The Australian National Audit Office has just released a report 'The Protection and Security of Electronic Information Held by Australian Government Agencies' based on a review of the approaches to information security by four agencies, the Office of Financial Management, ComSuper, Medicare Australia, and the Department of the Prime Minister and Cabinet.

Amongst other recommendations was one which has been much discussed on Twitter this morning, "emails using public Web-based email services should be blocked on agency ICT systems, as these can provide an easily accessible point of entry for an external attack and subject the agency to the potential for intended or unintended information disclosure."

This reflects the recommendation in the Defense Signal Directorate's Information Security Manual, the 'bible' for Australian Government agencies when it comes to ICT security, which states on page 100 that:
Agencies should not allow personnel to send and receive emails using public web-based email services.

The concerns are very clear and relevant - web-based email systems can easily be used, inadvertently or deliberately, to distribute large quantities of citizen's personal information, or an agency's In Confidence or other classified information rapidly and to large numbers of people, making it impossible to contain the spread of the information.

Web-based email is also a potential source of attacks against an agency, through viruses, worms and trojans in email attachments (which may not be able to be scanned at the same level as Departmental email can be) and through web-links in emails to compromised websites.

I don't dispute these real concerns. They are concerns for corporations as well.

However, I do ask - what is 'web-based email'?

Most people are aware of the classic web-based email services, Windows Live Hotmail, Yahoo mail and Gmail amongst many, many, many similar services (here's a list of 18 web-based email services - and that's just a start!)

These services follow a standard email model - an inbox, outbox, capability to send and receive email, with attachments and some ability to organise and file emails into folders. Most have automated spam-checkers too, some exceptionally good.

However while they LOOK like email software, they aren't really email software. They are simply web pages providing access to text, links, file upload/download and some buttons.

Any webpage can be designed the same way. In fact it would be hard to find any webpage without at least two of the same features.

In other words, while they look like email and act like email, they're really no different from going to any website which allows people to click on a link or download a file.

Regarding the risk of downloading or clicking on a link with a malicious payload (virus, trojan, etc), web-based email web pages provide no additional risk to standard web pages except, perhaps, that they have content targeted to an individual with a government email address.

There may actually be less risk in using popular and widespread web-based email services as they do employ sophisticated scanning techniques to limit spam and malicious payloads. It is in their interest to not allow their users to become infected with viruses as their business would suffer as a result.

In fact, in some cases the large web-based email providers may offer more security in preventing spam and viruses than a corporation or government agency can offer to its staff using official email accounts. The large web-based email providers have hundreds of millions of users and their business is providing web-based email, meaning they hire the best talent, employ leading edge solutions and invest far more into their email security than most corporations or government agencies can afford.

I've only talked about the identifiable web-based email systems so far, there's also several broader considerations.

More and more online services are implementing systems like web-based email for sending and receiving messages within a web browser.

This includes services like Facebook, LinkedIn, YouTube, Slideshare, Ning, Amazon, all forum systems and micro-blogging services like Twitter (allowing direct messages). Most ISPs offer web-based access to home email accounts. Even your bank probably does it.

In all cases these services provide you with the ability to send and receive messages, including links and sometimes also attachments.

They effectively act like web-based email services, without having the same name.

To block web-based email systems can be tricky without blocking access to the provider's other services, such as Google's analytics and webmaster systems. However it is (mostly) possible.

To block these other pseudo-web-based email services without blocking their service is most probably impossible in most cases. That would mean blocking staff from being able to monitor or interact (officially) over social media services, or even from accessing their bank accounts from work.

Another consideration is the vast array of services that could not remotely be described as having web-based email qualities but still allow people to share information online.

These services, like YouSendIt, DropBox, Scribd and a host of others (including web-based FTP services provided by ISPs and others) allow people to upload a file, or often many files, and share them widely. There are also services for making comments - every newspaper has one - and many services for anonymising where the data is coming from to prevent detection.

Now all of this may still be manageable if it were only defined organisations who provided all these services. However the barrier to setting up a new service that looks and performs like web-based mail, or allow files to be transferred is almost invisible.

Open source software exists to allow any person to create their own service in a matter of hours. Web-based systems allow you to create a web-based email facsimile in a matter of minutes. These services are widespread, easily discoverable and cheap.

People can set one up from home, or any public access computer and then access it at work. That's if they are not amongst the nearly 40% of Australians with personal smartphones, or the millions of others with laptops, netbooks and tablets and 3G connections to the internet. Personal internet connections at the office, every day.

I don't envy the job of ICT Security Advisors.

If an agency wished to prevent staff from sending files and information online to unauthorised recipients, or prevent the possibility of staff clicking on links or downloading files from the web that may carry viruses, there are only three solutions.
  • Whitelist a bare minimum number of sites that staff can access,
  • turn off internet access completely, or
  • establish effective policy guidance and education for staff, have managers monitor use and ICT Security advisers provide support and training.
While it may be easier for organisations to pick one of the first two options, they will experience staff backlashes, have difficulty recruiting younger people (now including people in their 40s) and be unable to effectively engage and respond to changing global and national events.

These approaches won't necessarily limit the use of personal internet-connected devices at work, many more staff might bring them in to get around the security settings (so they can do their banking and respond to critical personal events). These approaches may even increase the incident of information leakage as disgruntled staff use the fax or photocopy and walk out the door.

The third option, which requires extensive senior leadership and support, is more effective in the long-run, however a harder sell due to the time and ongoing education commitment. However it is, in my view, the only approach to managing the use of web-based email and all similar services - in effect the entire internet - which serves the long-term interests of governments, agencies and staff.