Anti-protection racket

The Information Assurance Advisory Council has been quoted as threatening government with a refusal to change existing contracts in order to comply with the requirements of the Hannigan review of Data Handling. In a statement bizarrely reminiscent of the public spat between the Tories’ David Davis and Intellect’s John Higgins:

Neil Fisher, vice chair of the Information Assurance Advisory Council, a think tank of government, industry and security bodies, said it is unrealistic of the government to attempt to change terms on contracts that still have years to run. Changing contracts stirs up the difficult issue of who carries the risk of something going wrong, he said.

“Industry will be quite robust about this,” he said. “They are not a charity. They do work for payment and they do it against clear instructions from the client, and that is the way these relationships work. By doing so, they limit their liability.

“What the government would like is for industry to try to meet it half way somewhere. I’m not sure that’s a clever way of doing it or one which will be contractually enforceable,” he added.

This ridiculous situation, in which major system integrators who have profited massively from public sector contracts deny any moral or legal responsibility for data security, has to come to an end. CESG, the Cabinet Office and the MoD have been issuing mandatory security instructions for many years, so failure to implement them is not because there was nothing to comply with. All the major SIs are represented in the various CLAS and LIST X directories, so they cannot claim to be unaware of their duties.

That leaves us with three main ways that this mess could have arisen in the first place:

  1. government failed to specify the need for security controls (and the SIs chose not to enlighten them during the procurement process);
  2. senior civil servants bypassed the accreditation process by signing off the system without sight of an accreditation documentation set;
  3. the oligopoly of SIs has collectively failed to represent security needs properly in its bid documents in order to present the ‘lowest possible’ price to government.

Regardless of which circumstance created this situation – and it is most likely a combination of the three – it has to be fixed. Where civil servants are shown to have been negligent by not specifying proper security controls, clearly it is the government’s responsibility to accept reasonable costs to remedy the problem. Where the SIs simply failed to implement controls that they should have known were needed, then the government will have to crack out the lawyers and knuckle down for a fight.

And to stop this mess arising again? We require more prescriptive security controls issued by a single national authority for information assurance – controls that cannot be signed away by a Whitehall mandarin. We need to completely reform government procurement to break the stranglehold that half a dozen vendors have over the lion’s share of public ICT spending. And we need to recognise that these so-called industry representative bodies do not speak for all of the UK ICT vendors – just those that are doing very nicely out of the current protection racket where nobody gets protection at all.


I can see why Mr Fisher said what he said... but taking his logic one step further, presumably an incoming Conservative govt would argue that it's legitimate to revise the "clear instructions from the client", because the client which issued them no longer exists.

In years working between government and the IT industry as researcher and publisher, the only way I found to align them constructively was to confront them together with the most extreme cases of the effects of their work on people with chaotic lives. Does Neil and do the IAAC members really want to look people in the eye and say "we charged government £x00ms to deliver systems which don't hold your data; you don't matter that much to us"? This change cannot be driven by contract lawyers. It must be driven by moral authority conveyed via politics, and legally well-informed. Will it really be necessary to drag government's IT suppliers into the eye of public opprobrium, and for them to succeed bankers and MPs as a public enemy? PS - Since when is IAAC a think tank? Isn't it just a trade body?