Last week I was among those asked for nominations for candidates who had made the most difference to the world of information security in 2013. There can be only one candidate.
He reminded us of three core security messages:
• People are the key: culture, discipline and probity are at least as important as competence, process and the supporting technologies. [hence also the competition on trust]
• Big data is insecure data: the wider the access, the greater the risk of abuse.
• You cannot outsource risk: he was employed by one outsource contractor and vetted by another (despite having been flagged as a security risk years earlier).
Sir David Omand was undoubtedly correct in saying that he had done more damage than the Cambridge Spies. A more interesting comparison, in terms of lessons for information security, might have been with Melita Norwood, the secretary who supposedly cut between two and five years off the time it took to make an atomic bomb by passing to the Russians copies of all the papers put in the safe (and therefore presumably important) at the British Non-Ferrous Metals Association (the UK end of the Atom Bomb programme). Her contribution to history was unknown until a KGB archivist defected. Even now there is more than a little uncertainty about its impact, because it is not at all clear what she actually passed and when. She supposedly received a higher award than Philby (albeit never publicly presented) and almost certainly never appreciated the impact of her behaviour. Her activities, however, provide a classic example of a data breach whose existence was not known until after its impact was history. So much for the value of data breach notification.
Edward Snowden has similarly changed the course of history – whether he intended to or not.
He may not have told the terrorists anything they did not suspect already – but he has set in train the processes under which the United States will lose control over the Internet.
He has also fractured the special relationship between Britain and the United States, not only by giving our intelligence crown jewels, as well as theirs, to Russia but also by destroying faith that anything available to US government agencies, including that accessible under the Patriot Act, is secure.
The “side effects” appear to include an impending UK ban on using US suppliers (including network operators and cloud services) to handle classified information and an EU suspension of the “safe harbour” fast track provisions. Such actions may yet be extended to include the bar on “exporting” personal or corporate information collected by Government under statutory powers (including tax and health records) that was being called for during the last days of the Major Government [i.e. before the Labour election victory in 1997 and the subsequent acceleration of wholesale outsourcing and off-shoring], after HMRC had learned that UK tax information was being processed in the United States and that it could not prevent its contractors from doing so.
We may be able to rebuild relations with our EU partners, but will NATO ever be the same again? Meanwhile the world of global clouds appears set to fragment – as does the governance of the Internet – unless Russia and China agree a new rapprochement with the United States. Thanks to Mr Snowden they are in a very much stronger negotiating position than before.
There is also the interesting question of whether members of the Guardian staff committed treason. I have little doubt as to the likely fate of a 1930s editorial team (UK or US) which did not facilitate the immediate arrest of a source offering them such a mine of information, albeit the politics of today are very different.
So what are the actions that HMG should take to help undo the damage?
One of the first should be to repeal IR35 and make it very much easier (as well as cheaper) for both public and private sectors to employ and vet security consultants directly – and not via hierarchies of outsource contractors and integrators who may or may not know what they are doing, and may or may not do what they say they do.
This will also help HMG meet its targets for employing SMEs and get full value from the changes it has already made to the processes for vetting trusted and experienced employees who took advantage of recent generous early retirement packages which were intended to clear dead wood – not talent.
Interestingly, it looks as though repealing IR35 will also increase the tax take – by helping remove those staffing agencies and outsourcing operations which take profits outside the UK and leave HMG with unfunded pension and welfare obligations.