In my last blog, I discussed a few ways governments can create citizen journeys with API-led connectivity to address the inertia caused by legacy IT systems. We return to the second reason digital government services are held back: providing secure services. In this blog post, I’ll review the fundamentals of dealing with digital government services and how governments can create a better citizen experience through these fundamentals.
Principles
Without each of the following fundamental principles, a government cannot provide secure digital government services. Let’s explore each principle:
Principle 1: Trust
Without trust, all interactions between a citizen and their government are fundamentally broken. If citizens don’t trust the government organizations they are working with, they will mask their identity or attempt to perform the transaction anonymously to share less data with the government organization.
Conversely, if citizens trust their governing organizations, they will opt to perform transactions more frequently over digital channels, give consent, and share more data with them, which in turn will enable governments to serve us more efficiently and knowingly.
On certain transactions, issues, or matters, I choose to be anonymous and that is okay. By far, this is my right as the owner/custodian of my identity. Organizations — whether private or government — have to respect this and still value and record my input.
Principle 2: Visibility
Digitally-savvy citizens want to know how they can interact with their currently elected governing officials. Do citizens want to travel to a physical location to perform a transaction that could have been done on their mobile device? And when completing this transaction, do they want to discover other digital processes available to them, like an online driver license renewal process?
This is a two-way street. I want to interact with my government for my own ease of access to services and knowing it’s more efficient for government, but I also want to measure and monitor the elected officials in the same way. I do this every day as a consumer — I manage my stock portfolios through my bank’s online portal, check out my kids’ latest accomplishments in class through ClassDojo, and use my Qantas app to book a flight with points.
Therefore, a government must be transparent with performance and achievements such that its citizens can assess their success with a view to elections.
This begs the question: how can my government achieve the same level of transparency while upholding security?
Principle 3: Governance
Our elected officials are responsible for governing our territories. We elect them to govern us effectively, efficiently, and fairly. We also insist on transparency into such governance. For example, where has my data been seen, used, or transacted? If we share our data with government for government purposes, we do not expect them to share it beyond the intent with which it was given. This should not mean data is never shared across other government departments, but that it is shared to serve me as a citizen, as one government.
Governments, therefore, need to track endpoints, data flows, and consumers of data.
Principle 4: Identity protection
Nothing is more personal than one’s identity, yet everything about our identities has gone digital in today’s world. As someone who has had their (digital) identity stolen in the past, I know the reconciliation needed. We must hold the identity provider liable, as we do credit card providers for fraudulent transactions, for the protection (i.e. two-factor authentication) and reconciliation. Governments offering a digital identity must therefore recognize and mitigate this risk.
Open government and open data
Modern APIs define an interaction framework, but also an attack surface. This framework enables the above principles to be addressed in a structured, policy-driven way. An API therefore becomes a known attack surface, which is much more manageable than unknown “unknowns.” Rather than trying to close down risk entirely (risk drives profits), it is better to mitigate it. With known access points of intended data access and expected consumers, government organizations can detect, analyze, and strategically block threats without interrupting service to the known and valid consumers.
By being proactive and creating digital government services and data sets in an intentional way, we can avoid the ever more frequent stories of breach and data loss that often worry citizens. Trust is initially inherent and must be maintained, but can be lost very quickly.
Being fortunate enough to work with NSW Government and deeply understand their strategy for a digital government has been a rewarding experience, both as a citizen and as someone passionate about this space. I am fully supportive of an open, digitally enabled government and confident their approaches to cybersecurity are secure to mitigate the risks described.
For more information on how the NSW government is creating citizen journeys with connectivity, see our case study.