If the government is serious about its policy objectives of slashing administrative costs, bolstering the UK's cyber defences, moving away from proprietary software systems, putting data into the Cloud, and treating personal data with the respect it deserves, then it is time to reassess the role of information assurance and how it is delivered. There is a pressing need to reform the information assurance function so that we have proper security governance, and so that information assurance supports, not hinders, the government’s policy objectives.
Public Sector Data Leaks
With the announcement of a £650m budget for cybersecurity, coupled with the axing of defence infrastructure that until recently would have been considered critical to the protection of Britain's national interests, Prime Minister David Cameron has delivered the unequivocal message that cybersecurity is a cornerstone of the UK's broader defence interests. UK defence companies will be switching their research budgets away from military hardware and into homeland security products, and information security companies around the world will doubtless be examining the UK security market, keen to get their share of the new government spend.
All this has to be a good thing for the central and local government authorities who have seen public confidence in their ability to protect information eroded by a seemingly endless string of high-profile data loss incidents. Ever since Chancellor Alistair Darling informed Parliament that HM Revenue & Customs had misplaced the details of child tax credit claimants, we have been bombarded with reports of files left on trains, memory sticks dropped in the street, emails accidentally sent to the wrong mailing lists, hard disc units lost, laptops stolen from cars; and despite senior managers time and again promising the Information Commissioner that 'lessons have been learned' the incidents keep on happening. Public authorities appear to be incapable of protecting information. What can possibly have gone so badly wrong with information assurance that our authorities are apparently unable to keep anything secret, at a time when the Prime Minister tells us that our cybersecurity has never been more important to the nation?
The Department of ‘No’
The UK government’s information assurance function is distributed across government through a number of agencies. Perhaps the best known of these is CESG (formerly known as the ‘Communications-Electronics Security Group’ of Government Communications Headquarters), the national technical authority for information assurance. Based in Cheltenham, and reporting to the Cabinet Office, CESG is tasked with delivering a range of products and services including threat monitoring, product assessment, advisor training and system testing.
The information assurance function is not exclusive to CESG. The Cabinet Office has a Security Policy Division (COSPD) which produces part of the Security Policy Framework (SPF) that replaced the Manual of Protective Security (the government’s primary standards document for information assurance), and CESG produces the rest of the SPF. The National Cybersecurity Strategy also sits within Cabinet Office, but focuses more on protecting the broader Critical National Infrastructure (CNI) from major disasters, terrorist threats, foreign intelligence services and serious/organised crime, than general systems security. The MoD uses equivalent standards and administration internally, which refer back to the products and services provided by the government’s other security centres (all of which have a common root in standards that evolved into ISO/IEC 27001:2005), but which operate completely separately. Other parts of the security governance function are fragmented across many committees and boards.
Significantly, this substantial infrastructure is focussed mainly upon advisory services rather than actually implementing and managing systems security: that burden falls upon the Senior Information Risk Owner (SIRO) in individual public authorities. This individual, who should ideally be from an information risk background, is the focus for information assurance delivery at a Board level within their authority. In smaller bodies, the role of SIRO is often shared with other duties such as Chief Information Officer.
The Cabinet Office has recently established the Office of Cyber Security and Information Assurance (OCSIA), which has yet to have an opportunity to reform the information assurance function, but publicly appears to be more focussed upon the cyber defence agenda than the day-to-day mechanics of running information assurance.
With this advisory capability, one would imagine that the government’s information assurance function would be robust and strong, drawing upon a wealth of shared expertise that is delivered in such a way that security enables and supports service delivery. Unfortunately, all too often the opposite is true.
Cost-Effective Information Assurance? The Department Says ‘No’
Government lacks a focal point for information security: there is no ‘Government Chief Information Security Officer’ or ‘Office for Government Information Assurance’ - in other words, no one individual or organisation accepts accountability for the proper governance of data in the public sector.
The fragmented approach to information assurance has developed over many decades, and the cultural unwillingness for government bodies to accept responsibility for an issue as ‘toxic’ as information assurance has left the subject in the long grass as far as most CIOs are concerned. Even the proliferation of Quangos under the last Labour government did not lead to the creation of a body that might deal with this critical issue, despite some of the highest-profile data loss incidents ever to impact the public sector occurring during their term of office.
Instead the various bodies tasked with information assurance focus upon their own jurisdictions and rarely cooperate successfully: the MoD does not discuss its security standards, although they are little different from those in use across the rest of government; CESG and COSPD will only release information to suitably cleared individuals, and rarely reference each other’s work. Each department and agency has to pay to support its own security infrastructure rather than drawing upon the economies of scale that might be achieved by a central security team working for the common good of government. The information assurance environment is far from cost-effective.
Information Risk Management? The Department Says ‘No’
This lack of cooperation doesn’t just mean that key activities are duplicated: it also means that without support from their managers, those tasked with protecting systems are afraid to take risks, for fear of being blamed if an incident occurs.
The problem is that information assurance is not about absolute control, and any professional security manager will acknowledge that there is no such thing as 100% risk avoidance. Instead, it is about assessing the information risks faced by the organisation, developing mitigating controls and actions, and ensuring that they are managed properly so that the risk levels are reduced to a point where they are proportionate and acceptable.
This means that incidents will always happen. This may be because security controls are judged to be disproportionately expensive (for example, spending many millions of pounds on security to protect assets worth only some thousands of pounds); because individuals failed to comply with the instructions given to them (for example, downloading unprotected files on to a memory stick to take home, then losing that memory stick); because the system is attacked by a capable and dedicated enemy (for example, an authorised user taking copies of MPs’ expense claims); or because of a ‘zero day’ exploit (for example, a hacker breaking into a system using a weakness that was previously unknown to the security officer).
Whatever the cause, security incidents will always occur, and the public sector culture is to look for someone to blame - remember how the HMRC incident was almost immediately blamed upon a ‘junior clerical officer’ before it was revealed that systemic failures were at the root of the problem? Security officers are rightly fearful of being blamed for incidents, and in the absence of someone who will act as an advocate for them when things go wrong, they are forced to fall back on the only safe path available to them, which is to say ‘no’ when the business wants to do anything which might carry an associated security risk. The likelihood of the current information assurance community being willing to support the government’s cloud computing ambitions seems slim indeed.
As a result, most public servants view information assurance as an obstacle, not an asset. Because of poor leadership, excessive bureaucracy, and a culture of unnecessary secrecy, public authorities are unable to obtain cost-effective information security controls. The current infrastructure will neither permit nor support the new commitment to respecting personal data, making government data available, or protecting data that needs to be kept secret.
Secure Systems? The Department Says ‘No’
Ironically, the culture of ‘No’ has not resulted in better security within the public sector. Project managers, afraid of having their plans thrown into disarray by uncooperative security professionals, simply avoid seeking security advice. Enterprising users who need to get their jobs done seek out risky ways to bypass security controls because the security departments won’t allow them to get on with what they have to do. For example, it is common to find use of unauthorised online file sharing services to exchange information because the security department has shut down USB memory sticks and CD drives without providing an alternative. That’s how accidents happen.
The problem has even deeper consequences outside of Westminster and Whitehall. Most important standards, guidelines and publications are protectively marked such that they are only available to individuals with appropriate levels of security clearance working on appropriately secured PCs. But local government bodies, for example, rarely conduct background checks on their staff beyond a basic criminal records check, so individuals tasked with securing local authority systems don’t know how to secure them in line with government requirements because they are not cleared to see those requirements - and aren’t allowed to hold copies because their PCs aren’t sufficiently secure. Without the intervention of costly consultants who have the correct clearances and computers, this paradox can’t be broken.
Those consultants are a very special breed indeed. Only the few hundred members of the CESG Listed Advisor Scheme (CLAS) are officially qualified to provide security advice across government. They hold the necessary clearances, and have access to CESG’s source materials. What they do is not particularly ‘special’ compared with their private-sector colleagues, and because the pool of available talent is so small, and the barriers to entry are high (CESG only accepts a limited number of candidates once a year, and they need to pay a substantial fee for clearance, acceptance and training), public authorities have to draw from a relatively small - and therefore uncompetitive - pool of consultants for their information assurance advice.
CESG has for some years been attempting to move parts of the CLAS environment into the private sector, but this has yet to deliver any significant change in the way that systems are secured. The outcome of this ‘closed shop’ is that local authorities and arm’s length bodies very often fail to comply with government security standards simply because they don’t know that those standards even exist, and if they do, they can’t gain access to either the standards or cost-effective individuals who are able to assist them. We therefore have a public sector environment in which the prevailing culture and practices conspire against effective information assurance.
Privacy by Design? The Department Says ‘No’
Clearly a public sector that struggles with information assurance will also struggle to respect privacy: if personal data cannot be kept secret, then it cannot be kept private either. But public authorities’ inability to effectively manage personal data runs much deeper than that, since CESG’s formal policies until recently simply didn’t get the idea of privacy. Formal risk assessment processes tried to assign protective markings according to the volumes of personal records rather than the sensitivity of the data: so, 999 personal records might be considered Not Protectively Marked, whilst 1,000 would be marked at the higher level of Restricted. Authorities could circumvent the more onerous controls by simply breaking databases down into smaller files of less than 1,000 individual records.
What’s more, those risk assessment models are designed around an assumption that authorised users are always trustworthy - how else could designs such as the ill-fated ContactPoint, or the NHS Summary Care Record, be allowed to exist where hundreds of thousands of users can access millions of individuals’ sensitive private records? The risk assessment processes treat individuals as low-value assets whose privacy is significantly less valuable than, say, a Minister’s public reputation.
Private companies, and in particular those in the financial sector where the FSA has demonstrated an appetite to impose punitive fines for misuse of personal data, woke up long ago to the need to show greater respect for personal data. The public sector, where senior public servants are rarely held accountable, and the sternest sanction generally applied is a letter from the Information Commissioner’s Office, has not kept up with the change. In their defence, CESG have made some positive revisions to their personal data handling rules in recent years, but much more needs to be done if the government is ever to meet individuals’ expectations of privacy.
Open Source Software? The Department Says ‘No’
The new government’s commitment to open source systems represents perhaps the greatest challenge that the information assurance community has faced in many years. The use of software that has been collectively developed, with publicly available source code, flies in the face of long-established security policies and practices, which have traditionally demanded that source code comes from an approved developer, is scrutinised for vulnerabilities, and is kept out of the public domain.
In general, software and hardware vendors are expected to have their products pre-tested for use in government systems (something which is not required in the private sector), and to pay up front for that testing. CESG has a number of services such as the CESG Claims Tested Mark (CCTM) and CESG Assisted Products Service (CAPS), that are used to test the security of products that are being sold to public sector organisations. When private companies sell to government, they can justify the expense of the testing process, since that will grant them access to a lucrative new market. But the same does not hold true for open source software: in the same way that drugs companies won’t pay for clinical trials on products that they can’t patent, vendors won’t pay for the testing of public domain software when they cannot expect to charge for it at the end of the process. Furthermore, the test processes are notoriously long-winded and complicated, so even vendors of proprietary systems are reluctant to invest in them. Whilst not all products have to be subject to this test approach, failure to demonstrate test approval can count against them during procurement, and as a result public authorities are driven towards a small number of approved, tested, and often outdated technologies.
Once products have been selected, and designs are in place, the complicated process of accreditation begins. Security Officers - or more commonly CLAS consultants - conduct a tightly-prescribed risk assessment that is used to determine whether the system requires formal accreditation (a certificate to prove that a system is fit to handle a given level of data, and to interconnect with similarly secure systems), and potentially to prepare a Risk Management Accreditation Document Set (RMADS) that is used to define security controls. Accreditation of open source systems, where there are no vendors to make assertions about security levels, is very difficult indeed using current processes.
But accreditation isn’t the end of the problem: like all software, open source software requires patching and upgrading to keep up with technology developments and newly-discovered security vulnerabilities. Without a vendor to pay for security testing the patches and updates under the current regime, open source software will remain largely inaccessible for government.
In the private sector, where there is no obligation to verify the security claims of systems vendors, and organisations can select their own risk assessment approaches, these problems simply don’t exist. Independent testing schemes can be used to provide customers with greater assurance of security capabilities, but in general market forces drive vendors towards delivering secure systems, since a major failure will count against them in procurement processes. Government’s open source goals will remain hampered by information assurance until a new way of dealing with the security of open source software can be developed.
The Department of ‘Yes’: Treating Information Assurance as a Business Enabler
The relative success of private-sector security practices, and the fact that large corporations do not struggle to manage information security in the way that government does, shows that it should be perfectly possible to move to an environment in which information assurance helps, rather than hinders, delivery of public services. In particular, we need to ensure that:
• information is available to all that legitimately require it, is appropriately protected, delivered, and of assured integrity and accuracy, so that information can support the needs of government, industry and individuals;
• public confidence in the ability of public authorities to handle personal information is restored;
• public authorities can adopt open source systems and cloud technologies without security being a disproportionate burden;
• public authorities break away from the negative mentality of information assurance that blocks innovation, and instead move towards a new culture that is able to support, rather than hinder, the delivery of new technology policies.
The significant changes in government IT policy, the shake-up of its delivery driven by the spending review, the government’s commitment to cybersecurity as a cornerstone of the UK’s defence strategy, and the establishment of the Office of Cybersecurity and Information Assurance (OCSIA) within the Cabinet Office collectively drive the need for reform. OCSIA may be the best hope for achieving reform, but will only succeed if there is a collective will in that office to do things differently. Ministers and senior civil servants are too quick to defer to Cheltenham on the assumption they are ‘the experts,’ when evidence suggests they are behind the times and operating in a mainframe mindset in an Internet age. They have become unaccountable arbiters of what does and does not happen, and what can and cannot be used. There is a clear need for leadership, to remove duplication of responsibilities, to improve availability of security standards and technologies, and to change the way that security is perceived across government. There is also a need for greater participation by local government and the private sector, whilst recognising that some aspects are better suited to remaining under government control.
A few simple actions would suffice to create the ‘Department of Yes.’
1. Appoint a pan-government Chief Information Security Officer as a new focal point for information assurance
Just as a large company would be expected to have a Chief Information Security Officer (CISO), the OCSIA should appoint a Government CISO responsible for the proper implementation of information assurance across government. This role must not be one that is in any way combined with the cyber defence agenda (which invariably becomes politicised and distracted from the day-to-day running of information assurance), but rather a ‘hands on’ leadership position that provides a figurehead for information assurance issues. Bringing in a CISO from industry, rather than public service, would ensure a break with past practices and a fresh approach to the task in hand.
2. Create a government CISO Council
The Government CISO should chair a new Government CISO Council within the OCSIA. This group, comprising CISOs and/or SIROs from all major parts of government, should act as the focal point for all information assurance issues, and hold responsibility for development and maintenance of security standards, accreditation, product certification and professional development across government. The CISO Council should be engaged in policy development across central and local government to ensure compliance with national and international legal obligations. Where public sector security incidents occur, the CISO Council should be involved in independent investigation and reporting.
3. Consolidate existing duplicate information assurance services
The Government CISO should work with OCSIA across government to amalgamate existing policy and solutions branches, including CESG, COSPD and the relevant parts of MoD, into OCSIA. This by implication will require consolidation of duplicated services and roles. The newly-amalgamated security body should take responsibility for all aspects of establishing standards and procedures for the defence of public sector ICT infrastructure, and should develop and publish security standards for use in government and the private sector. The body should also operate ‘How To’ teams of experts who look for cost-effective solutions to security problems, and constantly improve the advice and controls available to government, drawing upon the best the private sector has to offer.
4. Ease the administrative security regime for lower-value data
The UK government operates a protective marking policy for its data assets to ensure that they are used and secured in accordance with the value of those assets. Clearly some of that information - particularly when assigned a Top Secret or Secret marking - requires very robust security controls. But the vast majority of data, particularly outside of Whitehall, sits at Restricted or even lower, and the nature of the data is not dissimilar to that which might be held by a private company such as a bank. Yet that information is subject to ‘special’ information assurance controls that are often significantly more onerous and administratively complicated than might be found in the private sector, despite those controls having their roots in the same standards.
If OCSIA were to relax the administrative processes for securing Restricted data, such that authorities may use any commercial services or products so long as they comply with the basic security policy requirements defined in the Security Policy Framework and supporting materials, then the market would be opened up for any commercial product or service vendor to compete in the public sector. Rules will need to remain in place to ensure that data is correctly marked, and not ‘upgraded’ to higher protective marking levels than appropriate. Implemented correctly, this change would not result in chaos or insecurity, but instead allow greater competition to bring down the cost of delivery, and free up local authorities to get on with securing their information without the burden of complying with security frameworks that are intended to deal with data at much higher levels of security. CLAS consultants could shift their focus to systems operating at the higher protective marking levels.
5. Sort out the existing mess of unaccredited Whitehall systems
The imperative for information assurance reform does not apply solely to new systems: there is little value in securing new ICT infrastructure if it has to interface with older systems with unproven levels of security. The government’s own report into data losses (the Hannigan report) identified approximately 2,300 government systems that have not been subject to any form of assurance certification (known as accreditation) but made no demands that those legacy systems should be secured. Significantly, recent changes to the Security Policy Framework introduced a new marking level of Protect which was, in part, intended to ease the burden of accreditation, but anecdotal evidence suggests that it has the opposite effect, and is instead seen as a new, unfunded administrative burden. This needs to be addressed as a matter of urgency: those systems must either be secured or scrapped.
Equally importantly, senior civil servants still have the power to override the need for accreditation if they so choose: in other words, to disregard security requirements if these are too expensive or likely to take too long. This exemption must also be dropped: if system security is too expensive, then the system itself is too expensive, and other more affordable ways must be found to deliver the same outcomes.
6. Voluntarily accredit open source software where appropriate
If the current approach to accreditation remains in place, then government must take responsibility for accrediting, testing and maintaining the security of open source software. There is no reason why OCSIA, or even a private company, could not provide and maintain its own secure builds of the likes of Linux, OpenOffice or OpenSQL for use in government. Builds and patches would be checked and tested by a central team without the need for a vendor to sponsor the work, thus making the software available across government, and saving costs on software licensing and duplicated testing.
7. Develop the information assurance profession
If the government is to obtain access to the best possible security expertise, then the profession needs major reform. OCSIA should take responsibility for development of the information assurance profession, working in close partnership with relevant information security professional bodies. This will include:
• defining a career structure for information assurance in the public sector;
• developing information assurance professional development and training syllabuses for delivery by commercial organisations;
• providing examination and certification of government security professionals, with an emphasis on facilitating simple and affordable cross-qualification from the private sector, so as to expand the pool of professionals available to government;
• governing the certification and management of inspectors and accreditors;
• maintaining a pool of expert instructors and project managers to coach and where necessary manage particularly large, innovative or sensitive public-sector projects.
CESG has already taken steps down this route by moving aspects of the professional qualifications across to the Institute of Information Security Professionals (IISP). If it were to go a little further and insist that all government information assurance professionals must become IISP members who maintain Continuing Professional Development (CPD) training, and could be struck off for malpractice, unprofessional conduct or incompetence, then there would be a case to argue for abandoning the overhead of CLAS altogether.
More for Less from the Department of ‘Yes’
In the world of the Department of ‘Yes,’ information assurance will be a service enabler. Public authorities will have the confidence to adopt innovative new technology schemes, knowing that they will be supported in doing so by their information assurance teams. They will look to their information assurance groups for support at the earliest stages in projects, rather than trying to hide from them. They will understand that on the rare occasions that their security advisers say ‘No,’ there is a good reason for them to do so.
If we want an information assurance function that really supports public authorities, and that can deliver more for less, then these changes are cheap and easily done. We simply have to ask OCSIA to reform the information assurance function, give that office the power to do so, and support it when it encounters inevitable resistance from within the security establishment. All it takes is the will to say ‘Yes.’