Please no - not another security inquiry

Tory MP Grant Shapps has used the Freedom of Information Act to discover that the government lost 53 computers over the last year, and is demanding an inquiry. If this claim is to be believed, then it works out at one computer a week. And I don’t believe a word of that.

The FoIA responses also revealed the loss of 36 Blackberries, 30 mobile phones and 4 memory sticks. The Department of Health apparently had the highest loss rate, with 14 PCs going missing. However, they claim that all the machines were encrypted and marked with invisible dye, and that only one incident involved the loss of personal information.

But let’s think about this for a moment – how many government employees work across the whole of central government, and at how many locations? How many PCs, laptops, Blackberries and memory sticks are in use? I don’t know either, but I’ll bet it’s tens or even hundreds of thousands of items. And we’re asked to believe that just 53 have been lost? Sorry, I’m not buying that for a minute. There’s a distinctly unpleasant smell about that statistic. Interestingly, the broad media response seems to have been shock that as many as 53 have gone, but if I were the CISO of a massive and distributed organisation that had lost just 53 machines, I’d be damned pleased with that statistic. And if I were a politician releasing that data, I’d be damned pleased that nobody had noticed that it was completely unrealistic.

So, assuming that Mr Shapps gets his wish and there’s another inquiry into the 53 lost PCs (rather than a promotion for the CISO who only lost 53 of his thousands of PCs), what exactly would that achieve? We’ve been inquired to death over the past twelve months: Thomas/Walport, Burton, Hannigan, O’Donnell, Coleman, to name but a few. These are all good investigations that have come up with insightful and worthy recommendations, but what has become of those recommendations? Where are all the Privacy Impact Assessments we were promised? When are all the government systems going to have Accreditation Document Sets and appropriate security controls? When, in fact, will we see any culture of respect for personal information at all?

If we’re going to hold an inquiry, I’d like to see one into how HM Government has been so successful in protecting its PC hardware assets, so that industry can learn from this incredible commitment to security and get its own loss levels down to the same scale. That would be an inquiry worth having…