Ng's 15 mins is Government's nightmare

TOO EASY: Keith Ng showed how inept some government agency computer security was.

Recently I went to the excellent Warhol: Immortal exhibition at Te Papa. I first got into Andy Warhol via his pet rock group, The Velvet Underground, the band famously described by Rolling Stone as the greatest band that never was.

Warhol, on the other hand, was a master at self-promotion and glorification of the mundane, from soup cans to Coke bottles.

Warhol believed everyone deserved some glorification and predicted that in the future everyone would be famous for 15 minutes. Perhaps that explains what happened last October to Keith Ng.

Within days Ng went from being a smart but funny data visualiser and hobo freelancer to briefly being the country's most infamous hacker. Keith walked into a couple of Work and Income offices and managed to access client files on kiosk computers. He then downloaded a bunch of those files onto a memory stick and walked out with them. Twice.

He didn't walk very far, however, choosing to throw himself and his findings upon the mercy of the privacy commissioner with his fresh, and fairly compelling, evidence of poorly-protected private information.

The Beehive responded by calling upon their chief geek (more formally known as the Government Chief Information Officer) to undertake a review of publicly accessible State sector computer systems. GCIO Colin MacDonald enlisted the help of KPMG and together they reviewed 70 state agencies and their 215 publicly accessible systems, including kiosks, wi-fi networks and web services.

MacDonald delivered his findings at the end of last year, but for reasons best known to the state services commissioner (but most likely to give the loose agencies time to tighten up), the report wasn't made public until last week.

MacDonald is a colourful but down-to-earth Scot who's likely to call a spade a bloody shovel. And having previously been head of technology across IRD and ANZ/National Bank, he's got technical cred.

Unsurprisingly, he didn't beat around the bush. His review found that the Government is not doing enough to protect people's personal information, and it needs to move quickly to restore public confidence. The large majority (87 per cent) of agencies don't have formal security certification processes, and 73 per cent lack formal security standards and robust risk-management processes.

Of most concern, 97 per cent of agencies had not assessed their compliance against the Government's mandated standards.

Despite the privacy apocalypse that happened at ACC (and subsequently at EQC), only 4 per cent of agencies carry out security-related privacy impact assessments.

Twelve of the 215 systems had live security weaknesses, although there was no evidence they had led to breaches. While it would be interesting to know where the 12 flawed systems were, and whether they were concentrated across a few agencies, the nature of these things is that as soon as you name them, every Zuckerberg wannabe decides to have a crack.

After the report was delivered to the SSC, government agencies were required to take immediate action to get their poop in a scoop around security systems and privacy controls. Importantly, top-tier management were singled out for the cloak of responsibility, not the poor buggers at the bottom of the organisational chart. All the government chief executives got a rocket and received the message that they were carrying the can on security and privacy, and that a new governance group would be checking up on them.

The review prompts three obvious questions. First, what would have been the result if MacDonald had focused his Scottish sensibilities on the private sector rather than the public sector? I'd bet a cold beer on a hot day that the findings would have been worse. A lot worse. While it's appropriate that public agencies funded by taxpayers and entrusted with private information should be more accountable, I imagine the number of flaws in private sector web services would be eye-watering.

Second, while influenced and motivated by privacy concerns, MacDonald's review was primarily security-focused. Given the orgy of privacy violations over the past year and the findings of the ACC privacy review, isn't it time a similar exercise was carried out across the 60 public sector agencies, examining their protection of people's privacy?

Third, when people are increasingly consuming and complying online, and big data is fundamentally changing the opportunities and the risks for New Zealanders, why is the role of GCIO an add-on responsibility to the Department of Internal Affairs chief executive? It is already one of the most demanding portfolios in government.

This is no criticism of MacDonald, easily the best GCIO in 20 years. Rather it's a statement about the need to ensure someone is permanently focused on exploiting the opportunities and mitigating the risks as the digitalisation of Kiwis' lives continues apace. Just keep it out of the SSC.

The other great Warhol quote is: "Art is anything you can get away with."

Let's hope that the same doesn't apply to our digital-empowered future.

Mike "MOD" O'Donnell is a professional director and eCommerce manager. His Twitter handle is @modsta and he's still waiting for his 15 minutes.