Tue, Sep 24, 2019 - Page 8

New IDs have fatal security flaw

By Lin Tsung-nan and Li Jung-shian 林宗男,李忠憲

The upgraded electronic national identification cards (eID) to be issued in October next year are multifunctional, integrating Citizen Digital Certificates, National Health Insurance cards and driver’s licenses.

The Ministry of the Interior says that the integrated data will end the inconvenience of carrying so many cards and that “there will be absolutely no information security problem, so the public can rest assured,” as the data would be protected by encryption and only accessible with a password.

However, supporters of the ministry’s policy have turned a blind eye to the potential threat to information security because of the convenience brought by digitized administration. They justify their support despite the risk by saying that “all innovations come with a price.”

The government’s digitization policy would spread information on taxes, subsidies, vehicles, labor insurance, national health insurance and other facets of people’s lives across the ministries of finance, interior, transportation and communications, health and welfare and others.

However, the “convenience” of eIDs to log in to online services is worrying. The cards will become an Achilles’ heel of the national digitization policy if the risks of centralized design are not addressed.

People typically use multiple online services, such as Gmail, work or school e-mail, cloud storage, online banking and online shopping. It is convenient to use the same password for these accounts, but anyone who has even the faintest awareness of information security knows that is dangerous — if a work e-mail were hacked, the data on all of their accounts would be vulnerable. When digital assets are stolen in this manner, that affects a single person. However, if people are to use an integrated eID to access government services — a situation known as a single point of failure — that would make it easy for hackers to steal the personal data of all Taiwanese.

Top information officials in the government usually do not have a clear understanding of information security. Even those who have passed the national senior civil service examination usually have had limited experience with technology. Their only trick for managing information security is to outsource it. When a problem occurs, the contractor is responsible for resolving it.

Surely a single point of failure is a considerable security risk, even a national security threat. Which civil servant would be held accountable if it were to be exploited — and how?

Anyone with an understanding of information security knows that no system is 100 percent secure. Information security is neither a single product nor a project with a dedicated technician in charge, but a top-down management system.

Information security has both technical and management aspects. There are always technical problems, and even if it were possible to provide technologies that were 100 percent secure, management would remain the main risk: the human factor is the weakest link in every system.

This is especially true when the management of national information security does not involve a security clearance system; when there are no regulations to clearly define who has access to sensitive and confidential information; and when there are not sufficient penalties to deter and punish the leaking of sensitive information and personal data.


