The messages in the Cabinet Office, HMRC, IPCC and MoD reports and recommendations released on 25th June will keep security experts occupied for years. But the Government's responses to the recommendations of recent Parliamentary reports, and of its own Independent Reviewer, raise far wider questions.
These are hidden away in “Annex V: Cross-references to other work”, starting on page 37 of the report on “Data Handling Procedures in Government”.
First come the responses to a selection of the recommendations of the Joint Committee on Human Rights report on “Data Protection and Human Rights”. Then come those to the Select Committee on Justice report on “The Protection of Personal Data”.
Then come those to “Protecting Government Information: Independent review of Government information assurance”, by Nick Coleman. These are interesting for what is not addressed even more than for what is. That review ranged well beyond the issues raised by the “mere” loss of data. Nick’s recommendations covered information risk management as a whole and included greatly improving the professionalism of those responsible. The government response included clarifying the split of responsibility between the Information Commissioner, the National Audit Office and CESG, and a reference to working “through peer review and other independent experts”. However, it failed to address many of the wider issues. This was not surprising, because several of the recommendations represented major threats to departmental autonomy.
Then comes the surprise: page 41 includes Government promises to “consider” some of the sharper recommendations of the House of Lords report on Personal Internet Security “in the light of the Walport/Thomas review due shortly”, including those on on-line banking liabilities akin to the ones under the Bills of Exchange Act 1882, on which I recently blogged.
I have been scanning the responses to date from the flock of security experts. Most share the tunnel vision of the Government response to the Coleman review: they mouth the words “culture change” and then support the creation of a “Chief Information Risk Owner” with his own add-on security silo.
The time has come for a far wider vision.
Either the security of information, and the resilience of the systems giving access to it, really are important, in which case systems should be designed, from the start, to embed BOTH “security by default” (i.e. it takes a conscious effort to override the safeguards and do it insecurely) AND “graceful degradation” (e.g. defaulting to equally secure federated and/or local access when the primary route fails).
Or they are not that important – in which case we should resign ourselves to a world in which no electronic communication can be trusted or relied on for life or business critical functions at a time of rising fraud, impersonation and cyber-assault.
If they really are important, then we need to stop talking about “mere information security professionalism” and start overhauling mainstream information systems and computer science education and training, so that information security and resilient access are at the heart, not the periphery, of ICT professionalism as a whole.
And that means beginning with an overhaul of the courses accredited by BCS, IET and others.
That is why, two days ago, I said these reports might well be the most important of the decade for the ICT industry. Hence also the refocus of the EURIM Personal Identity and Data Sharing Group on Information Governance.
Then I spent two days at the ACPO E-Crime conference at Wyboston: listening to the concerns of a hundred or so dedicated professionals fighting a rearguard action against a rising, not falling, tide of reports of paedophile activity across social networks, unable to make time to seriously address anything else.
Are we on the cusp of a crisis of confidence in the on-line world?
And does that mean we are on the brink of catastrophe (the fall of Rome or Byzantium to the Barbarians or Turks) or on the brink of the turning point of the war (the start of “the real fight back” and the run-up to Midway or Kursk, depending on whether you are American or Russian, German or Japanese)?
I do not know – but I do urge you to read the reports and recommendations and then put them into overall context – beginning with Nick Coleman’s wider vision.