Politically speaking

Twenty-five million. Two. Those two numbers raised the British public's awareness of government information security issues to a new level last November. The incident was widely reported: in responding to a National Audit Office request, HMRC officials copied the child benefit records of 25 million people onto two CDs and stuck them in the post. The discs were, famously, lost.

In the aftermath, many hard questions were asked. Why did HMRC send so much data? Why were junior staff able to burn it to CDs? Why were the discs not encrypted? Where were the access controls, the culture of care, and the plain common sense?

But government infosecurity failures are not limited to data breaches. The recently released report Security Economics and the Internal Market, written for the European Network and Information Security Agency (ENISA), details a range of other issues needing attention: cybercrime, a lack of reliable statistics, insecure mass-market computers, abusive online marketing such as spam and spyware, online fraud, internet stability, and inappropriate regulation. The report's 15 recommendations to the EU include introducing a security breach notification law, publishing statistics, penalising ISPs that do not remove compromised machines from the internet, pressing EU states to ratify the Council of Europe cybercrime convention, and establishing a NATO-style EU-wide body to facilitate international cooperation against cybercrime.

"The government gets in the way of infosecurity professionals," says Ross Anderson, one of the report's authors and professor of security engineering at Cambridge. "There are some things only governments can do, and locking up bad guys is a very good example of that."

But for Anderson, current priorities are backwards. The focus on child pornography, for example, drove the National High-Tech Crime Unit into Operation Ore – "a disaster however you look at it" – at the expense of other computer crimes.

As another example, Anderson cites the decision that bank frauds should be reported to the banks, not the police. "It's great for the crime figures," he says. "Yet online fraud is one of the typical outputs of organised criminality." Plus, banks are no help if they're the source of the problem. "The incentives are completely screwed up."

Turning a blind eye

Much more could be done, he says, to take down machines that perpetrate fraud and other online crimes. According to Anderson’s research, "Mule recruitment" sites – which recruit the innocent and clueless to transfer money and reship fraudulently obtained high-value goods – stay live "forever", and the victims "find themselves with a huge unsecured overdraft. The bank screws them rotten and their lives are trashed. Nobody cares about them." His recommendation: a change in policing priorities and restricting Western Union's financial service licence to limit such transfers.

Similarly, online auction fraud, one of the biggest sources of consumer complaints, is rarely investigated because most individual cases fall below local police forces' thresholds for taking on a case.

"They're not hearing from government that cybercrime is something they need to do something about compared to car crime," says a former lobbyist.

Everyone agrees that politicians and civil servants alike tend to be ignorant of IT. One reason is age: many still leave their typing to secretaries. Snobbishness about science and mathematics is still pervasive. And many badly conceived government IT systems invite workarounds that introduce vulnerabilities. For example, a former MP commonly heard people ask to be emailed at Hotmail or Gmail addresses because they couldn't log into the official system from home. Or take the NHS IT programme's planned full audit trail: whole A&E departments share a single login to save time, so the trail cannot attribute any action to an individual.

In general, adds the former MP, politicians need to understand infosecurity as a risk management process that needs to include contingency plans for when things go wrong. "A minister would ask, is this system secure, yes or no? But the answer should be, 'is it secure at the level of what we're trying to do?' I don't think these kinds of conversations take place."

It's an additional complication that people have double standards. Ian Taylor, the Conservative MP for Esher and Walton who was minister for science and technology at the DTI from 1994 to 1997, cites the outcry over data protection laws after the Soham murder case as an example. "Everybody assumes they're innocent but everybody else's information should be available."

Taylor endorses the Conservative proposal to create a minister for cybersecurity. Given that not every minister can be equally aware of infosecurity issues, he says, "We may have to have someone who chairs a Cabinet committee whose sole responsibility is to tighten up security and work with industry. The critical national infrastructure is increasingly owned by the private sector rather than government – for example, energy companies and pipelines."

But would Government listen? William Heath, founder of Ideal Government, points to last year's House of Lords report on personal internet security and e-crime. "The House of Lords said this is serious; the government said it's all in hand."

Help or hinder?
In some areas, government policies work against security for individuals, such as the government's history of attempts to prevent the widespread deployment of encryption.

"It's fair enough to say that Government needs to be able to monitor the communications of a very small minority of people for the wider protection of everybody," says Heath, "but if you leave everybody's communications insecure in order to achieve that very narrow aim the result is that they're open to the scrutiny of the bad guys as well as the secret service. So we're presented with this false choice of whether we want privacy or security when it's quite clear that if you want a secure online society people will need a high degree of privacy and if they haven't got it they're not secure."

Today's government, however, shows little interest in privacy-enhancing technologies when rolling out public services, says Heath. "I've observed a dangerous and worrying tendency to focus on the privacy of the elite – politicians' kids who won't be in the databases, the health records of establishment figures – which seems to me to betray a real inequality."

The biggest change needed, he says, is among the middle-ranking civil servants who do the detail work and make most recommendations. For them, the HMRC debacle's biggest shock may have been the resulting resignation of HMRC chairman Paul Gray, a permanent secretary.

"Every other permanent secretary will say, he was one of the best of us and he ran one of the best IT departments – who's safe?" However, he adds, the other danger is that the incident will be taken so seriously that no one will be able to do anything with data at all.

A former MP agrees: the pendulum swings back and forth, and politicians must pick a side. "At the political level you won't get the discussion that x data was lost but 12 lives were saved because they were sharing data. You don't get that kind of debate."

As data breaches go, HMRC was different, says Ross Anderson, whose book Security Engineering was recently released in its second edition. "It came to the attention of the Cabinet rather than being dealt with by junior civil servants that cover them up."

Yet even there it's not clear whether government has learned the right lesson, says Ian Brown, a research fellow at the Oxford Internet Institute. He thinks the recently published interim report by Kieran Poynter, chairman of the professional services firm PricewaterhouseCoopers, missed the point.

"They've been talking about how to make civil servants follow procedure, like not burning data onto CDs and sending them through the post," he says. "But the problem with that approach – whether it's for ID cards, children's database, or payment of child benefit – is that you're never going to get the procedures perfect. People are going to make mistakes, some people will sell elements of the databases, some people will be bribed. The idea that you can have a big, national, centralised database and good security is the broken thing. It's always going to be an attractive target."

Brown's comments highlight a fundamental mismatch that goes beyond understanding IT. Infosecurity specialists recognise that security is a process, while governments just want it to be an answer.


American security

You might think that information security would grab a larger amount of government mind share in the US, given that so much technology is invented there. But that's not really the case, says Dave Farber, a professor at Carnegie-Mellon who has served on many government committees, including the Clinton-Gore administration's presidential technology advisory committee.

"The attention paid at the highest levels is reasonably modest," he says, "and in fact you can see the results of that – or maybe the cause – in industry, whose attention is also modest." The status of infosecurity officers in companies has been downgraded, he says, and often the response is to isolate internal systems from the internet, a limited approach. "There are too many sneak paths in," he says. It just takes one portable computer… or one disc thrown away without being properly erased.

Farber believes that US attention won't really focus on infosecurity until there's a breach that affects members of Congress directly.

In the corporate world, he says, "For a while the Sarbanes-Oxley legislation (http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act) brought a lot of attention to security because people perceived they would be held liable and responsible for the loss of information. But it's been fundamentally defanged – there have been precious few prosecutions any place under those laws."

Worse, earlier efforts to improve infosecurity expertise have ended or failed. A programme begun after 9/11, for example, sent government staff and infosecurity professionals back to school for advanced degrees and training. "Most of the graduates of those courses couldn't find jobs in government when they went back," he says. "It's a real problem and I don't think it's been fixed."

What's needed, he says, are real career paths – in government, the military, and industry – and direct access to senior levels. "We need a national science advisor who understands the issues."
