My Christmas Message sparked a small flame war with an accusation (probably tongue in cheek) that those who query doom and gloom scenarios are damaging bids for information security budgets and research projects by introducing a dose of reality. I then spent a couple of hours of on-line research (alias semi-random browsing) beginning with Alec Muffett’s blog entry on “Londoncyber: our very own Star Trek Conference“ and his presentation “Why Cybersecurity is Rubbish” and ending with “Pirates of the ISPs: tactics for turning on-line crooks into international pariahs“.
I then enjoyed a discussion on how much of the growing jungle of regulation that supposedly “reduces” the risk of fraud and compromise is not only worthless, but serves to actively increase it. The first example was all those “know your customer” routines which require you to carry that which a mugger can sell to those who will use it to obtain electronic credentials in your name. Copies are then stored with sometimes spectacular insecurity.
The second example was the growing requirement by government agencies (often with seriously inadequate security) to provide certified copies of original source documents (which can be used to then steal land or property) via insecure communications channels.
Then there are all the requirements to retain data that is no longer required for business purposes “in case a law enforcement agency or regulator might want access”. Finally came the requirements for airline passenger data (including dietary requirements) to be retained and passed to the US to be made available to a multitude of agencies via contractors whose security certificates have been compromised.
Removing the need to “prove” your identity when it is irrelevant to the transaction and scrapping the need to retain data that is no longer needed for business purposes is a very much cheaper way of improving customer protection than adding more layers of complexity on top of irrelevant regulation. Value-added fast tracks for frequent flier programmes and low risk passengers improve overall customer satisfaction and security at the same time – even if those who insist on wearing a Niqab or Burka might have to travel via ports and airports which have body scanners manned by female staff.
We need to join up the action plans in the Cybersecurity Strategy with those in the Fighting Fraud Together Programme of Activity and bring both alongside the plans of global private sector players to better protect themselves and their customers.
Actions 11 and 12 in the Fighting Fraud Together programme of activity are: “Strengthen systems and controls to limit the risk of Government issued identity documents being exploited for criminal purposes …” and “Strengthen assurance processes for main government documents used to establish ID and facilitate online identity verification checks against government databases to support online services delivery”.
In that context we need to take a cool look at the “Cost to Trust” and “Cost to Risk” ratios implied by current Government regulatory and identity requirements and at the “Trust” and “Identity” regimes being proposed by Cabinet Office. We need to compare these with the dozens of existing private sector services that are already in use around the world to authenticate contracts and authorise financial transactions from micropayments to millions. The obvious difference is that the latter are based on routines for managing cost, responsibility and liability according to the nature and scale of risk. Where does that leave those whose business models are based on liability avoidance?
In that context I am delighted to note the report in the Guardian that DWP has withdrawn its identity services tender pending the outcome of the peer review of the Cabinet Office identity framework strategy. It would be morally unforgivable (as well as politically disastrous) if the most vulnerable in society were to be urged to go on line, only for their identities to be systemically compromised and their benefits stolen during the run-up to the next election.