Information - Assurance or Atrophy?

Over the past few years the Government’s reputation for Information Assurance (IA) – managing the risks associated with information handling – has taken a beating. Individual incidents and serious systemic failures prompted a slew of reviews and reports, and whilst major enhancements have been made to systems, standards and the profession, there is much still to do.

But this year things will get tougher. When the dust settles over the election, the new Government will have little choice but to cut public spending radically, and that will mean two things: demanding reduced delivery costs, and greater innovation in public service efficiency.

Experience from previous downturns shows that cuts in security budgets are inevitable and largely survivable. By far the greater IA challenge will be that of supporting radical innovation: the Conservatives are floating policy ideas that include abandoning major database programmes such as ID Cards and ContactPoint; using ‘crowdsourcing’ approaches to promote public engagement; and adopting cloud approaches such as ‘Google Health’ that fly in the face of traditional public sector IT and IA philosophies.

But if the Conservatives win the poll, then the IA community is ill-prepared to support their ideas. We have multiple IA authorities in COSPD, CESG, CPNI, MoD and other bodies, all of which require funding despite obvious areas of duplication, yet there is no focal point for IA leadership within Government. The Security Policy Framework, Manual of Protective Security and related publications are struggling to respond to the surge in personal information processing, and outdated attitudes towards testing and certification of vendor technologies mean that end users are often unable to purchase off-the-shelf software that would be available to their commercial counterparts simply because the manufacturer cannot afford the speculative cost of obtaining relevant approvals from CESG. The Data Handling Review called for accreditation of new systems, yet the Transformational Government agenda mandates the sharing of personal information between new accredited systems and a mass of unaccredited legacy systems. Finally, the IA profession (CLAS) is moving from the control of CESG to the Institute of Information Security Professionals (IISP), and whilst this is a positive step, it has not been without its problems.

Thus without reform the IA community will be an obstacle to change under the next Government. SIROs and Accreditors will be under pressure to approve new systems that simply don’t fit with current security approaches. Conflicts will inevitably arise.

So what’s gone wrong? These problems are not the fault of any one individual, but rather a product of chronic and widespread disrespect for the value of information assets, a long-standing underinvestment in security, and the sidelining of IA needs in favour of perceived ‘cost savings’ where systems are built and operated with inadequate security controls. If we are to build confidence in innovative approaches to Government IT, then that technology has to be trustworthy, and that means these problems must be resolved.

Fortunately, the problems can be fixed whilst at the same time saving money and supporting technology innovation. The next government must create focal points for the IA profession: a Minister for Information Assurance (distinct from the current terrorism-focused role held by Lord West) who can represent needs at the most senior levels, and a Cybersecurity Coordinator drawn from the IA community who can lead and represent the profession (in much the same way as the Obama Administration appointed Howard Schmidt to such a role).

These individuals should be empowered to create a National Authority for Information Assurance (NAIA) that operates independently of individual Government departments, and is tasked with supporting innovation through the provision of commercial-style security standards, accreditation processes, product certification schemes and professional development programmes. NAIA could ultimately take over IA responsibilities from all the existing bodies, thus eradicating duplication and gaining procurement efficiencies.

Such a centralisation of expertise represents a critical national asset, but NAIA should not hide behind Cheltenham’s closed doors, either physically or organisationally: instead, all of UK industry would benefit from an ‘open door’ approach whereby NAIA draws upon and contributes to the best practices available to the public and private sectors, and provides commercial expertise to businesses, potentially in a ‘for profit’ role. This interchange can only benefit all parties, and should allow NAIA to recover part or even all of its operating costs.

Finally, we need to promote and enforce a new attitude to IA: security must be a ‘deal breaker’ in any new system. Projects must no longer be able to bypass accreditation simply because the budgets or timescales are inconvenient. Data sharing must only be permitted between accredited systems. If security costs render a system design too expensive, then it was a bad idea in the first place. And if we want to use technology effectively then it’s time Information Assurance was taken seriously – let’s hope that the next Government is ready to do so.

[This article originally appeared in February’s GC Magazine]