28 January 2008

News by Chip

VOCM has been getting a toasting from a few people lately for its questionable editorial choices, especially when it comes to the current provincial administration.

Well, truth be told the favourable coverage of the puissance du jour started a long while ago but really reached full bloom under Brian Tobin. That's when it came to be known as Voice of the Cabinet Minister.

And boy, that name really applies when you see a news organization repeat almost verbatim the fawning, self-congratulatory spin - i.e. bullshit - of a cabinet minister at the centre of a major breach of personal security by a government agency and with it the violation of a brand new privacy act.

Only in Newfoundland and Labrador would a news organization side with the power of the day in a case where said power:

a. Had a complete breakdown of its computer security.

b. Again.

c. For the second time in three months.

d. And sat on the information for three full days.

e. And even at that point (now almost a week later), still has no idea what exactly happened, how long it was going on and how much information on how many people was involved.

No matter how bad the cock-up, no fear. VOCM will always tell you exactly what the provincial government wants you to know.

And when it comes to stories they get first that cast the current administration (whichever it is) in a bad light, well, they'll avoid it like the plague.

VOCM: Who cares about the common man?

Update: A couple of e-mails raised issues with two aspects of this post.

The first one is simple: the Chip in the title is the Kevin Bacon character in Animal House who ran around insisting all was well in the middle of a riot. It seemed an apt analogy since the basic thrust of the provincial government's message here is that everything is fine and there is a problem, but a really not so important one. After all, "appropriate" measures had been taken. Oh yeah, after the fact, but the measures were "appropriate".

The second was with the word "complete" as in complete breakdown of computer security. At this point, we have no idea of the extent of the security breach. But frankly, when it comes to security, the issue is never about the 99% of the system that wasn't involved but the 1% - using arbitrary numbers - that was.

Security is a bit like virginity or pregnancy. You can't be mostly unpregnant any more than you can be a partial virgin.

If there was a breach - and there undeniably was - then the system failed.

To take it a step beyond that, the focus of government's comment and the consequent public comment is that this is seen as an information technology issue. Government computers are secure, as we are told, since the IT people have taken measures to ensure that particular software can't be loaded to government computers.

That's not really the point, though.

Information security is a system, a culture that involves not only the hardware and software but also the attitudes and behaviour of people using the computers and programs.

Take a look at The Breach Blog (breachblog.com) and you'll get a better feel for the issue and the ideas. Information security encompasses a whole range of issues beyond just hardware and software. Scroll the posts at Breach Blog and you can also see the extent of the security issue across the developed world.

Stolen laptops. Unencrypted data. Missing hard drives and flash drives.

Even in the case where a laptop has encrypted data, putting the laptop in a place where it can be stolen suggests a certain laxness (laxity?) in personal habits of the people using the laptops.

Your humble e-scribbler has been involved in information security a number of ways over the years and information security is an integral part of day-to-day business. There are all sorts of hardware and software methods to secure information from both unintentional disclosure and from possible prying eyes. There's also a segregation of information such that confidential information isn't stored where it might be accessed. Flash drives are routinely cleared of files and each one is kept under close custody.

One client kept apologizing for the security procedures they used internally, which included, incidentally, keeping physical control over individual movements within the office suite when outside consultants were in the suite. Going to the bathroom required notification, permission and escort. Flash drives were surrendered and scanned on entry and exit to ensure only those files that were authorized came and went.

The Government of Canada has a fairly extensive information security (InfoSec) program that applies throughout government and to contractors. In an increasing number of cases, outside contractors must clear a security screen, including an assessment of security processes and procedures at the contractor's work site.

The responsibility for security is established at the outset:

Departments are responsible for protecting sensitive information and assets under their control according to the Security policy and its operational standards. This responsibility applies to all phases of the contracting process, including bidding, negotiating, awarding, performance and termination of contracts, as well as to internal government operations.

Whether a contract is within or outside a department's delegated contracting responsibilities, the department is responsible for identifying sensitive information and assets warranting safeguards.

Part of the InfoSec issue with the provincial government is related to its overall attitude toward security. That's not a new issue, but things have definitely not improved lately. How many officials have cleared a federally-recognized security screen? The answer as of two years ago was the same as it always has been: zero. That's why no provincial officials were allowed to attend a briefing on the Titan missile launch even though the briefing was only at the Secret level, the second lowest level there is.

Recall Heidigate? In 1997, an official of the Premier's Office obtained confidential pension information on three former members of the House of Assembly and leaked it to local media.

Okay. That's bad enough.

But the public servants responsible for controlling the pension data, all of whom knew of the need for confidentiality and who knew or ought to have known the official had no legal right to access the information, gave up the data based on nothing more than a telephone call from the Premier's Office. If they objected or raised questions, we'll never know. Certainly there were no consequences, beyond the minor political controversy that erupted over it. The whole thing was brushed aside by the Premier of the day based on the youthfulness of the person who asked for information. The tone was set from the top.

You see the point: security is about more than whether or not someone can load MSN Messenger or Limewire on a computer.

It's about attitude, and frankly, when the attorney general's news release on the issue focuses attention everywhere except on the gravity of the security breach in the first place, we can be pretty sure the security attitude hasn't changed much.