The following roundtable discussion, which I participated in, was originally published in Public Service Executive, December 2006:
“In early November, Public Sector Executive held a roundtable discussion with the UK’s leading experts on IT security in the public sector. The Editor was joined by John Widdowson, director of CESG, the Government National Technical Authority; Gareth Niblett, chair of the British Computer Society’s Information Security Specialist Group; Neil Fisher, vice chair of the Information Assurance Advisory Council; and Keith Foggon and Graeme Cox, senior decision makers at leading IT security firm DNS.
The debate raised several pertinent questions regarding the future of IT in the public sector, and suggested various ways and means for public servants to communicate more safely.
Does the public sector need to focus more clearly on IT security?
Keith: I’ll pick this one up. The problem with this question is that the public sector is such a large area. On one hand you’ve got the Police, Ministry of Defence and several national assemblies which focus heavily on IT security, and on the other hand you’ve got local government which takes the issue less seriously, and public-private partnerships like PFI and utilities, which don’t really know if they’re public or private and so can’t take a clear stance on the issue.
Generally, I’d say some areas of the public sector focus heavily on IT security, and others pay it lip service because they feel they have to.
Gareth: From my day-to-day job I’d absolutely concur. Many of our public sector clients from the police and the Ministry of Defence are very focused, but talking to some of our public sector team, some of our clients, especially those in education and local government, are not even asking the relevant questions, and are far less focused on information security issues.
I think in local government it can be a case of it being “someone else’s problem” – the organisations are so large that people can pass the buck more readily. In other public sector areas, such as police forces, which are quite hierarchical and structured, responsibility is easier to identify and harder to shift.
Keith: Within local government they don’t really realise the benefits good information security can give them, whereas the benefits to the police are tangible straightaway.
Ga: For the police, I think it’s less about benefits, and more about reduction of risks.
Graeme: When local governments are trying to meet their targets, some of the demands associated with the 24/7 delivery of e-services simply can’t be met. That is because the pressure on an organisation that is not driven to high levels of procedurisation and risk management can be too much to handle.
John: I’m not as sanguine about central government as other people are. Again, I think the picture is very mixed – some departments pay lots of attention to information security, others try and ignore the issue. I also think we need to be careful using the word security; a lot of people would think the issues surrounding security are not about confidentiality, but are more about availability and data protection. Personally I think these areas are much more important, but people don’t pay enough attention.
I’d also like to point out the changes in things like shared services, and the potential problems of people who do value security connecting to those who don’t. Ultimately, a secure network’s only as strong as its weakest link.
What are the principal drivers for information security in the public sector?
J: For me it’s all about data management and making sure the right people can access the right data at the right time. As more and more people need to share data, and we see a greater need to provide services which connect with citizens, so these issues will become more important.
K: Do you think the citizens are driving the move towards increased security? Do you think there’s public pressure?
J: I’m not sure. I think there’s a lack of understanding about the issues involved – even though several online activities, like bank accounts, are well protected. Unfortunately, it’s only when Mrs Smith’s medical records are published in the Sun that people wake up to the need to focus on information security.
Ga: I think that in the past there’s been a mix of apathy and ignorance, but with more media coverage people are gradually becoming more aware. But people still think information security is “someone else’s problem” – “the bank will sort this out for me”, “my local authority look after that” – that’s the kind of culture we’re dealing with.
K: How much pressure do you think the Cabinet Office is putting on where information security is concerned?
Ga: I see focus shifting more towards contingency planning – it’s almost as if people accept that, whatever preventative measures are in place, something bad is going to happen and so are working more on response measures.
K: So, perhaps the Cabinet Office is trying to be more friendly and co-operative when considering IT security issues?
J: The current departmental model, which basically allows departments to make their own decisions, doesn’t actually give the Cabinet Office much of a platform to put much pressure on departments. I think this is going to change as the Government moves forward, but I think they’ve found themselves in a difficult position, trying to persuade people who didn’t previously care much about information security to take it seriously.
What are the likely threats facing the public sector in the short and medium term?
K: I was thinking about that this morning, and trying to put together something a bit different from hackers and viruses – those things are old news. The threats I thought were relevant were things like the potential change in the governing party; when they changed previously there was a bit of a security lull, because government departments didn’t know what they were going to be doing for a short period, and I wondered if a similar lull in future might present a window of opportunity for potential attack when a would-be attacker knows defences are down.
Ga: But how is that different from attacking an office, simply because the phone or e-mail presents an out-of-office message?
K: Because, when a Government changes, funding is put on hold while budgets are sorted out – and information security is one area to be affected when the budgets are reviewed. If I was an attacker I might think about attacking when the money’s low and defences are lax.
Ga: My most likely threats in the medium term are budgets and willingness to apply the required measures. It’s not really technology and people threats we need to consider; it’s the policy and procedure ones.
K: I also think there’s a culture of low accountability in local government – the attitude seems to be if it happens, then it happens. I’d also put terrorism down as a threat, but again that’s something we’ve lived with for years. I don’t think we have yet seen the big terrorist attack, and a big loss of life resulting from an information security attack.
Also, regarding the retention of communications – you have the Anti-Terrorism Crime and Security Act which places obligations on providers to retain their data, which gives serious consideration to service providers. If you read into this further, you realise it’s the service provider that’s responsible for the service network. Which means a greater onus on public sector bodies to manage their network properly.
Ga: As you rightly say, this stipulation covers everyone – not just the telecoms company providing the network connectivity. We’re all providing services electronically – why should telecoms be treated any differently to, say, a bank?
K: The EU passed a directive in this area, which will hit us next year. This directive could be seen as a threat – because any service provider will be faced by an obligation to release their information.
Ga: But the public sector might not realise they fall under this obligation. They are now providing their own service networks – schools and libraries are buying service networks from their local authorities, who in turn buy from major telecoms companies, and thus in effect the councils providing these amenities are legally considered the communication service provider.
What sort of security measures should be taken against these threats?
K: When we talk about security measures you can always go back to the traditional procedural, technical and physical procedures. You can’t really get around those, and there are certainly technical and procedural solutions that can help counter today’s threats. For example, ISO 27001 certification is a vital aspect of good security procedures, and manual protective security awareness is also very relevant. You can’t ignore what’s there already.
Gr: Just going back to a comment that John made earlier about the drive for shared services, and the risks that arise from connecting well-secured organisations to those less well protected, the drive for improved management of identity in the public sector is a crucial element in the need for shared services.
J: I completely support this view. Identity is going to be a major issue, and one of the things that needs careful thought. But if I could get one message across to Government departments, I would stress that a number of security problems have fairly basic problems. If public sector bodies patch their systems regularly, and keep them up to date, a lot of potential security threats can be avoided.
Neil: I think we are living in very dynamic times, and, like a lot of things, security doesn’t stand still, and so we need to keep reappraising things we’d otherwise take for granted. Identity is right on the button. Authentication of identity is the single most important organisational principle in the modern economy. The use of private sector call centres and shared services means it is vital you know people are who they say they are. I think we need more control over public sector networks, and greater certainty over who’s involved in that network.
Ga: We need to avoid inappropriate requests by the public sector for things like the wholesale application of the Manual of Protective Security (MPS) or blanket staff vetting. The public sector certainly needs to be educated in the appropriate vetting of staff.
J: I agree with that. What we’re really talking about is risk management – it’s about balancing threats and risks, and what they mean in specific circumstances. Threats and risks are different in different parts of the public sector, and the issue of connectivity has to be fed into that.
What sort of regulation policies are likely to affect the public sector in future?
K: I think we’ve covered quite a few of these already – things like the Anti-Terrorism Crime and Security Act and the FOI Act 2000. You’ll also have lawful business practices regulations, data issues under the Data Protection Act, and a lot of these are only coming to the forefront now. I think organisations and citizens are now feeling a little more empowered to query value for money – there is a greater need for accountability and transparency.
Ga: There is a flipside. The lack of regulation can also be harmful to information security – the removal of a central requirement on operators in telecoms was designed to make a more competitive environment, but this is impacting upon the security of those next generation services that existing operators can offer. If someone isn’t going to mandate or pay for security and resilience measures, the Government shouldn’t be surprised if they don’t get it.
J: I think we’re not going to see massive change and a raft of brand-new regulations in the near future. What we are going to see are changes in government contracts – e.g. procurement – and I think we are going to face a conflict between regulation and competition. If we have complete outright competition, we may as well forget a number of aspects of information assurance.
N: When 17799 was introduced there was a clamour to incorporate it into several government contracts. Do you think 27001 should be similarly incorporated?
J: There’s not enough consideration of specific circumstances to warrant that.
Ga: There’s a big problem with the scope of certifications – it comes down to the types of services, the locations involved, and which departments of the certified organisation are actually providing the service to the public sector.
N: In terms of authentication of identity, in the IAAC we would like to see some more regulation surrounding assured identity. We would like to see a consumer’s bill of rights based on their data – simple things like ‘I have a right that government doesn’t give others my information without my permission’, ‘I have a right that they don’t lose that information’, etc.
Ga: I should have the right to restrict the wholesale transfer of my personal data, for example whenever I get on a plane.
K: When you talk about ISO 27001, when it was first mooted it was designed to provide a common basis to discuss information security counter-measures. Over the years I’ve taken many companies through certification, and I think the standard has pretty much lost its way. The certification process is pretty simple, and based on fairly old procedures. It cannot keep up with modern technology, and those carrying out the assessment do not have the skills and aptitude to administer the required certification.
We need a framework to develop, monitor, audit and react to information security. I don’t think asking for ISO certification is enough to prove that you’re handling your information in a controlled manner. I think you need a bit more depth, and to carry out some audits of your own organisation. I don’t think reliance can be placed on ISO 27001 certification. For example, you can have a scope for certification in India and deliver services out of the UK.
Ga: I’ve seen companies with BS7799 certification doing some things that I would cringe at! They certainly knew how to manage their audits and certificates, rather than their risks.
J: I think there’s a good point there about regulation and standards. People will always find ways, if their objective is to pass a test, to get by without worrying too much about the purpose of the test. We’ve got to make local authorities and government departments aware of the need for the test – there’s a definite culture change involved.
Are you in favour of outsourcing IT security to private sector experts?
J: There’s no reason why you wouldn’t do it – outsourcing is perfectly acceptable in some circumstances, and there’s other circumstances where it’s not. The worst thing would be outsourcing things you don’t understand.
N: Ultimately, where we think security is integrated into public service projects, the truth is that it isn’t. The community of trained IT professionals within the public sector, and indeed the private sector, is quite small. So it makes sense to outsource to companies with an enriched source of trained professional people.
How can the public sector strike a better balance between IT security and the need to share information?
Gr: I’m not convinced that there is a fundamental conflict between the two. The drive to share information is by no means at odds with the drive to secure it.
Ga: It comes down to a misunderstanding – people think the Data Protection Act prevents them from sharing information, and in the same way people perceive information security as a barrier to the open sharing of information. They provide a framework in which it can be done properly. This needs to be cleared up.
J: There is no conflict between the two – but to deliver the benefits of shared services and transformational government, you’re going to have to have an appropriate level of assurance to meet the risks at the moment.
K: I’d like to get an opinion on how the other delegates feel about the impact of US standards and practices on the UK. What, for example, does everyone think about the CAN-SPAM Act and Sarbanes-Oxley? How are these going to have an impact on public sector service? How will public sector organisations meet their obligations under Sarbanes-Oxley?
Ga: From my perspective I see the requirements impacting the US-listed companies, especially the financial institutions, more than the UK public sector. Unfortunately, sometimes Sarbanes-Oxley is implemented simply as an auditor checklist. Recently, for a simple data transit service, I had to face a 38-page IT auditor checklist, with no benefit to us except to prove we’ve met their requirements on third party suppliers! We’ve started to see a trend towards ‘one-size fits all’ checklist audit rather than real audits.
CAN-SPAM hasn’t been a problem in UK telecommunications as far as I’ve seen, but there is more appropriate UK and EU coverage in this area.
J: I haven’t seen anything on my side of Government where these regulations are having an impact.
N: I’ve heard that the National Infrastructure Security Coordinating Centre is joining with the National Physical Security Authority. Is this a strengthening of our information security effort, or is it a dilution?
J: I’m afraid it’s one of those awful occasions when I can neither confirm nor deny the existing position!!”