Yesterday’s post on Identity Management got quite a few good responses–thanks. Here’s a lengthy excerpt of the draft version of what we will submit to the CSIA regarding convergence. The entire section is here on our wiki. Please take the time to read and comment–any howlers in here?

Convergence represents both the greatest opportunity for service delivery and the greatest potential threat to information assurance in our broad basket of subject areas.
Our information gathering exercise identified five different areas of convergence. Broadly, they include:
• General: Convergence (converged environments/networks) defines a multi-media environment and/or network where signals regardless of type (i.e. voice, quality audio, video, data, etc.) and encoding methodology may be seamlessly exchanged between independent endpoints with similar characteristics.
• Media: A theory in communications where every mass medium eventually merges to the point where they become one medium due to the advent of new communication technologies
• IP: The migration of multiple legacy networks of data, voice, images and video into a singe integrated IP based network which facilitates higher efficiency in operational management and utilization of a network.
• Technological: The modern presence of a vast array of different types of technology to perform very similar tasks. Also included in this topic is the basis of computer networks, wherein many different operating systems are able to communicate via different protocols.
• Fixed Mobile: Fixed and mobile telephony convergence aims to provide both services with a single phone, which could switch between networks ad hoc.
Each of these different areas are moving quickly and several impact upon each other.

Key Findings

Each of the above contributes to a broadly similar set of issues relating to information assurance
1. Physical security of information: The increasing capabilities and smaller size of devices with access to networks and sensitive information (miniaturization is discussed elsewhere) makes theft, hacking or corruption easier and hence more likely.
2. Non-physical security issues: Attacks against one network using IP may degrade performance of other networks sharing the same infrastructure, due to:
3. Network dependence: The Internet was famously designed as a back-up communications system for use in case of catastrophic failure of traditional communications via telephone and radio. As more information flows migrate to the Internet, capacity issues are already evident. In future, if satellite broadcasting is abandoned for IPTV or wireless access to telecommunications services makes copper connection to homes redundant, an over-reliance on the infrastructure of the Internet introduces vulnerability to attack. What will be the back-up for the Internet?
4. As services converge, some of them will be life-critical to citizens: IP 999 services, telemetrics for those with chronic diseases, etc. As more devices converge around a single physical platform and single network, the number and importance of services will increase, as will their vulnerability to network failure. (This relates to identity management, as access denial can have health consequences.)
5. Although in one sense convergence provides new and exciting opportunities, dealing with convergence issues may impose unforeseen costs on government services. To give just one example, as technical capabilities make it possible to offer more services to the disabled and elderly, political pressure to provide these services may be strong. Adapting service delivery to account for convergence may be expensive. Certainly, dealing with threat to information assurance programmes will not be trivial.
6. As convergence will evolve over time, and may include divergence (see below), dealing with related issues will in all probability take time and effort.

Divergence

A related concept involving emerging technology is Divergence. Following the combination of diverse tools into single devices and migration to the most appropriate delivery platform, a new set of innovation involving single purpose tools for more efficient delivery is sure to follow. Some of these will present particular opportunities for public service delivery, notably for disabled citizens, but also for field workers of government agencies.

Implications for UK Government

Our recommendations regarding convergence might seem schizophrenic, on the one hand urging a bunker mentality towards information security, and on the other hand recommending greater openness and flexibility in insuring government’s ability to deliver services capable of meeting users’ needs. However, convergence issues will present a significant challenge to government, and will likely require cross-departmental co-operation to manage. The key will be to keep services open and flexible, but information secure and redundant.
• Mothball programme. Preparations should begin now for the preservation of non-electronic service delivery mechanisms that might be abandoned by public and private sector organisations, including:
o Broadcasting capabilities
o Physical connections to home and business (or transition to utility companies)
o Switching networks for telephony
• Agreement amongst all network users on prioritized cut-out list in case of emergency, with automatic cascading cut-offs with pre-agreed triggers and a named individual or organisation responsible for initiating a cut-off sequence and notification of affected parties when cut-off occurs.
• Security protocols should be strengthened in advance of the introduction of converged devices with new capabilities:
o Suppression of wireless communications capabilities in locations with access to sensitive data or systems
o Disabling access to internal networks from unauthorized devices
o Disabling auxiliary ports on computing devices with access to sensitive information, including floppy disc drives, CD-ROM, DVD and USB ports.
o Removing Bluetooth and other low-power radio access capabilities from devices with access to sensitive information
o Packet-sniffing on utility connections

Citizen Centric

From the citizen’s point of view, as more services are delivered online and more citizens elect to use electronic transactions, they (we) will have different expectations due to convergence:
• Will I be able to access and transact with government using non-computing devices?
• Will all government services converge on online delivery? What if we don’t want that?
• Can I get 24/7 availability of all government services as reliably as provided by the best companies?
• Can convergence help us to deal with access issues for the disabled?