Can government change its risk-averse take on security?

Risk-averse policy has long curbed government IT reform, but in simplifying security, Whitehall hopes to widen its range of commodity IT

A risk-averse approach to securing data has long been a bugbear to those trying to change the way government does IT. But by introducing simplified government security rules, Whitehall aims to bring in a greater range of commodity IT.

The new security marking system will see government regroup its current six security bands into a simplified three-tier system. The hope is this will reduce IT running costs by moving away from bespoke systems, increase availability of cloud services and introduce wider commercial technology, such as with a greater range of smartphone devices.

The Cabinet Office hopes a simplified marking system will push down much information previously classified as restricted (impact level 3) to the lower “official” band. This means that data will be cleared for use on commodity IT services.

“The security required for the official level is still very strong, we have just placed a greater emphasis on using proven commercial technology, such as the type routinely used by banks and other major businesses, rather than expensive and bespoke government solutions – which often don’t provide the functionality that we need,” said guidelines seen by Computer Weekly.

Cost of risk aversion

Bill McCluggage, former deputy government CIO and chief technologist at EMC, said the current system conflates privacy concerns with those of national security. “So we end up with lot of material classified at IL3, from a risk-averse civil service perspective.”

He said with each tier the costs of running data escalate, estimating a three-fold increase in the cost of running data on devices and systems accredited for restricted use, compared to those categorised at IL0.

“Nearly 80-90% of information is not sensitive. When I was in government, I can’t remember when I got a confidential document," McCluggage said.

“The key benefit is that use it will allow for commercially available off-the-shelf equipment and a move toward public cloud infrastructure, for the best price point and commercial deals. So I will be less of a burden in terms of network security.

“That isn’t to say departments shouldn’t encrypt hard disks, which there is still no excuse for not doing.”

Complexity, restriction and cost

Steve Tuppen, director of independent system integrator Mozaic, has long experience of working with the public sector. He said departments are often restricted by the complexity of the current multiple-tier system.

“That is unnecessary compared to other organisations. Often the complexity is not needed, when you compare the security system with what they are trying to achieve. A new system would be more effective, efficient and cost less."

He added it would also reduce duplicating infrastructure, as data is stored in a more standardised infrastructure and hosting.

Don Smith, technology director at Dell SecureWorks, agreed: “The difficulty is that the standards are confusing, organisations seem to have different interpretations of them," he said.

“I could think a couple of scenarios where data doesn’t need to be classified at impact level 3. And as a security professional, I would always say it is good for to err on the side of caution.

“The proposals would simplify the landscape for a huge number of local authorities, NGOs. But it will be interesting to see how they are wrapped with guidance.”

Rik Ferguson, analyst at Trend Micro, said three labels classified as a verbal description would be easier to work with.  However, he said the flipside was that it could reduce the granularity of control.

He added this could also be an opportune moment to rethink security classifications and architecture. “We need to now work on the assumption that it’s not always possible to keep intruders out of systems. They will at some point be successful. We should be designing architecture from the inside out and secure the data at the heart of the network."

Power in departments' hands

It will be up to departments to determine where information will sit in the new system. Existing information will not be remarked.

McCluggage said it will be crucial that departments understand the business reasons for driving through savings, accessibility and trying to get to a point for value judgements about security.

“That change is not technical, but about business process. Realistically, I imagine it will take two to three years before we recognise the value of simplifying the system.”

But despite government's intention to open up the market for lower-cost consumer technology, the guidelines so far appear to lack detail about how lower cost technology could be introduced. There remains much uncertainty around cloud, bring your own device (BYOD) schemes, and opening up the smartphone estate beyond BlackBerry. 

Without a strong business case from the Cabinet Office outlining the benefits of the new marking system, there is a danger that departments will simply ignore the system as a pointless change. That potentially means a missed opportunity for government to make much-needed immediate savings and improve efficiency through more flexible technology.

Read more on Hackers and cybercrime prevention