two men acted unprofessionally and unreasonably and if it happened in any other country, they would be prosecuted.
Posted by Anonymous at 11:58:16 on October 23, 2012