Making electronic apps secure requires that feds resolve old problems
The growth of electronic commerce has generated plenty of light as well as heat when it comes to securing transactional systems. Technology for secure links and strong authentication is in high demand for electronic government.
The General Services Administration's Access Certificates for Electronic Services program aims to provide agencies with public-key infrastructure technology, and many see ACES as the key to moving government services online.
Once the secure links and authentication are in place, however, systems administrators will find themselves staring straight at the same problem they have faced for decades: securing the data that's stored on their systems.
We've heard ad nauseam about wholesale cybertheft of credit card numbers from commercial Web sites, the kind of incidents that make senators call for public hearings and make agencies think twice about posting information on the Web. But none of the thefts occurred during transactions.
Like safe cracking
A hacker broke into the databases of CD Universe of Wallingford, Conn., in January and stole 350,000 credit card numbers, demanding $100,000 in ransom. Last month, hundreds of numbers were taken from the databases of Salesgate.com, operated by Internet Management Services Inc. of Buffalo, N.Y.
In neither case did the thief violate the links over which the numbers traveled. In fact, there has been little evidence anywhere of theft of credit card numbers or other information during transmissions. Thieves are stealing data by breaking into databases via vulnerabilities that have been known for years.
The fact is, a transaction is the easiest part of the chain to secure. Browsers' Secure Sockets Layer, virtual private networks and encryption schemes all make it possible to exchange and authenticate information with relative security. They aren't perfect, but sending a credit card number over the Internet might be safer than handing the card to a waiter in a restaurant.
The real threat is to stored information. That applies whether you are selling CDs or dealing in taxes, Social Security records or medical data. Agencies have been storing information on leaky systems for years. Almost every evaluation of the government's information security has found it lacking. General Accounting Office reports for years have labeled government systems high-risk, and GAO repeatedly documents the same lapses in protecting against, detecting and responding to intrusions.
ACES could become a valuable tool for delivering services and doing business online. But without the proper configuration and the latest patches to close the back doors and loopholes on systems, servers, routers and firewalls, adding PKI is like putting a new handle on a leaky bucket.