Editorial: Responsibility must be taken for kiosk saga
Three separate inquiries have been launched following the closure of 700 kiosks in WINZ offices after a major security hole was discovered by blogger Keith Ng. The office of the privacy commissioner has launched an inquiry, Deloitte is conducting an inquiry into what happened, and the State Services Commission is conducting a broader inquiry into public-facing government computer systems.
Three government inquiries are not enough.
Somebody has to take personal responsibility for this grave error. If a building falls down an engineer takes responsibility, if there is gross financial mismanagement an accountant takes responsibility. This IT system failure has real-world consequences, and the person who signed off on those kiosks must resign. It’s a tough thing, but a public resignation would demonstrate that the Ministry of Social Development is serious about IT security.
As we know, Ng, following a tip-off from Ira Bailey, walked into two branches of WINZ, downloaded thousands of invoices from a kiosk computer onto a USB stick and walked out. These invoices contained sensitive information about at-risk children, including where they lived.
There was other information, such as the names of people who owed money to the MSD, but for me the fact that the contact details of vulnerable children could have been accessed by any member of the public is astounding.
It’s a horrible thing, but there are people in our society who will harm their own children. That’s why those children have false names and live in secret addresses. MSD’s core job is keeping that information safe. The IT department that built those kiosks and failed to implement the most basic security protocols – as IITP CEO Paul Matthews told me “it wasn’t rocket science” – could have exposed those children to harm.
We can only hope that Ng and Bailey – who have acted with integrity in bringing this to public attention – were the only ones to access this information. But we shouldn’t have to hope, we should know.
There will be many pointing to ICT budget cuts, the loss of CIO roles, the push for the public service to “do more with less” to explain why the kiosk failure occurred. But there is quite a bit of human culpability in there too. You must stand by what you have built. When Telecom’s XT outage occurred top executives at both Telecom and Alcatel Lucent resigned and it was the right thing to do.
There is also the involvement of Dimension Data, which carried out an audit in April 2011, apparently raised security issues and recommended changes. The Deloitte report will outline their involvement, so we don’t know at this stage what they discovered and, in fairness, the company may not have been aware that their recommendations weren’t acted upon.
But in general, what should security consultants bound by commercial contracts do in these circumstances? Is there an IT professional code of conduct which says there is an obligation to speak out if steps are not taken to fix security flaws when sensitive data is at risk?
I suspect the three government reports will provide technical explanations about what went wrong and recommend steps to ensure this situation doesn’t occur again. Technical solutions are likely to be easier to implement than changing an IT culture which, Matthews says, regards security and privacy as a “bolt on” – something that’s added, rather than something that is at the heart of the project.
‘First, do no harm’, should be the mantra of every IT executive working on government projects that deal with sensitive data – whether that’s financial or medical or even the personal details of where a citizen lives.
Prime Minister John Key says the kiosk failure will not slow down the government’s goal that “by 2017 an average of 70 percent of New Zealanders’ most common transactions with government will be completed in a digital environment.”
But can New Zealand citizens trust government IT departments to protect their personal information?
Until these three inquiries are complete, we can’t be sure.
Posted by Starfire at 10:33:26 on October 29, 2012
Come on MSD, did u even go through the proper process to appoint these clowns?
Posted by Anonymous at 16:48:05 on October 23, 2012
Do we need more inquiries? Seems there are heaps for Pike River but it does not change the outcome. There are heaps for the 22 Feb ChCh quake – and in fact the supervising engineer for the CTV building is not held responsible – he was a fraud using a false name. More inquiries. There are so many inquiries I suspect it has brought down unemployment by 1.5%.
Posted by Press Repeat button at 12:59:11 on October 25, 2012
Something to do with the Wellington Club, perhaps?
Posted by Anonymous at 16:55:53 on October 24, 2012
The outcome of the reports being produced will put certain people under the gun; if the people above them want to remain credible then a suggestion of resignations may very well be an outcome.
However, I am extremely uncomfortable with the media themselves calling for resignations. At best it is an abuse of press privilege, at worst it is manipulation by sensationalising the issue.
The only grey area here is that as an editorial it is basically an opinion. But this issue is so sensitive my preference would be for everyone to keep out until the facts are known.