Archive for October, 2018

Should HKS mandate stakeholders to use LastPass? A discussion on cyber-security.

Tuesday, October 23rd, 2018

In the 1987 sci-fi comedy Spaceballs, the character Dark Helmet, after being told the combination to the air shield’s lock, remarks, “So the combination is, one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! That’s the kind of thing an idiot would have on his luggage!” Most web applications today would discourage users from having such a short password. Nonetheless, according to Security Magazine, the worst password of 2017, for the second year in a row, remained “123456”. Another telling example is Kanye West’s inadvertent leak of his iCloud password when he unlocked his phone live on video, revealing his passcode to everyone watching. This goes to show that many system users are, for various reasons, very sloppy when it comes to protecting data and restricting access to information. As a result, they continue to protect their online accounts with weak, easy-to-crack passwords.

In general, a system is only as strong as its weakest link. This is as true for individual ICT users as it is for organisations. It means that a lot of online data is still very vulnerable to hacking and a lot of online systems remain open to intrusion. It is therefore entirely possible for an institution such as HKS and its stakeholder users to spend a lot of money on security systems and still not be truly secure, because of vulnerabilities that persist, especially at the human level. This matters all the more because, by its very nature, as host to strategic experts, former cabinet officials, leading global security and international relations resource persons, and generally as a repository of groundbreaking know-how, some of it proprietary or of a strategic nature, the school is a potential target for cyber attacks.

Because most users need multiple passwords to access different online resources, many end up reusing the same password across several platforms, in some cases simplifying it so that it is easy to remember. Password managers address this challenge by storing the many passwords in one place. A password manager keeps the login details for online applications and websites and logs into them automatically, so that one no longer needs to remember every password. This works by encrypting the stored passwords under a single master password, so that the master password is the only one the user has to remember. This is very convenient. Given that convenience, the question arises: should HKS make a password manager mandatory for its system stakeholders?
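To make the master-password mechanism concrete, here is an added example (neither LastPass’s code nor the post’s own) of a minimal vault in Go using only the standard library: the master password is stretched with PBKDF2-HMAC-SHA256 into an AES-256 key, and the stored entries are sealed with AES-GCM, so a wrong master password is rejected outright rather than yielding garbage. The master password, iteration count and the “site\tpassword” entry format are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Vault is the stored/synced form: Salt and Nonce are public, Blob is AES-256-GCM ciphertext plus tag.
type Vault struct{ Salt, Nonce, Blob []byte }

// deriveKey: PBKDF2-HMAC-SHA256, one 32-byte output block, written inline so the example is stdlib-only.
func deriveKey(master string, salt []byte, iters int) []byte {
	prf := hmac.New(sha256.New, []byte(master))
	prf.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// gcm builds the AEAD; NewCipher/NewGCM only fail on bad sizes, which a 32-byte key and AES rule out.
func gcm(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey(master, salt, 100000))
	g, _ := cipher.NewGCM(block)
	return g
}

// Seal encrypts the serialized entries (e.g. "site\tpassword\n" lines) with a fresh salt and nonce.
func Seal(master string, entries []byte) *Vault {
	v := &Vault{Salt: make([]byte, 16), Nonce: make([]byte, 12)}
	rand.Read(v.Salt)
	rand.Read(v.Nonce)
	v.Blob = gcm(master, v.Salt).Seal(nil, v.Nonce, entries, nil)
	return v
}

// Open returns an error on a wrong master password or a tampered blob (GCM tag check), never partial plaintext.
func Open(master string, v *Vault) ([]byte, error) {
	return gcm(master, v.Salt).Open(nil, v.Nonce, v.Blob, nil)
}
```

Everything in the vault reduces to the strength of that one master password: a master password as weak as “123456” would undo the protection regardless of the cipher used.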

Password management solutions have vulnerabilities of their own, depending on how they are engineered. As Schneier argues, despite the possible flaws of password managers, they remain a convenient way of managing complex passwords, which has to be weighed against the reality that users otherwise tend to pick weak and vulnerable passwords.

Back to the question: should LastPass be mandatory or not? The answer depends on the totality of the defenses against cyberthreats such as hacking. In the case of HKS, there are multiple layers of security. The first is HarvardKey, Harvard University’s unified user credential, which uniquely identifies users and grants them access to applications and services. The second layer is the mandatory two-factor authentication that requires users to confirm their login through verification on a second device. LastPass would therefore be a further, additional layer, most useful for access to non-HKS online resources. On this basis, I argue that LastPass should be encouraged, but not mandated.

Yet there are further reasons not to make LastPass mandatory.

Mandating LastPass would amount to mandating a specific vendor’s solution, flaws included. LastPass, like other password managers, comes with its own vulnerabilities which, even though they get patched from time to time, have been exploited by hackers. For example, in 2016 a hacker blogged about how he harvested LastPass passwords. The fact that password managers save users the headache of logging in by doing it for them automatically does not mean they are immune to security breaches.

Hacking of passwords is an adversarial act, which may be motivated by curiosity, obsession, boredom, thrill-seeking, warfare, malice, revenge, the pursuit of money, self-promotion, and various other motives. Making one password management solution mandatory exposes all users to LastPass’s own technological weaknesses as soon as an adversary identifies them.

In addition, besides blurring the boundary between public and private spaces, since passwords for all sorts of applications end up stored in the same solution, LastPass, like other password managers in its category, also allows syncing across multiple devices, which amplifies the risk of attack via password syncing, as highlighted by Silver and others. Such synchronisation opens up the risk of password extraction from multiple devices.

Cyber-security threats at HKS are potentially high. Multiple security layers already protect and restrict access to Harvard-specific resources. Users at HKS can use LastPass to manage their passwords, both for personal online access and for HKS-related access. However, the foregoing arguments show that, though desirable, it is not necessary to mandate the use of LastPass as the password management solution at Harvard.

Government as a Platform: Rethinking government in Massachusetts.

Friday, October 5th, 2018

Towards a Massachusetts 2.0
Governments everywhere face increasing complexity in delivering a good standard of service against a backdrop of global challenges such as natural disasters, economic turbulence, climate change, trade wars, energy shortages and demographic change, among other factors. This bears on federal authorities as much as it does on state governments, and the state of Massachusetts is no exception. In light of these dynamics, harnessing technology to deliver services to increasingly discerning state citizens becomes a necessity for efficient service delivery. This memorandum explores what implementing government as a platform (GaaP) in Massachusetts entails, the criteria for deploying services on the platform, and the governance model for managing the service. I shall call this Massachusetts 2.0.

GaaP: What it entails for the State of Massachusetts & the Criteria for Deployment.
GaaP is one way Massachusetts can move towards open government. Open government enables the state to co-innovate with citizens, enables mass collaboration, and networks the government with other system-wide stakeholders, building trust in the process. The underlying principle and philosophy behind GaaP is that government information is a national asset, and that this information, as well as services, must be delivered to citizens when needed. As Tim O’Reilly suggests (1), GaaP lets the government act as a convener and enabler rather than the initiator of civic action.

To move towards GaaP, the state will have to work on a number of issues. First, it must establish a set of standards: rules that help anyone develop programs and applications that communicate and cooperate with the state’s platform, Massachusetts 2.0. Second, everything must center on simplicity. This means Massachusetts 2.0 must be stripped of elaborate features down to a core set of minimal services, so that feature-filled innovations are farmed out to private innovators. Third, the platform must be open by default. It must be designed to enable participation by anyone who can access the public data and use it for the public good, in line with the set standards. Fourth, the platform and the state must make provision for mistakes and errors as various stakeholders experiment and play around with the platform; citizens must not be unduly punished for mistakes made while experimenting with public data as Massachusetts 2.0 evolves. Fifth, citizens, whether private players or non-profits, should be allowed to mine the data to extract insights and innovate around it in more ways than the state government can imagine. Sixth and last, the state can lead by example, using the same standards to deploy some services itself and show how far other players can go. In other words, we would be creating a public, sophisticated, and far more liberal and open version of Apple’s App Store, one that allows the state government to collaborate with citizens.

Deploying Massachusetts 2.0.
The first step is to develop a comprehensive set of standards. To enable collaboration between the state and citizens, this can be triggered by an executive directive from the Governor to that effect. The directive provides a framework within which the state can function and evolve, with the clear direction that it is guided by open government. It is not necessary to recreate standards from scratch; instead, the state can adopt and adapt existing open standards as well as open-source solutions.

The next step is to build a simple platform that exposes the underlying data from the state’s systems. This entails ensuring that the Massachusetts state’s internal systems are service-oriented; it is necessary to audit this first and improve it before exposing the underlying data.

Once the platform is in place, the state can begin deploying some of its services on it, to lead by example. The state was a leader in providing universal healthcare in the United States, so one service the state could build on the platform is a healthcare service. This would also allow other players to come in and mine the data for various other applications and uses, in line with the set standards. Other state-mandated services, such as licensing and state taxes among others, can be deployed on the platform as well.

Governing model.
Europe and countries such as China favor extensive regulation by the state to achieve what they call platform fairness (2). The state has a duty to regulate the conduct of citizens, natural or corporate, to ensure that the use of public data and all public assets conforms to the set standards and is not contrary to good public policy. In the same vein, it is important for the state to ensure platform fairness by curbing monopolistic behavior through antitrust enforcement, in a manner that stimulates innovation and competition.

The governance model proposed is a consultative one, in which a mechanism such as a board is established through the Governor’s directive. The board will have representatives of the private sector. In this situation, the issue of control of the servers becomes paramount. Given the public nature of the data exposed by the platform, it is recommended that the state retain control of the servers, while ensuring that the consultative board collects all feedback from consultations so that it is implemented promptly by the state.

In conclusion, the Internet is an open platform, and its evolution has created immense opportunities to deliver more open forms of government that harness the collective wisdom of citizens. For the state of Massachusetts to harness that wisdom, GaaP is the way to go. Such a platform will ensure that the private sector and talented individuals can leverage public data in multiple ways to create service innovations that can change the state in ways yet unimagined.

1. O’Reilly, T (2010). Government as a platform. https://www.mitpressjournals.org/doi/pdf/10.1162/INOV_a_00056

2. The Economist (2016). Regulating technology companies: taming the beasts. https://www.economist.com/business/2016/05/28/taming-the-beasts (retrieved on 2/10/2018)