Digital identities — trust but verify
As its own identity crisis bites, Australia’s federal government is mustering support for a security overhaul.
Announced in the weeks before the election, a $50m plan by the Malcolm Turnbull-led Liberals to “modernise” the government’s myGov centralised-government portal reflected the increasingly critical role of centralised services as a digital-transformation beachhead — and the urgency of improving security in step with the government’s broadening transformation agenda.
Security is hardly a new concern for government, and indeed was naturally an early goal of the Digital Transformation Office (DTO) Digital Service Standard. But whole-of-government security models have been hindered by a past in which agencies were left to their own devices for security processes, and technologies were chosen on what amounted to a haphazard basis.
While those solutions might have been adequate for an individual agency’s needs, as the government coalesces around myGov as a core citizen interface to government, the cracks are starting to show.
Turnbull’s announced overhaul — which could be modified based on whether the Coalition fails to emerge victorious in election counting, which was still up in the air at press time — flagged a range of issues with current processes, such as the “complex, repetitive” and error-prone processes by which citizens manage their government-related information. A “simplified and improved” sign-in process will include federated authentication across a range of government agencies, better mobile support and better usability overall.
The move to revisit myGov — coming on the heels of the government’s 2015 Budget commitment of $33.3 million to construction of a “trusted digital identity framework” as a founding pillar of the $254.7 million allocated to jump-start the DTO — reflects the government’s continuing efforts to not only step up its cybersecurity agenda, but to do so through a centralised and consistent framework that works in lockstep with the DTO’s overall transformation efforts.
Rachel Dixon, head of identity with the DTO, is leading the effort to turn the government’s identity focus into reality. “Giving users the choice to establish their digital identity once is our basic aim,” she wrote in a blog post earlier this year to explain the DTO’s plans for a Trusted Digital Identity Framework (TDIF). The TDIF will debut in August as an alpha product in two parts — a federated identity service to verify users’ identities, and a credential or log-in that is issued to users and allows them to log in to access secure government services.
The first element of that effort will mirror the efforts undertaken by the UK’s Government Digital Service (GDS) Verify service, which has authorised nine companies to provide UK citizens with identity verification services that then provide access to specific government services.
“Identity is better thought of as the ability to have trust online,” wrote Dixon, who will speak about the agency’s efforts to an audience of government decision-makers — many of whom will ultimately be users of the TDIF and beneficiaries of the DTO’s work in this area — at AC Events’ Technology in Government conference in August.
“We’re considering a range of ‘use cases’ to better understand the user needs and implications of various designs, on both the product and the framework,” she wrote.
Towards a new identity model
The depth of the government’s commitment to identity-based services reflects changes in users’ interaction patterns — mobiles have quickly come to dominate government interactions, for example — that have complicated efforts to provide a single sign-on for government.
The DTO is considering several models for its service, including the NIST Trust Vectors model. Whichever standard is followed in the end, however, improvements in technology have helped adapt identity systems to evolving government requirements, noted John Lord, managing director of identity verification provider GBG DecTech.
Melbourne-based GBG has already integrated its cloud-based, Australian-developed identity service into the UK’s Verify program and Lord believes the time is right for Australia’s transformation-minded government to leverage the technology in the same way.
“The convenience of how you access these things has totally changed,” said Lord, “and the technologies that support the authentication process are a lot slicker.”
Expanding datasets correlate identity profiles with information about devices used, the location of people accessing services and other factors — enabling a higher degree of accuracy in verifying the identity of a person accessing online services through a broad range of modalities.
“Five years ago we could probably verify maybe 100m systems around the world,” said Lord, “but now we have data algorithms, biometrics and other capabilities to verify over 5 billion citizens uniquely in the one platform. If you can get online, there is a really good chance that we are going to be able to authenticate you.”
As a third-party provider of identity services, GBG has been making approaches to be involved in the DTO’s evolving identity security work and Lord believes looming proof-of-concept works — highlighted in a DTO tender issued in early May — will clarify the value of large-scale digital identity management in the Australian context.
“The technology is now ready — and, more importantly, the user experience is ready — for mass adoption of digital services,” he said. “They have to get it right this time and I absolutely believe they will.”
Trust must be earned
Just what role the private sector will play in the TDIF remains to be seen. Dixon noted that extant identity verification services from government may compromise the commercial market for such services. Yet as the new identity architecture evolves, the potential commercial opportunities — already identified by the likes of GBG — are forming part of the process.
That process has also included a strict procedural focus throughout the project’s Discovery phase, with privacy a key learning point. In this area, Dixon highlighted the importance of watching what people do around managing their identities as well as what they say they want — a dichotomy that becomes most evident when comparing, say, people’s willingness to use fingerprint scanning to log into their phones but refusal to use fingerprints to access government services.
An established body of evidence makes this no surprise. A Unisys Security Insights survey last year, for example, found that government agencies were the second least-trusted bodies when it came to protecting private data, with 49% of Australians expecting a government data breach within the next 12 months — higher than in any other industry save telecommunications (58%).
“Consumer trust must be earned and maintained,” warned John Kendall, security program director with Unisys Asia Pacific, in a statement. “Many Australians have personally experienced a data breach or have seen media reports of high-profile breaches by government and telcos, so they have a low level of trust in the ability of those organisations to protect their data.
“To build trust, an organisation needs to not only take preventative measures, but to make those measures visible to build public confidence.”
Just how that visibility might manifest remains one of the guiding parameters of the DTO’s work. It’s already well understood that user experience is a key aspect of any secure implementation — and that government bodies are trailing private-sector web properties such as Facebook, Google and Dropbox, which have successfully built networks of hundreds of thousands of related properties that seamlessly flow user authentication between their various sites.
Whichever government credentials emerge from the current push for a consistent identity, it’s clear that their handoff will need to happen just as smoothly behind the scenes as the services they feed are integrated within the consumer interface.
This perception of smoothly functioning identity will, in turn, feed consumer perception of a smoothly integrated and secure identity-based government that is also seen to be protecting the privacy of its citizens’ details and empowering them with, as the policy puts it, “greater control of their information”.
“We’re very conscious of the principle of privacy by design and will be providing more information on our plans with regard to this soon,” Dixon said. “There’s value in having trusted identities in transactions, especially where sensitive data or money is involved.”
Identity everywhere
The standardisation of identity opens up opportunities for federation of those identities to departments at the state and local government levels, where citizen-centric portals — such as those of the NSW and Queensland governments — could be wrapped into the evolving identity-federation framework.
Yet even as the handing of myGov to the DTO reflects the government’s continued development of trusted identity processes, technology is conspiring to muddy the field further as the Internet of Things (IoT) continues on its exponential trajectory.
Growing numbers of smart and dumb devices being deployed in the field — particularly for smart-city initiatives based around smart power meters, parking and traffic sensors, adaptive lighting and the like — will complicate the identity paradigm by requiring non-repudiable authentication mechanisms capable of authenticating and validating the data they produce.
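The “non-repudiable authentication” that sensor data needs is, in practice, a per-device signing key whose public half is enrolled with the collector at provisioning time. The following is an added illustration, not code from the article or from any of the programs it describes: a constructed smart-meter reading is signed on the device with Ed25519 (Go’s standard library), and the collector checks that the device is enrolled, that the signature verifies under that device’s key, and that the sequence number has advanced so a captured reading cannot simply be re-sent. Device IDs, field names and values are all made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Reading is one telemetry sample from a field device (a constructed example:
// a smart power meter reporting a kWh value with a per-device sequence number).
type Reading struct {
	DeviceID string  `json:"device_id"`
	Seq      uint64  `json:"seq"`
	KWh      float64 `json:"kwh"`
}

// SignedReading is what travels over the network: the reading plus the
// device's Ed25519 signature over its canonical JSON encoding.
type SignedReading struct {
	Reading   Reading `json:"reading"`
	Signature []byte  `json:"signature"`
}

// Registry is the collector's record of enrolled devices. It holds only public
// keys; each private key is generated on (and never leaves) its device.
type Registry struct {
	keys    map[string]ed25519.PublicKey
	lastSeq map[string]uint64
}

func NewRegistry() *Registry {
	return &Registry{keys: map[string]ed25519.PublicKey{}, lastSeq: map[string]uint64{}}
}

// Enroll records a device's public key at provisioning time.
func (r *Registry) Enroll(id string, pub ed25519.PublicKey) { r.keys[id] = pub }

// NewDeviceKey generates a per-device Ed25519 key pair.
func NewDeviceKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// canonical produces the exact bytes that are signed and verified. encoding/json
// emits struct fields in declaration order, so both sides agree on the encoding.
func canonical(rd Reading) ([]byte, error) { return json.Marshal(rd) }

// Sign runs on the device: only the holder of the private key can produce this
// signature, which is what makes the reading non-repudiable.
func Sign(priv ed25519.PrivateKey, rd Reading) (SignedReading, error) {
	msg, err := canonical(rd)
	if err != nil {
		return SignedReading{}, err
	}
	return SignedReading{Reading: rd, Signature: ed25519.Sign(priv, msg)}, nil
}

var (
	ErrUnknownDevice = errors.New("device not enrolled")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrReplay        = errors.New("sequence number not newer than last accepted")
)

// Verify runs on the collector: the device must be enrolled, the signature must
// verify under its key, and the sequence number must advance (replay check).
func (r *Registry) Verify(sr SignedReading) error {
	pub, ok := r.keys[sr.Reading.DeviceID]
	if !ok {
		return ErrUnknownDevice
	}
	msg, err := canonical(sr.Reading)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sr.Signature) {
		return ErrBadSignature
	}
	if last, seen := r.lastSeq[sr.Reading.DeviceID]; seen && sr.Reading.Seq <= last {
		return ErrReplay
	}
	r.lastSeq[sr.Reading.DeviceID] = sr.Reading.Seq
	return nil
}

func main() {
	reg := NewRegistry()
	pub, priv, _ := NewDeviceKey()
	reg.Enroll("meter-0001", pub)

	sr, _ := Sign(priv, Reading{DeviceID: "meter-0001", Seq: 1, KWh: 12.5})
	fmt.Println("genuine reading:", reg.Verify(sr))

	tampered := sr
	tampered.Reading.KWh = 0.5 // value altered in transit; signature no longer matches
	fmt.Println("tampered reading:", reg.Verify(tampered))

	fmt.Println("replayed reading:", reg.Verify(sr))
}
```

The design point is that the collector stores nothing secret: a compromised collector leaks public keys and sequence counters, not the ability to forge readings. In a real deployment the private key would sit in the device’s secure element, and the sequence counter is the minimum replay defence; a timestamp window or a server-issued nonce is the usual complement.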
In a recent assessment of the IoT market, Gartner predicted that there would be some 25 billion IoT devices installed by 2020, with 6.8 billion of those related to smart-city implementations. Reports suggest that the US federal government alone spent US$35 billion (AU$48 billion) on IoT solutions between 2011 and 2015.
This growth helped position IoT as one of Gartner’s top 10 strategic technologies for government this year, alongside areas such as open data, digital government platforms, multichannel citizen engagement and citizen electronic-identification efforts.
And while IoT is more relevant for governments as an internal tool for service delivery, efforts to boost its security are increasingly relying on identity paradigms to ensure that IoT rollouts don’t get out of hand.
“IoT is an incredible opportunity and many of the opportunities that will flow are not just economic,” said Internet Australia CEO Laurie Patton, who is tailoring his Technology in Government presentation around IoT and the security issues it presents.
“For IoT to be readily accepted, we need to be looking at security and privacy implications and dealing with those up front,” he told GTR. “The government must be on the front foot helping sort out issues in relation to security and privacy, before they cause a backlash. And we need to be mindful of the fact that IoT is not just about economic development, but about social development.”
Internet Australia was a founding member of the recently formed Internet of Things Alliance Australia (IoTAA), which will unite industry groups and commercial businesses with government bodies and similar efforts overseas to address policy issues around IoT.
The need for government leadership will persist whether the Coalition is returned — putting its digital services strategy into effect — or whether the DTO and other elements of Turnbull’s grand transformation scheme are reworked under a potential Labor government.
Either way, said Patton, IoT and other identity-based issues must be tackled from a bipartisan perspective that keeps pace with continuing rapid developments in technology.
“We need a genuine culture of innovation, and while both sides of politics have talked a lot, there has been more heat than light,” he explained. “The way forward is for us all to develop agreed national strategies that have the support of all sides of politics. This is a new horizon that we’re only beginning to see.”