e-Government: Security Threats

posted Nov 11, 2012, 9:46 AM by STC eGov   [ updated Aug 25, 2013, 7:29 PM by Carlos E. Jiménez ]

Hector D. Puyosa P.

IEEE eGovernment STC
e-mail: hector.puyosa@ieee.org

The term e-Government is defined by the Organization for Economic Cooperation and Development (OECD) as the use of new information and communication technologies (ICTs) by governments as applied to the full range of government functions. In particular, the networking potential offered by the Internet and related technologies has the potential to transform the structures and operation of government [1].

The effective management of information security is a key factor, as the willingness of the different users (citizens and other parties) to use e-Government services will depend heavily on the trust they have in the data security of these services.

As stated in [2], a central challenge of e-Government services is how new technology can be used not only to increase efficiency for public administration, but also to strengthen confidence in privacy measures by creating mutual transparency between public administration and citizens.

The process approach for an information security management system (ISMS) presented in [3] encourages its users to emphasize the importance of:

  • understanding an organization’s information security requirements and the need to establish policy and objectives for information security;
  • implementing and operating controls to manage an organization's information security risks in the context of the organization’s overall business risks;
  • monitoring and reviewing the performance and effectiveness of the ISMS;
  • continual improvement based on objective measurement.

Data security rests on a set of security requirements:

  • Authentication: capability to identify who is using the services (a person or a software program). The process of verifying that you are who you say you are.
  • Authorization: capability to grant access rights to resources. The process of verifying that someone has the right to do what they are trying to do.
  • Confidentiality: capability to prevent unauthorized access to information.
  • Integrity: capability to protect information from unauthorized modification, ensuring that information can be relied upon and is accurate and complete.
  • Traceability: capability to chronologically link any transaction to the person or system that performed the action, in a way that is verifiable.
  • Non-repudiation: capability to prevent the person or system involved in an event or action from denying or challenging their participation in it.

Examples of organizational and technical measures to prevent unauthorized access and processing are given in [4]:

  • Protecting premises, equipment and systems software, including input-output units
  • Protecting software applications used to process personal data
  • Preventing unauthorized access to personal data during transmission thereof, including transmission via telecommunication means and networks;
  • Ensuring effective methods of blocking, destruction, erasure, or anonymization of personal data;
  • Enabling subsequent determination of when individual personal data were entered into a filing system, used or otherwise processed, and the person responsible, for the period covered by statutory protection of the rights of an individual with regard to unauthorized supply or processing of personal data.

Although trusted security and privacy measures constitute a crucial success factor for e-Government, this has not yet been addressed: the UN 2012 Survey shows that only 20% of national portals clearly indicate the presence of security features. Europe leads, with 44% of countries displaying secure links on their national websites, but the survey does not consider regional and local websites, nor the many decentralized public organization web portals.

Services provided by e-Government to citizens, enterprises, public officers, government administrations and agencies via Internet and mobile connections are vulnerable to a variety of threats. Examples of cyber attacks using techniques such as packet sniffers, probes, malware, Internet infrastructure attacks, denial-of-service attacks, remote-to-local attacks and user-to-root attacks are detailed in [5].

As stated in [6], the successful adoption of an ISMS is important to protect information assets, allowing an organization to:

  • Achieve greater assurance that its information assets are adequately protected against information security risks on a continual basis
  • Maintain a structured and comprehensive framework for identifying and assessing information security risks, selecting and applying applicable controls, and measuring and improving their effectiveness;
  • Continually improve its control environment
  • Effectively achieve legal and regulatory compliance.

There are simple and well-known web application vulnerabilities that could be avoided, yet e-Government websites are still vulnerable to them. A research work [7] found that 81.6% of e-Government websites from 212 different countries were vulnerable to Cross-Site Scripting (XSS) and Structured Query Language (SQL) injection. A SQL injection attack can compromise data integrity, while XSS is a vulnerability that attackers may exploit to steal users' information.
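The following added example (not part of the original article) shows why both flaws are avoidable: the same two operations written with string concatenation and then with parameter binding and output encoding. The `citizens` table, the function names and the hostile inputs are constructed for illustration.

```python
import html
import sqlite3

# Constructed hostile inputs, for illustration only.
HOSTILE_ADDRESS = "x' --"
HOSTILE_NAME = "<script>alert(1)</script>"


def make_db():
    """In-memory registry holding two constructed citizen records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, address TEXT)")
    db.executemany("INSERT INTO citizens VALUES (?, ?)",
                   [(1, "1 Main St"), (2, "2 Oak Ave")])
    return db


def update_address_unsafe(db, citizen_id, new_address):
    # Vulnerable: input is concatenated into the SQL text, so a quote in
    # new_address ends the string literal and the rest is parsed as SQL.
    db.execute("UPDATE citizens SET address = '" + new_address +
               "' WHERE id = " + str(int(citizen_id)))


def update_address_safe(db, citizen_id, new_address):
    # Hardened: placeholders bind the input as data, never as SQL syntax.
    db.execute("UPDATE citizens SET address = ? WHERE id = ?",
               (new_address, citizen_id))


def addresses(db):
    return dict(db.execute("SELECT id, address FROM citizens ORDER BY id"))


def greeting_unsafe(name):
    # Vulnerable: markup in name is emitted as live HTML (reflected XSS).
    return "<p>Welcome, " + name + "</p>"


def greeting_safe(name):
    # Hardened: HTML-encode untrusted text before placing it in the page.
    return "<p>Welcome, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    for update in (update_address_unsafe, update_address_safe):
        db = make_db()
        update(db, 1, HOSTILE_ADDRESS)
        print(update.__name__, addresses(db))
    print(greeting_unsafe(HOSTILE_NAME))
    print(greeting_safe(HOSTILE_NAME))
```

In the unsafe update the trailing comment marker removes the `WHERE` clause, so one request overwrites every record, which is the loss of data integrity described above; the bound version stores the same text as a literal address for record 1 only.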

Specific security measures such as firewalls, intrusion detection software, encryption, and secure networks must be defined, designed and implemented for government agencies to provide the appropriate levels of security. But information security must also take into consideration the people and processes that rely on the systems. Employees with daily access to e-Government systems must be trained in cybersecurity, and this aspect must become part of their job. A study by the Department of Computer Science at Columbia University [8] shows how the human factor influences cybersecurity policies and how that work could be used to train government employees to improve the security posture of government departments and agencies.

The aim of this article is to highlight the need to implement an ISMS to provide e-Government services with the different levels of confidentiality, integrity and availability that are required by the different users, regardless of their literacy in electronic information technology. A lot of work has been done, but more is needed to secure e-Government applications.

To protect e-Government systems, current information security best practices shall be used. Security policies, practices and procedures must be in place, together with security technology that helps to protect e-Government systems against attack and to detect abnormal activities in services, and a proven contingency plan must be in place.

Fundamental factors are a proper public-key infrastructure providing the required level of authentication and integrity, and a continuous awareness and training program to ensure that people understand security threats, know how to identify potential issues and behave accordingly to maintain a secure e-Government service.

[1] Organisation for Economic Co-operation and Development, Public Management Service, PUMA  16/ANN/Rev1 (2001). “E-Government: analysis framework and methodology”. http://search.oecd.org/officialdocuments/publicdisplaydocumentpdf/?cote=PUMA(2001)16/ANN/REV1&docLanguage=En (Link at 21-October-2012)
[2] United Nations, Department of Economic and Social Affairs (2012). “E-Government Survey 2012. E-Government for the People”. ISBN: 978-92-1-123190-8. http://unpan1.un.org/intradoc/groups/public/documents/un/unpan048065.pdf (Link at 21-October-2012).
[3] ISO/IEC 2700:2005 (2009). Information technology — Security techniques — Information security management systems — Requirements.
[4] Chatzidimitriou, Marios and Adamantios Koumpis (2008). “Marketing One-stop E-Government Solutions: the European OneStopGov Project”. IAENG International Journal of Computer Science, 35:1, IJCS_35_1_11. (Advance online publication: 19 February). http://www.iaeng.org/IJCS/issues_v35/issue_1/IJCS_35_1_11.pdf
[5] Shailendra, Sing; Singh Karaulia (2011). “E-Governance: Information Security Issues”. International Conference on Computer Science and Information Technology (ICCSIT’2011). http://psrcentre.org/images/extraimages/1211468.pdf
[6] ISO/IEC 2700:2009 (2009). Information technology — Security techniques — Information security management systems — Overview and vocabulary.
[7] Vebjørn Moen, André N. Klingsheim, Kent Inge Fagerland Simonsen, and Kjell Jørgen Hole (2007). “Vulnerabilities in e-governments”. International Journal of Electronic Security and Digital Forensics, vol. 1, issue 1, pages 89-100. http://www.nowires.org/Papers-PDF/ICGeS_egov.pdf
[8] Brian M. Bowen, Ramaswamy Devarajan, Salvatore Stolfo (2012). “Measuring the Human Factor of Cyber Security”. Homeland Security Affairs, Supplement 5, article 2. http://academiccommons.columbia.edu/catalog/ac%3A142664