Welcome to the CIO toolkit for Government.

This toolkit has been designed for agency CIOs looking to exploit the large-scale investments all major portfolios have made in digital infrastructure, systems and practices. 

As digital government becomes a reality, the kit draws on global and Australian expertise and experience to detail the next phase of transformation and the core capabilities and technologies public sector CIOs will need to focus on.

Managing legacy technology is a key challenge for every CIO, and the kit outlines a powerful framework to de-risk what have, to date, been notoriously challenging legacy renewal projects. This includes how agencies can adopt a hybrid approach to cloud migration.

Distributed ledgers are opening powerful opportunities to rethink government registry and supply chains, and we explore early examples of real-world applications of blockchain-type technologies and pathbreaking blockchain work.

Security is now undoubtedly a global play and the kit focuses on how agencies can realistically secure their data and networks, in a world where threats are intertwined and malevolent actors range from nation states to teen hackers.

Identity management is a critical part of digital government. As the federal government's GovID identity solution is deployed, attention will quickly move to the powerful suite of personalised smart services that become possible around a well-managed identity system.

Across all these areas, the rapid emergence of powerful, self-learning computers and intelligent applications offers a springboard into cognitive era government. Be it smart gate technologies, identifying revenue fraud, or reading (and understanding) tens of thousands of old case files, the public sector is set to be transformed by the suite of applications that exploit cognitive computing.

Tom Burton
Publisher - The Mandarin

Digital Change

Six steps to accelerating Australia’s digital government

By Tom Burton

Public agencies wanting to be effective in a citizen-empowered world need to focus on developing key foundational strengths.

Governments and councils across Australia – at all levels – are about to embark upon a critical phase of their digital transformations.

The Federal Government has laid out an ambitious goal for Australia to be one of the top three digital governments in the world by 2025. This will see a major transformation in the Australian public sector, delivering smarter and easier services across all jurisdictions and in the very way government works.

The work done to date – from investing in and adopting new technologies, building better websites, moving to the cloud, and enabling more collaborative and agile workplaces – has simply been laying the groundwork for what’s to come.

In essence, it’s involved doing digital rather than being digital.

Those public agencies advanced in their digital endeavours are now ready to become truly digital by moving to an era of intelligent personalised services and data informed programs. This shift requires a major adoption of smart services, remade government processes, and outcome driven programs.

We are already seeing examples of this: predictive systems to help identify security and border risks, applications to identify fraudulent and suspicious tax claims, and diagnostic tools to better detect disease.

However, these projects are still the exception rather than the norm. Discussing the progress made, IBM Global Government Industry lead Dr. Julia Glidden says while we have broadly digitised the status quo so far, progress is just around the corner.

“We’re on the cusp of the most exciting phase of the digital transformation of government. The rapidly emerging world of artificial intelligence, virtual reality, 5G mobile broadband and the internet of things is unlocking a wealth of opportunities, and the landscape is rapidly looking monumentally different to how it does today.”


1. Simplify through integration and automation

The underlying forces shifting digital from something you do to becoming a state of being are neatly captured in IBM’s Centre for the Business of Government “The Seven Drivers Transforming Government” study.

It involves the automated integration and use of data in the majority of processes, and will be underpinned by intelligent and secure technology platforms. In light of citizen concerns around data security, trust and transparency, this new way of work must be governed by well-considered, open, accountable, risk and benefits frameworks.

Considering the agile and collaborative work practices between public and private sectors, systems will be highly integrated and automated.

2. Be clear and committed to your strategy

IBM’s Dr Glidden argues a lesson we must draw from the many other sectors that have undergone profound digital change is a drive to provide best-of-breed programs and outcomes.

This makes critical the need for a clear strategic vision for every agency – a vision that comprehends the impact of these changes and frames agency missions for the digital era.

At its most basic, digital is transforming agencies from traditional, activity-based enterprises into informational organisations, delivering a powerful set of data-led products, ranging from public transport apps to sophisticated real-time revenue collecting systems. This change into information-centric enterprise implies a very different governance regime from traditional bricks and mortar agencies.

The nature of digital means agencies have real choices about what role they play – from app developers to managers of digital infrastructure – and everything in between. Just as Uber and Airbnb operate without owning any cars or homes, government agencies also have the option to play only in the virtual world. And while most public agencies remain rooted in traditional service provision and program delivery, there are now important strategic options agencies must consider.

This is where strong leadership is critical. The drive to build the basic capabilities needs to be framed around a strong agency-wide vision for its core role, and the shift to digitally-centric work practices will slumber along unless tethered to a clear all-of-agency commitment and buy in.

CIOs and their digital colleagues are uniquely placed to be major influencers in the design of the overall strategy and to develop and execute a robust delivery plan. A plan that frames success in tangible improvements in service, program and outcomes for citizens and stakeholders is key.

3. Let technology do the heavy lifting

Dr Glidden points to the important role artificial intelligence solutions will play in the move to digital.

“Cognitive government is how we use artificial intelligence to take the volumes of data captured to unlock insights. The desired outcome of each needs to be a fluid ecosystem whereby agencies are constantly learning from data, improving service delivery from data, and delivering a more personalised experience.”

"How do you tap the insight? How do you stop it being static, becoming a fluid ecosystem, constantly learning from that data, improving service delivery from that data, delivering a more personalised experience? That is what cognitive government means."

It is important to acknowledge the context this profound change is occurring under. We know citizens are restless, untrusting of traditional institutions and empowered by their own networks and devices.

The demand for better government is universal, however, and a simple focus on getting basic life services sorted will go a long way to restoring satisfaction.

We are already seeing some rapid improvements, service bots included, driven by the big federal, state and local service agencies. And there is some impressive work in the transport, revenue collection and border gate arenas.

4. Focus on what needs fixing

Dealing with the mountain of legacy systems and program complexity remains the elephant in the room. Unsexy, back office stuff, but absolutely critical to being digital on the inside as well as outside.

Much legacy modernisation is primarily about moving to shared data infrastructure and making software-as-a-service applications the foundations of all core systems.

After two decades of legacy renewal, we have learnt that focusing on what needs fixing, rather than grand “rip-and-replace” projects, is a better strategy. IBM has brought together all these legacy learnings into a strategic set of patterns that enable CIOs to de-risk modernisation projects.

5. Ensure cyber security is front of mind

Security remains the Achilles heel of digital, which is why agencies need to be persistent in building cyber resilience into their systems. The pervasive nature of cyber vulnerability means agencies need partners offering depth and global perspective in managing this rapidly changing environment. In particular, it’s an area where intelligent, self-learning computing has a critical role to play. The vast amounts of threat data and analysis mean cognitive applications can read and recommend mitigation strategies in near real-time.

6. Citizen-driven personalisation

The shift to a data-driven world opens a whole arena of precision delivery of services, where each engagement is personalised to the needs of the individual. We are rapidly approaching a time when we will have the data sets and technologies to create integrated and intelligent services across multiple agencies and jurisdictions. This will enable complex tasks – such as the winding up of a deceased relative’s affairs – to be consolidated into one easy-to-use service.

Dr Glidden argues this personalisation is going to be increasingly directed by the citizen. “The way to talk about it is citizen-driven services, not just government anticipating my needs but governments actually engaging with me to drive that personalisation.”

And distributed blockchain technologies are readymade for the maze of interaction between government agencies and the massive diaspora of people and organisations government will inevitably be dealing with as services are integrated across the economy.

Intelligent systems offer a real opportunity to rethink service and program design and delivery in a much more radical fashion and in a way that drives economic value. For example, the redesign of the conveyancing system by three east coast governments has turned a major cost into a valuable asset, now trading under the brand of Pexa.

Seize the opportunity of digital government

To seize the huge opportunity to transform government service and program design and delivery for the modern era requires agencies to build depth across a set of key capabilities and methodologies. These are the building blocks for digital government and provide the foundational strength for agencies looking to apply digital-like methodologies to their work.

The foundations of digital government

By Tom Burton

We have articulated the key building blocks for CIOs to focus on for this critical phase of digital government. These have been drawn from discussions with Australian government leaders, CIOs and digital leads, major vendors and consultants, together with the insights from the transformation research undertaken by the Centre for the Business of Government.

These are the foundational elements of governments successfully embracing the digital era. They are markers of digital maturity and capability and provide a road map for CIOs wanting to develop an all-of-agency strategy:

Defining an agency's purpose for the digital era

Many government agencies are shifting from their traditional activities to new mandates built around being information providers and brokers. Transport agencies now run sophisticated real-time apps, the ATO has developed a major system that integrates with private payroll and other enterprise systems. Regulators are experimenting with real-time compliance systems. Enunciating this new information-defined mandate is critical for setting the strategic direction of the agency and what the core purpose of the agency is in the digital era.

Citizen engagement

Digital technologies enable agencies to interact with their citizens on a variety of policy and regulatory matters, at scale and in real time. There are huge opportunities to enable citizens, business, NGOs and communities to participate in the design, development and ongoing management of government programs.

Data empowerment

Data enables agencies to precisely tailor a wide suite of services to specific users, removing waste and enabling government to be far more effective in program delivery. Combined with business automation and powerful algorithms, the embracing of data offers the opportunity to build a plethora of new services and applications.

All governments are rapidly building advanced data analytics capability and behavioural units, to help inform policy design. In the most recent Budget, the Federal Government has committed $65 million to facilitate data sharing and release.

End-to-end systems

An estimated 80 per cent of government is built around common processes and there is huge upside to reform the litany of bespoke manual systems – many still paper based – and offer automated processing from the beginning to the end of these common processes. The banks have learnt how important straight-through processing is for continually improving applications and services.

Business simplification

Many government systems are innately complex because of their history of legislative and program changes. Trying to digitise this complexity ends up simply paving the cow path and is typically very bespoke and, as a result, very costly to develop and maintain.

Intelligent applications

Almost all government functions can be vastly improved by applying self-learning technologies. These include better decision making through computer interrogation of previous cases, smart revenue compliance, and use of artificial intelligence to profile and predictively track criminals and terrorists. AI applications are now available to "digest" years of case files, helping frontline workers and policy makers alike learn what works best.

Easy-to-use joined-up services

Citizens continue to be frustrated by having to navigate and deal with multiple agencies for core life needs. Logging on once and being able to deal with, say, the birth of a child or the death of a parent, in one well designed system is a simple, but important way of providing real value for citizens. At the same time, many states have duplicated systems which cry out for unification. As an example, Australia has eight different Birth, Death and Marriages registers and associated back-office systems.

Agile organisations

The speed of change and disruption coming from new digital technologies means the old bureaucratic project methodologies need to be reset for a much more fast-paced world. Digital systems can be quickly evolved, enabling agencies to tap the power and dynamism that comes from no longer being constrained by hardwired technologies.


Building automation, intelligence, security and collaboration into core systems means staff no longer have to manually manage clunky bureaucratic systems and can instead concentrate on offering high-value advice and delivery.

Identity management

As services become increasingly joined up, the need for a well-managed federated identity framework is critical. Governments have real choices how identity is managed – single number to a federated system – but it is well understood that there is now a real urgency to settle on an agreed framework across all tiers of government. This system will need to interact with all the major identity providers, public and private, and be workable and highly secure across the many networks any federated identity system needs to use.


The internet of threats is proving to be a real blocker for agencies looking to exploit the value of digital networks. Building agency resilience is critical for creating citizen trust around use of data and information for public good. This includes cyber defences around critical infrastructure. The explosion in network devices, the roll out of super fast mobile and fixed wireless broadband, coupled with industrial level automation, means cyber security will remain a key priority for every CIO and CISO.


As agencies pivot to being information-led, they need to develop an information governance framework that balances the various public values inherent in information sharing and release. This framework needs to recognise the rapid shift to real-time applications and that much of the data will be sourced from other agencies and private providers. Building robust engagement with data stakeholders is going to be critical to build trust and permission to share data across government.


By Tom Burton

An end to rip-and-replace? How learning from patterns can take the risk out of legacy change

Taking the pain out of legacy

System modernisation is consistently cited as the number one concern of CIOs inside and outside of government.

For Australian public agencies, it’s a formidable challenge. The sheer complexity of statutory and business rules, relentless machinery of government and program changes, and reluctance to be seen spending on low-visibility but vital infrastructure have created an enormous legacy backlog that’s growing every day.

These legacy reform projects typically come with large risks, with many examples of major project cost and time overruns, operational limitations and economic and reputational damage stemming from the unintended consequences of so-called ‘big bang’ technology modernisations.

Unfortunate as it may be, the truth is that in many cases mature information systems have grown old 'disgracefully'. Repeated waves of change tend to petrify the system further, removing any flexibility and creating 'software entropy'.

Successive waves of change then convolute ageing software as the artefacts in the code become co-mingled. They become difficult to separate and change independently of each other, driving up maintenance costs and making it increasingly difficult to modify a mature information system to reflect ongoing business process change.

Add to this mix the unrelenting pressure on chief information officers to bridge the experiential gap between commercial and government systems for end users, and it’s not hard to see why legacy system reform has become the iceberg issue that keeps leadership awake at night.

Fortunately, there is a middle ground.

Fear drives over-specification

Fear of the many unknowns surrounding upgrades has often produced a strongly conservative and highly intensive planning and requirements process that attempts to capture all risks and deliverables.

Once the accepted norm, this monolithic or ‘big bang’ approach is often contrasted with faster and more nimble practices like agile that ostensibly start again from the very beginning – fine for a start-up, but more difficult for established organisations bound by strong governance requirements, which need to retain corporate memory.

What’s less recognised is that there’s a way to leverage the best of both practices that’s not mutually exclusive.

The embracing of agile practices promotes consistent delivery of software coupled with the emergence of DevOps and more modularised procurement practices, opening up the opportunity to take a more iterative approach to ICT renewal.

But there are also vital lessons to learn from what is now a long experience of systems modernisation and how not to reinvent the wheel.

Unlocking why legacy systems survive and exist – and the need to continually modernise – is the key to a highly strategic approach now being advocated by IBM, the company that has arguably more heritage and experience in executing technological change than any other.

Learning from experience

Through their work with organisations worldwide, an IBM California research group, led by Jan Gravensen, have identified a variety of actions and activities – dubbed ‘patterns’ – that are relatively consistent in any ICT modernisation project.

Software and systems are ultimately human constructs, so it’s vital to understand the behaviour behind how and why they are built, as much as their ultimate or original purpose. It also pays to know the how and why of changes, modification and customisation over time.

Gravensen contends using a patterns-based approach enables CIOs to take a structured, evolutionary, and iterative approach to legacy renewal, thus removing much of the risk typically associated with big bang, rip-and-replace approaches.

“We have 20 years of lessons learned. We have good roadmaps rooted in what works and what hasn’t worked. By and large, we know what hasn’t worked are the large-scale, ten-year out, transformation programs,” says IBM Global Government Industry lead, Dr Julia Glidden, who recently visited Australia to apprise government and business CIOs of evolving transformation cultures.

“We now have a footprint of where best to start, depending on your use case. The understanding you start with [is] the problem you are trying to solve, instead of taking on the whole of the enterprise.”

Referring to the work by Gravensen’s team, Dr Glidden said: “I think this is a really important step change and it is now something that is packaged, it is a roadmap, it is consumable for CIOs everywhere based on the common problems.

“I have the privilege of flying around the world over 20 years working with various governments in their digital journey. And with rare exception, most CIOs will think there is a uniqueness to their challenge. But when you scratch below the surface, there tends to be common patterns of problems, which leads to common sets of solutions for mitigating those problems – depending on the business outcomes desired.

“I think the message to CIOs, when they are looking to stabilise their infrastructure or modernise, is they are not alone and their problems are not unique.”

Patterns everywhere

Gravensen and his team have identified what is common in most legacy considerations. These start with the patterns that describe the organisation’s behaviours, perceptions, biases and which, typically, heavily influence the strategy chosen to modernise its systems.

Importantly, there is also a cluster of economic patterns that influence the organisational choice of strategy. These lucid descriptions of economy patterns in some respects draw from behavioural economics (think nudge and motivations) to better understand why organisations in some instances choose dramatic and risky modernisation strategies.

The patterns Gravensen posits are identifiable, but they are also interrelated.

Developed behaviour, strategy and economy patterns identify the factors leading to the decision to modernise and the approaches selected. Understanding the behaviours, or perceptions and biases, that exist inside an organisation can help understand the challenge as well as misconceptions about the systems that exist.

Sometimes, the strategies selected are influenced by internal capability as well as economic factors. The availability of sufficient capital, or a lack of it, both influence the approaches selected.

Dark matter: technology anti-patterns

A third distinct group is a phenomenon called anti-patterns, best characterised as the ‘technical debt’ that has accrued in the particular system.

It’s tempting to interpret these as the accrued price of just putting things off, especially if there’s a perceived imperative to find a quick ‘out of the box’ solution. The reality is it’s as much about understanding what you actually have – and why you have it – to critically evaluate what best next steps may be.

Understanding these anti-patterns – which lead to a system becoming a legacy – provides insights about the underlying cause of obsolescence. Understanding how the system was maintained over time, what information is lacking and the intricacies of the systems helps to determine what can potentially be undone to the system to improve its operations.

This deeper insight can derive deeper value. For many years mainframes – the heavy lifters of transactional processing ‒ were eschewed as legacy infrastructure and architecture. Yet their genesis in distributed architecture – and knowing what are solid architectural foundations – can give you the blueprint to build a better wheel, rather than designing one from scratch.

Mapping practicality

There are also patterns of practice. These can include declared dependencies, inversion of control, and externalisation which can all help to maintain important features and functions of legacy systems within a modern setting to reduce risk to agencies and organisations.

Often, it’s about identifying what’s important – think corporate memory or systemic knowledge – that’s been baked into systems across successive waves of technology and reflects wider organisational systemics as much as specific functions that need upgrading.

Understanding the ins and outs of legacy systems – call them heritage systems if you will – helps the development of efficiently targeted system designs, or architecture patterns.

These patterns can be used by teams following an agile methodology to sketch out the architectural runway, using a modular approach. Thus the transition can be gradual, effective, affordable, and reduce risk and burden for the organisation.

It’s about knowing what to look for to guide informed evolution, as opposed to starting again from scratch.

Hedging for the future

When significant investment and operational uptime are at stake, knowing what to hold as much as what to fold is an acquired skill for public sector CIOs and leadership. Commodity and cutthroat pricing do not in themselves determine architectural quality.

Reduced instruction set computing (RISC) was once regarded as verging on obsolescence as more commoditised processors became cheaper and their power increased. Yet today, that same RISC architecture powers most smartphones.      

In technology, like other human endeavours, there can be a persistent duality of change and continuity.

The key message for Australian government agencies is that they are not alone in their struggles in balancing the cost of modernising legacy systems with the need to improve services and deliverables.

Thanks to expertise developed over decades working with public and private enterprises around the world, there are now research-informed and evidence-based approaches to help understand and balance the needs and deliver cost-effective and acceptable-risk modernisation approaches to any government agency.

Both ministers and technology trends may come and go in short succession. Yet the machinery of government, systemic or informatic, will always need to know where its foundations lie to continuously serve.

Why legacy infrastructure holds large organisations back

By Professor Phil Simon

Throughout history, many organisations dominated their industries by virtue of their sheer size. That is, organisations that reached a certain level of revenue and/or market share could expect to realise some level of prolonged success – even with legacy infrastructure and technologies. To paraphrase from Seinfeld, to the victor belonged the spoils.

By and large, however, this is no longer the case. Today, and often without much warning, startups and small companies disrupt incumbents quickly. Uber, Airbnb, and other on-demand companies are cases in point.

Thorny people issues

At a high level, these upstarts often do many of the same things as their larger brethren. These ambitious newbies just do them better, quicker, and/or cheaper. For instance, Uber provides quick and affordable rides without the hassle of calling a cab and coordinating location.

Of course, in a fundamental way, it’s always been easier for startups to usurp or leapfrog incumbents. Has this always been the case? Sure. For instance, by starting over after World War II, Japan was able to quickly modernise its infrastructure, grow like a banshee, and establish itself as a manufacturing behemoth. It didn’t have to supplant legacy technologies.

At an enterprise level, greenfield sites need not deal with employee training, thorny data and integration issues, etc. I’ve said many times that there’s no magic “cloud” switch that ports mature applications to more modern delivery methods. Mature organisations further suffer from an inability to subtract and simplify. That is, they’ll add new applications, technologies, and components without retiring antiquated ones. The resulting morass of system eye charts and spaghetti architecture drives many CIOs to drink.

And let’s not forget the other elephant in the room: aversion to change, especially at high levels. As I’ve seen firsthand, plenty of CXOs are loath to retire “their” applications. Personal pride stands in the way of updating antediluvian applications and technologies. These execs often block any attempt to modernise a company’s infrastructure.

Brass tacks: Lamentably, many organisations these days can’t act quickly enough to respond to market conditions, but don’t take my word for it. An IBM Infrastructure White Paper makes the case that IT infrastructure prevents quite a few companies from meeting new business requirements and capitalising on new opportunities.

Consider subtraction by subtraction

There’s no simple solution to this problem. Cultural, regulatory, and internal political issues hamstring many organisations and enhance startups’ inherent advantage. Perhaps it’s best for C-level execs to think about how quickly their organisations can respond to new opportunities. If it takes too long, then adding more complexity only exacerbates matters. Consider subtraction by subtraction, not by addition.

How to tame legacy infrastructure for today’s use

Government agencies are mired in legacy infrastructure. Hesitant to scrap taxpayer investments outright and yet charged with new goals requiring more agile and advanced technologies, agencies and corporations alike find themselves stalled between the past and future.

There are many challenges with legacy systems, each with its own worst-case scenario. They include server sprawl, multivendor support services, multivendor hardware and a patchwork of legacy software – all added to, added on, broken from, joined with, hardwired and wireless. This creates a general mess of things knitted together, almost as archaic as working off rubber bands and paperclips.

Is it really that bad? Yes, but it could be much worse. It’s hard to tell what exactly is going on in legacy infrastructure when there’s no way to monitor all the moving parts and dead weights, or find the bottlenecks to unstopper them.

Using a third party to wrangle legacy infrastructure

These recurring problems with legacy infrastructure are only growing in cost. According to the Department of Finance ICT trends report, the Australian government spent 78 per cent of the total 2015-16 ICT budget on initiatives to keep current infrastructure operational (so-called "run" spending). This is high compared with other sectors and reveals how much spending and project focus goes to “just getting by” efforts.

This means hanging on to legacy components isn’t just a budget burn today; it’s burning budget dollars for tomorrow’s investments, too.

Replacing hardware and software that has outlived its usefulness is the ultimate goal, but outsourcing the support of this equipment to a third-party managed services provider can tame legacy systems so they can handle today’s operations.

By limiting outages, shortening downtime and providing common support for a system that may consist of multiple vendors, you can effectively modernise equipment that may otherwise act obsolete.

Optimising the past while preparing for the future

This is one of the best ways to wrangle legacy equipment into a manageable state so that work continues in the most efficient manner while certain parts of the system are being updated. Because a complete tear-out and rebuild is impractical as it is, these services also enable smoother planning, wherein systems are updated before any necessary replacements occur.

One way this third-party vendor can be of help is to optimise past spending while also extending these investments to new platforms.

“Private clouds appeal to enterprises looking to extend their legacy infrastructure and applications to the cloud while helping to optimise past investments,” said TBR Cloud Senior Analyst, Cassandra Mooshian.

Nonetheless, there are myriad ways to tame legacy infrastructure, both in hardware and software. For example, it is possible to receive support and procure contracts for varying types and ages of hardware. It’s also possible to solve operational issues in software that may exist in more than one location or cloud environment.

Indeed, many agencies are finding managed services from a third party to be a fast and cost-effective means to tame legacy infrastructure from end to end, thus harnessing new efficiencies in the transformation process.



By Julian Bajkowski

Access IBM's solutions for blockchain

Blockchain advancements in 2018 are bringing big opportunities for government at policy, regulatory and procurement levels.

Blockchain has shifted from being an ‘around the corner’ technology to a ‘here and now’ proposition across multiple economic sectors including finance, logistics and property. That creates big opportunities for government at policy, regulatory and procurement levels.

Peer-to-peer transactions, thwarting money laundering, seamless regulatory oversight, managing healthcare interactions, energy, records management and digital identity.

Ask for a list of the potential applications for blockchain evangelised over the past year alone and those are just the start. The fact is it may be a quiet revolution, but it’s happening now.

And with the logistics and financial services industries all rapidly trialling pilot projects, it’s a technology with very real potential to revolutionise the very foundations of government.

It’s happening now

Ask yourself this: how many regulated multi-party transactions that demand high levels of assurance and integrity is government involved in? And could property, securities, registration and licensing all benefit from automation and harmonisation?

Applications and standards may still be forming, but they are forming fast even if they still don’t easily form mainstream media soundbites.

There are Australian government pilots and studies now underway across the welfare, health payment and identity spaces, and it is the ability for blockchain to be massively extensible that is capturing the attention of leading government technologists.

Differentiate to derive value

One of the biggest points of confusion around blockchain for non-technologists has been filtering out the din of consumer noise around bitcoin and cryptocurrencies, as opposed to its industrial application in government and enterprise processes and systems.

The simple fact is that there’s a lot more utility to the technology than you can put in a short soundbite if you dig a little further.

The bottom line for government and its many stakeholders is that a quiet yet powerful revolution is now underway in the efficiency and integrity of transactions and records that underpin the daily activities of business, the public sector, regulators and registries.

So the challenge for many chief information officers will now be how to get their organisations ready and on top of blockchain quickly rather than being left in its wake.

Global supply chains already shifting to blockchain

In terms of real-world applications for blockchain with global impact, there is already significant movement in digitising the once paper and legacy standards-dependent sphere of international logistics and supply chains.

In January 2018, global freight, shipping and ports leader Maersk and IBM announced the creation of a pivotal joint venture company that will offer a co-created global trade digitisation platform built on open standards and designed for use by the entire global shipping ecosystem.

With the value of shipped goods now around US$4 trillion a year, the complexity and volume of trade documentation needed to process and administer has been estimated to be as high as 20% of actual physical transportation costs.

Now, by using blockchain in combination with other cloud-based open source technologies including artificial intelligence (AI), IoT and analytics, delivered via IBM Services, businesses, regulators and consumers all stand to potentially benefit from an uplift in productivity, security and efficiency.

It means that as global trade processes are digitised and start to use blockchain, a new form of command and consent can be applied to critical flows of information. This allows multiple trading partners to collaborate and create a single, authoritative and shared view of a transaction — without compromising sensitive details, privacy or confidentiality.

It’s a project that has been going since 2016 but will now start to deliver over the next six months with global manufacturers, freight forwarders, terminal operators and authorities and regulators coming on board.

They initially include Customs authorities in the US and the Netherlands, with strong interest also expressed by authorities in Singapore and as far afield as Peru.

The future is distributed

Put simply, blockchain is a digital distributed ledger – a shared, immutable record and history of transactions and who made them. Built on open standards, blockchain has the potential to create a new generation of transactional applications that establish trust, accountability and transparency.

When you consider the extent of authorisation, settlement, batching and reconciliation that many transactional sectors intersecting with government go through, it’s clear the uplift factor extends beyond the hype. In a confirmation that blockchain is now being taken seriously, the Federal Budget committed $700,000 for the Digital Transformation Agency to develop an identity application using blockchain. This initiative was personally supported by the Prime Minister.

What’s driving blockchain implementation and exploration around the world is its potential to greatly improve data integrity and access, reduce costs and kill inefficiency, and deliver better and trusted outcomes with vastly improved oversight.

It’s logical the private sector has moved first, with blockchain adoption unfolding at such a pace there’s serious discussion about when it will be the underlying norm for any transaction.  That organic growth is not a bad thing for government.

Sharper focus, better vision

The broad vision is this: blockchain (done well) rapidly facilitates a network of automated and immutable digital ecosystems that span across industry and government registries and transactions; simultaneously they eliminate risks and friction endemic in manual processing.

Cast your mind to the extent government, business or any sector that relies on a combination of registries (who) and ledgers (what, where, when) for day-to-day processes can benefit, and the appeal is clear.

This appeal is beyond formal registries.

Governments – like banks in the money markets – play a key intermediary role across numerous sections of the community.

Think of blockchain as a computerised notariser, time stamping “transactions” as diverse as the birth of a child, a Medicare payment, or the issue of a welfare benefit.

It is blockchain’s ability to act as the “honest bureaucrat” which makes it such a game-changing technology for governments and one the formal review of the Australian Public Service will need to centrally consider.

Rather than having the many interactions between government and its ecosystem managed bureaucratically, many of these are capable of being codified into blockchains and managed virtually. Safely.

Well-orchestrated implementations don’t just happen either. Government needs to be a collaborative participant that can nurture an ecosystem from inception to deployment, which requires attention and commitment.

More than a single solution

Notwithstanding its clear utility and potential, it’s fair to say that blockchain is not ‘one thing’ – it’s many. And the manner and pace at which it is unfolding isn’t necessarily uniform or linear, even if it is fast.

For the public sector as a whole, there are serious near and medium term implications in the way in which blockchain gets sectoral and industry take-up, not least because evolving adoption pathways will ultimately intersect with agencies, regulators and policymakers.

Transaction reporting standards, taxonomies, regulatory requirements, authentication and identity integrity requirements all come into play. Standards – as dry as they may be – are everything.

So, for government organisations to influence how blockchain plays out, rather than being a passenger, they need to become a leader on stewarding standards.

Need to know: where is blockchain getting traction and why it matters

There’s little doubt the financial sector is leading some of the largest and most innovative applications of the technology.

In Canada, major banks are now combining their resources to provide more efficient ways to approve loans and enable customers to move between banks. And to support this, blockchain technology is enabling identification verification between banks, both through the government’s national identification system and through mobile verification using Canada’s largest telecommunications service, Rogers.

That’s worth keeping in mind as Australia moves towards widespread adoption of digital identity credentials.

The technology to support the sharing of information between government, banking and telecommunications sectors in Canada is SecureKey, which leverages Hyperledger Fabric – a core blockchain technology running on IBM Cloud.

The system works through a customer’s mobile phone and its GPS locator. Assuming the customer has their phone, Rogers can tell where a customer is. Linking it to the government photo ID, the application provides a government-authenticated picture of the individual. And this can then be tied in with the banks around their ‘Know Your Customer’ processes.

Efficiency to the fore

For banks, this is an important efficiency play – they don't have to deal with the paperwork of background checks because another bank has done it. This requires collaboration between banks, and a willingness to share information, for this process to be successful.

For those in charge of government technology – whether at a regulatory or transactional level – there’s a tangible interest in achieving this sort of trusted interoperability. Automated income reporting, payments, taxation, licensing and property, assets and securities could all come along for the ride.

And beyond the finance sector, there are a range of new and emerging applications – including land titles, healthcare, refugee and humanitarian support.

Australia’s emerging leadership

Within Australia, blockchain has also already taken a strong hold in cornerstone commercial institutions.

The Australian Stock Exchange (ASX) announced in December 2017 a plan to upgrade their settlement and clearing system to blockchain technology with the support of Digital Asset Holdings, a financial distributed ledger developer whose strategic investors include global banks and market operators, including the ASX and IBM.

The decision was made to improve the transparency and efficiency of the market and drive down costs for participants, and it has unquestionably put Australia on the front foot for a widespread future.

Air cover for innovation

The move certainly didn’t go unnoticed in government, with Treasurer Scott Morrison applauding it as putting Australia at the forefront of digital innovation. Significantly, it came after both Australia’s Prime Minister Malcolm Turnbull and Morrison articulated ambitions for Australia to become a leading fintech hub.

Importantly, both Treasury itself and the CSIRO’s Data61 are closely tracking how fintech and blockchain developments are unfolding across the broader economy. For those leading technology efforts in government, this implies a strong expectation from policymakers that agencies cultivate an awareness of what’s coming down the line and how they can deal themselves into the game.  

Instructively, as an early adopter of the blockchain, the ASX was acutely aware their project would attract the spotlight. As a highly regulated entity, they undertook a complex due-diligence process to ensure they were confident with the technical capability of the system and it would provide the right level of visibility to regulators.

For those working in government, a key consideration will be how to stay on top of developments, with committed technology leaders like IBM remaining a valuable reference point.

Open standards. They matter

In terms of opportunity for government, a ‘permissioned blockchain’ environment like Hyperledger Fabric offers immense potential because of its ability to transfer trust and encourage and facilitate stakeholder collaboration.

It works like this: in a permissioned environment, essentially each partner in the chain knows who the organisations and users are in that network, enabling confidence and verification of who they are transacting with.

This, again, is where standards come into play – because the partners in a chain need to agree on the process through which a transaction will occur. Assisting this process are the open standards a permissioned blockchain is built upon.

By providing the various partners or sectors in a blockchain process with a broadly agreed set of standards, much of the negotiation is already done for the parties. And the open standards provide assurance that the  system will still be utilising relevant standards in years to come, with the flexibility that it can be expanded or evolve as needs change.

A secure and open sandpit

As a long-haul supporter of open standards over proprietary lock-ins (think rail gauges), IBM recognised early-on that open source standards would be pivotal to blockchain’s success and collaborated with the Linux Foundation to build a genuinely independent community of interest.

Today, Hyperledger Fabric is one of the fastest-growing open source blockchain projects, not least because of its genuinely collaborative and independent stance.

Crucially, its open standards provide vital certainty that systems will still be employing relevant standards as time and technology march on.

It’s these factors which have enabled the swift uptake and innovation of blockchain at a rate that requires government to pay urgent attention to the technology.

How blockchain helps government

The existing applications of blockchain are designed to improve efficiency in processes and be more effective in delivering outcomes through collaboration. Initially, it’s an opportunity to overhaul costly, paper-based manual processes or isolated legacy systems.

But it is also a pivotal opportunity to create vastly more efficient ways to manage registries, supply agreements and sharing of information between agencies and across jurisdictions.

Governance in today’s world requires greater interoperability not just between agencies and jurisdictions, but with the private sector. More and more, government is turning to the private sector to support government deliverables – from building infrastructure to the delivery of foreign aid and information sharing to supporting national security initiatives.

And the household impacts from sectors including finance, energy and insurance are increasingly becoming political issues, with greater transparency urged by government.

Keeping it real

But the sales pitch for blockchain within government should be the efficiency and integrity it immediately delivers – with an add-on being better deliverables to its customers.

Today, many regulations have either validation of identity, authority or transactional behaviour at their core. Blockchain provides visibility and assurance for many of the systems government is rightly concerned about, especially regulators.

At the same time, automation reduces the regulatory burden as customers get faster, easier, more predictable transactions with government.

And while potential uses for blockchain seem endless, obvious wins include land and vehicle registrations, medication tracking and enhanced and automated identity verification.

Put simply, where one version of a truth is needed across sectors and government, blockchain is a potential solution that needs to be considered.

Thinking beyond technology

To harness blockchain’s full potential, its application should be more than a technical solution, even when that suffices. Today, governments need to think about existing and emerging ecosystems and the burdensome business practices they want to move away from. This requires not only conscious leadership from within agencies, but an open mind to assess new use cases and innovations.

Political push and willpower will undoubtedly be in the mix, as experiences overseas demonstrate.

The Smart Dubai initiative aims to create the world’s first blockchain city and is now investing substantially in innovative ideas that will further this agenda.

In Australia, the push within government is also evident. The Department of Industry, Innovation and Science’s recently-released Digital Economy initiative identifies blockchain as a technology that can “disrupt and revolutionise financial transactions and services” with its potential applications in “health, government services, real estate, media, energy and more”.

Government itself is investing in blockchain technology, with an $8 million grant awarded to a blockchain-powered distributed energy and water system last November.

What government did next

It is now a matter of Australia’s public service actively supporting wider adoption in developing a framework to support distributed ledgers – including legislation and regulatory frameworks – as well as bringing new sectors and the public along for the ride.

The health sector with its maze of manual processes, jungle of service providers and deep need to manage data and information securely, is a key candidate for blockchain consideration.

Distributed ledgers and the emerging ‘regtech’ sector are becoming purpose-made for any agency running a registry. Identity credentials, similarly, can be federated using blockchain enabling one agency to easily accept the identity check of another.

And any situation where government or regulated industries need to verify the provenance of an item – whether it’s ammunition, infant formula or abalone – is again a logical use of blockchain.

Where to start: real insight and the right support

There is, of course, time and money that needs to be invested to deliver an efficient, effective blockchain environment that can build the confidence of partners and the public to embrace the technology.

Services such as IBM Bluemix Garage, which includes a Melbourne-based garage, enable government to interact with technical and business experts trained to assist clients in understanding what blockchain is, what it can do, and how it can assist in solving the biggest pain points of an organisation.

Engaging experts in this space can also facilitate sharing of knowledge of how to encourage key stakeholders to become promoters of blockchain – including regulators that may commonly need to access government or sector information for oversight and reporting.

And there is more support continually growing on a daily basis from emerging examples of blockchain adoption and new technology providers willing to assist in supporting business assessments, cases and implementation.

Government is not alone on the blockchain journey – but it does need to be a leader in this space today, not tomorrow, to ensure its outcomes are achieved and not just the business objectives of the private sector.

Blockchain for government services

By Andrew Thurlow

The financial services sector is the early adopter of blockchain, but the use cases for government are compelling because they go to the heart of the business networks and underpin the core role of government: delivering services to enhance the lives of its citizens.

The key challenges that governments face in delivering government services (the interoperability, accessibility and integrity of data, privacy and security, and governance and compliance) can all be resolved with the blockchain concepts. We can create a unique immutable digital identity for a citizen or business that enables it to access the data required to deliver a service that enhances its well-being. We attach the history of transactions to the data object and not to the parties in the transactions. This provides one version of the truth that is available to all who have permission to see it. Imagine a world where all transactions are nearly instantaneous, personalised and all data is available on the basis of consent.

Blockchain will accelerate the move to cloud-based platforms and shared open data. It will enable developing countries to leapfrog developed ones as they deploy the new cloud-based architectures and establish e-government services without the constraints of legacy applications architecture.

With an open supply chain, the European Union’s demands for more information about corporate supply chains, with penalties for non-compliance, will be consigned to history as the regulator can see all parts of the supply chain whenever they choose to look. Consumers who want to know where and how their products are made can look at the blockchain.

Government use cases

Blockchain has the potential to break down departmental silos, fuelling more efficient collaboration across government. Blockchain technology can share data securely across government and partner networks. Such networks may be private to government departments (authorised to non-government entities), permissioned so only authorised actors are allowed to join, and secured using cryptographic technology to ensure that participants only see what they are allowed to see. The shared ledger approach also has the potential to be more robust since it is replicated and distributed.

Good blockchain use cases for government therefore naturally cross internal and external organisational boundaries and depend on the ability to reliably share data in a secure, permissioned manner.  All transactions performed against the blockchain require consensus across the network, where provenance of information is clear and transparent. Transactions are immutable (unchangeable) and final.

Considering this, applications of blockchain technology could show great promise across a broad range of government services. For example, use cases typically discussed by the community include:

  • maintaining registries for land, companies and physical assets such as vehicles
  • managing records of consent
  • payment processes that do not need a bank account
  • identity management and authentication that would enable electronic voting and other online services
  • smart contracts linking councils, contractors, local residents to enable personalised services
  • the ability to share open data more widely and at lower cost

We can summarise the use cases in the following diagram which shows that:


1) there are three types of base registries centered on Identities, Digital Assets and Physical Assets; and

2) Use cases are either generic components or very domain specific.

Use cases suitable for government will therefore have a business problem that specifically benefits from blockchain capabilities of consensus, provenance, immutability or finality, and will combine supporting capabilities with one or more registry types and one or more business domains.

Canadian case study: using blockchain for identity

In 2016, the World Economic Forum recognised that identity is central to the financial services industry, enabling delivery of core financial products and services. It is also a critical pain point for FinTech innovators who are trying to deliver pure digital offerings, as the process of identifying users consistently forces them to use physical channels.

Reliance on physical identity protocols introduces inefficiency and error to these processes. Identity also opens up new markets. As of 2014, two billion individuals, primarily in emerging markets, were cut off from financial services, in part because they lacked identification or didn’t have bank accounts. Digital identity has great potential to improve core financial services processes and create new opportunities.

In Canada, the financial institutions saw this coming and decided to do something about it. Recognising that the rules are changing, they decided that it was important to be relevant in customer authentication and ID validation. They recognised that it is essential that they deliver user experiences that re-intermediate them in their customer’s lives.

Using SecureKey technology, over seven million credentials have now been registered in the service, and hundreds of thousands are added per month. The service receives accolades for its privacy stance, in that the bank never knows the service a user is accessing and the government never knows the credential provider.

Royal Bank, TD Bank, Scotia Bank, CIBC, Bank of Montreal and Desjardins recently invested CAD $27 million into SecureKey to accelerate the journey, and help develop a true identity and attribute sharing ecosystem where the banks were relevant.

The new service enables attribute sharing and consumption to and from other parties as well (e.g. telco and government), but it is the bank that is central in both creating the digital enablement and managing the nodes of the network.

Each of the banks placed a senior executive on the SecureKey steering committee to manage governance and prioritisation. The banks felt strongly that while they needed to differentiate their own offerings, it was essential to work together in the development of a national standard, whereby the bank becomes relevant by providing value to customers in every experience – from renting an apartment, to opening a telco account, to accessing health and government services.

Monetisation of data was clearly a driver, but removing friction for customer onboarding with third party services, reducing risk for companies (with cross validation of attributes) and being present to improve the customer experience (with IDV, payment initiation, lending) – and doing all of this now before PSD2 regulation allows others to lead – were the main factors in banks deciding to move ahead with SecureKey.

The technology

In order to achieve the goals of privacy and resiliency, the service was implemented on a distributed ledger (blockchain), where each of the banks runs a trusted peer node. Having run the Canadian ecosystem for many years, and having worked closely with both the U.S. Government on Connect.Gov and with National Institute of Standards and Technology on their new guidelines, SecureKey felt this was the only way to solve the problem at scale.

Specific goals in the implementation include:
  • That no data is visible to the operator of the network
  • That there is no central database or 'honeypot' of data
  • That there is no central point of failure
  • That there is privacy so that an Identity Provider cannot tell where an identity claim is being used (imagine if the government knew every time a citizen went to the liquor store!)
  • That there is no way to track an individual across relying parties

In fact, SecureKey recently won grants for its architecture and approach from both the US Department of Homeland Security Science & Technology Directorate and the Canadian Government. The foundation of the technology is built on Hyperledger Fabric, which is a blockchain framework and one of the Hyperledger projects hosted by The Linux Foundation.

SecureKey has been working closely with IBM on the development of the technology, ensuring that it will be able to scale to meet global demands while respecting the core security, privacy, integrity, and resiliency aspects needed for an identity network.

With the right set of partners, the benefits of a distributed ledger approach to identity management have the potential to outweigh the adoption risks perceived to be associated with a relatively new technology. The system’s strong anonymity standards enable potential competitors to work together in the same ecosystem.

Its decentralised nature eliminates single points of failure, dramatically improving resilience. It also assures complete privacy for individual users while maintaining convenience and ease of access. SecureKey has implemented blockchain so that network participants require very little blockchain operations experience, and IBM Blockchain enables customers to quickly get on the high-security business network with minimal operational effort. This will provide network participants with a strong customer proposition.

The business model

The business model of the service is quite straightforward. The providers of attributes get paid for each set they provide, and have no liability if they are wrong. The requestor of attributes pays for each set requested and generally will request more than one validator to be comfortable with the claims.

For example, a telco or a bank might request name, address and mobile number from a tier one bank (which requires a real-time bank login), but will also request that the mobile device being used by the user has been validated by the telco, and that the SIM in the device matches the mobile number of record at the bank. They will also likely request a credit claim from a reputable agency, showing that the individual’s credit score is over 700 and that there are no 90-day+ delinquencies on file. The requestor pays for each claim received and has no ability to go back to the provider if the claims have errors. The network manages the billing and provides the vast majority of funds back to the providers of claims.

Users are able to add a variety of attributes over time and share them when requested to a valid requestor. The user provides explicit consent each time data is requested: e.g. 'Are you willing to share these attributes with this party for this purpose?'. Each action is recorded in the ledger and the user receives a secure notification on all actions.
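The following is an added illustration, not SecureKey's or Hyperledger Fabric's code: a minimal hash-chained consent log showing how recording each consent action in a ledger makes later edits detectable, and how per-relying-party pseudonyms keep one user's entries unlinkable across relying parties. The HMAC-derived pseudonym, the record fields, the class and function names and all sample values are assumptions constructed for this example; a real distributed ledger adds replication and consensus across peer nodes on top of the hash linking shown here.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev_hash used by the first entry in the chain


def pairwise_id(user_secret: bytes, relying_party: str) -> str:
    """Per-relying-party pseudonym (assumed scheme: HMAC-SHA256).

    Without user_secret, the pseudonyms seen by two relying parties
    cannot be linked to the same person.
    """
    return hmac.new(user_secret, relying_party.encode(), hashlib.sha256).hexdigest()


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of a record bound to the hash of the entry before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class ConsentLedger:
    """Append-only log of consent decisions (hypothetical structure)."""

    def __init__(self):
        self.entries = []

    def record_consent(self, user_secret, relying_party, attributes,
                       purpose, granted, timestamp):
        record = {
            "subject": pairwise_id(user_secret, relying_party),
            "attributes": sorted(attributes),  # attribute names only, never values
            "purpose": purpose,
            "granted": granted,
            "timestamp": timestamp,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"record": record, "prev_hash": prev,
                 "hash": entry_hash(prev, record)}
        self.entries.append(entry)
        return entry

    def first_invalid(self):
        """Return the index of the first entry that fails verification, or None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            expected = entry_hash(prev, entry["record"])
            if entry["prev_hash"] != prev or not hmac.compare_digest(entry["hash"], expected):
                return i
            prev = entry["hash"]
        return None

    def entries_for(self, user_secret, relying_party):
        """Let the user (who holds the secret) find their own entries."""
        subject = pairwise_id(user_secret, relying_party)
        return [e for e in self.entries if e["record"]["subject"] == subject]


def build_sample_ledger():
    """Constructed sample data: one user, two relying parties, three decisions."""
    secret = b"constructed-user-secret"
    ledger = ConsentLedger()
    ledger.record_consent(secret, "landlord.example",
                          ["name", "address", "credit_score_over_700"],
                          "apartment rental", True, "2018-03-01T10:00:00Z")
    ledger.record_consent(secret, "telco.example",
                          ["name", "mobile_number"],
                          "telco account open", False, "2018-03-01T10:05:00Z")
    ledger.record_consent(secret, "landlord.example",
                          ["background_check"],
                          "apartment rental", True, "2018-03-01T10:06:00Z")
    return secret, ledger


if __name__ == "__main__":
    secret, ledger = build_sample_ledger()
    print("intact chain, first invalid entry:", ledger.first_invalid())
    # Flip a refused consent to "granted" after the fact.
    ledger.entries[1]["record"]["granted"] = True
    print("after edit, first invalid entry:", ledger.first_invalid())
    # Recomputing that entry's own hash only moves the break to the next entry.
    ledger.entries[1]["hash"] = entry_hash(ledger.entries[1]["prev_hash"],
                                           ledger.entries[1]["record"])
    print("after re-hashing, first invalid entry:", ledger.first_invalid())
```

Rewriting every later entry would make this single copy verify again, which is why the design described above relies on each bank running its own peer node with an independent copy of the chain.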

Some sample attributes that we are enabling include:

So, imagine a user experience such as renting an apartment. The prospective tenant can share identity validation (from the bank), credit score over 700 from an agency, and a background check in seconds. They can get adjudicated on the spot, then pay the first and last month’s rent, set up an internet service and add contents insurance in a few more clicks. The bank has made the consumer process much better, earned good revenue and perhaps sold more products. This is an example of re-intermediation.

Entering other geographies

IBM believes the model will replicate well in other select geographies. In Canada, IBM asked the banks for startup funds to get the network built and deployed. This was done through a one-time capital injection, and not ongoing operating funds.

It has a contract with them that says a consumer cannot have an account unless it is linked to a bank. The bank is the setup and recovery partner. When we share attributes, we share the bank’s first. Once IBM achieves operational funding at SecureKey (a base level of revenue), then the majority of the revenue earned with bank attributes will be shared back to the partner banks.

IBM believes that the model is like SWIFT, whereby each geography has a license and local team focused on successful implementation. Governance would be managed with a cross-bank team of executives. We are working with local businesses who are excited to be part of the network launch in other geographies. Please reach out and schedule some time with us.

As the banks come together in Canada, we are already working on Bank Account Open, Telco Account Open, Accessing Government Services, Accessing Medical Records and Test Results, A Social Buying Network, and Apartment Rentals – with more requests each day. There are lots of incremental advantages for banks in having a cross-border identity mechanism, but the focus initially will be local.

Why hurry?

The banks recognise that the Silicon Valley companies are coming, creating slick user interfaces and compelling new value propositions for customers.

Apple recently demonstrated the beginning of the threat when they took over the authentication for transactions and charged the bank a fee to use their interface. This is just the beginning. If the telcos or Apple or someone else enables true identity and use cases in the phone before we do, it will be a lost opportunity. PSD regulation and FinTechs are coming quickly.

What is the business case?

Most of the banks in Canada believe this is a positive or breakeven business case with respect to monetisation of attributes, because the bank will be buying attributes from others to improve onboarding and to reduce fraud (e.g. notifications when the SIM changes). So this is not a “move-the-needle” number.

They see digital onboarding as vital in the coming age, with each percentage increase in online onboarding being worth over $100m annually. They see re-intermediation in other activities like social selling, apartment rental, phone account opening, government account access and health services as vital to staying relevant. They see the opportunity to integrate their payment into all the ID validation use cases as another source of revenue as cash and cheques disappear.

Why was a blockchain architecture chosen?

Privacy is vitally important. The system was built from the ground up on Privacy by Design principles. The attribute sharing party must, in most cases, not know where an individual is sharing their data.

A distributed architecture provides resilience against denial of service attacks that will be vital in a nationwide identity ecosystem. There had to be no way the central broker could be honest but curious. Having built both SecureKey Concierge in Canada and Connect.Gov in the US, it was agreed blockchain was critical to the solution.


How agencies can realistically secure their data and networks

By Julian Bajkowski

Harnessing intelligent computing to secure government services

Across Australia, governments are creating previously unimagined amounts of data.

As all jurisdictions invest heavily in digital technologies, platforms and networks to significantly improve services and programs, the rapid arrival of cloud computing, the Internet of Things and high-performance 5G mobile networks has turbocharged the volume of data government agencies will be accountable for.

Ensuring data privacy – however it’s defined – and security sits at the core of citizen trust.

Let’s be real. Many of the intelligent service applications that public sector consumers now routinely experience with banking and ecommerce will need citizen usage data to be integrated – often in real time.

So, it follows that ensuring confidence in information and data security is critical for ensuring citizens buy into these services.

Yet unlike banks, utilities or online retail, there is often no competing or alternative provider for government. And often the service – such as paying a parking fine – is mandated, further intensifying public expectations.

So, when government goes digital, for the most part it must work first time ‘out of the box’. No pressure ...

Welcome to the multiplier

At the same time as agencies are pushing to create intelligent, joined-up services, the threat environment has become far more complex, with the types and scale of threats growing rapidly.

An array of hostile actors – fraudulent, state sponsored or both – now have at their disposal powerful and highly disruptive technologies to attack and exploit vulnerable networks. These threats are often interlinked and impervious to national boundaries.

They target both private and public sector networks, including critical infrastructure that keeps our highly-connected economy working.

In this era of massive data and threat complexity, enterprise CIOs say it is intelligence, speed and accuracy that are crucial to effective cyber defences.

New school rules: persistent evolution

Traditional threat intelligence is struggling to stay on top of this cacophony of digital noise, leading to resource-leaching false positives, delayed responses and wastage of precious and finite analytic resources.

Reactive perimeter defence systems are giving way to proactive global systems which scan and parse the massive amounts of threat intelligence now on the open web. As much as 80 per cent of this information is unstructured. New cognitive systems are using powerful, artificial intelligence applications to rapidly digest this treasure trove of intelligence and recommend responses.

“Forward focused and continuously multi-tasking, cognitive systems scour for vulnerabilities, connect dots, detect variances and sift through billions of events to build upon a base of actionable knowledge.” — IBM Cognitive Security White Paper

Industrial commitment

A key pillar of the Australian Government cyber policy is the promotion of intelligence sharing across the public and private sector.

This requires industrial context to make sense of the daily waterfall of threat data. By applying cognitive intelligence to threat data, security analysts have a powerful context to detect and interpret even the subtlest change in activity.

These very same systems are now applying tremendous computer power – and intelligence – to rapidly give CIOs options to mitigate threats. IBM research reveals reducing average incident response and resolution time remains the top cyber security challenge for enterprise CIOs.

The 2017 Ponemon Cost of Data Breach Study for Australia found organisations were slowly bringing down response time, but that the number of days to identify the data breach was still an alarming 191 and the average days to contain the data breach, 66.

When demarcation evaporates

Detection and escalation must encompass global and seasoned expertise. It requires major investment in forensic and investigative activities, assessment and audit services, crisis team management and communications to senior agency executives and ministers.

Robust information governance and risk management programs are critical to effective management of infiltration attacks.

It’s certainly no cakewalk for CIOs and CISOs.

At a time of major fiscal pressures, technology leaders are looking for new ways to justify the cost of cybersecurity investments and demonstrate value – the challenge is attributing value to what was prevented as opposed to what was lost.

The view that security is simply an insurance policy or a cost of doing business must be dispelled. Reports back to IBM suggest the top two factors used to justify investments include clear communication of the current risk exposure in the organisation and getting the support from finance, risk management, operations and other key executives. This needs to be communicated in a language easily understood by non-technical executives.

Cyber defence in this day is very much a mix of modern technology, access to expertise, and partnerships with critical support institutions, locally and around the globe.

At a time of critical shortage of cyber skills, the key is working with partners with proven depth and international reach. Cyber today is very much a multi-vendor game, so finding partners that work in an open and collaborative fashion is also important. This is especially so as the world moves toward more sharing of threat intelligence and the emergence of major threat sharing platforms.

Mandate from the top

In Australia, the Prime Minister has established the Home Affairs portfolio to provide coordinated strategy and policy leadership as a direct response to this increasingly complex and challenging security environment.

This has seen the Prime Minister’s former cyber adviser, Alastair MacGibbon, become the National Cyber Co-ordinator in the new Home Affairs Department.

The new agency is expected to drive a strong unified approach to cyber and represents a major consolidation of federal government cyber agencies and expertise.

For government CIOs, federal, state or local, this resets the landscape and implies a far more sophisticated nationally-driven response to cyber attacks.

At the highest level, the message is clear: the cyber threat is very real and the public sector needs to be much better prepared and coordinated.

This includes agency resilience strategies that are robust and backed by the right mix of threat intelligence and mitigation technologies and expertise. As agencies move through the next phase of digital development and maturity, the need for a robust security platform is only going to intensify.

Digital Identity

A single identity to engage with government agencies

By Tom Burton

Unlocking personalised services with a single ID

The federal government is investing over $90 million to build a federated identity system, to give citizens and firms control and choice over their digital interactions with government and businesses.

Known as myGovID, the new identity solution means citizens will only need to establish their identity once, and can then re-use it numerous times to access multiple government services.

The aim is to build a robust identity system, among all the main government and non-government players – not dissimilar to the BPay and EFTPOS systems.

Several major pilots are now in planning to test the solution under high volumes. This system of trust includes a digital identity exchange to connect Commonwealth services to users. This will be operated by the Department of Human Services and for privacy and security reasons will be separate to the actual identity providers.

The Australian Taxation Office will manage identity verification on behalf of the federal government. The government is also encouraging other identity providers to be accredited, including Australia Post and the banks.

The federated model will be governed by a Trusted Digital Identity Framework (TDIF). The framework has been developed by the Digital Transformation Agency. It establishes the rules to ensure citizens can deal with government and major businesses with confidence that all players providing the solution comply with security and privacy protocols.

This new identity solution is a game changer. It is expected to fundamentally reset the relationship between government agencies and their citizen users, creating a powerful opportunity to build a new suite of personalised public services for individual citizens.

New personalised (and useful) services

In this scenario, a family moving, say, from one state to another will be able to update all their governmental address records in one place, using a so-called ‘tell us once’ functionality.

For citizens, this will be a huge personal benefit, but the far larger prize is the suite of ‘add-on’ personalised services that will be able to be implemented once a single trusted identity framework is in place. These services could include new travel cards, drivers licences, electoral enrolments, school enrolments and even an appointment with a local health care provider.

Similarly, with the birth of a child, once an identity is verified and authorised, there is an opportunity to seamlessly offer a rich smorgasbord of services from a variety of public institutions, including hospitals, child care centres and schools.

Rather than multiple agencies delivering a series of discrete bespoke services, it is expected these new integrated services will be increasingly managed through one portal, that will over time set the relationship governments have with citizens. Early examples of this are the big service portals, such as Service NSW and the federal service gateway, MyGov.

An end to citizen pain

In this world, citizens will no longer have to navigate the alphabet soup of agencies and morass of complex statutory requirements that come after, say, a close relative passes away. Nor fight their way through the complexity that comes with a dissolution of a marriage, or de facto relationship.

For many citizens, this is exactly what they find most frustrating dealing with government. And the key to solving this problem is a permissions-based unified and trusted identity system that enables services to be brought together into a highly usable citizen solution.

Given governments’ dominance in the health, education, transport and public safety sectors, there is a rich possibility of services that become viable once government agencies across all jurisdictions begin to focus on core citizen and business needs.

At its simplest, this would include event-based notifications – be it a local emergency services update, a health check-up or a weather alert. More sophisticated integrations could include immigration portals that bring together all the governmental requirements into one easy-to-understand user journey.

Health is an area of virtually unlimited potential for new personalised services, either from broad demographics like age and location or more ambitiously around personalised medicine, from genomic and other biomarker data.

Once verified, a citizen potentially can be provided with a service without even having to ask, like a school travel card for newly enrolling students, or a seniors card.

We are already seeing early signs of this new thinking with a pilot in Parramatta to enable small business registrations to happen through one portal, instead of owners having to deal with three tiers of government, across a complex (and often unknown) set of regulatory requirements.

And the recent Ferris Innovation Report has recommended Australia embrace the concept of precision medicine, where personal health data can ensure patients get the best treatment for their particular body.

Services built around shared standards and data

All this becomes possible once there is a trusted system for identity built around a set of standards, enabling governments to confidently design services from multiple agencies, integrated through shared data environments and powerful algorithms.

This comes as cognitive computing offers powerful ways to parse the large structured and unstructured data, and, when tied with other advanced intelligence applications, opens enormous service design options and capabilities.

Just as private enterprises use the data from their customers to finetune and develop their products and services, government agencies can also use citizen administrative data to improve their services. These customised offerings can be designed around key demographics such as location, gender, age as well as citizens’ actual use of public services.

The design of these services can be highly personalised and, if permission is given, can involve mixing a person’s government and private data. For example, an app that brought together public and private energy data from a citizen’s daily usage could prove highly useful to households seeking to better manage their power usage.

When the various interactions are managed through a single system, this will emerge as a powerful pivot point through which the relationship between citizen and government will be managed and experienced.

This experience includes security, privacy, governance and usability requirements that will need to be strongly supported to maintain trust and compliance in the framework and the door it opens to a world of powerful, integrated and highly intelligent services.

Collaborative, top-level commitment needed

Built around powerful intelligent computers and superfast digital networks, these services will need strong collaboration and strategic leadership from all agencies. Governments have struggled to establish shared service centres across portfolios, let alone join up services across multiple jurisdictions. In NSW it has taken real political and top-level Cabinet commitment to overcome the resistance that comes from agencies fearing the outcome of service unification and integration.

CIOs with their understanding of what is required and what is possible will play a critical role in designing the technical architecture to support this integrated service model, and in advising CEOs of the approaches and strategies for enabling this next generation of services.

Identity management is a key piece of any foundational security strategy and requires a comprehensive approach and the employment of sophisticated controls to ensure outsider and insider risks are consistently managed. IBM’s Identity Governance and Intelligence suite, for example, offers end-to-end protection across the technology stack, providing auditable compliance. Segregation of duties and violations helps ensure risk is well understood and managed.

To date, service transformation has tended to digitise the status quo. But in a world where agencies can trust identity, leaders will have a real opportunity to rethink services that take much of the pain and frustration out of dealing with government, and to fundamentally reset the relationship with citizens and stakeholders.