The State Services Commissioner and head of state services, Iain Rennie, today asked Department of Internal Affairs and Government Chief Information Office head Colin McDonald to undertake an urgent review of publicly-accessible systems operated by State Services.
“The Work and Income kiosk security failure has been a serious breach of the trust that New Zealanders place in their government. It is imperative that government takes the lead to ensure the public and in repairing the damage that has been done to this trust,” Mr Rennie says.
A spokeswoman for the commissioner told NBR ONLINE there were no terms-of-reference for the inquiry. They were expected in the next couple of days.
Mr McDonald will be contacting government agencies in the first instance to seek assurances that their current systems are robust.
“In keeping with the increase in responsibility of his role, the GCIO will lead public service agencies in evaluating and strengthening their ICT security measures to ensure that there are no systemic faults that could cause additional security issues,” Mr Rennie says.
“Since the findings of the Privacy Commission report in August on the handling of private material held by ACC, the State Services Commission have been considering a wider role for the GCIO across the system.”
GCSB role highlighted
Meanwhile, a senior IT industry manager, who did not want to be named but has worked with the Government Communications Security Bureau, has highlighted the agency's role in domestic computer network security.
He told NBR there is a common misconception - even among those working in government IT - that the Department of Internal Affairs (DIA) mandates security practices.
In fact, all government agencies must follow a set of security guidelines laid down by the GCSB.
The GCSB protocols, called the New Zealand Information Security Manual, are online here (with some sections censored).
Former GCSB director Jerry Mateparae writes in the introduction:
The New Zealand Information Security Manual (NZISM) is the national baseline technical security policy, describing baseline and minimum mandatory technical security standards for government departments and agencies.
The guidelines, which run to 247 pages, are comprehensive. Among many other measures, they say information should be encrypted if there is any possibility it can be accessed from a computer in a public space.
However, the manager said he had encountered widespread ignorance about the GCSB rules among government agencies.
They had obviously not been followed by the MSD and its private contractors.
Beyond connecting public kiosks to its main corporate network, storing passwords in plain text (which Keith Ng and Ira Bailey could view) was contrary to any security guidelines, let alone the GCSB-mandated protocols.
The source said the security issue at the GCSB went beyond the potential for rogue staff, or locals like Ng and Bailey, to access the MSD network. Any foreign power looking to access sensitive files would not make a full frontal assault, but would likely find a weak point, such as the MSD kiosks, then work their way in from there.
Deloitte contracted for MSD inquiry
Developments yesterday saw Ministry of Social Development CEO Brendan Boyle acknowledge he was wrong to blame IT contractor Dimension Data for the WINZ kiosk breach.
In fact, the IT services company had warned of a possible security issue in April last year.
The MSD contracted Deloitte to conduct an independent inquiry. Its scope will go beyond the public kiosk security to wider network security and MSD culture and governance.
Ex-Deloitte senior manager Daniel Ayers told NBR the initial two-week assessment by Deloitte could cost $40,000 to $50,000 - but network fixes required could run to tens of millions of dollars.
Mr Ayers maintains he already knows what Deloitte will say; read more of his comments here.
ckeall@nbr.co.nz
Chris Keall
Wed, 17 Oct 2012