e-Security in the Public Sector

By on

The public sector IT market is enjoying healthy growth in many developed countries.

In some countries the public sector annual IT market growth rate exceeds that of the private sector. In the U.K., for example, the biggest driver in the public sector IT market has been modernization within government. The U.K. government has an ambitious target for central and local government to be carrying out 100 per cent of transactions electronically by 2005. It is expected that the U.K. public sector's total IT budget will exceed £10 billion during 2002/3. In Germany, the government's BundOnline initiative hopes to put 370 public services online by 2005 - at a cost of €1.65 billion. It's no surprise then that the interest in e-Security is high.

As in the private sector, email has established itself within the public sector as a primary communication mechanism. The management of email communication must maintain the duality of protecting the interests of the state and at the same time preserving the privacy of the individual citizen.

Of course, the e-security threats in the public sector are just the same as those in the private sector. However, the consequences of, for example, a denial-of-service incident or a security breach can be much more catastrophic in the public than in the private sector.

Central government e-security

The public sector is also very concerned about maintaining the integrity of its systems and networks. One of the safest ways to protect public networks from outside attack is by not connecting them to the outside world. The so-called 'air gap' is quite common at government installations. It is not unusual for electronic documents to arrive at a government installation on a zip disk, which is then examined electronically for viruses or other malware before its contents enter the government network.

The air gap approach is not scalable for a modern dynamic world. In addition, cyberthreats have become more widespread and real. This has led to the establishment last year in the U.K. of the National High Tech Crime Unit (NHTCU). It is tasked to combat computer-based crime, and works with law enforcement experts selected from the National Crime Squad, the National Criminal Intelligence Service, HM Customs and Excise, and the police force.

When selling to government departments, it is unlikely that you will deal directly with government itself. There are likely to be existing supply agreements with large IT suppliers and systems integrators who have long-term responsibilities for infrastructure and application procurement, integration, implementation and support.

Local government

In local government there is a major issue of direct interaction with citizens. Citizens need easy access to the internet and email, but the channel of communication needs to be secure and the privacy of personal data has to be protected. The X.400 email protocol is still popular in local government, but there is a move towards adopting SMTP. As with any publicly accountable body, local authorities have strict guidelines and procedures in regard to protecting the interests of minorities. Racial abuse is a common indiscretion that email scanning systems can detect. A growing issue in local government email use is spam. Many email management vendors are refining their anti-spam facilities in order to deal with this threat to productivity.

State education

The current hot email topics within the U.K. state education system are viruses and bullying. Schools are big breeding grounds for virus propagation and schools' anti-virus protection has to be effective and regularly maintained.

Email bullying and stalking are two worrying developments in the use of email in schools. Email management systems need specialized lexical scanning and monitoring software to detect these undesirable practices.

Ministry of Defence

The U.K. Ministry of Defence is, of course, very security aware and operates different levels of e-security. For example, it runs its own restricted LAN interconnect (RLI) for wide area networking using information classified up to restricted. The approach taken to prevent 'bad' information entering high security government networks and 'good' information escaping from these networks is analogous to the air gap discussed earlier in this article. There is an 'electronic air gap' between external networks/communications and the government secure network.

Selling and delivering security products to the public sector

Sales cycles are longer in the public sector than in the private. The primary reason for this is that, when selling to publicly accountable bodies, there are strict and detailed procurement policies. Very often there will also be a large specialist systems integrator who is the intermediary in the sale. In fact, the systems integrator could be the customer, who then delivers the e-security product as part of a bigger service application or infrastructure solution.

In the London Grid for Learning (LGfL) project, for example, Clearswift is providing an anti-virus and anti-harassment email scanning service for around 1 million state school pupils. This service is being provided, as part of a comprehensive hardware, software and broadband service, by the specialist systems integrator Equinox.

Large systems integrators dominate the sector, with just 10 suppliers accounting for 71 per cent of all public sector IT service spends in 2001. It is not unusual for the procurement process to involve separate selection processes for product selection and systems integrator selection. Where a single procurement process is adopted, it is also not unusual for multiple systems integrators to suggest the same product in their bids. The fact that different systems integrators can bid the same product makes for delicate commercial relationships between a vendor and its system integrators.

Another feature of selling products into the public sector is that after the vendor has successfully come through a protracted accreditation process, its product will appear as an officially approved product. In the U.K., the Communications Electronics Security Group (CESG) is the information assurance arm of the Government Communications Headquarters (GCHQ). CESG is the body to which vendors must submit their products for official accreditation.

Recent framework agreements have improved the procurement process. The government IT catalogue (GCAT) contract, for instance, enables civil servants to buy IT systems and software under an overall framework deal, without having to go through separate tenders each time. The initial GCAT contract went to EDS, which subcontracted most of the commodity IT products to Computacenter, rather than giving users a choice of resellers from which to buy.

Parts of the public sector have specific infrastructure or standards requirements. For example, the U.K. National Health Service (NHS) has adopted an unusual email protocol variant - extended simple mail transfer protocol (ESMTP). Those vendors who want to sell email management into the NHS must, therefore, offer ESMTP scanning.

Overall, the e-security public sector marketplace in the U.K. is a healthy one. The relentless drive by government to allow online access and transactions is forcing all parties involved to consider security seriously. There have been some high profile security breaches - including one at the Inland Revenue - which have certainly heightened the need for robust e-security.

Paul Rutherford is chief marketing officer, Clearswift (www.clearswift.com).
 

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?