Two recent events inspired this article: In August 2023, SDN published an article with the same title. And SECOIA's procurement evaluation services for a government agency prompted similar thoughts. What are these observations and considerations?
For many years, the public sector has been aware of a dilemma: the dilemma of tendering for secure document issuance systems in a fair, WTO-compliant manner, while protecting critical secrets, achieving effective security while remaining vendor-neutral, avoiding vendor lock-in, and getting it all - sometimes more, sometimes less - at the best price.
There are actually several dilemmas. But they all boil down to public procurement of national security items on the basis of the best price for the product.
We could discuss here the system boundaries for "price-product ratio", e.g. the use of local industry and labour, which pay taxes and generate GDP and technological expertise. Or we could assess the cost of not having effective safety or functionality (opportunity cost). For now, we will focus on the latter. Francis Tuffy put it like this:
"Focusing on the cheapest security solution may appear cost-effective in the short term but can end up creating vulnerabilities and additional costs over the lifetime of a document. A best-value approach, on the other hand, prioritises technical aspects, particularly the inclusion of specific advanced security features that go well beyond available baseline standards." Secure Document News, August 2, 2023, Francis Tuffy
Observed situation
The best documents are featured in the news as shining examples. Sometimes they even win awards and recognition. What seems to be the norm is far from being a given. During a recent tendering process in which a SECOIA specialist was assisting the authorities, some rather shocking observations were made. The authorities were procuring a secure document system with a focus on performance. While cost was relevant, there were no real hard criteria on how performance and cost would be weighed against each other. Therefore, there was no real downpush on the price at the cost of a suitable concept.
The proposals listed security features. Lots of them. Great features. Brilliant. Most were of the well-known, generic type. Some were based on proprietary developments. In general, there is no shortage of features, and they are being used. We spotted the problem elsewhere:
Security is not about creating a - beautiful? - mosaic of security features from reputable brands. Nor is it about creating a "Christmas tree" of features, the more the merrier. Security is a masterpiece of thinking about attack vectors, both professional and amateur, and creating orchestrated lines of defence. When vendors were asked to provide evidence of their effectiveness in mitigating these attack vectors, they either provided a bunch of marketing buzzwords or simply listed compliance with standards. Not very convincing. It was as though bid managers and their teams were completely unaware of the fundamental objective of such documents. And so it seemed that the situation of poor document security was not only driven by cost, but also by a lack of expertise. This observation is supported by the law enforcement agencies we spoke to. Although training is organised from time to time, awareness doesn't seem to be sustained. The incentive is missing: If the procurement rules only require a certain number of features, materials and references at low cost, treating effectiveness as an unevaluated and undervalued variable in the equation, then making use this knowledge will actually turn into a showstopper for a successful bid.
Even the construction of the documents (cards, datapages) has been drastically simplified. On the upside, they are designed for cost efficiency and short production times. On the downside, they offer less quality for laser engraving (if required), less interlocking of security elements and personalisation, and less adhesion of foils when complex designs are used. Here we end up at the same spot.
Driver of the situation
It is in the hands of both industry and primarily the authorities to get the priorities right. It shouldn't just be about proposing or reciving proposals for documents at a low price. It is about setting clear objectives and providing solutions that are effective at achieving them. A low price evaluation is short sited on the part of the authoriites and disincentivized industry from proposing the adequately secure solutions.
More and more we see the software development culture encroaching on this "old school" domain: Green Banana development (letting the product mature with the customer) with short development, fast release iterations and a strong emphasis on feature functionality. This is in stark contrast to the rather lengthy development cycles of secure documents, often with lead times of several years. Cross-discipline competition and inspiration is beneficial. However, this can become toxic, if the objectives and boundaries are lost in action.
Two short examples:
Patching document security after their issuance is practically unrealistic. For IT systems, this is a common and essential practice;
The myth that document security is expensive and digital security is free is not correct and needs to be challenged. Too often we have heard that secure materials, logistics and forensic labs are so costly and can be saved by using digital technologies because they are secure from the outset. The almost daily reports of successful infrastructure attacks and exploits prove this to be false.
Conclusion
All in all, whether it is physical or digital documents, government needs to get the focus right their objectives, be accountable and hold suppliers accountable. And for this, the objectives need to be identified, aligned, and enforced. If not, then "Secure Credentials" should be called what they are: "cheap excuse for an incredible security risk".
About SECOIA Executive Consultants Ltd
SECOIA Executive Consultants (SECOIA) is a consulting company for identity management, civil registry and border management. Most governments are eager to participate in best practice in identity and border management. SECOIA combines knowledge, needs and competencies to guide governments and specialised industry in implementing compliant, leading multi-factor identity solutions.
SECOIA is a network of experienced professionals working in the public sector and specialized industry. Our mission is to consult the involved parties and join needs and solutions as match makers. We oversee the identification of requirements, development, evaluation, search and implementation.