It's the software's fault

Apparently the latest provincial government InfoSec breach can be blamed on the software, specifically a file sharing program known as LimeWire.

A popular file-sharing program exposed the private details of more than 150 people over the internet [sic]earlier this month, the Newfoundland and Labrador government said Thursday.

That's an interesting take on the story, given that people operated the computer involved, loading the software without changing the default settings.

Apparently, no one at the Workplace health and safety commission had anything to do with it either, even though they handed over highly confidential information without ensuring the outside contractor was following appropriate security procedures.

No people were involved at all.

Well, that is, except, ummm, of course for the 153 people whose files were exposed, including 108 who had their medical histories and work histories, as well as names and birthdates openly accessible on the Internet for 24 or so days.

And that identity theft thingy that Attorney General Jerome Kennedy warned about in the news release on Thursday? Well, when he spoke to reporters, Kennedy had a slightly different tune to sing:

"The file sharing program allows for access of various information that's on an individual's computer. It doesn't mean it will be accessed," Kennedy told reporters.

So why all the big fuss about government officials taking proper measures in the wake of the leak or of the giant lock-down being applied to every computer in government? Apparently it was nothing to worry about after all.

In other words, the giant news release Kennedy authorized for distribution was just a waste of energy.

Is it just an overactive imagination or did the province's attorney general sound less like a cabinet minister looking out for the public interest and more like the government's chief legal counsel representing a client staring at potential lawsuits?

-srbp-

Remember the story yesterday and the Telegram's short version? The story on page three of the Friday edition didn't mention identity theft anywhere.

Gov Comm 101: How to manage crisis spin

1. Write a news release which deliberately buries the real news so far down the page that reporters are likely to miss it.

2. Omit key information from the news release, like the fact that the information in a security breach was exposed to the Internet from December 30 until at least January 22.

3. Hold a newser to discuss the security breach later on the same day when the Auditor General releases a scathing report into government operations. (Since you have the AG report months in advance in order to prepare replies and since you know in advance the day, time and place the thing will be released, then deliberately scheduling the newser you want to bury is very easy. Experience tells you that newsrooms will be so consumed with the AG report they won't have the resources - people or time - to dig through your presentation for the news you buried.)

4. Send the number two person in the Communications and Consultation branch to supervise the execution of the spin plan. (That's a clue as to how much concern there is in government about ensuring the story is highly torqued.)

-srbp-

Atty Gen'l: identity theft potential exists for victims of gov't InfoSec breach

Attorney General Jerome Kennedy said today that 153 residents of the province, including 108 clients of the province's workers compensation agency, face the potential risk of identity theft as a result of a computer security breach by a consultant working for the agency.

A total of 694 files were exposed to the Internet for an undisclosed period of time, through an unspecified file-sharing program. While a forensic investigation has been conducted by at least one computer security firm, the minister did not confirm whether or not the files had actually been accessed.

The information included names, addresses, medical histories, work histories, sex and date of birth.

In a backgrounder to the lengthy news release, the provincial government confirms that until now, there was no government policy requiring outside consultants to adhere to government security protocols on access to information.

This situation appears to have existed despite five years of preparation before the government implemented privacy sections of a new access to information law. The law was implemented on January 16 and the security failure occurred on January 22. it was disclosed three days later.

The actions taken by the province's chief information officer in the wake of the breach include installing new software, holding educational sessions for employees and other actions that presumably were not done since the chief information office was created and well before the privacy rules came into effect.

-srbp-

News by Chip

VOCM has been getting a toasting from a few people lately for its questionable editorial choices, especially when it comes to the current provincial administration.

Well, truth be told the favourable coverage of the puissance du jour started a long while ago but really reached full bloom under Brian Tobin. That's when it came to be known as Voice of the Cabinet Minister.

And boy, that name really applies when you see a news organization repeat almost verbatim the fawning, self-congratulatory spin - i.e. bullshit - of a cabinet minister at the centre of a major breach of personal security by a government agency and with it the violation of a brand new privacy act.

Only in Newfoundland and Labrador would a news organization side with the power of the day in a case where said power:

a. Had a complete breakdown of its computer security.

b. Again.

c. For the second time in three months.

d. And sat on the information for three full days.

e. and even at that point (now almost a week later), still has no idea what exactly happened, how long it was going on and how much information on how many people was involved.

No matter how bad the cock-up, no fear. VOCM will always tell you exactly what the provincial government wants you to know.

And when it comes to stories they get first that cast the current administration (whichever it is) in a bad light, well, they'll avoid it like the plague.

VOCM: Who cares about the common man?

Update; A couple of e-mails raised issues with two aspects of this post.

The first one is simple: the Chip in the title is the Kevin Bacon character in Animal House who ran around insisting all was well in the middle of a riot. it seemed an apt analogy since the basic thrust of the provincial government's message here is that everything is fine and there is a problem, but a really not so important one. After all, "appropriate" measures had been taken. Oh yeah, after the fact but the measures were "appropriate".

The second was with the word "complete" as in complete breakdown of computer security. At this point, we have no idea of the extent of the security breach. But frankly, when it comes to security, the issue is never about the 99% of the system that wasn't involved but the 1% - using arbitrary numbers - that was.

Security is a bit like virginity or pregnancy. You can't be mostly unpregnant any more than you can be a partial virgin.

If there was a breach - and there undeniably was - then the system failed.

To take it a step beyond that, the focus of government's comment and the consequent public comment is that this is seen as an information technology issue. Government computers are secure, as we are told, since the IT people have taken measures to ensure that particular software can't be loaded to government computers.

That's not really the point, though.

Information security is a system, a culture that involves not only the hardware and software but also the attitudes and behaviour of people using the computers and programs.

Take a look at The Breach Blog (breachblog.com) and you'll get a better feel for the issue and the ideas. Information security encompasses a whole range of issues beyond just hardware and software. Scroll the posts at Breach Blog and you can also see the extent of the security issue across the developed world.

Stolen laptops. Unencrypted data. Missing hard drives and flash drives.

Even in the case where a laptop has encrypted data, putting the laptop in a place where it can be stolen suggests a certain laxness (laxity?) in personal habits of the people using the laptops.

Your humble e-scribbler has been involved in information security a number of ways over the years and information security is an integral part of day-to-day business. There are all sorts of the hardware and software methods to secure information from both unintentional disclosure and from possible prying eyes. There's also a segregation of information such that confidential information isn't stored where it might be accessed. Flash drives are routinely cleared of files and each one is kept under close custody.

One client kept apologizing for the security procedures they used internally which included incidentally, keeping physical control over individual movements within the office suite when outside consultants were in the suite. Going to the bathroom required notification, permission and escort. Flash drives were surrendered and scanned on entry and exit to ensure only those files that were authorized came and went.

The Government of Canada has a fairly extensive information security (InfoSec) program that applies throughout government and to contractors. In an increasing number of cases, outside contractors must clear a security screen, including an assessment of security processes and procedures at the contractor's work site.

The responsibility for security is established at the outset:

Departments are responsible for protecting sensitive information and assets under their control according to the Security policy and its operational standards. This responsibility applies to all phases of the contracting process, including bidding, negotiating, awarding, performance and termination of contracts, as well as to internal government operations.

Whether a contract is within or outside a department's delegated contracting responsibilities, the department is responsible for identifying sensitive information and assets warranting safeguards.

Part of the InfoSec issue with the provincial government is related to its overall attitude toward security. That's not a new issue, but things have definitely not improved lately. How many officials have cleared a federally-recognized security screen? The answer as of two years ago was the same as it always has been: zero. That's why no provincial officials were allow to attend a briefing on the Titan missile launch even though the briefing was only at the Secret level, the second lowest level there is.

Recall Heidigate? In 1997, an official of the Premier's Office obtained confidential pension information on three former members of the House of Assembly and leaked it to local media.

Okay. That's bad enough.

But the public servants responsible for controlling the pension data, all of whom knew of the need for confidentiality and who knew or ought to have known the official had no legal right to access the information, gave up the data based on nothing more than a telephone call from the Premier's Office. If they objected or raised questions, we'll never know. Certainly there were no consequences, beyond the minor political controversy that erupted over it. The whole thing was brushed aside by the Premier of the day based on the youthfulness of the person who asked for information. The tone was set from the top.

You see the point: security is about more than whether or not someone can load MSN Messenger or Limewire on a computer.

It's about attitude, and frankly, when the attorney general's news release on the issue focuses attention everywhere except on the gravity of the security breach in the first place, we can be pretty sure the security attitude hasn't changed much.

-srbp-

Public body breached new privacy law

Is everyone in government ready to protect personal privacy?

Apparently not.

The section of the Access to Information and Protection of Personal Privacy Act, known by appealing acronym ATIPPA, dealing with personal privacy came into force on January 16, 2008.

Given the five year delay in implementing the new privacy protections, it came as something of a surprise on Friday to learn of the possible leak of an undisclosed amount of private information held by a government agency. Someone on contract to the Workplace Health, Safety and Compensation Commission operated a file sharing program that gave access to files on the computer's hard-drive, including confidential records related to the commission.

It's taken a while to get the whole act into force, something on the order of five years. The delay was apparently due to a need to get government departments ready to deal with the implications of the new legislation. In the meantime, the old Privacy Act, circa 1981 was in force. The Privacy Act was far from perfect but at least it was something.

Workplace Health learned of the security problem on January 22 but it took three whole days for the provincial government to inform the public of the problem. The entirely self-serving news release spent more time trumpeting the actions taken to deal with the problem and to praise the Office of the Chief Information Officer [OCIO] for all its fine work in protecting information than it did in disclosing what government knew about the extent of the breach and whether or not information had actually been obtained illegally by anyone.

In fact, the only thing clear through the release is that the provincial government actually knows - or appears to know - very little about the breach beyond some very rudimentary details.

There's even a rather interesting quote from the newly minted chief executive of Workplace Health;

"The Commission shares the Provincial Government’s view that private and confidential client information must be safe guarded both at the Commission and with service providers. Until the forensic investigation is complete, the extent of the exposure is not known and we are unable to determine how many, if any, of the Commission’s clients may be affected," said Leslie Galway, Chief Executive Officer, Workplace Health, Safety and Compensation Commission. "The Commission was not the source of the breach but nevertheless has taken measures to ensure the integrity of its network system was intact, as well as address the network system concerns with the private company involved."

How comforting.

The commission shares the provincial government's view that private information must be safeguarded.

Unfortunately for the commission, this is not merely a "view", an opinion of the sort one might wish to be associated with like, say, "My goodness that was a lovely sunrise this morning."

It is the law.

36. The head of a public body shall protect personal information by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.

And there's nothing in the law that restricts the legal obligation of a public body to protect private information only to computers owned by the public body itself.

It's a blanket obligation.

That's what makes the provincial government news release so interesting. In the quote above, Leslie Galway talks about securing the commission's own network and refers vaguely to addressing "network system concerns." Heaven knows what that means, but it is entirely irrelevant since the actions were taken after the fact.

The story gets more interesting when one reads the coverage in the Saturday Telegram, sadly not available online.

Justice minister Jerome Kennedy says the consultant was "doing some work for justice" [presumably the department] occupational health and safety assessments. Kennedy repeated that there are government policies in place that prohibited the use of file sharing programs on government computers. He pronounced himself satisfied with that: "I'm comfortable ...that this issue with government-owned computers has been addressed very expeditiously and thoroughly."

Just so that we can all share the minister's sense of comfort, go back and wander through the OCIO website. try and find a policy statement on file sharing and the handling of records. There isn't even a link to the ATIPPA in the links section of the website, even though ATIPPA is a key part of records management within government.

But of course, this is the second such incident in a handful of months. A similar case came to light in November involving 1420 medical files. The Telegram reports that 370 files were accessed - by whom is not disclosed - and that the files belonged to 151 patients and two employees of Eastern Health.

The Telegram also states - erroneously - that provincial government policies do not extend to the private consultant. While a public body is able to disclose personal information to a consultant doing legitimate work for the agency or a government department, section 36 of the ATIPPA doesn't limit the obligation of the department or agency to take reasonable security measures.

The crux of this story is that for the second time since November, a provincial government agency is involved in a breach of privacy. This second case is all the more serious since it comes less than a week after new legislation took effect which obligates public bodies to protect information from disclosure.

No surprise, in that context, that the provincial government delayed disclosing the existence of a security breach and at the same time focused its attention - in the news release - in endless self-praise, rather than acknowledging the gravity of what had occurred.

That's not accountability or transparency, as the justice minister professed when announcing the privacy legislation was in force. And frankly, the people of the province should view with some suspicion this pronouncement by the justice minister.

"I want to assure the people of Newfoundland and Labrador that their personal and confidential information is treated with respect and in accordance with the Access to Information and Protection of Privacy Act."

The subject of his news release - a second security breach involving an undetermined amount of confidential, personal information on an undisclosed number of individuals or corporations - is evidence that information is not being handled "in accordance with" the ATIPPA. If the minister is not prepared to acknowledge a problem exists, it's highly unlikely a proper solution will be implemented, let alone found.

Up-data: Seems the CBC version of this story has some variations from the telegram version.

"The investigation is very early on," said Leslie Galway, the commission's chief executive officer.

"We are not aware of whether our clients are actually involved with the information on that computer specifically, and what sort of information may be there."

Three days later and no one knows what was on the computer?

"At this stage, we don't know the extent or nature of the breach," Kennedy said, "nor the types of information that may have been exposed."

Now there's a familiar line. It popped up in November as well, and right behind came the assurance that there was absolutely nothing to worry about.

The real value of the CBC story though is the link to a follow-up on the November security leak. on November 27, health minister Ross Wiseman said there were only 49 people involved in the first leak. The Telly now has the figure at 153.

Which number is right?

-srbp-