Government managers struggling with IT security have a proven, foolproof method to guarantee that selected data will never be released. Just have someone file an Access to Information request for it.
Anyone who has witnessed this process from the inside knows exactly what happens. Sometimes the steps are sequential, and sometimes they are simultaneous, but they are always undertaken with the greatest diligence.
There is a detailed examination of the person or group making the request. Who is it? What do they really want? Is this part of a pattern? The real question, of course, is the possibility of danger to easily identified individuals: Me, my bosses, their bosses.
There is then a detailed examination of the request itself. Does it ask for a discrete, self-contained nugget of information or is it the opening move in a campaign of information requests? Once the enemies of a quiet life – political opponents, cranks, journalists, special interest groups – get their grasping fingers on a loose thread, there is no telling how quickly the veil of secrecy will be rent asunder. Any sign of vulnerability draws the whole greedy pack, so the sooner the situation is contained the better.
There is then a detailed inventory of every document the request might touch, because any perceived concealment, however innocent, has the look of guilt. It is far less embarrassing to cough up a few grudging pages than to appear to thwart the intent of the Access to Information Act.
With all the documents in hand, the Act itself is then reviewed for exemptions that might diminish the stack of relevant documents or, best of all, cause them to disappear into a fog of loopholes.
The final touch before the labour-intensive task of blacking out everything that should not be made public is more artistic than bureaucratic. As one expert said when asked why he was staring at an Access request, “I find that if I look at them long enough, I can come up with reasons to deny them.”

In other words, Access to Information regimes within government are perfect models for how to manage IT security. First and foremost, an access request is not a vague abstraction that may happen. It exists in the here and now, as both a challenging and inescapable task in itself, mandated by law, and a threat whose real consequences must be assessed and understood. The assets to be protected are not lines of code or servers or databases, but political and public sector careers. That focuses the mind, because unlike IT security, responsibility for responding to access requests is not diffuse and scattered across lines of authority. Accountability for failure is individual and motivation to succeed is high.
By definition, a well-written access request does not focus on a single piece of paper. It is a demand to look at anything and everything related to a topic. Like a comprehensive IT security audit, it should be impossible to wall off one part of the network or claim it is a work in progress. Unlike many IT security audits, however, there is a deadline for providing information and a process for enforcing compliance. Whether any information is released or not, at the end of the day, someone must put their signature on a document knowing their decision is subject to review.
Within the organization, managers and workers have a commitment to preventing access requests from even arriving and minimizing them when they do. Federal departments have pre-empted countless requests and avoided thousands of working hours by routinely posting contract, expense and hospitality information on the Web. Drastic as it may have seemed at the time, the release of non-classified information to the public has been a relatively benign experience. IT security in many cases lacks that selectivity, with everything protected to the same standard because nobody wants to assign priorities.
Access to information legislation has had a subtle but far-reaching and continuing impact within governments. In some ways, it has taken us back to a time before literacy. Many thoughts that once were committed to paper or transmitted via electronic text are now communicated verbally, in person, to ensure that the only text record of the meeting is a Starbucks receipt. When something must be written down, the language often becomes circumspect and euphemistic, like characters in Victorian novels or gangsters who suspect they are being bugged.
Governments should apply the same rigour and personal accountability to preventing IT security incidents as they do to processing Access to Information requests. In the end, it just means somebody is taking the job seriously and doing it right.
Richard Bray (rbray@itworldcanada.com) is an Ottawa-based freelance journalist specializing in high technology and security issues.