“If we do ‘open government’ or ‘gov 2.0’, we’re gonna get hacked…”


This topic contains 20 replies, has 9 voices, and was last updated by  Andrew Krzmarzick 7 years, 8 months ago.

  • #98204

    Have you heard this statement in your agency before?

    Security is a legitimate concern in many agencies.
    But what are the serious security threats that emerge from opening datasets and having more transparent conversations with citizens?
    Weigh in here and let’s keep the conversation going at the Open Government and Innovations Conference on May 4-5. I enjoyed last year’s event and happen to be on the planning committee this year. In fact, there’s a session called “Open, Yet Secure. The Open Government Paradox?” that will address this very issue.

  • #98244

    @Harlan (and Anyone Else!) – Got examples of security plans related to social media?

  • #98242

    Bill Brantley
    Participant

    You are going to be hacked whether you use social media or not. That’s just been a fact of life since the 1980s. There are plenty of software solutions for preventing hacking but social networking exposes the most vulnerable port to the hacker – the user. Social engineering is the primary tool of hackers because it works so well (ask Kevin Mitnick: The Art of Deception: Controlling the Human Element of Security).

    The best way to handle the security issue is through user training. Here is one great example of fun and interactive social networking training – http://mashable.com/2009/12/16/telstra-social-media/

  • #98240

    Srinidhi Boray
    Participant

    Vulnerability always exists. In fact Open Government will open the flood gates to intruders who will transgress for the heck of it, just to amuse their perverseness. If systems that exist today are compared to what existed several years back, it can be observed that they have evolved from monolithic to heterogeneous systems. This could happen because of the development of mechanisms for secured internal system transactions.

    Open Government began several years back, when Government brought in legislation for information assurance and dissemination. Moving forward, as Vivek Kundra puts it, the need for governance in the public square is most desired now. This means more interactive dialogue with the citizens to foster better mechanisms for the citizens to engage with the government. However, this does not mean business transactions are being conducted in a vulnerable open system. Just that the results of the transactions that are secured are made transparently visible, allowing citizens to better understand government activities and make informed decisions.

    The IT Dashboard and many other contract details (http://www.fbo.gov) have been available on the internet for a long time now. The entire world could read and understand what the US Government was doing, and inferences could also be formed about its future intentions.

    The recent cyberattack from (avoided “by”) China on Google and the likewise attack on the Georgian twitter bloggers are simple examples of vulnerabilities. Also, one of the biggest frauds, the 2009 Gonzalez credit card case, is another transaction-related event. These cannot deter the world from making progress. While the system strives for transparency, the notion of “privacy” will also be redefined. As more of the system opens up, that much more the system will need to prepare for deterrence to prevent nefarious attacks. This is the antithesis. Security is a legitimate concern, but parents did not stop sending their vulnerable children to school. When that could happen, mere discussion of governance in the open is of less security concern.

    The question to be rephrased is – Does Government fear to conduct itself in the open (is it citing reasons not to)?

  • #98238

    Arvind Nigam
    Participant

    Security of what data? When you’re keeping everything open, there is little fun in hacking through it. Facebook is a complete open data system with clear and robust APIs. I am yet to see if someone is able to hack away into its database. And even if someone does, what advantage does it give to the hacker? 1 day of downtime 🙂 lol, funny it sounds.

    According to me ‘security’ is a marketing buzzword which comes from a closed era and has been cashed in upon by the likes of the Microsofts and Oracles of the bygone decade. Of course the opinions are subject to experts’ analysis, but social media is no rocket science.

    Cheers,
    Arvind
    CEO – http://bubbleideas.com

  • #98236

    I’d actually confirm what you’re saying, Harlan. I know a few friends who had their Gmail accounts hacked this past weekend and messages were sent on their behalf. What if those messages seemed legit and had links to spyware that people loaded onto their machines unknowingly…at work?

    The upshot of all of this discussion: we need a massive public education campaign about operating securely on the Web – including public servants and the public they serve.

  • #98234

    An article that is relevant to this conversation:
    When to Discuss Security Publicly
    http://cybersecurityreport.nextgov.com/2010/04/is_it_ok_to_discuss_

  • #98232

    Arvind Nigam
    Participant

    See, hacking of a personal email account is altogether a different scenario from hacking a platform with open conversations such as in the gov20 scenario.

    Even TechCrunch was hacked a few weeks back, where there is no chance of anyone finding a credit card number. But that led to nothingness. Let’s not confuse the open data of Governance with other paradigms of sensitive data such as personal email, bank account numbers, or email ids, which can be used with a specific interest in mind.

    For example, medical spammers sell Viagra and all through email spam. And hence we saw gmail hacks and other email account hacks. In the sense of gov20, the security premise of this article ain’t very clear. Hacking itself can be machine based, social or simply human. Each scenario is different where the open data concept of Governance is likely to feel the heat. But it’s not that opening up data would lead to more hacking than being a closed system. That comparison is flawed.

    But to apply terms like “hacking” and “insecurity” prima facie is a biased approach, and calls for correction beforehand. Phishing is another scenario which could be utilized without any technical hacking per se. But that doesn’t mean Twitter and Facebook have failed to perform. 🙂

    “The more closed you are, the higher the chance of getting hacked”.

    Of course this is my take,

    Cheers,
    Arvind

  • #98230

    Patrick Quinn
    Participant

    “When you’re keeping everything open, there is little fun in hacking through it. Facebook is a complete open data system with clear and robust APIs. I am yet to see if someone is able to hack away into its database…. According to me ‘security’ is a marketing buzzword which comes from a closed era and has been cashed in upon by the likes of the Microsofts and Oracles of the bygone decade.”

    Exactly.

  • #98228

    Ed Albetski
    Participant

    There are two issues here:

    1. The agency sets up an official identity at social media outlets to spread information and get feedback from the public. This is “Open Government”.

    2. The agency allows its employees access to their personal social media accounts via their government systems.

    The first item is fine as this can be done in a security “sandbox”, a “dirty” server isolated from the network.

    The second, from a security standpoint, is insane. Before we prevented access to these sites one of our folks took their kid to the office during the Christmas holiday and let them use their desktop to keep amused. I had to clean off over 500 spyware infections the next week. This took 2 days of my and another tech’s time.

    Access to GovLoop is one thing; Facebook and the like are another. Too many gremlins sneak in and we have better things to do. The loss of productivity in re-imaging the PCs is too high right now. Frankly I don’t see why giving employees access to these sites at the workplace is necessary. Most can use their phones to go there anyway. Do this stuff at home, folks.

    An official presence on these sites should not be a problem to any competent security department.

    @ Harlan — I agree, an agency’s security plan is “eyes only”. I mean, gee, why not publish a map to your whole server farm?

    @ Arvind — Yes, all our data is posted online, but we still have to protect it from attack. Pranksters or more malicious folks will attempt to alter it or otherwise damage the site for any number of reasons. Come now, even if you give away candy, you don’t want someone to spit in the bowl, do you?

  • #98226

    Arvind Nigam
    Participant

    I actually the charm of internet…:)

    I guess I can write a bible on the misnomer called internet security threat of spyware/sneakers, coz the reason we have spyware/sneakers is that there is some public data/information that we have been hiding, or intend to hide, and someone wants to know it. Lol – so it’s a chicken-and-egg problem.

    Technically, it is possible to prevent anyone from spitting on our systems, to thwart the curse and vile for the sake of hygiene too, and to trace the miscreant quite easily as well. But these are not challenges to the adoption of social media in Governance. The challenge is the mindset. The mindset of public servants, leaders and citizens etc. etc.

    I loved this discussion, and having been a part of Government myself, I pretty much understand the concerns revealed.

    Cheers,
    Arvind
    http://bubbleideas.com

  • #98224

    Bill Brantley
    Participant

    @Ed – I fully understand your concerns. When I was managing a departmental network for a university, I often spent hours cleaning up after the faculty members’ kids and their downloads. I also spent hours cleaning up after the students who turned my stations into BitTorrent servers for all kinds of copyrighted material. There have to be security precautions in place.

    But I disagree with your total ban of social networking sites. They are valuable resources and can increase productivity in the workplace. There are products that allow access to SNS while providing fine-grained security and an audit trail for employee activities. http://compass.socialware.com/

  • #98222

    Arvind Nigam
    Participant

    +1

  • #98220

    Lisa Valentine
    Participant

    Here’s my 2 cents: Companies that simply block employee access to social media apps out of fear and misunderstanding of the risks need to be better educated on the subject. Here’s a helpful resource for them; it’s a whitepaper called “To Block or Not. Is that the question?”

    http://bit.ly/9f8WOT

    It has lots of insightful and useful information about identifying and controlling Enterprise 2.0 apps (Facebook, Twitter, Skype, SharePoint, etc.)

  • #98218

    Perfect resource – thanks, Lisa!

  • #98216

    Ed Albetski
    Participant

    @Bill – We allow LinkedIn, GovLoop, and Twitter, and probably a few more I can’t name off the top of my head. Facebook is banned because some of their games exchange code with the browser, and it was just this type of thing that hit us last year. Folks are putting up game and polling modules there all the time, and I don’t have the confidence in Facebook’s testing that I would have in our own.

    I understand about social networks being beneficial, but with Facebook, I can’t see how playing Farmville all day is going to help productivity (grin).

    The socialware software is interesting, but I can hear the budget argument now. It will likely be a while before management sees the value of some of these sites, but I do hear you. Thanks!

  • #98214

    Ed Albetski
    Participant

    @Arvind – Understood, but I disagree. There are folks out there who just want to hack government sites, either just for the challenge or to embarrass the government. The Way Back Machine used to have the Justice Department’s home page with the pornographic pictures as an example. The hackers didn’t want information, they just wanted to “tag” the Justice Department site. Our responsibility is to see that that doesn’t happen to our site. Government “openness” isn’t the issue.

    My agency is likely to have accounts on several social media sites to spread our information. This should accomplish transparency without endangering our data servers.

    Thanks for your thoughts!

  • #98212

    Ed Albetski
    Participant

    This article seems to sum up a lot of the prevailing attitudes, including mine (grin).

    Information Security Professionals Struggle with Rise of Facebook and Other Web 2.0 Tools

  • #98210

    Ross Collicutt
    Participant

    I’ve not got any examples but I just wanted to add my 2 cents.

    Allowing access to open data just means governments are publishing this data online. It doesn’t mean they’re allowing anybody access into their networks to find this data. They will publish it on their website or data catalogue just as they would with any other type of information. They can do this in a secure fashion.

    Open data means free to use, not insecure.

  • #98208

    Srinidhi Boray
    Participant

    Bottom line – although Open Governance is most desired, if one begins to understand how the platforms are designed internally, one will be aghast to learn about the areas of vulnerability. Cyber risks are too many, and they have the opportunity of creating recursive and repetitive effects that can replicate over networks pretty fast.

    In security business prevention is prudence.

  • #98206

    Faye Newsham
    Participant

    I think the sticking point is where you have the public participate in your online open data enterprises. Do you have a wiki with public input? Do you crowdsource? Tag cloud? Allow comments on YouTube where you post your official Fed videos? Who monitors, cleans up, or addresses questions? This is a real resource hog (people vs machines), and then we move into posted data that is misused or misinterpreted and reposted on something that is, or looks like, a real site… I see both sides of the problem and solutions, and it is just plain complicated. I say move forward with social media but be aware and careful!
