Authorities, public sector and the military have traditionally designed their solutions, including IT systems because they believe they have special needs. One of the latest examples has been how different governments have planned their own COVID mobile apps. Nowadays, many governments have learned to adopt standard solutions, but have expensive consultants to tailor these solutions. The question is – could the public sector utilize commercially available standard solutions?
We have all heard of horror stories from public sector IT projects. There are also successful projects, but special solutions simply cannot be developed as fast as solutions that have a more significant number of users. My history of public sector solutions started in the 1990’s when I had an important role in specifying TETRA networks that were designed for public safety and security users like police, health care and fire brigades. It was then a truly state-of-the-art solution that is still in use today, but the development of mobile networks and terminals has been so rapid it is hard to keep such a dedicated network competitive.
Health care is one sector where many governments have invested vast amounts of money in developing systems. Quite often, those solutions are outdated by the time they are released. At the same time, the use of Google’s solutions for health care have raised a lot of concerns. Can people and governments trust Google not to misuse data that it stores and analyzes to develops AI solutions that better predict and treat diseases?
One fundamental component for digital services is identification. The digital identification market is akin to the ‘wild west’. Some governments utilize external private company’s identification for their services, like the UK tax office. You can choose one of the many privately operated services to register on the tax portal and file your documents. In Finland, the digital identification is almost totally outsourced to local banks that together operate a solution to identify users. Estonia is an example where they have created globally available e-identity and e-residency solutions that are also used by private companies for identifying users.
Even the use of cloud services is still murky territory in the public sector (although it is the same situation in several corporations too). Many public sector organizations hesitate to use public clouds but might be ready to use private clouds and single-tenant solutions. At the same time, especially in the USA, security agencies and military organizations have used cloud services for many years.
For COVID apps, Apple and Google have developed operating system support and functionality that makes it easier to produce those apps. App reliability is often questioned starting with issues around Bluetooth and if they function differently in different devices. Several governments have decided to have local applications based on Apple’s and Google’s functionality. For example, the UK’s app is based on that support, but France has decided to develop a completely independent app. The French app appears to have many more unanswered questions about privacy, and its adoption rate has been low.
The military has traditionally wanted to have its own dedicated devices and solutions for all its needs, but this has always been an expensive option, and international crises and war scenarios are constantly changing. Each country must somehow be prepared to work independently (or with its close allies), but with the current globalization and the open internet, it is very limited what most countries could do if they were totally isolated. Ukraine’s situation, for example, has shown how a limited war can mean most of the infrastructure, like the internet and mobile networks is utilized.
These examples raise questions related to solutions used in the public sector, and it is difficult to see what standard model could be adopted by all governments. It quickly becomes a political question.
Maybe some basic principles could work. With most information networks and IT infrastructure, hardware has become a commodity (except special military standard needs). But the same happens in software, too, from the lower layers of stacks and goes up all the time.
Security doesn’t necessarily depend on whether you have your own servers or use the cloud. It doesn’t depend on whether you build everything from scratch or use lower layers (e.g. operating system) functionality. And people don’t necessarily feel it is safer to use public sector services, they are more concerned if they can personally control what they use, how and where their data is kept and who can use it. And how they can verify its access and use?
The question is, who can offer transparent and auditable solutions and offer enough control to the application layer and users. Whether it is about the user’s data, identity, healthcare, security or trust network, transparency and user control should be the design principles, not to try and build expensive one-purpose black boxes. This model also offers much better opportunities to develop and update systems faster and control costs.
The future belongs to those who develop open and transparent services, open APIs, open-source stacks and developer tools to build dedicated high-security solutions on the top and give ultimate control to the users.