E-passports and the critical cybersecurity question
- The efficiency in these processes will benefit us as citizens as a lot of time will be saved, which can be productively spent elsewhere. Some of you may have noted how quickly your fellow passengers get cleared when you arrive at certain airports (in countries such as the UK which have already adopted e-passports) through the “automatic border-control gates” while you are stuck in a long-winding queue.
E-passports are a recent example of a planned initiative for government to go more digital. The issuance of such passports is expected to lead to faster, more secure and efficient processing of travellers at border control points. Similarly, the issuance, renewal and replacement of passports will be more efficient thus saving costs to the government.
The efficiency in these processes will benefit us as citizens as a lot of time will be saved, which can be productively spent elsewhere. Some of you may have noted how quickly your fellow passengers get cleared when you arrive at certain airports (in countries such as the UK which have already adopted e-passports) through the “automatic border-control gates” while you are stuck in a long-winding queue.
Aside time and cost savings, the e-passports will also enhance controls against illegal immigration and national security in general. These benefits are in line with the government’s technology transformation projects which aim for efficiency and greater customer satisfaction, but also introduce new challenges.
One key challenge is how the Immigration Department is going to secure our data to ensure confidentiality, integrity and availability. Data that identifies you as a citizen will be stored in a system, and this includes biometric data (such as fingerprints, iris scans) and other forms of data deemed useful.
At the time of travel, the information on your e-passport chip will be validated against a central database that has all your information in order to authenticate your identity.
So, have adequate measures been thought of to safeguard this sensitive data? What if your data gets manipulated, and your fingerprints end up being stored on someone else’s e-passport?
Given the sophistication needed from the system to securely process travelers at our borders and curb illegal immigration, you can imagine the value attached to the authenticity of your personal data. What if your data falls in the wrong hands? What controls will be in place to prevent this from happening?
Incidentally, this is not the first project that the Government has embarked on where citizen’s data is being collected and stored. We first had the National ID project, where we had to provide personal details and biometric information (fingerprints). Then came the electoral database where we provided pretty much the same information.
Where is all this data being stored? How is it protected? And more importantly, can this information be centrally managed and shared such that we do not have to supply the same details over and over again? But this latter point is for another conversation, for now let me focus on the data security risks.
Even where the process is automated, human intervention will still play a part leading to some of the risks mentioned above.
Human intervention is required at the point of capture or update of details in the system, as well as maintenance of the system. It is this human element that is prone to making errors and can be compromised sometimes (with or without their knowledge).
In addition, the system in itself is made up of various components such as the application, the database and the network. If any of these is not well secured, it can provide a loophole for data or the system to be manipulated.
A good analogy will be having an expensive car (the system) that is full of gold (citizen’s data) and having it parked outside a house that has no fence or security guard.
The in-built security of the car in itself does not prevent thieves from getting to the gold. It is the entire ecosystem that needs to be secured to ensure the gold is well protected. The same applies to cybersecurity ecosystem required to address the challenges above.
I know the word puts off some people as they think cybersecurity is the job of the IT department. But it’s not only IT that should be involved. We all have a part to play. For e-passports, this includes the applicant, the junior immigration officers, right through to the top most ranking people who own this project.
With more than 100 countries already using e-passports, the technology itself is likely to be robust. However, when we look at the “ecosystem” and given that Tanzania does not yet have a national framework for cyber security risk management, are we ready to tackle and address the threats and vulnerabilities that come with such initiatives?
So, whilst we embrace these great initiatives which will take our country forward and bring about much needed efficiency, we should also address the risks involved and in particular cybersecurity which is a new norm, and which will increase in sophistication as we innovate and integrate more systems.
How should we ensure the integrity, confidentiality and availability of all our data?
Firstly, everyone has a part to play when it comes to cybersecurity. Gone are the days when this was an “IT” problem only! Provided that you interact with a system or the internet through any device (smartphone, laptop, tablet etc.) you should take good measures to keep your information secure.
We do not sleep with the front door of the house open just because there is a security guard outside. The same principle applies in cybersecurity. Every user has a role to play. As such, all the people involved in the process of filling in, processing and maintaining data required for the e-passports need to be educated on how to be secure in cyberspace.
Clicking unknown links
This starts from the basics of having strong password controls to not clicking unknown links (as such links can be malicious and infect the user’s machine or give access to hackers). This education needs to be given continuously and it has to stay current and relevant as technology keeps evolving.
Secondly, the system that will be processing and storing data for e-passports must have robust features that will ensure data integrity is maintained. This is where IT and the user departments come and work together.
As the system will be hosted in a network connecting it with various border points, this network must be designed with security in mind. The main objective being to protect the system from external and internal attacks.
Secure protocols and encryption needs to be in place when data is being transmitted between two points to prevent it from being intercepted. In addition, there need to be detection mechanisms that will alert Immigration on a timely basis when an attempt is made to attack or access the system without proper authentication.
The above concepts cover “people” and the “systems”. The third component that is key in addressing cybersecurity is “processes”. There needs to be well designed processes and controls in each activity that involves e-passports, be it creation, updates, renewals etc. Such processes if not well designed, can also provide a loophole for exploitation of the security threats and vulnerabilities mentioned earlier. In addition, the Immigration Department must also have a process of responding to “electronic-related” incidents.
Then there is an aspect of good work ethics which seem to be disappearing these days when it comes to maintaining confidentiality. This you can tell by the number of instances sensitive corporate information has made the rounds in social media (thanks to smartphones).
So in educating people, staff should also be sensitised (particularly the ‘young smartphone-savvy’ users) not to snap sensitive data and share this through social media.
This then brings me to the last point regarding the skillset required to address cybersecurity issues. There is a significant shortage of experienced or qualified cybersecurity professionals in this field both locally and globally (as noted by various reports by PwC, ISACA, Protiviti, etc). Tanzania currently has about 250 such professionals (based on Serianu 2016 report on Cybersecurity).
This number is clearly inadequate given the extent of automation and integrated systems in the public sector alone – and this is before considering the demands of the private sector, which includes some heavily automated industries such as telcos and banks.
So, both public and private sectors have a common interest to invest in the skills-set of those people needed to implement the control measures mentioned above to minimise cybersecurity risks.
So, whilst we embrace these great initiatives which will take our country forward and bring about the much needed efficiency, we should also address the risks involved and particularly cybersecurity which is a new norm and will only increase in sophistication as we innovate and integrate more systems.
Sanare Kaduma is an associate director with PwC and the ISACA Tanzania Chapter President