My Christmas Message sparked a small flame war with an accusation (probably tongue in cheek) that those who query doom and gloom scenarios are damaging bids for information security budgets and research projects by introducing a dose of reality. I then spent a couple of hours of on-line research (alias semi-random browsing) beginning with Alec Muffett's blog entry on "Londoncyber: our very own Star Trek Conference" and his presentation "Why Cybersecurity is Rubbish" and ending with "Pirates of the ISPs: tactics for turning on-line crooks into international pariahs".

I then enjoyed a discussion on how much of the growing jungle of regulation to supposedly "reduce" the risk of fraud and compromise is not only worthless, but serves to actively increase it. The first example was all those "know your customer" routines which require you to carry that which a mugger can sell to those who will use it to obtain electronic credentials in your name. Copies are then stored with sometimes spectacular insecurity.
The second example was the growing requirement by government agencies (often with seriously inadequate security) to provide certified copies of original source documents (which can be used to then steal land or property) via insecure communications channels.
Then there are all the requirements to retain data that is no longer required for business purposes "in case a law enforcement agency or regulator might want access".

Finally came the requirements for airline passenger data (including dietary requirements) to be retained and passed to the US to be made available to a multitude of agencies via contractors whose security certificates have been compromised.
Removing the need to "prove" your identity when it is irrelevant to the transaction and scrapping the need to retain data that is no longer needed for business purposes is a very much cheaper way of improving customer protection than adding more layers of complexity on top of irrelevant regulation. Value-added fast tracks for frequent flier programmes and low risk passengers improve overall customer satisfaction and security at the same time - even if those who insist on wearing a Niqab or Burka might have to travel via ports and airports which have body scanners manned by female staff.
We need to join up the action plans in the Cybersecurity Strategy with those in the Fighting Fraud Together Programme of Activity and bring both alongside the plans of global private sector players to better protect themselves and their customers.
Actions 11 and 12 in the Fighting Fraud Together programme of activity are: "Strengthen systems and controls to limit the risk of Government issued identity documents being exploited for criminal purposes ..." and "Strengthen assurance processes for main government documents used to establish ID and facilitate online identity verification checks against government databases to support online services delivery".
In that context we need to take a cool look at the "Cost to Trust" and "Cost to Risk" ratios implied by current Government regulatory and identity requirements and at the "Trust" and "Identity" regimes being proposed by Cabinet Office. We need to compare these with the dozens of existing private sector services that are already in use around the world to authenticate contracts and authorise financial transactions from micropayments to millions. The obvious difference is that the latter are based on routines for managing cost, responsibility and liability according to the nature and scale of risk. Where does that leave those whose business models are based on liability avoidance?

In that context I am delighted to note the report in the Guardian that DWP has withdrawn its identity services tender pending the outcome of the peer review of the Cabinet Office identity framework strategy. It would be morally unforgivable (as well as politically disastrous) if the most vulnerable in society were to be urged to go on line, only for their identities to be systemically compromised and their benefits stolen during the run-up to the next election.