Opinion: Government is about making and implementing policy, and serious thinking about cyber threats needs to be brought into its formulation, writes Paul Waller, researcher at Brunel University London
Government needs to develop a new relationship between its policy makers and digital experts, and if it wants to avoid some serious problems the cyber security specialists should play a significant role.
The thinking behind this is based on the Brunel University working paper, Digital Government: overcoming the systemic failure of transformation.
Along with its warning against “putting lipstick on the pig” – building websites on the front end of administrative transactions – it emphasises the prime role of government as making policy rather than delivering services. The balance varies between different arms of government, with local authorities having responsibility for a range of services in line with central policy, but the fundamental point is that transformation can only be delivered through a focus on policy – and the instruments for its implementation.
This is where the interactions with the citizen and business come into play, with processes such as payments to and from citizens, the granting of permissions, registrations and contracting forming part of administering policy instruments. They provide the bridge between policy and the public, and a large element of public sector reform is about changing these instruments: using digital technology can reduce the administrative burden of instruments and make things easier for the citizen.
But putting them on the internet also creates some juicy targets for cyber criminals; they are potentially weak points in day-to-day administrative processes and in the success of efforts to implement policies. Keeping them secure against the constantly evolving threat of cyber-attack has to be one of the key elements of any policy or transformation programme.
This is in some ways an extension of designing administrative processes that are resistant to fraud. That is something that policy designers have been doing for years, by thinking about prevention, and if that fails, detection and collecting evidence for prosecution. The experience of fraud also tells us that where money is involved, criminals are all too often one step ahead, and sadly the same is likely to apply to cybercrime — so continuous attention to prevention measures is required.
This is why cyber security has to be taken into account from the beginning, when policy is being formulated, and built into the design of the implementation instruments. It goes deeper than bolting on security technology, to ensuring that possible threats are kept in mind when decisions are made on policy and processes.
It reflects the concept of ‘security by design’, which has been around for some time in software and hardware development, and has been advocated as an important concept for developing internet applications. It seeks to make systems impervious to cyber-attacks through continuous testing, authentication safeguards and adherence to best practice in programming.
Securing weak links
Similar thinking is needed in policy formulation. It would not take an identical approach, but draw on the principles of testing an idea against possible threats, looking at the processes for authenticating people and businesses, and seeking to secure the possible weak links in the implementation instruments.
For digital administration this means asking different questions: how can we use technology to make government more efficient and ensure things are easier for the citizen, and how do we build safety and security into the processes? There is also the difficult question of what level of risk we are willing to accept, and of how to provide the flexibility to respond to the continual changes in the landscape around cyber security.
These are very complex issues, and it may not be possible to find definitive answers; but they have to be addressed. It needs a healthy and sustained dialogue between the policy makers and not just the digital specialists, but also the experts in dealing with cyber threats. Both sides need to understand the language and priorities of the other, and find a way of ensuring that protection is built into policy and its implementation instruments.
This would be a step towards providing long-term security and trust in technology-based public administration.
For an array of insights into how cyber security relates to the priorities of local government, come along to the UKAuthority/MJ Leadership in Local Cyber Resilience event on 7 December 2016.