President John Magufuli officially launching the e-passport at the Immigration Headquarters in Dar es Salaam recently. Looking on is Zanzibar President, Ali Mohamed Shein. PHOTO | STATE HOUSE
E-passports are a recent example of a planned initiative for
the government to go more digital. The issuance of such passports is expected to
lead to faster, more secure and efficient processing of travellers at border
control points. Similarly, the issuance, renewal and replacement of passports
will be more efficient, thus saving costs for the government.
The efficiency in these processes will benefit us as
citizens as a lot of time will be saved, which can be productively spent
elsewhere. Some of you may have noted how quickly your fellow passengers get
cleared when you arrive at certain airports (in countries such as the UK which
have already adopted e-passports) through the “automatic border-control gates”
while you are stuck in a long, winding queue.
Aside from time and cost savings, the e-passports will also
strengthen controls against illegal immigration and enhance national security in general.
These benefits are in line with the government’s technology transformation
projects which aim for efficiency and greater customer satisfaction, but also
introduce new challenges.
Key challenge
One key challenge is how the Immigration Department is going
to secure our data to ensure confidentiality, integrity and availability. Data
that identifies you as a citizen will be stored in a system, and this includes
biometric data (such as fingerprints, iris scans) and other forms of data
deemed useful.
At the time of travel, the information on your e-passport
chip will be validated against a central database that has all your information
in order to authenticate your identity.
So, have adequate measures been thought of to safeguard this
sensitive data? What if your data gets manipulated, and your fingerprints end
up being stored on someone else’s e-passport?
Given the sophistication needed from the system to securely
process travelers at our borders and curb illegal immigration, you can imagine
the value attached to the authenticity of your personal data.
What if your data
falls into the wrong hands? What controls will be in place to prevent this from
happening?
Incidentally, this is not the first project that the
Government has embarked on where citizens’ data is being collected and stored.
We first had the National ID project, where we had to provide personal details
and biometric information (fingerprints). Then came the electoral database
where we provided pretty much the same information.
Where is all this data being stored? How is it protected?
And more importantly, can this information be centrally managed and shared such
that we do not have to supply the same details over and over again? But this
latter point is for another conversation; for now, let me focus on the data
security risks.
Even where the process is automated, human intervention will
still play a part, leading to some of the risks mentioned above.
Human intervention is required at the point of capture or
update of details in the system, as well as maintenance of the system. It is
this human element that is prone to making errors and can be compromised
sometimes (with or without their knowledge).
In addition, the system in itself is made up of various
components such as the application, the database and the network. If any of
these is not well secured, it can provide a loophole for data or the system to
be manipulated.
A good analogy will be having an expensive car (the system)
that is full of gold (citizens’ data) and having it parked outside a house that
has no fence or security guard.
Cybersecurity ecosystem
The in-built security of the car in itself does not prevent
thieves from getting to the gold. It is the entire ecosystem that needs to be
secured to ensure the gold is well protected.
The same applies to the cyber-security ecosystem required to address the challenges above.
I know the word puts off some people as they think
cybersecurity is the job of the IT department.
But it’s not only IT that should
be involved. We all have a part to play. For e-passports, this includes the
applicant, the junior immigration officers, right through to the
highest-ranking people who own this project.
With more than 100 countries already using e-passports, the
technology itself is likely to be robust.
However, when we look at the
“ecosystem” and given that Tanzania does not yet have a national framework for
cyber security risk management, are we ready to tackle and address the threats
and vulnerabilities that come with such initiatives?
So, whilst we embrace these great initiatives which will
take our country forward and bring about much needed efficiency, we should also
address the risks involved and in particular cybersecurity which is a new norm,
and which will increase in sophistication as we innovate and integrate more
systems.
How should we ensure the integrity, confidentiality and
availability of all our data?
Firstly, everyone has a part to play when it comes to cyber-security. Gone are the days when this was an “IT” problem only! Provided
that you interact with a system or the internet through any device (smartphone,
laptop, tablet etc.) you should take good measures to keep your information
secure.
We do not sleep with the front door of the house open just
because there is a security guard outside.
The same principle applies in cyber-security. Every user has a role to play. As such, all the people involved
in the process of filling in, processing and maintaining data required for the
e-passports need to be educated on how to be secure in cyberspace.
Clicking unknown links
This starts from the basics of having strong password
controls to not clicking unknown links (as such links can be malicious and
infect the user’s machine or give access to hackers). This education needs to
be given continuously and it has to stay current and relevant as technology
keeps evolving.
Secondly, the system that will be processing and storing
data for e-passports must have robust features that will ensure data integrity
is maintained. This is where IT and the user departments come and work
together.
As the system will be hosted in a network connecting it with
various border points, this network must be designed with security in mind. The
main objective being to protect the system from external and internal attacks.
Secure protocols and encryption need to be in place when
data is being transmitted between two points to prevent it from being
intercepted.
In addition, there need to be detection mechanisms that will alert
Immigration on a timely basis when an attempt is made to attack or access the
system without proper authentication.
Well-designed processes
The above concepts cover “people” and the “systems”. The
third component that is key in addressing cybersecurity is “processes”.
There
need to be well-designed processes and controls in each activity that involves
e-passports, be it creation, updates, renewals etc. Such processes, if not well
designed, can also provide a loophole for exploitation of the security threats
and vulnerabilities mentioned earlier. In addition, the Immigration Department
must also have a process of responding to “electronic-related” incidents.
Then there is an aspect of good work ethics which seem to be
disappearing these days when it comes to maintaining confidentiality. This you
can tell by the number of instances sensitive corporate information has made
the rounds in social media (thanks to smartphones).
So in educating people, staff should also be sensitised
(particularly the ‘young smartphone-savvy’ users) not to snap sensitive data
and share this through social media.
This then brings me to the last point regarding the skillset
required to address cybersecurity issues.
There is a significant shortage of
experienced or qualified cybersecurity professionals in this field both locally
and globally (as noted by various reports by PwC, ISACA, Protiviti, etc).
Tanzania currently has about 250 such professionals (based on the Serianu 2016
report on Cybersecurity).
This number is clearly inadequate given the extent of
automation and integrated systems in the public sector alone – and this is
before considering the demands of the private sector, which includes some
heavily automated industries such as telcos and banks.
So, both public and private sectors have a common interest
to invest in the skill set of those people needed to implement the control
measures mentioned above to minimise cybersecurity risks.
So, whilst we embrace these great initiatives which will
take our country forward and bring about the much needed efficiency, we should
also address the risks involved and particularly cybersecurity which is a new
norm and will only increase in sophistication as we innovate and integrate more
systems.
Sanare Kaduma is an associate director with PwC and the
ISACA Tanzania Chapter President