[LINK] Quality & Security Implications of Govt Outsourcing

Roger Clarke Roger.Clarke at xamax.com.au
Fri May 6 12:11:49 AEST 2011


The SMH today carries reports on two remarkable instances of 
incompetence in public sector outsourcing.


No. 1 involves low-quality software combined with appallingly low QA 
processes, by Accenture, for the ATO, as perceived by the 
Inspector-General of Taxation:

Taxpayers used as guinea pigs to test faulty computer system
Peter Martin
The Sydney Morning Herald
May 6, 2011
http://www.smh.com.au/technology/technology-news/taxpayers-used-as-guinea-pigs-to-test-faulty-computer-system-20110505-1ead3.html


No. 2 involves 'security theatre' becoming 'theatre of the absurd'.

OTS - the agency that wants to install body scanners without 
justification - has been found by the ANAO to have failed to 
effectively administer an ID Card scheme for secure areas at airports 
and seaports.

Comments at end.

Ports security lacking due to card system
Date: May 06 2011
The Sydney Morning Herald
Dylan Welch
http://www.smh.com.au/national/ports-security-lacking-due-to-card-system-20110505-1eac6.html?skin=text-only

TENS of thousands of people are able to come and go from secure zones 
at Australia's air and sea ports without security checks because of 
failures by the government body established to oversee transport 
security.

The statement was made in the latest audit of the Office of Transport 
Security and the controversial maritime and aviation security 
identification cards, known as ASICs and MSICs.

More than 10,000 of the security cards have also not been recorded on 
the central AusCheck database, meaning out-of-date cards or possibly 
even fakes could be slipping through the net.

''Some of the risks ... could be better managed by [the Office of 
Transport Security],'' the Australian National Audit Office review 
states.

''These risks primarily relate to issuing bodies and visitor[s] ... and 
are inherent in the devolved nature of the schemes.''

The report found that the way the security cards were being issued 
has been compromised because there are more than 200 separate issuing 
bodies, nearly all private and few with direct contact with the 
people to whom they issue the cards.

The largest issuer of aviation cards other than Qantas, for example, 
is Aviation ID, a company based at Merimbula airport in southern NSW. 
It has issued more than 16,000 aviation cards, representing 13 per 
cent of all ASICs in Australia. But it issues most of those cards to 
people at 64 other airports, meaning there is no oversight of the 
people who receive the cards.

The audit office also referred to visitor identification cards, which 
are meant to be given only to people visiting secure areas 
infrequently. But the office established they were a widely used card 
and, given the lack of security checks undertaken on people who were 
given them, they became a possible means of circumventing security.

The report found that visitor identification cards were widely 
over-issued, and found that at one entry point at a major airport 
there were 40,000 issued in the 12 months to June last year of which 
90 per cent were issued to repeat users.

There are regulations under way to address the concerns around the 
card system, but those plans were considered as early as 2003 and 
have yet to be put in place.


[1.  This makes the closure of Sydney Airport recently look even 
*more* ridiculous.

[2.  The concepts of a Certification Authority (CA) and a 
Registration Authority (RA) are as relevant here as they are in the 
(mostly failed) digital signature schemes.  OTS has clearly failed 
its responsibility to establish standards for CAs and RAs, and to 
structure a process whereby CAs and RAs are certified and audited in 
order to enforce those standards.

[3.  Most Clth agencies are pure policy organisations.  They're 
disconnected from the real world, and have no operational expertise.

[They're also risk-averse, and design structures so that the agency 
is at least once-removed from operations that go wrong.  This is 
commonly achieved by the agency keeping the 'policy' responsibility, 
creating a QANGO and giving it the 'purchaser' responsibility, and 
having the QANGO outsource the actual work to a 'provider'.  And 
sometimes the design is first outsourced to another contractor.  That 
way the agency has plenty of other people to point the finger of 
blame at.

[A few agencies actually *do* things, however, such as Customs and 
AQIS.  You'd have expected OTS to have some expertise in real-world 
doings as well, but their performance in this matter is as farcical 
as that of the Dept of the Environment etc. in relation to Green 
Loans.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
                    Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
Visiting Professor in Computer Science    Australian National University
