From top secret to toilet paper

Until last week, HMG information assurance policy assumed that hundred of thousands of public servants would follow security procedures better than the Wermacht, Luftwaffe and Gestapo whose codes were broken by Bletchley Park.

I agreed when Martyn Thomas put a posting on my blog “Death by Data Protection” suggesting that files like those lost by HMRC should have been treated as “secret” and such a recommendation might well come out of the current reviews – with all the controls that it would entail – including vetting all with access and an end to discussion of outsourcing personal data overseas.

Then “Dick Vinegar” put a posting on my previous blog “There but for the grace of god goes your CISO/CFO” that brought my thinking crashing back to earth. His story of “top secret” documents being used as toilet paper reminds us of the need to design systems around human beings – not vice versa.

Last night I attended the launch of the appeal for funds for the National Museum of Computing at Bletchley Park, where success (including well into the Cold War) depended on 110,000 bright youngsters, including much of the future intellectual cream of the UK, keeping quiet about their collective achievements until well after the first controlled leaks were finally authorised, thirty years later.

The plans of the trustees to put the technologies of the past into application context (housed in H Block, the world’s first custom built computer room) offer a point of leverage to not only help clarify the muddled debates of today but also to help enthuse the youngsters of tomorrow and show them why intellectual rigour, clarity of purpose and proper risk management matter.

Last night there were many splendid stories of the past and some well informed comment about the present but a common thread was that security has to be built around human motivation and behaviour. The first American liaison officer supposedly pillaged all the secrets of Bletchley in return for supplies of “real coffee”. John Cairncross apparently passed to the Russians only what they needed to know in order to win the battle of Kirsk (arguably the “real” turning point of World War 2), despite Stalin’s refusal to believe anything passed to him officially. There then are all the stories of how German short cuts in the mass deployment of a secure technology (derivations of Enigma were used well into the Cold war) had negated its inherent security.

I signed my pledge form and handed over my cheque. So too should all those who take the need for confidence in the on-line world seriously. I would also argue that support for the museum and its education programmes should be an integral part of the corporate sponsorship programmes of all orgnisations whose business models depend on confidence in the secure use of technology.