This evolution in computer applications would make life easier and more meaningful for the user through rapid access, update and accurate retrieval of the information requested. Such access is not welcome from a security point of view if it is uncontrolled, because privacy, identity and data integrity must be preserved, and these principles may run counter to the new direction of making systems easy to use for providing information and answering queries. Security is a major concern and should be addressed by high-level policy planning that is uniform for all applications and takes into account the different levels of relevancy, from the normal user to the higher-level user. It is well known that any protection system is a countermeasure to one or more threats; there are many potential threats in the application of eGovernment, such as (hackers, crackers, disguised ... etc.), physical threats, communications threats ... and so on. It is impossible to have one protection system for all of these threats, but at the very least we must know in real time that an attack, intrusion or theft of information is taking place and, if we are lucky, before it occurs. A warning system of this kind is very important, and it is called the intrusion detection system.
eGovernment consists of several components, including the infrastructure for Internet connections, many different web sites, user browsers, products, services, databases, firewalls, electronic payment engines and many other components.
Generally, the scenario of service in the application of eGovernment is as follows: the customer accesses the ministry’s website and looks for the product or service that he requires. After the customer has examined the ministry’s web service and identified the products or services, the necessary next step is to obtain access by passing through security steps.
Security problems: it is not possible to draw up a complete list of security-related problems, because there is always something unexpected, a threat that did not exist previously. We have tried to identify threats by categorizing them, in order to have the appropriate countermeasures. As highlighted, these problems vary according to the value of the stored information. The problems listed below may be present in eGovernment applications:
1. Identification: This is a simple problem, but it is required for each application in order to distinguish authorized from unauthorized users.
2. Authentication: This is a big problem because it requires the user to prove his identity as an authorized user. There are many methods that can be used, ranging from simple ones such as a password to complex ones such as a fingerprint or retina scan.
3. Viruses: these include worms, Trojan horses, logic bombs, software agents and mobile code, which can be converted from angel to demon.
4. Intruders: such as hackers and crackers. Software code can also be used to interrupt and penetrate communication lines.
5. Integrity of Data: Anything obtained from the applications as output must be acceptable and correct, and any unauthorized change to such data may affect users’ confidentiality.
6. Communication and Computer Network: These are considered the backbone of any eGovernment application and the link through which citizens contact each other, so it is very important to keep these portals open and safe; otherwise they could be compromised. Communications and networks remain the main target of intruders attacking eGovernment applications.
7. Information Hiding: a new technology which could be used to pass an attack inside an image, voice recording or legitimate text (which appears valid from the standpoint of security). There are many ways to hide information, and hidden information is very difficult to detect.
8. eCommerce: includes ePayment and eBanking. It is an advanced industry that will be a major target for hackers and for all other types of threats.
Required Strategy: Protective measures are required for both types of threat, expected and unexpected. Therefore, an advanced strategy needs to be developed through the following:
1. Identify targets and vulnerability: Most organizations have not defined the components of the infrastructure necessary to achieve their objectives. None of these organizations is fully equipped to deal with its vulnerability, which is scientifically called Minimum Essential Infrastructure (MEI), or has developed plans to address this vulnerability.
2. Increase information sharing between the public and private sectors: If both the government and the private sector are targets for intruders and hackers, it is very reasonable for both of them (government and private) to exchange and share information with each other.
3. Improve analysis and warning capabilities: our ability to analyze information and develop an effective warning process directly affects our ability to defend our national infrastructure.
A proposal for protection actions: to implement security measures in eGovernment applications, systems need to be designed with the following specifications:
1. Develop advanced specifications and standards for security systems.
2. Security systems need to be compatible with each other, so that they can be transferred to and implemented in different institutions.
3. Systems need to be unified to facilitate work and reduce the cost of training for the application.
To keep security applications in step with the evolution of computer systems, and to monitor and follow up intrusions, we must use advanced hardware and software technology. As stated previously, it is impossible for one security system to protect an information system against several computer threats. It is possible, however, to have multiple protection measures under a single security policy. We propose some important issues to be included in the security plan:
1. Intrusion Detection System: this system has evolved considerably with the evolution of computers and communications. It can detect and stop an intrusion and, if the intruder succeeds, it tracks the impact of the intrusion, providing a significant source of information for filling the security gaps.
2. Encryption: still evolving to ensure protection of information stored and shared between institutions.
3. Biometrics: fingerprint, retina and DNA are means that can be used to verify users, in addition to traditional digital means of verification, depending on the value of the information circulating in the information system.
4. Digital Signature: an effective means of verifying the sender or recipient, with the further benefit of acknowledgment (on the part of the sender or recipient).
5. Information Hiding and Watermark: intellectual property (IP) and individual rights can be maintained by placing a watermark on documents to prove ownership.
6. Firewalls: an effective means of protecting the trusted internal network from the Internet and external networks. These walls prevent the entry of intruders and also ensure that information is sent only to its destination.
7. Anti-virus: viruses have evolved considerably and have become a threat to information systems that must be combated in real time. For a large application such as eGovernment, it is preferable to have a separate centre to follow up viruses.
8. E-mail: e-mail is now a cornerstone of eGovernment applications and a target for many threats; therefore, more measures should be included in the protection system, in terms of identity verification, encryption algorithms and server certificates.
9. Web site: website protection is very important, especially against the threat of interruption of service; therefore, code validity for the site is important.
* Say Yes to e-Government e-Magazine, No. 6, Kingdom of Bahrain, 13/7/2008.