Anti-protection racket

The Information Assurance Advisory Council has been quoted as threatening government with a refusal to change existing contracts in order to comply with the requirements of the Hannigan review of Data Handling. In a statement bizarrely reminiscent of the public spat between the Tories’ David Davis and Intellect’s John Higgins

Neil Fisher, vice chair of the Information Assurance Advisory Council, a think tank of government, industry and security bodies, said it is unrealistic of the government to attempt to change terms on contracts that still have years to run. Changing contracts stirs up the difficult issue of who carries the risk of something going wrong, he said.

“Industry will be quite robust about this,” he said. “They are not a charity. They do work for payment and they do it against clear instructions from the client, and that is the way these relationships work. By doing so, they limit their liability.

“What the government would like is for industry to try to meet it half way somewhere. I’m not sure that’s a clever way of doing it or one which will contractually will be enforceable,” he added.

This ridiculous situation where major System Integrators who have profited massively from public sector contracts deny any moral or legal responsibility for data security has to come to an end. CESG, Cabinet Office, MoD have been issuing mandatory security instructions for many years, so failure to implement is not because they had nothing to comply with. All the major SIs are represented in the various CLAS and LIST X directories, so they cannot claim to be unaware of their duties.

That leaves us with three main ways that this mess could have arisen in the first place:

  1. government failed to specify the need for security controls (and the SIs chose not to enlighten them during the procurement process);
  2. senior civil servants bypassed the accreditation process by signing off the system without sight of an accreditation documentation set;
  3. the oligopoly of SIs have collectively failed to represent security needs properly in their bid documents in order to present the ‘lowest possible’ price to government.

Regardless of which circumstance created this situation – and it is most likely a combination of the three – it has to be fixed. Where civil servants are shown to have been negligent by not specifying proper security controls, clearly it is the government’s responsibility to accept reasonable costs to remedy the problem. Where the SIs simply failed to implement controls that they should have known were needed, then the government will have to crack out the lawyers and knuckle down for a fight.

And to stop this mess arising again? We require more prescriptive security controls issued by a single national authority for information assurance – controls that cannot be signed away by a Whitehall mandarin. We need to completely reform government procurement to break the stranglehold that half a dozen vendors have over the lion’s share of public ICT spending. And we need to recognise that these so-called industry representative bodies do not speak for all of the UK ICT vendors – just those that are doing very nicely out of the current protection racket where nobody gets protection at all.