Editorial: Government insecurities

As William Shakespeare wrote, "Once more unto the breach, dear friends, once more!" (Henry V, Act 3, scene 1). It was stirring stuff.

Henry V was rallying his troops to redouble their assault on a city's failing battlements.

Nowadays, as far as New Zealanders are concerned, "breach" is developing a dismal contemporary meaning, signifying another humiliating online security failure by another Government department.

In which case, let's have a bit of respect for the assailants. It's not as if people seem to have been getting much done by just seeking to have a quiet word of warning.

Unless its failures are rather more publicly exposed, the Government is either incapable of or disinclined towards investing the resources necessary to keep deeply personal human records secure.

The latest disgrace is that Work and Income has been operating online self-service kiosks through which, it turns out, acutely sensitive information could be accessed by people as inquisitive as Ira Bailey.

The extent to which Bailey may or may not have been mischievous is scarcely significant in the context of the terrible security failings he uncovered.

Nor should we rise to the distractive bait that Bailey, a systems administrator, was also one of the Urewera activists.

Make what you will of the fact that, having found the information, he contacted the Ministry of Social Development to see if it would reward him as Google and Facebook have been known to do when they benefit from "vulnerability reporting".

Turned down, he then approached - and thank goodness - blogger Keith Ng, who by any reasonable standard reacted with integrity.

Ng checked out the breach himself, took out enough information to confirm it, went public about its existence and returned it all safely to the butter-fingered ministry.

This, remember, comes after all those wider lessons were meant to have been learnt from the ACC and the Inland Revenue Department confidentiality breaches.

The Work and Income failure is shaping up as the worst of them - testament to the persistent creaking inadequacies of Governmental online security.

It even transpires that the Ministry of Social Development had been previously warned about security holes in the Work and Income public kiosk.

Yet its reaction, whatever it was, failed to prevent a situation where someone with just a bit of nous could sit at a Work and Income-provided computer and find, inadvertently or not, sensitive case notes, names of children in care and up for adoption, ministry debtors and the name of someone who had attempted suicide.

It is now essential that the focus of inquiry go beyond this particular chasm of incompetence and extend throughout the public service computer systems.

It's not as though there isn't already a system of checks. But how rigorous and adept they have been is another matter entirely.

In a climate of cost-cutting, it's no small thing that serious information-technology expertise is expensive. That doesn't make it an optional extra.

The Southland Times