I’m breaking form here to discuss something I have consciously left off of my blog: discussion about my work in Information Security; specifically, my four years working on The Secure Channel.

Saturday’s Ottawa Citizen features an ‘exclusive’ by Kathryn May titled Government to replace $1B online service ‘boondoggle’.  The article is relatively fair in its criticism of several Government departments that oversaw the Government of Canada’s federated online service project called Secure Channel and the private sector consortium that won the contract to deliver it.  However, I feel that Ms. May left out several key points in her piece.

One of the two most significant technology requirements was the capacity requirements of Secure Channel.  The Canada Customs and Revenue Agency (as it was known then) required that the infrastructure be able to accommodate the demands for the final two weeks of tax filing season.  The demands faced by that agency during those 14-days are almost more than most of us can imagine.  And, despite CCRA’s requirement for 99.999% uptime, that agency has (historically) prided itself on exceeding that obligation even during the most demanding of times (unfortunately, they met with some challenges in the last two years of tax filing season).  That means that the Secure Channel infrastructure was over-architected for 50 weeks each year for CCRA, and entirely for all other government departments.

Another big concern for the government was the requirement of cross-departmental anonymity of all users.  That is, each department needs to know with strong assurance which user they are servicing without being able to share information about that user with other government departments or being able to identify the user through any element or elements of information (anonymous or identifiable) from other government departments without the express permission of the user.  This means that each user must be assigned an electronic pass (or e-pass) which uses a Meaningless But Unique Number (MBUN).  The MBUN ensures that each user has a secure and verified identity with the Secure Channel authentication and authorization components, and allows each user to validate themselves to each department/agency it wishes to interact with using an anonymous and unique version of his/her Secure Channel identity.

The MBUN is just one example of the demands for rigorous security.  The Certification and Authorization process (the process of verifying and approving an acceptable level of security risk before putting any technology into production) seemed world class to me.  That’s a good thing for Canadians.  However, that comes at a significant cost and schedule impact.  As Ms. May’s article points out, that amount of rigor that was practiced far exceeds the practical amount of security for any business requirements of many of the departments and agencies expected to use Secure Channel.

The original consortium was made up of seven tier-one partners, several of them otherwise competitors, working together in a delicate agreement.  One of those organizations was both a key contributor to the project while being responsible for management of the consortium and the delivery of the project.  This created an environment in which several of the other partners felt the project office was looking out for its own organization’s interests first and the rest of the consortium second.  The inter-partner relationship felt tenuous at best to me and would have benefited greatly from a team responsible for culture, relationship and partnership.

Another issue on the technology side was the desire of one of the consortium partners to custom build its components instead of integrating as much off-the-shelf software as possible and filling in the holes with custom development.  Most people recognized this as being a way of ensuring a long-term requirement for support, maintenance and management — in other words, recurring revenue.

I always felt that the Government of Canada’s requirements were fairly well itemized even if their merit was open to debate.  My memory is that the consortium frequently questioned specific requirements even if not in writing.  With so many departments involved in identifying their service requirements and still other departments tasked with overseeing the project and the rigorous security validation, I wonder if going through a written business case process would have made much of a difference in the project’s budget and schedule.