[LINK] Quality & Security Implications of Govt Outsourcing

Frank O'Connor francisoconnor3 at bigpond.com
Fri May 6 17:06:52 AEST 2011


Murphy's Law applies in spades to government IT systems.

Bottom line: Their assessment, implementation and 
development methods have REAL shortcomings: the 
suits get in the way at every opportunity 
attempting to 'stamp their mark' on whatever is 
being purchased/installed, 'feature creep' is the 
real name of the development game, they have no 
concept of small iterations of feature addition 
and rather want their big humungous uber-Systems 
from Day 1 (because that's where the Big Money is 
for budgets and ensures that the Empires 
continue), and they have little or no 
appreciation of the idea that the more 
prospective points of failure the humungous 
system that they want entails ... the more likely 
it will fail.

It's more surprising to me when a public service 
IT system comes in on-budget, on time and working 
to specifications (or even close to design 
specifications) than it is when they routinely 
crash and burn taking hundreds or billions of 
dollars in public funds with them. So, the 
security and other implications of Point 2 don't 
really worry me, because it's highly unlikely the 
system as outlined will ever see the light of day.

Finally ... I don't expect Point 3 to rectify itself anytime soon.

In future could we limit comment on government IT 
systems to those that actually work, that add to 
the quality of our lives, and that serve the twin 
purposes of efficiency and effectiveness in 
delivering government services?

There ... there'll be no more comment on public 
service IT for at least a decade or two.    :)

				Regards,
---
At 12:11 PM +1000 6/5/11, Roger Clarke wrote:
>The SMH today carries reports on two remarkable instances of
>incompetence in public sector outsourcing.
>
>
>No. 1 involves low-quality software combined with appallingly low QA
>processes, by Accenture, for the ATO, as perceived by the
>Inspector-General of Taxation:
>
>Taxpayers used as guinea pigs to test faulty computer system
>Peter Martin
>The Sydney Morning Herald
>May 6, 2011
>http://www.smh.com.au/technology/technology-news/taxpayers-used-as-guinea-pigs-to-test-faulty-computer-system-20110505-1ead3.html
>
>
>No. 2 involves 'security theatre' becoming 'theatre of the absurd'.
>
>OTS - the agency that wants to install body scanners without
>justification - has been found by the ANAO to have failed to
>effectively administer an ID Card scheme for secure areas at airports
>and seaports.
>
>Comments at end.
>
>Ports security lacking due to card system
>Date: May 06 2011
>The Sydney Morning Herald
>Dylan Welch
>http://www.smh.com.au/national/ports-security-lacking-due-to-card-system-20110505-1eac6.html?skin=text-only
>
>TENS of thousands of people are able to come and go from secure zones
>at Australia's air and sea ports without security checks because of
>failures by the government body established to oversee transport
>security.
>
>The statement was made in the latest audit of the Office of Transport
>Security and the controversial maritime and aviation security
>identification cards, known as ASICs and MSICs.
>
>More than 10,000 of the security cards have also not been recorded on
>the central AusCheck database, meaning out-of-date cards or possibly
>even fakes could be slipping through the net.
>
>''Some of the risks ... could be better managed by [the Office of
>Transport Security],'' the Australian National Audit Office review
>states.
>
>''These risks primarily relate to issuing bodies and visitor[s] ... and
>are inherent in the devolved nature of the schemes.''
>
>The report found that the way the security cards were being issued
>has been compromised because there are more than 200 separate issuing
>bodies, nearly all private and few with direct contact with the
>people to whom they issue the cards.
>
>The largest issuer of aviation cards other than Qantas, for example,
>is Aviation ID, a company based at Merimbula airport in southern NSW.
>It has issued more than 16,000 aviation cards, representing 13 per
>cent of all ASICs in Australia. But it issues most of those cards to
>people at 64 other airports, meaning there is no oversight of the
>people who receive the cards.
>
>The audit office also referred to visitor identification cards, which
>are meant to be given only to people visiting secure areas
>infrequently. But the office established they were a widely used card
>and, given the lack of security checks undertaken on people who were
>given them, they became a possible means of circumventing security.
>
>The report found that visitor identification cards were widely
>over-issued, and found that at one entry point at a major airport
>there were 40,000 issued in the 12 months to June last year of which
>90 per cent were issued to repeat users.
>
>There are regulations under way to address the concerns around the
>card system, but those plans were considered as early as 2003 and
>have yet to be put in place.
>
>
>[1.  This makes the closure of Sydney Airport recently look even
>*more* ridiculous.
>
>[2.  The concepts of a Certification Authority (CA) and a
>Registration Authority (RA) are as relevant here as they are in the
>(mostly failed) digital signature schemes.  OTS has clearly failed
>its responsibility to establish standards for CAs and RAs, and to
>structure a process whereby CAs and RAs are certified and audited in
>order to enforce those standards.
>
>[3.  Most Clth agencies are pure policy organisations.  They're
>disconnected from the real world, and have no operational expertise.
>
>[They're also risk-averse, and design structures so that the agency
>is at least once-removed from operations that go wrong.  This is
>commonly achieved by the agency keeping the 'policy' responsibility,
>creating a QANGO and giving it the 'purchaser' responsibility, and
>having the QANGO outsource the actual work to a 'provider'.  And
>sometimes the design is first outsourced to another contractor.  That
>way the agency has plenty of other people to point the finger of
>blame at.
>
>[A few agencies actually *do* things, however, such as Customs and
>AQIS.  You'd have expected OTS to have some expertise in real-world
>doings as well, but their performance in this matter is as farcical
>as that of the Dept of the Environment etc. in relation to Green
>Loans.
>
>
>--
>Roger Clarke                                 http://www.rogerclarke.com/
>			           
>Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
>                     Tel: +61 2 6288 1472, and 6288 6916
>mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/
>
>Visiting Professor in the Cyberspace Law & Policy Centre      Uni of NSW
>Visiting Professor in Computer Science    Australian National University