E-Government and Security Issues

As previously discussed, all branches of federal government are required by law to migrate their business practices to a paperless operation. In implementing the new e-procurement way of contracting, it is clear that there is a need to ensure the confidentiality, security, and authentication of information exchanged between government and its contractors in the electronic environment.

The DoD, the buying giant of the federal government, has addressed the need for security in the e-government environment by adopting a mandatory system, referred to as "public key infrastructure" (PKI). PKI allows DoD to electronically communicate with industry by enabling paperless, secure, private electronic business contracting. In addition to adoption by DoD, PKI use is expanding at all levels, including federal, state, and local levels of government as well as in the private sector.

What is PKI? It works much like a realtor's lockbox. Under this arrangement, the seller has agreed to "trust" the realtor to gain access, via a key or combination to a lockbox, and show the home to prospective buyers when the seller is away.

PKI uses a process similar to the realtor's lockbox, although in this case the lockbox is digital and is stored on computers. For government contracting purposes, a unique PKI digital identity certificate file is issued to a contractor's authorized officer or agent. In essence, this PKI digital certificate file verifies that the contractor is in fact authorized to conduct business electronically with the government contracting office. In this way, PKI helps the contracting parties to establish a "trust relationship" while doing business via computers in a virtual world, and digitally protects the information assets of both parties in much the same way a lockbox protects the seller from allowing just anyone to enter the home while still providing access to the "trusted" parties and potential buyers.

In addition to ensuring the security of the electronic information at all times during transit through shared networks and storage on network servers and desktop hard drives, it ensures that the document being signed and sent online is from the company or person authorized to provide the information within the electronic document, that the document is legally signed in accordance with current federal and state laws, that the document has not been altered since being completed and electronically signed, and that the electronic document is time-stamped and requires an electronic return receipt.

What PKI Means to You

At this point, you may be wondering how all of this could affect you. Here are answers to the questions businesses most often ask about PKI.

Why not just use a PIN number? While a number of government agencies have successfully used PINs to provide security in innovative applications, particularly the Securities and Exchange Commission for regulatory filings and the Internal Revenue Service for tax filings, they are planning for an eventual transfer to digital signatures. PKI technology fosters interoperability across numerous applications--PIN numbers can't do that.

Are you required to get PKI-certified in order to do business with the government? It's only a matter of time. The plan under federal e-government initiatives is to ultimately provide all U.S. citizens and companies interested in procurement activities with a single entry point to all government online services and information through www.FirstGov.gov, a web portal from which anyone can access virtually all federal government information. The ability for a citizen to access information will be based on the nature and sensitivity of the information being accessed. Government contracting with federal agencies falls into the area that will require a PKI digital certificate authenticating the identity of the online user and insuring they have the authority to access and provide secure online data and documentation when required.

Does it cost anything to get PKI certification? There is no charge. It's just a matter of downloading and filling out a form from one of various sites. How do you get a digital ID or learn more? Microsoft Corp. in conjunction with Verisign.com has enabled their email applications, Outlook Express and Outlook 2000, to install PKI certificates. Microsoft and Verisign have also enabled Office XP and a number of versions of Internet Explorer browsers to include PKI digital certificates.

Visit the Microsoft web site for more information on how to get your own certificate here. The following web sites can give you more detailed information on the various PKI programs for GSA, DoD, and the State of Illinois:

• The Rise of the e-Citizen: How People Use Government Agencies' Web Sites
• GSA's ACES, What is ACES
• DoD eMall
• DoD e-Business Exchange System
• State of Illinois PKI Digital Signature Project

Security is, and will continue to be, an issue in many aspects of our lives, including e-business. Although digital authorization is not currently a requirement, it certainly may be one day. It's a good idea to keep yourself informed about changes and developments. In the next several years, you will start to see more adoption of digital identities through the government implementation of Homeland Security policies.

With the surge in identity theft, you'll see an increase in PKI. If you are going to do any type of business on the Internet, you'll need to protect yourself and your company. It will cost you little-to-nothing to get there. It only takes a little time and effort.