Worldwide, 2019 saw waves of cyberattacks that amounted to trillions of dollars in losses. Hackers are constantly devising way new ways to break through these constructed walls of security. Hence, it is crucial now more than ever to be vigilant and prepared for such attacks.
Both the public and private sectors strive to ensure that digital security efforts remain robust in an ever-changing landscape. As with other countries, Finland has set in place strategies to combat cyber resilience challenges and protect its businesses’ and citizens’ data.
OpenGov had the opportunity to speak with Antti Savolainen, Chief Information Security Officer (CISO) for the Ministry for Foreign Affairs of Finland, to gain insights into the measures taken by the Finnish Government to strengthen its cyber resilience.
Savolainen is responsible for the cybersecurity of Finnish foreign and diplomatic service. He plays an important role as a link between business leaders and IT, and his main focus areas are risk management, security awareness and incident management.
Savolainen has CISSP and RIMAP certifications. He is also a host of a track in Disobey-hacker conference.
Savolainen is interested in gamification and cybersecurity of smart cities and peace mediation.
Before joining the MFA in 2005, Savolainen was a security consultant at an IT service provider and an infantry officer in the Finnish Defence Forces.
He is a speaker at the upcoming Singapore OpenGov Leadership Forum 2020 (SG OGLF 2020) and will be sharing his experiences and knowledge in this field.
Finnish government’s approach to cybersecurity
Savolainen shared that the Government of Finland had adopted a resolution on the Nation’s Cyber Security Strategy during its plenary session on 3rd October 2019.
The Finnish Cyber Security Strategy 2019 is focused on key national objectives which are to develop the cyber environment and to safeguard key functions. The reform and implementation of this strategy are based on the political agenda of the present Government.
The current strategy relies on the general principles of the former cybersecurity strategy, laid out by the government in 2013. The present strategy and its implementation are also a part of the implementation of the European Union´s Cyber Security Strategy. Influential changes in the operating environment and the identified development needs for work at the national level have pushed the government to update the national strategy.
Savolainen listed the following strategic guidelines of the Finnish Cyber Security Strategy 2019:
- International cooperation
- Improved coordination of cybersecurity management, planning and preparedness
- Developing cybersecurity competence
The cybersecurity development programme is set to go beyond government terms, upgrading the allocation of resources and improvement of cooperation for cybersecurity. National cybersecurity policies will be strengthened and there will be a better understanding of cybersecurity projects, research and development programmes.
As part of the programme, there will be an establishment of a dedicated position of Cyber Security Director by the Ministry of Transport and Communications, for coordinating the national development of cybersecurity.
Technologies for enforcing cyber resilience
There is a wide range of technologies in place to enforce cyber resilience. Savolainen shared that the first step to doing so is cyber hygiene. This refers to all systems and networks being designed to resist different forms of cyber disruptions.
Security culture as the solid base for the security technology
“Naturally the technology is not the single silver bullet in solving the challenges. The resilience to cyberattacks comes with security culture, where awareness and education of it produces a positive end-user experience.”
The ‘system resilience by security culture’ is only possible if the system design, development, testing and implementation are made with discipline manners, for example, the DevSecOps-concept.
But this could also be jeopardised with a false sense of security. The weak usage and monitoring of encryption material (certifications, encryption keys, encryption parameters etc.) is one such example.
A “lazy admin”, system administrators with a lack of self-discipline are the quickest option for attackers to access key assets of the system. Following this, the attacker “lives of the land” and uses the system administration tools, technics and credentials to gain the foothold and broaden the attack.
Savolainen shared on some measures taken for ensuring that cyber resilience is enforced:
The National Cyber Security Center (NCSC-FI) delivers and maintains a sensor network called HAVARO. It monitors the internet data flow of key organisations of national cyber assets. This includes governmental organisations and companies tied to the national supply (finance, energy, logistics, digitalisation).
The NCSC-FI monitors and notifies the owner of the network from which the alerts originate. This service is an addition to the organisations’ own responsibility for monitoring its networks.
Isolating the classified information into separated networks and systems ensures that the attack surface is minimalised and beyond the reach from the internet. Savolainen emphasised that this should be made with a strong encryption of the networks (VPN), strong authentication, tempest shielding and constant monitoring and response.
Approaching a cyberattack
The first notice of the attack comes either from the target, internet operator, NCSA-FI or exchange of international cyber intelligence. It may come also from an independent source, such as the media, a hacker or a security researcher.
After the initial analysis of the attack, some of these measures will be adopted for countering the attack:
- Allow the attack to continue
Note: this is strongly advised only if the cyber/intelligence authorities need more information about the attacker for attribution etc.
- Limit or stop the attack net flow
- Isolation of the compromised part of the network
Further analysis of the attack will be done to recognise the following:
- The attack method in different phases of attack
- Vulnerabilities exploited in the attack
- Origin or waypoints of the attack
- Ultimate target of the attack, more complete list of the compromised assets
- The attacker command & control methods in/out the target, the exfiltration method and address
Initiatives by government for educating people/businesses on cyber resilience
The NCSC-FI releases a monthly Cyber Weather report named Kybersää. This report covers the six information security phenomena as follows:
- Network performance
- Malware and vulnerabilities
- Data breaches and leaks
- Scams and phishing
- IoT and automation.
There are three stages for monitoring cybersecurity phenomena. The Cyber Weather conditions may either be calm, worrying or serious.
Anticipating and approaching cyber-attacks
Cyber-attacks are cheaper and easier to launch. Attributing the attack to the source is quite hard, if not impossible. The lack of international regulation provides safe havens for cybercriminals and rogue nations to see this situation as useful for their cyber operations. “The attacks are here to stay,” said Savolainen.
Any regular organisation should agree that they are not capable to avoid the attack in advance, but they should develop the skills to recognise and limit the attack before the attacker gets to the crown jewels.
They should follow the three-step method of surveillance, research and exercise.
Countering a cyberattack
It is imperative for organisations to recognise the attack to stop it. They need to study and research the attacks and exchange information with allies to stay up to the game.
Surveillance and monitoring are important to recognise what should be studied. At the national level, this means getting onboard the internet operators, together with other significant ICT-service and capacity providers. Below the national level, every organisation should take care of their own network, systems and services. Co-operation between the cyber professionals in the same business area amplifies this, especially when business competitors form alliances against cybercriminals.
In Finland, every insurance company reports their cases into a shared information system to counter the insurance frauds. An insurance company can notice if someone claims compensation for the same incident from six different insurance companies.
This same idea about a coalition between competitors could apply in cybersecurity too. They could use proxies, where one does not want to share their findings by their own name. A local security company could do that too.
Ministry for Foreign Affairs of Finland shares a lot of cyber-related information via proxies like NCSC-FI and cybersecurity provider. Mostly the only need is to sanitise the origin of the information to hide our true surveillance capability.
Savolainen stressed that one cannot perform well in real situations without practising and exercising. Or you can avoid common mistakes and make shortcuts when you know the accurate process and contacts.
Exercising should be practised at the team, organisation and national levels. The exercises do not have to be massive and showy to get into the point. Like fire drills, you need to walk the exit route and make sure everyone’s out. You do not have to have smoke and explosions or stuntmen jumping out of windows.
Going through the checklists once a year is far better than once in five years organized spectacle; opting for both is ideal, of course.
What cybersecurity-related topics can be expected during the SG OGLF 2020?
“I’m sure that we cannot avoid talking about AI/ML,” said Savolainen. Topics on AI-powered-deep- fake-videos or netflow analysis will also be discussed.
Savolainen will also engage in discussing Cybersecurity as part of a foreign policy tool kit and on the international regulation of cyber weapons.
He looks forward to having an engaging session and delving into other topics, apart from these I hope there would be also something else than those hard-shelled things. “I would like to have a good conversation about smart city cyber issues from different angles,” he said.
The Ministry of Information and Communications (MIC) has rolled out a Bug Bounty programme to detect security holes and vulnerabilities on national digital platforms. The National Cyber Security Centre (NCSC) described the Bug Bounty programme as a solution to help the government connect with leading domestic and international security experts and save time and costs while ensuring the network security of national platforms.
According to a press release by MIC, Bug Bounty is an annual programme and will be held from October 2021 to October 2022. The total prize money in the first year is VND1 billion (around US$50,000) and is expected to increase annually. Under the programme, MIC will announce a list of the top 50 experts who have made significant contributions to the detection of security holes on the Vietnam Information Security Day, which is held in November every year. The top three cybersecurity experts will receive awards and certificates of merit from the Minister of Information and Communications.
The initiative is an extension of the campaign “Detecting security holes on technology platforms for epidemic prevention and control”, which was launched earlier this month. Aiming to turn Vietnam into a digital country, and a nation of stable development and prosperity by 2030, the National Digital Transformation Programme approved by the government in June 2020 emphasises that cybersecurity is the key and an integral component to successful and sustainable digital transformation. Based on this, the government launched the Bug Bounty programme to detect security holes and better protect national digital transformation platforms.
Globally, vulnerability search platforms are common in the field of information security. “White-hat hackers” or vulnerability experts search for security holes on the platforms of large tech. The Certified Information Systems Auditor (CISA), an agency under the United States government, has selected Bug Crowd and EnDyna to implement a federal policy to find vulnerabilities on government technology platforms.
Earlier this month, the Vietnam Computer Emergency Response Team (VNCERT) and the Authority of Information Security, under MIC, presided over the deployment of the 2021 ASEAN Computer Emergency Response Team Drill (ACID 2021) for members of the emergency response network and IT units of ministries and agencies nationwide. Attending the ACID 2021 were teams representing ASEAN member nations and five dialogue countries, namely Australia, China, India, Japan, and the Republic of Korea.
As OpenGov Asia had reported, the drill was an opportunity for technicians of Vietnamese agencies, organisations, and enterprises to practice their skills in dealing with, investigating, analysing, minimising damage, and reporting emergencies. It aimed to help them gain knowledge and experience in responding to cyber security incidents. The ACID 2021 drill used the latest cybersecurity trends as scenarios for teams to strengthen their preparedness in solving cybersecurity issues. After the drill, experts and domestic team members spent time exchanging and sharing situations and solutions to help participants better understand how to handle the incidents in a specific case.
As per data from the first six months of this year, cyberattacks in Vietnam decreased but the level of sophistication and damage was much greater. Vietnam recorded 2,915 cyber-attacks in the first six months of 2021, an increase of 898 compared with the same period last year. Earlier in May, the MIC Minister issued a directive on strengthening the prevention and combat of violations and crimes on the Internet. The Minister also requested the sector to continue to effectively implement the Prime Minister’s directive on enhancing safety measures on cybersecurity which aims to improve Vietnam’s rankings.
The COVID-19 pandemic illustrates how fast the adoption of new technology can be, including cloud technology. While the cloud journey started well before COVID-19, the pandemic has certainly undoubtedly accelerated the process. This is because government agencies and organisations need to and have to roll out applications and technological solutions quickly, leaving them no time to use everything with hardware.
The public sector in the region, in particular, is still at an early stage of cloud adoption. As a result, many agencies encounter issues with legacy processes and organisational structures when moving to the cloud. As a full-scale cloud migration may not be possible for many government agencies and organisations, Hybrid Multi-Cloud is an efficient strategy as it enables organisations to choose the optimal solution for each task or workload.
OpenGov Asia had the opportunity to speak exclusively to Gunasekharan Chellappan, Country Manager, Singapore, Red Hat. For over 25 years, Guna has been in the IT software industry in various leadership assignments. In his current role, he leads Red Hat’s sales team in Singapore and supports customers in their digital transformation initiatives.
Over the years, Guna has been extensively involved in implementing complex analytics solutions such as supply chain, customer experience and risk management across the world in various industries ranging from financial services, government, manufacturing and retail.
Agencies and organisations are expected to continuously deliver a mix of different services for their citizens and customers. Agility and cost-efficiency are the two primary driving aspects of many government agencies and organisations wanting to move to the cloud. Further, organisations have to maintain some workloads on-premises while also supporting cloud-native development.
Guna believes in an Open Hybrid Multi-Cloud outlook, and, in fact, it should be a default. Hybrid cloud refers to mixed computing, storage and services environments made up of on-premises infrastructure, private cloud services, and a public cloud—such as Amazon Web Services (AWS) or Microsoft Azure. Multi-cloud refers to the presence of more than one cloud deployment of the same type (public or private), sourced from different vendors
Running everything on the public cloud could be inconvenient and unwise, so organisations should retain some data on-premises. Various reasons underpin this perspective, including cost, security or regulations and other control measures, such as data sovereignty.
Organisations have learned over time that having all their eggs in the public cloud is not cost-effective as it was once thought. So over time, they have pulled most applications on-prem, making it easier to manage while using the public cloud for innovation.
An Open Hybrid Multi-Cloud deployment gives organisations the capability to pick and choose specific tools they prefer from different cloud providers, such as storage, security and Artificial Intelligence. As a result, they are not limited to the options of one cloud provider and can choose the best possible tools and services according to their needs.
With a good Hybrid Multi-Cloud strategy, tools from across the various clouds can be made to work together seamlessly. The more sophisticated the organisations are, the better they are at combining the right tools to achieve their goals.
If organisations opt for open source solutions, such as Red Hat, they do not have to learn all the different networking protocols or different storage mechanisms.
By relying on Red Hat as an abstraction layer, organisations can take that complexity issue off the table altogether. Red Hat offers open concepts which encompass being open, portable and giving freedom to developers using consistent tools and processes to deploy the applications on any cloud.
By not being constrained to one cloud, organisations are free to move any application they develop to another provider without reengineering the application. Applications can be developed once, but they can be deployed anywhere, whether on-premises or public cloud.
Typically, customers who are still at the initial stage, want to move an application to the cloud. Then, as they become more comfortable with the setup, they start looking to go deeper, moving more existing applications to the cloud as well as developing applications on the cloud. At this point, they want to take advantage of what the cloud has to offer instead of only moving monolithic applications.
Guna elaborated on how Red Hat helps customers in their cloud journey. Red Hat empowers and supports customers in their cloud transformation, allowing them to focus on their primary objectives. With Red Hat’s significant pool of resources and talent, they assist clients in shifting and modernising applications with a minimal amount of effort. Red Hat helps design new applications that run on the cloud in an agile way. This agility combined with the capability to scale automatically, Guna emphasises, is the true benefit of moving to the cloud.
Sometimes organisations are only looking to move their data centre because it is cost-effective. However, data centres costs could actually be higher over the long term.
The usual timeframe to move from a data centre to the cloud with microservices can vary between weeks to years. For example, developing core banking applications that have hundreds of modules can take years to complete. However, typical applications that are already Java-enabled take about 3 months to break down, refactor and test.
Red Hat Open Innovation Labs is an immersive teaming residency that arms customers with the skills, tools and processes to deliver better software, more quickly, to meet the demands of today’s market. The Labs provide an environment for customers to develop applications with speed, agility, scalability and increased security.
Red Hat works with organisations on a deeper level by helping to change the people, the processes, and the platforms. Different organisations have slightly different strategies in managing their teams. Some rigidly divide their teams and as a result, each does not have a comprehensive understanding of the organisation. For Guna, organisations need to have a blended model, in which there is a specific team that slowly transforms everyone.
Guna encouraged organisations to leverage an open Hybrid Multi-Cloud optimally and take advantage of all its features. Organisations and agencies that are currently relooking at their entire data strategy need to be aware that the future of data residency is with an Open Hybrid Multi-Cloud strategy. The flexibility to run applications across various environments without having to rebuild applications, retrain people or maintain disparate environments is the outcome of implementing a Hybrid Multi-Cloud strategy.
Multi-cloud is now a reality for many organisations. Although it can come with challenges, it has driven technological advancements for developer productivity. Red Hat takes the complexity of having to learn various platforms when considering a Hybrid Multi-Cloud strategy. It can help map out high-level considerations to take advantage of these benefits for cloud-native development.
Red Hat exists to help organisations standardise across environments, develop cloud-native applications, and integrate, automate, secure, and manage complex environments with award-winning support, training, and consulting services.
Government agencies and organisations can use Red Hat products and services to overcome their cloud challenges – all while keeping costs low and their options open.
The Hong Kong Applied Science and Technology Research Institute (ASTRI) joins forces with tech-embracing companies to leverage a privacy-preserving technology, called “Federated Learning”, to develop artificial intelligence (AI) models and output in the form of encrypted parameters that serve as a reference for financial institutions to conduct comprehensive credit analyses for micro, small and medium-sized enterprises (MSMEs) to help them get access to financing.
ASTRI’s partners include two major global banks, one of which is the first virtual bank serving MSMEs in Hong Kong; a Hong Kong restaurant guide and review platform; and a logistics and freight pricing platform.
Unlike traditional machine-learning methods, Federated Learning does not require data to be transferred directly to a central database, thus protecting privacy and mitigating the risk of data security breaches. Data partners and financial institutions can establish common credit evaluation models by combining their encrypted parameters.
During the process, the collaborators do not have access to any consumer personal data, nor are the identities of the enterprises identified. Only when an enterprise applies for financing and is undergoing authorisation can the designated financial institution obtain the relevant parameters and conduct a credit evaluation.
The Chief Executive Officer of ASTRI noted that the agency leverages Federated Learning technology to provide alternative data for credit assessment while protecting privacy and data security to help financial institutions reduce the cost of vetting and approving loans for MSMEs and help enterprises get financing.
It is expected that ASTRI will collaborate with more organisations to promote the implementation of open data. The Federated Learning technology will also effectively promote the development of other Fintech applications and support the government’s efforts to drive smart city transformation.
As data partners, the restaurant guide and review platform and the logistics and freight pricing platform will leverage big data, including various restaurant popularity metrics, the transaction status of consignment merchants, and business operation status, to identify the elements affecting the credit risks of enterprises from alternative data by using AI and Federated Learning.
Through this, a model will be trained to derive parameters to assist credit scoring. No information about the enterprises will be transferred from the data partners to other institutions.
With the authorisation of the enterprises applying for loans, the two banks can refer to data providers’ assessments of an enterprise’s competitiveness in its industry and its credits status, which is determined using the enterprise’s operation parameters through the model developed to process an MSME loan application.
During the loan-approval process, financial institutions will be able to make more reliable credit assessments based on the projections of their own credit evaluation models and the assessments of their data partners. The first phase of the models developed using Federated Learning is expected to be in use within 12 months.
The Deputy Chief Executive of the first virtual bank serving MSMEs in Hong Kong noted that with the AI models, the firm can access customers’ comprehensive operational data in real-time to help realise financial inclusion by expediting loan approvals and meeting the financing needs of SMEs.
The CEO and Acting CTO of the Hong Kong restaurant guide and review platform stated that they expect to use Big Data and Federated Learning to train AI models and develop professional industry parameters to make credit applications from small and medium-sized restaurant partners faster and easier to quickly meet their operational needs.
The Co-founder and Director of the logistics and freight pricing platform noted that they are collaborating with ASTRI, using the Federated Learning technology to strictly protect privacy.
The massive data on the platform is used to train AI models to help to build industry parameters, which helps SMEs apply for trade financing and credit with ease, and effectively addresses their financing needs.
According to the Minister for Digital Economy and Communications, New Zealand is one step closer to enacting national legislation that will bring coherence to national efforts to create digital identification that is recognised by Kiwis and other international partners. Making it easier for New Zealanders to digitally prove their identity and control who has access to that information is one step closer to becoming law.
The Digital Identity Services Trust Framework Bill received its first reading today and will now be referred to the Economic Development, Science, and Innovation Committee for review and public comment. “COVID-19 has shown that when face-to-face interactions prove difficult, we need to be trusted digital services,” the Minister said.
The Trust Framework enables Kiwi businesses to provide trusted digital identity services that provide private, secure, and efficient digital identity verification.
– New Zealand’s Minister for Digital Economy and Communications
The Minister for Digital Economy and Communications acknowledges that New Zealanders want control over their identity information and how it is used by the companies and services with which they share it and that this will help to facilitate that. Whether it’s opening a bank account, sharing medical history, conducting business online, or applying for government services like wage subsidies, the country and its residents must have faith in the systems in place, and that service providers understand what is expected of them.
The Digital Identity Services Trust Framework will ensure that personal and organisational information is shared, stored, and used in a digital environment consistently and safely. This will be achieved through an opt-in accreditation scheme, which details how sensitive information should be handled by authorised providers.
It is also noted that having trusted and regulated digital identity services have economic benefits. According to international studies, the potential benefit of enabling digital identity in a mature economy ranges between 0.5 and 3% of GDP, or $1.5 to $9 billion in NZD. Hence, the framework will make it easier for people to complete certain online transactions. Because accredited businesses will be identified by a ‘trust mark,’ they will be eligible for streamlined processes.
It will also help New Zealand stand out as a global leader in the ethical and trusted deployment of technology. The country already has an international reputation for being an ethical innovator and the implementation of this framework only strengthens that.
“We are working closely with our international partners so that New Zealanders’ digital identities are recognised overseas, including places like Australia. A trusted modern digital identity system will help grow our digital economy, transform government services and ensure all New Zealanders can take part in the digital world,” Minister for Digital Economy and Communications said.
In implementing this framework, the country’s cyber security issues also can be reduced. OpenGov Asia in an article reported that the New Zealand Government’s Communications Minister launched an action plan & national plan to address cybercrime and ensure New Zealanders are safe from online crime.
This new strategy highlights New Zealand’s vision of being secure, resilient, and prosperous online. Individuals will be safe online due to this strategy, while New Zealand businesses will be able to thrive and function. This strategy also recognises that New Zealand’s ability to be secure and resilient online is critical to developing a more productive and competitive economy. The Cyber Security Strategy includes 4 goals:
- Cyber Resilience
- Cyber Capability
- Addressing Cybercrime
- International Cooperation
Cyberattacks on critical infrastructure are a real threat, and governments all over the world are already sitting up and taking notice. As with all cybercrimes, governments, and cybersecurity experts are struggling to keep up with the sophisticated technologies and tactics used by cybercriminals.
This is Part 2 of a two-part series. Read Part 1.
OpenGov Asia had the opportunity to speak exclusively to Simon Dale, Managing Director, South East Asia at Adobe. For over 30 years, Simon has worked for and with innovative tech companies across Europe and in the Asia Pacific and Japan, mostly in sales leadership roles. He specialises in launching and growing new businesses in the enterprise software space.
While the use of technology in the public sector is not new, it is becoming increasingly more important to adopt a more citizen-centric outlook. Simon feels that agencies need to be willing to directly serve citizens and engage with them in real-time. This requires a paradigm shift in thinking followed by a strategy that would enable it.
Adobe’s digital transformation is a great example. A decade ago, Adobe used to sell software (in the form of packaged discs) to distributors who then sold it to the customers. Today, Adobe’s customers can go to the company’s website, purchase the product and download the software directly onto their device. To facilitate this, Adobe had to change its thinking, develop a strategy and set up infrastructure and systems.
Simon encourages governments to understand the importance of citizen experience – which is far different from customer experience. Government agencies need to manage citizen experience from the viewpoint of a life journey broken up into specific stages, organising its content and channels to align appropriately. Such a design can only be built on understanding – when governments recognise what each citizen needs at a particular stage or season of life. Adobe’s 2021 Public Sector Trends Report shows that empathy is essential in designing and implementing truly citizen-centric services.
Adobe has a five-stage customer journey: discover, try, buy, use and renew. When customers first visit Adobe’s website, the company has limited information. Each time a customer returns to their site, explores and/or uses Adobe’s products, a bigger and more comprehensive picture and understanding emerge. For the most part, big data analytics can be used to evaluate data to enable personalisation, but Artificial Intelligence (AI) can accelerate this process.
Fundamentally, when citizens engage with the government in the digital space, they want relevant content and an easier experience. Agencies need to anticipate citizens’ needs and respond with suitable content, send out more timely and relevant information, as well as smoothen the experience on their digital platforms. Adobe is placed perfectly to help with this.
Throughout the pandemic, Adobe worked with both the U.S. and the Australian governments to accelerate communications on the status of the COVID-19 outbreak, critical updates and information, measures in place. This was vital in managing government response during the pandemic and easing concerns that were escalating and managing expectations.
The accelerated adoption of new technologies to improve digital customer experience (CX) has been made possible due to strong public-private partnerships. Amazingly, Adobe has partnered with all 50 U.S. states to power their digital modernisation through Adobe Experience Cloud and Adobe Document Cloud. The partnerships exist across individual agencies at the state, county and city levels.
Great examples are Adobe’s work with the U.S. Census Bureau and the Centres for Disease Control and Prevention (CDC), in terms of content management. The Census Bureau employed Adobe’s Experience Manager to build a digital foundation for the online census. Similarly, Adobe partnered with the CDC to orchestrate multi-channel communications to millions of citizens with up-to-date information about the COVID-19 emergency.
Citizen expectations are hugely influenced by the retail and financial sectors. The ease of business that encompasses many options and easy transactions are what people now demand. Simon believes that an “add-to-basket” experience is possible in some areas of public services.
Accelerated by the pandemic, governments have had to deliver some services without physical contact. If they build on this, citizens should be able to pick up certain services and drop them in a ‘check-out basket’. Services related to things like renewing a driver’s license, applying for a marriage license or getting copies of various certificates are all in the realm of possibility.
Using platforms like Adobe Experience Cloud, governments across the globe are revamping their online presence, making their websites and apps easier to navigate, ensuring content is personalised and updated in real-time, and creating intuitive forms that work on any device. Adobe Document Cloud helps optimise internal document workflows and Adobe Sign powers the entire e-signature process, reducing time spent on tasks such as applying for benefits and drastically reducing paper waste.
This is because Adobe is not just a provider of a piece of technology, but a long-term partner for business applications with values built on technology. Adobe’s perspective allows governments to get into citizen experience best practices immediately rather than building technologies from scratch or spending money on technologies that will not be valuable. Government agencies can focus on their tasks and adopt technology that is going to accelerate their digitalisation.
The concept of democratising digital decision-making for the public sector is vital to long term development. Data democratisation does not mean everyone has access to all data. The idea is to provide access to information that decision-makers need that is relevant to the level at which they operate that is constrained by the sensitivity and the use of data.
The fact is, the public sector collects vast amounts of information on citizens, but they have to be careful who has access to it. Agencies get data about people from their websites which include what they are looking for, what services they have availed of and issues or concerns they have. Every government employee who influences or decides those interactions and that content should have access to that citizen information, bound by the right level of privacy compliance and data protection.
It can help them rethink, reimagine and redesign the content they put up, how they can improve and what they need to do to better serve their citizens. Democratisation in this context means giving everybody who is contributing to “the last mile” more access to the information they need, so they can understand where they fit into the process.
It is analogous to conversion and retention in marketing, which, Simon believes, provides an argument for more government officers to have access to the right level of data. Better information allows faster conversion and better retention of customers, in this case, citizens. Richer data sets being made available to them, allows them to improve the citizen journey.
That being said, data democratisation has to be managed by robust data governance, compliance policies and security measures. Adobe takes safety and regulatory adherence seriously. It can take data that is garnered from citizen interactions – anonymous and authenticated – and use applications to allow decision-makers to analyse that data for various purposes.
Simon is confident in Adobe’s ability to better the world through its digital offerings that can meet the vast and growing needs of the public sector. Designed for easy deployment, compliance and management, Adobe tools, apps and services can be tailored to the specific needs of individual departments.
He firmly believes that digital insights have no value if they are not actionable. Systems, solutions and technology have to drive decisions that improve the lives of citizens through all digital services. Simon is optimistic that technology will continue to drive the quality of life and digital experiences of citizens across the world.
This is Part 2 of a two-part series. Read Part 1.
Service NSW has settled on the secure data transfer application that will replace email for sharing sensitive personal information at service centres following a phishing attack last year. The solution has been rolled out to almost half of all service centres across the state after being developed in-house by the one-stop shop for NSW government services. It will allow frontline staff to transfer information to other government agencies such as NSW Births, Deaths and Marriages and NSW Fair Trading.
The need for such a solution became extremely apparent in March 2020, when an email compromise attack against 47 Service NSW staff members exposed the personal information of 103,000 customers. Roughly 3.8 million documents, including handwritten notes, scans of driver’s licences and records of transactions, were stolen in an incident that has now cost over $25 million to amend.
In the absence of alternative methods of information sharing, service centre staff would routinely transfer documents containing personal information to staff in other NSW government agencies using email, a practice that Service NSW itself identified as a risk at least a year prior.
When answering questions on notice from budget estimates, Service NSW last month revealed it had begun the process of rolling out a new transfer solution to its service centre network. A spokesperson stated that following an assessment of “several delivery options” following the six-month pilot, the agency selected a solution that was developed in-house and built on a stack by an American software and I&T company.
The solution has been developed by a dedicated Service NSW team, the spokesperson said. Its solution provides an improved method to protect customer information and replaces the use of email to transfer scanned documents.
At present, 48 service centres across the state have begun using the solution, all but four of which went live in the past month. The first four service centres – which were involved in the six-month pilot – used the solution to transfer information to Department of Customer Service partner agencies for 280 transactions.
It was noted that the full network rollout to all 107 service centres is expected to be completed by January. Since the email compromise attack, Service NSW has also introduced controls to automatically delete emails that are more than 60 days old. Earlier this year, the Service NSW CEO said this had singlehandedly reduced the number of emails in mailboxes by 92% since June 2020.
Service NSW also introduced multi-factor authentication across almost all of its externally-facing IT systems in the wake of last year’s phishing attack that exposed 736GB of data. After bringing MFA to email shortly after the March 2020 data breach, the CEO said the agency had now enabled the feature on all but 5%of externally-facing systems. It follows funding to the tune of $5 million in last year’s state budget for cyber security upgrades at the one-stop shop for NSW government services.
Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is).
MFA protects user data – this may include personal identification or financial assets – from being accessed by an unauthorised third party that may have been able to discover, for example, a single password. A third-party authenticator (TPA) app enables two-factor authentication, usually by showing a randomly generated and frequently changing code to use for authentication.
Part 1 of a two-part series. Read Part 2.
Good citizen experience is one of the most essential components of an effective government. Unfortunately, it is still a far cry from the seamless, personalised engagements that citizens have and expect from the private sector. Hence, the public sector must shift to citizen-centric digital offerings, with an effective strategy to deliver private sector level digital services.
OpenGov Asia had the opportunity to speak exclusively to Simon Dale, Managing Director, South East Asia at Adobe. For over 30 years, Simon has worked for and with innovative tech companies across Europe and in the Asia Pacific and Japan, mostly in sales leadership roles. He specialises in launching and growing new businesses in the enterprise software space.
Having worked in the Asia Pacific markets for 20 years, with experience in all major countries, he has deep business experience in the region. He is actively involved in the startup scene in South East Asia as both an advocate for technology as well as a mentor.
In deploying technology with the government, Simon acknowledges the importance of effective policies to support and facilitate government objectives. There are three indispensable dimensions in delivering technological solutions to the public sector – people, technology and processes. The most critical aspect is people as they understand and can determine how to deploy technology to particular use cases or even come up with cases.
For a long time, government agencies were “hidden” behind counters, tickets and forms with limited direct interaction with citizens. With developments in technology, and more recently, being driven by the pandemic, government employees are being pushed to deal directly with citizens and provide real-time services, albeit digitally.
For a great digital citizen experience, Simon firmly believes that agencies need to understand a citizen’s journey as a continuum, learning to serve people effectively at whatever point they are in their life. This direct citizen engagement is a new concept. And if they are to do it successfully, government agencies need to understand citizens’ life journey and their context of citizen experience. Services have to be in line with where people are in their life stages.
While organisations in the private sector tend to have a stronger strategy for personalisation than in the public sector, it should be the other way around. Government has the responsibility of equity – to make sure everyone has access to what is needed and ensure that no one is left behind within society. Empathy and personalisation in government can address that.
In delivering digital services to citizens, Simon emphasises that internal stakeholders are vital. The mindset of key decision-makers and implementers will determine the extent and nature of the experience. As the citizen and customer experience wave is still in its early stages, the role of people to firmly push this to the next stage is essential.
With mindsets and culture addressed, agencies will need to next look into technology and processes. Technology must facilitate the goals of the digital customer experience that the government envisions, while processes need to enable digitalised customer experience instead of being the impediments. They should encourage and foster collaboration and innovation to better serve people.
Across government agencies, a lack of digital skills affects the deployment of technology and the extent of its use. Adobe works with governments to help develop the capacity of their officers and to build citizens’ skills by supporting relevant training initiatives. Adobe’s partnership with Skillsfuture has enabled Singaporeans to develop their fullest potential throughout life, regardless of their starting points.
Infrastructure can be a limitation in deploying technological solutions. Such bottlenecks are often connected to policies that centre around agency perspective – ‘buy’ versus ‘build’ or ‘own and operate’ versus ‘outsource’. While the dedicated infrastructure is necessary to an extent and in specific contexts, a cloud-based mindset is increasingly proving to be more efficient. The availability and agility of cloud services have been well proven in the commercial sector.
A great example is the Adobe Experience Manager, a comprehensive content management solution for building websites, mobile apps and forms. The platform places citizens at the centre with solutions that are responsive, relevant and social, providing lifetime value. It can deliver and manage digital experiences across government agencies that are timely and personal.
More recently Adobe deployed a data centre in Singapore with Adobe Sign and Adobe Experience Manager cloud services that are available to Adobe’s customers across the world, increasing capabilities and efficiencies especially for those in the region.
For Simon, the world has not changed much in terms of the channels of engagement, but it is evolving when it comes to the adoption of digital channels of engagement. The digitisation of the channels has accelerated far more quickly than the government’s ability to deliver the services digitally.
The access to digital services has greatly improved and, with so many cutting-edge technologies on the horizon, things can only get better. Solutions specifically designed for different communities are being created regularly and governments are looking to serve all their citizens equitably – the elderly, differently-abled, people with limited access, education or resources. Simon is optimistic that governments’ ability to digitally serve citizens, even in countries with a slower pace of transformation, will improve quickly.
Adobe is committed to partnering closely with government agencies around the world in this journey to help deliver a better and more empathetic citizen experience.
Part 1 of a two-part series. Read Part 2.