Security Problems and Government 2.0

The other day, I made a very serious point about the fad that is “Government 2.0”. I was pleased by the amount of attention it received and the large number of very reputable and poignant comments it received. However, it was largely a philosophical post, and did not provide anything concrete.

Today, that concrete example fell in my lap as I read this post by the IT security company Websense. The post outlines how malicious users added an image to a “user generated” section of My.Barack.Obama. The image led to a trojan download site that is infecting user computers.

Granted, the MBO site is not a government site, but it is certainly related, wouldn’t you say?

Veteran federal IT Administrators are vicious about protecting internal systems and intranets. Trust me, I know. I come from a Lockheed Martin, CSC and Northrop Grumman background where projects I worked on were all government-facing or oriented. This is what we did.

For as much complaint as there is about the lack of transparency, the lack of public facing services that engage the public in a Web 2.0 way, I’d point out that there is a valid reason for it. I would love to see the Government opened up to more Web-savvy ways, but there are very tangible reasons why they are not!

This is also why Government 2.0 will not rule the day. At least not soon. Until there is a sensible way to prevent user-generated content from being user-generated security nightmares, such as this incident was, Government 1.0 will rule the day.

Security will always trump anything else and right now, there is too much opportunity for mischief to entrust the federal systems to user-generated anything.

15 Replies to “Security Problems and Government 2.0”

  1. There’s a great article on Wired with another take on this… can Obama really ‘change’ how technology is leveraged and utilized. My thinking is nope… but I hope he stands against the establishment to try to ‘change’ things. :)

  2. Nice post that hits the nail on the head. Much of the social tech community is excited about, intrigued by, and out of touch with Washington DC.

    The Deputy CIO of the Dept of Defense recently said in a panel where I work (also at DOD) that for him, the balance between info sharing and info security was like the balance between inhaling and exhaling. Can anyone put it any better?

  3. Mark-

    I find it tremendously telling that there were so many comments on the other post, but the moment I bring real life to the table, everyone gets quiet. :-)

    Thanks again, for chiming in with real life experience.

  4. Interesting perspective. I tend to agree to an extent.

    I was in a social media presentation for government affairs professionals today and was appalled by the presenters’ lack of understanding of the restrictions on certain types of political communications. They were advocating all sorts of ideas that were terrific in concept but not at all applicable to the crowd. Adapting to new technologies will have to be more incremental in the government affairs arena (both on the gov’t side and those dealing with them). Now uses in campaigns? That’s an entirely different story.

  5. Often we communicators (non-Web managers) rail against the security walls (obstacles) because we’re chomping at the bit. For me, it’s eagerness and not frustration. I wholly understand the reality of security needs and appreciate the need for sound planning.

    Which is why I can’t help but agree – right now – that we need to maximize the Gov1.0 world that is our reality. At the same time we need to maintain pressure on CIOs to test, authenticate and allow certain technologies pass. We should not wait for a comprehensive list of what the government Shall and Shall not do; instead embrace an evolving playbook (a la DoD and EPA work).

    We’ll get there.

  6. I think it’s important to note that many of the leading “Gov 2.0” exemplars are behind-the-firewall deployments (enterprise 2.0). Conflating Apps for Democracy (ability to pull massive amounts of government content via RSS, KML, excel, etc) with public-facing, user-generated sites where you can submit content, with a wiki on a top secret network such as Intellipedia may be one of the reasons for the overall inflated and confused sense of Gov 2.0.

    Many enterprise 2.0 critics often use internet-based examples to argue against behind-the-firewall tools and these arguments often don’t apply. For example, a trojan horse is terrible but when your network is air-gapped from the internet the likelihood of hacking dramatically declines, so internet-based worst-case scenarios need to be tempered with context.

  7. Aaron – I think Amanda brings up a good point. We non-IT security/techie people are chomping at the bit to get out there and use social media. We see so much potential. We see ways to make our work easier. We see ways to help communicate and engage with the public. We just want to use these tools in the same way as we do in our private lives. However, I think that a majority of us DO understand the absolute necessity for data security – we just don’t understand the nuts and bolts of how it’s done.

    IT guys need to do a better job of explaining things that seem simple enough to the average Joe so that we can understand the pressures they’re under rather than getting frustrated about it. Here’s a typical conversation:

    Me: We could save soooo much time and money if we encouraged employees to use Skype video conferencing instead of traveling from office to office. Can we look into that?
    IT: No – Skype is on the prohibited software list.
    Me: Ok, why’s that?
    IT: Because it’s prohibited.
    Me: Oh, well in that case, I completely understand!

    It all goes back to honest communications. We wouldn’t be so quick to try and evade our IT departments if they would include other people/departments in their decisions and engage in honest conversations about what works, what doesn’t work, and why certain decisions were made.

  8. Steve, I understand what you’re saying. Oftentimes, those lists are made at high levels or are directives from other agencies. Government, even within government, can be territorial and may not want to clue other agencies or GSers down the food chain in on “why”.

    I can say, Skype is on the banned list because comm goes through eBay servers. It leaves the Gov’t control. I can also say that almost any communication tool that sends mission critical data outside will probably be banned. That’s why it’s surprising that White House legal counsel approved public affairs staffers to use gmail accounts.

    I can say that better adoption will be with software that is open code/source (ok, it doesn’t explain Windows dependence, honestly) and that can be self hosted with no external dependence. Think Yammer or WordPress or Wikimedia which, I’m told, is the foundation for the Intelligence Community’s Intellimedia.

    All of this can be controlled and that is what IT admins will *never* let go of… Control.

  9. Aaron – you’ve already distinguished yourself as an anomaly with your comment right there. That’s substantially more explanation/conversation than I get from most of my IT people! I definitely agree with you on the open source software – we’re using open source software here internally at Booz Allen for our Enterprise 2.0 platform, and you’re right about Intellipedia – that does run on MediaWiki and they seem to have had a lot of success with it.

    It’s a matter of education and communication. People need to continue getting smarter about these tools, and the people that are already smarter about them need to do a better job at communicating their benefits AND their risks so that everyone understands them.

  10. Essentially, my comment boils down to “Hey, IT, pick your battles!” and/or maybe “Hey, senior leadership, can we coordinate and communicate with everyone a little better?”

    I don’t think the battle should be over Flash and Adobe reader and what-have-you-generally-accepted-for-everyday-Web-use tools. I’m not sure how IT departments decide which things to worry about (everything?), so I’ll just illustrate an example from my office.

    I work on the contract and sit on-site with the Office of the Chief of Public Affairs client. Recently we re-launched the Web site with the blessing of client all the way up to the Secretary of the Army. One of the things we bragged about was our new video player.

    Last week, our Assignments Desk – a key part of the Army’s communication coordination squad, talking among all the different media-producers all around the world – asked why she couldn’t see our videos anymore. I’m increasing both of our workloads by giving her a separate list every day of the videos I upload to our player.

    Today (two weeks after approval and relaunch) our direct boss and manager (on the client side) asked why she couldn’t see our videos. Something about Flash? Should she submit a request to IT?

    Luckily, my team works on Macs, so we not-so-sneakily update our systems, software and Web tools whenever we feel like it. But the fact that our client cannot update the latest version of Flash without going through an application-and-wait-for-review process seems very silly.

    So, IT, please, of course of COURSE please look out for our infrastructure and stop us when we’re threatening our (and the Army and the American people’s) security. Of course this is important. How hard is it, though, to know that the latest version of Flash is going to be a-okay, especially if it’s been vetted and approved through the communication side from the SecArmy himself?

    Maybe we just need more go-between honest communicators/previous IT-ers like Aaron :)

    PS: I forwarded this link and Twitter convo to my boss. Sure did.

  11. Aaron,

    As a Gov communicator, I find that the number of “No’s” I hear from IT aren’t followed up with, “But here’s what we can do…”

    I go back and forth with IT about security, totally understand their concerns, however, I have also made suggestions on how to get around this – for example, a computer/laptop not on the server at all. Many of the social network applications I wish to use to be able to communicate with constituents are internet accessible. I don’t actually need to be on the server to make these things happen.

    I’ve already heard rumblings of what’s coming from the Obama folks and I hope that IT is ready to provide alternatives versus just saying no.

    All the communicators see the potential in reaching directly to constituents about the programs and services each government agency provides. It totally makes sense. We just need a way to do it. Plus, there are just as many Gov agencies who have figured out how to do it, TSA, GSA, HHS, EPA etc.

    IT security needs to come up with the alternatives or, most likely, face consequences when the Administration moves forward.

    Thanks for the post!

  12. I have to agree with Lahne, IT departments just say “No”. It is extremely rare to hear “but here is what we can do …”.

    Part of my job is to sit between our agency and our centralised IT section and take the ideas from the agency and create the “but here is what we can do …”. Unfortunately IT tends to label everything they do not understand or out of their control as a security risk.

    Agencies need to understand there are far bigger implications than security. The public will use various social networking and other tools to talk about your agency and if you do not provide a platform, it is harder to be part of the conversation.

    If your typical .gov or IT department had its way would have been not allowed to proceed for security reasons, like those highlighted by that report.

    But what would have been the alternative, if was not set up? The campaign would have missed out on a big chunk of money raised, would have had to work harder and longer to find out what people were saying, and what would have stopped phishers and scammers from taking advantage anyway? Look at the last third of the report, phishers and scammers will use any tricks they can think of. Why not a few unofficial support Obama community sites to line their pockets? With at least the campaign had more control.

    In communications terms was a huge success, an Alexa ranking of 872, big sums of money raised and numerous communities developed. In IT security terms it could be classed as a failure because of those security issues. So was it a success? For the people at the top of the campaign, I would say yes.

    And it is the people at the top of government agencies that need to drive or at least sponsor Gov2.0 initiatives. Because how else can you change IT from “no you can’t do it because of the security risks” to “how can we do it and minimise the security risk”?

    Which is why I’m watching what happens in the US with interest. Hopefully the from-the-very-top approach works and then hopefully spreads to other countries.

  13. Luckily I read comment #6 before scrolling all the way down to enter my comment.

    Chris Rasmussen hit the nail on the head:

    “…many of the leading “Gov 2.0” exemplars are behind-the-firewall deployments (enterprise 2.0). Conflating Apps for Democracy (ability to pull massive amounts of government content via RSS, KML, excel, etc) with public-facing, user-generated sites where you can submit content, with a wiki on a top secret network such as Intellipedia may be one of the reasons for the overall inflated and confused sense of Gov 2.0.”

    Your post presumes that Web 2.0 = user-generated content; but the promise of Gov 2.0 using Web 2.0 tech is much, much more. To me the security concerns should be around the construction of APIs and the openness of the data since the real magic of Gov 2.0 will be realized when agencies (fed, state, and local) realize the radical efficiencies of doing what Vivek did with Apps for Democracy.

Comments are closed.