Management Summary of KPMG Report on Public Key Infrastructure, May 2001
Chapter 1 on PKI
Preliminary PKI study on requirements and
comparable initiatives in other countries.
The Icelandic government is promoting the use of Internet-technology to enhance the government’s service delivery as well as its internal operations. However, the potential for improvements in service delivery and internal operations come with many of the security risks faced by existing systems as well as with new risks. In some cases, the sensitive information and communications that may be involved in these activities will require greater security assurances than can be provided by security measures as are implemented today (e.g. requiring passwords to gain access to a system).One of the ways to offer these higher security assurances is through deploying a so-called Public Key Infrastructure (PKI). A PKI is made up of organizational and technical components that allow for the use of digital signatures, digital IDs and encryption which together provide a range of security services.
Recognising the aforementioned, the Icelandic Treasury Department established a committee to make suggestions for a government wide PKI and set the course on the use of digital signatures in the government system. As a first step the committee performed a study with the following two main objectives:
- To identify the specific security requirements of the government of Iceland relating to the electronic communications both within the government and with external parties (business and citizens) with respect to using a PKI to fulfil these.
- To provide an overview of governmental PKI approaches in Canada, the Netherlands and Sweden.
To fulfil the first objective, interviews where conducted with over 15 organisations (most of them governmental) including Statistics Iceland, the Tax Office, Directorate of Customs, the Data Protection Agency, the Office for Vehicle Registration and a number of Health related organisations. It is important to note that the study did not cover an inventoryation of all initiatives or potential PKI usage, but aimed at providing a basis for decisions by the government regarding the use of PKI-technology.
The results of these interviews show that:
- Almost all governmental organisations have identified ways to use the Internet-technology and the majority of the organisations interviewed have initiated projects to that end. The main goals are to increase efficiency (amongst others by replacing paper-based communication by digital communication) and improved quality of service.
- In each of the domains (Government internal, Government-Business, Government-Citizen) all applications require varying levels of confidentiality, integrity, authentication and non-repudiation. However, all applications have such a mix of requirements that there is always at least one of these trust aspects that scores high and at least one that scores medium level.
- Digital certificates are considered to be the preferred solution by almost all interviewed organisations to fulfil their security requirements, and these organisations expect to initiate such a solution in the (near) future.
Discussions with some of the Icelandic banks learned that they are preparing PKI deployments as well as being willing to co-operate with the government on this subject.
Desk research and interviews with the project leaders of the Dutch and Swedish governmental PKI projects have been performed for the second objective of this study. As a first step the e-government approaches of Canada, the Netherlands and Sweden where studied. This showed that all three countries have this subject ‘high on the agenda’. When looking at the PKI initiatives in these countries it became clear that Canada is at least a few years ahead in using PKI technology for e-government applications. The type of applications identified are to a large extent similar to those anticipated in Iceland, supporting the conclusion that Iceland may benefit from using PKI technology as well. Though the Netherlands and Sweden are not nearly as far as Canada, they also have a clear view that PKI technology is required to be able to fulfil the security needs of e-government applications. In both Canada and the Netherlands a co-ordinating infrastructure (made of both organizational and legal standards and technology) is put in place to facilitate departments that want to use PKI technology. By using a common approach and standards, the result is an interoperable infrastructure. In Sweden a simpler model is used, defining a government certificate for citizens that can be issued by multiple private organizations.
Based on the findings above it is concluded that there exists a need for PKI technology for deploying Iceland’s e-government applications. Establishing a PKI requires substantial effort and time and therefore further governmental action on this matter should commence shortly to be able to service the governmental departments and agencies when required. It is important that the government starts building internal expertise on the subject of PKI to allow for a effective deployment and operations.
The steps taken as part of this study can be seen as the initial steps in the process of developing the PKI approach for the government of Iceland. We recommend that the following step is a strategic study into the different alternative scenarios for the PKI approach. This study should take legal and financial consequences into account aimed at choosing the most favourable and feasible scenario. It is further recommended to use a phased approach for the PKI deployment and to start with a limited number of pilot projects in areas where a successful implementation is most likely. The results of these projects will provide valuable insights and expertise for sub sequential government-led PKI deployments.