The Role of Central Signing and Authentication in e-Government Security
Cryptomathic : 05. September 2016
Year after year, more stories surface about large-scale data loss from e-government systems across the world. Stolen accounts have been used multiple times to gain access to governmental systems, resulting in destructive attacks that put many citizens' sensitive information into the wrong hands. In 2015, the US government announced one of the largest e-government attacks to date, resulting in the loss of over 4 million federal employees’ private information – including background checks, security clearance information, social security numbers, etc. Just one year before, Singapore experienced the hack of 1,500+ user accounts in their government platform, giving hackers the means to apply for work passes and create new businesses, among a number of other things.
Understandably, a government’s citizens expect (as they should) that the government has appropriately secured e-government processing to prevent data loss. E-government is a robust data platform that is used for all types of transactions – from basic public information to national security data. E-government facilitates data movement between agencies, government to business transactions, and government to officeholders and citizens.
Given the number of threats present on the global stage including ISIS, North Korea, and other cyber groups, government entities have no choice but to make security a top priority – otherwise, virtually everyone using that platform is in danger of experiencing data loss and corruption.
With the number of security incidents on the rise, should we simply accept the current cyber landscape as the new norm? Increasingly, advanced technologies are being built into solutions to protect all processes – from account login to data movement. Security mechanisms that can be used to enhance the data integrity and security of information include multi-factor authentication (MFA) and signing technologies, which provide better authorization to perform data transactions and tasks within electronic government platforms.
Securing access – multifactor authentication
MFA is becoming an imperative addition to government technology, which has characteristically been outdated and vulnerable to account hacks. Based on the rise of breaches in government systems, NIST published guidance on electronic authentication within government IT systems, listing requirements for identity proofing, registration, tokens, and management processes within authentication.
Securing data movement – central signing
Signature technologies are the basis of data integrity and non-repudiation, verifying that the transaction truly originated from the sender. Signatures are built on PKIs and have extensive requirements to protect data integrity, such as a data set verifying who issued the qualified certificate, as well as verification of the sender’s name and origination. Many strategies have been deployed to approach signatures – such as the traditional asymmetric keys which are used in digital signatures. The EU recently issued new regulations for electronic signature technologies under eIDAS, which further validates the necessity of a signature technology to protect government information.
Thoughts for the future
As we look ahead, new challenges will be on the horizon for e-government platforms as they are increasingly shifted to cloud environments. Additionally, as seen in companies such as Bitfinex (the digital currency trading platform which just experienced a $65 million loss in bitcoin due to a hack), there is a shift towards multi-signature authentication, which requires multiple key holders to authorize a transaction. While this may not sound like a challenge, the strategy clearly is not foolproof yet, as the multiple key holders have begun blindly signing off on exchanges.
E-government is becoming the center of how a government operates, and thus it is no surprise that it is one of the largest targets of nation-state cyber groups. Many countries have begun exploring emerging technologies to enhance their data security for applications in order to protect employee accounts and prevent the loss of data integrity. For example, Estonia began using blockchain technologies to provide an added layer of authentication and certification for their e-government applications. Well-established authentication and signatory capabilities are key to securing e-government accounts and transactions – and preventing future hacks of entities like the US government and Bitfinex.
References and Further Reading
- Selected articles on Authentication (2014-16), by Heather Walker, Luis Balbas, Guillaume Forget, and Dawn M. Turner
- Selected articles on Electronic Signing and Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen, Dawn M. Turner and Tricia Wittig
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
- Security Controls Related to Internet Banking Services (2016), Hong Kong Monetary Authority