OTTAWA — The Ontario government will boost the number of digital certificates within the public sector to 100,000 in the next few years to ensure the electronic information of its 11 million residents is not compromised by hackers
or worms, an Ottawa conference heard Wednesday.
“”There is no doubt in my mind: We have to take the lead on this,”” said Curtis Allen, the provincial government’s director of corporate security.
Speaking to attendees of Multi-Channel Service Delivery for Government, Allen outlined how Ontario’s e-government security strategy has progressed in its first year.
The government’s Public Key Infrastructures (PKI) system currently comprises some 60,000 digital certificates. But in the next few years, Allen and his team will reach out to Ontario’s “”wider public sector,”” he said. This includes such groups as the Children’s Aid Society and various police forces, he said.
The government-wide strategy also aims to improve the interoperability of the Royal Canadian Mounted Police and the Ontario Provincial Police. By combining PKI systems, the two police forces can share sensitive information more efficiently, he said.
In the last year, the provincial government has combined one of the largest PKIs with the Privilege Management Infrastructure. Working in tandem, PKI confirms the identity of the user through data encryption and digital signatures while PMI defines what that user is authorized to access.
Applications like PKI and PMI are crucial if governments or businesses are serious about fighting cases of identity theft and other security breaches that result from online transactions, said Allen, who served with the RCMP for 36 years before moving to his current post. For example, online address-changes or credit-card payments by Web users can be an easy way for intruders to obtain private information.
Threats to IT infrastructure are no longer random, isolated events perpetrated by amateurs, he said. Last January, the SQL Slammer worm spread across the globe in a staggering half-hour.
Internal threats pose an even greater risk because of the in-depth knowledge and unfettered access that an insider has. An employee may reveal sensitive information without even knowing it, which means organizations must be vigilant in educating their staff, he said.
Simple things, such as a computer monitor facing a window, can pose a threat to security. In other instances, a caller could be posing as a help-desk employee who calls an employee for passwords, said Allen.
“”Chances are they will get them,”” he said.
Responding to the need for education, Allen’s department has developed programs to increase security awareness that focuses on employees, managers, security, and system staff.
His team has also identified mission-critical applications throughout the government — some of which are related to education and health. Now that these gaps and shortfalls are identified, 11 out of 70 applications have been subjected to “”threat and risk assessments.”” The remainder will be completed over the next two years.
Allen is quick to point out that the Ontario government has never shut down its gateway. But if the unthinkable does happen, his team is ready. It has conducted disaster-recovery tests on all computers within the government’s four data centres. Meanwhile, “”business contingency plans”” have been initiated for a government building that houses four ministries.
It is hoped that all these measures will improve the dismal public perception of online transactions, Allen said. A recent poll indicated that two-thirds of Canadians believe it is unsafe or very unsafe to go online to give governments key information such as annual income and credit-card numbers.
“”We need to get over this barrier,”” said Helen McDonald, the Treasury Board Secretariat’s (TBS) assistant secretary of government online (GOL). McDonald gave the keynote address at the conference. “”And we also must know with confidence who the client is in the online world.””
The conference wraps up Thursday.