Government behind on information security – Eleanor Laing

Speaking to the audience at the Security for a Digital Britain conference in Nottingham on 24 September, Laing said the current Labour government was being dragged “kicking and screaming into the 21st Century”, and that its information security strategy is disjointed and behind industry standards.

A first step would be for policy makers to cooperate with the information security industry, and for policies to be aligned with what end-users of security need. “We must give the industry structures it can work with”, Laing said.

“Bottom up security must be supported by top down strategy.”

Laing added that the current strategy for information security is not complete – it is all in bits and pieces, and there is “no holistic approach. The UK needs a cyber-security strategy, but a better one than Obama’s”.

Government losing our data

Laing mentioned the many cases of data loss in both the private and public sector in recent years, and warned that high profile data losses can “damage the UK’s commercial reputation – the UK could be seen as the sick man of cyber-security”.

Furthermore, by gathering more and more information on its citizens, the British government is creating a “honey pot effect”, increasing the temptation and interest of criminals. “We will see massive identity fraud on a scale never seen before”, she warned.

She especially warned against the planned ID register, which will hold over 50 separate pieces of information on each individual, amounting to about 300 billion pieces of information in total across the UK. The UK “will become a utopia for ID theft criminals”, Laing claimed, before adding that the government is hindering the digital economy by not paying enough attention to information security.

The Conservatives have already published plans to scrap the ID database immediately if they come to power in the next general election. The 11-point plan, Reversing the Rise of the Database State, outlines the Conservatives’ proposed measures for reducing surveillance.

The UK is becoming a surveillance society, and the Government’s plan for “a single point of truth on each citizen” takes surveillance further than George Orwell could have foreseen, according to the Conservative MP.

Not only is the government collecting huge amounts of data on its citizens, but it then goes on to lose it, Laing told the audience, mentioning the HMRC loss of 25 million records.

Less is more

Laing pointed out that a simple way to increase information security in the public sector would be to collect less information as a principle. Collection should be restricted to a need-to-know basis, and a very strong business case should be in place before data is collected.

This is also part of the Conservatives’ plans to reverse the surveillance state, as mentioned above. They want to scrap plans for the ID cards, have more scrutiny on data legislation and privacy, make the public sector accountable according to industry standards on information security, and bring corporate IT governance into the public sector as soon as possible.

Information security regulator

Laing said the Information Commissioner’s Office (ICO) needs full independence from the government and that it should make sure the government conforms with information security standards and legislation. It should be able to hold the government to account and to fine it, if necessary.

The information security regulator also needs to be closer to the industry it is regulating.

She criticised the government for having a very disjointed approach to information security, saying there are seven departments and 15 offices that deal with cyber-security. There is a Cyber Security Operation Centre and an Office of Cyber Security set up by the government, but there is no public assessment, and so the public does not know whether these have been successful or not.

Laing proposed that rather than having several centres and offices dealing with information security, there should be a clear cybercrime reporting centre where everything comes together. At the moment there is a worry about underreporting of cybercrime, as there is no network to find out what is going on. As Laing pointed out, if no-one knows what is going on, “how are we then going to do anything about it?”

Laing said the UK needs a one-stop-shop to report cybercrime and data breaches.
