
Information Assurance and Cybersecurity

Government data needs to be kept safe and public services kept running, including under deliberate attack from malevolent people, organisations and states. Today, many government systems are vulnerable to both insider and external abuse. The recent trend in the UK towards data aggregation and concentration in centralised databases has exacerbated these risks and vulnerabilities. The UK’s approach is high risk and out of line with other developed nations, which hold sensitive personal information as locally as possible rather than aggregating it all in one central location. Penetration testers cite examples of taking just 5 minutes from outside a firewall to gain full root access to government systems.

Threats need to be assessed properly. At present, threat modelling may take account of factors such as the time taken to get a system back online, but completely overlook what might happen if every user of a system were phished. Effective information assurance depends on identifying information assets and assessing the level of risk each carries and the level of protection each needs. In the absence of an information architecture (addressed in the section on architecture), systematic information assurance remains highly complex. Once the information architecture and information assets have been properly audited and assessed, a more effective information assurance and risk management regime can be established, one which fundamentally reviews the current security classification of content (including recognising that much day-to-day content may not require protective markings at all).

Common security vulnerabilities are not being routinely assessed and addressed. Government is not moving at the same pace as the Internet and the external digital world. System integrators bear some responsibility here: they are often slow to roll out new security patches and fixes. Their defence is usually the sheer number and complexity of systems in place in many departments, meaning that they need to check backwards compatibility first to ensure the latest security fix does not break anything. Such complexity is the enemy of many things, including good information assurance (IA) and security.

The key principles

  1. Don’t collect and aggregate personal data when there is no real need to do so; where there is a genuine need, do not hold it any longer than absolutely necessary
  2. Recognise that the “insider” risk is often the main risk, and design all systems accordingly (minimising the impact of any security or privacy breach that does occur)
  3. No computer system is 100% secure: design and operate all systems with that in mind, ensuring that the compromise of any one system or person is tightly contained

Specific Recommendations

Things to do

  1. Based on the development of an information architecture, review the current security classification of public and private data held in government systems, ensuring it is appropriately marked and protected
  2. Explore a new, more realistic and risk-based approach to the majority of information in the public sector (protectively marking it when this is not required has enormous cost implications)
  3. Undertake a 90-day review of current information assurance and cybersecurity strategies (including the impact of federated identity, trust and intermediary models, and open APIs)
  4. Ensure privacy engineering is an integrated part of systems development, alongside security engineering, when developing or commissioning new systems or updates
  5. Provide much clearer guidance to CESG about what is useful and how to raise standards in an effective way
  6. Implement a campaign to promote cybersecurity awareness and digital literacy across the civil service, with a particular focus on senior levels, to ensure they are better able to assess and manage decisions relating to risk in the context of technology

Stop, challenge or review

  1. Stop analysing and identifying risk without also putting forward recommendations for remediating or managing that risk
  2. Don’t over-classify routine daily administrative and operational information: it causes exponential knock-on increases in technology and operational costs, and prevents the public sector from taking advantage of the economies and efficiencies of commodity software (everything ends up heavily bespoke)

Continue, support or resume

  1. The UK has some world-class security and privacy specialists: ensure that the expertise of academics and professional bodies is tapped into and acted on by government before, during and after the implementation of public sector projects

4 Responses to “Information Assurance and Cybersecurity”

  1. Fraser says:

    Demystify Gov Connect. It is being used as a barrier to good stuff like the use of Skype

  2. Fraser says:

    Remove web filtering (or at least tell people if it is active!)

  3. william says:

    * How does one make the case: “what if I don’t spend the £10m?”

    * not all depts are equal. DWP non-issuing cash vs people not getting their tax discs

    Things to stop:

    Hard to work out. But perhaps there’s less going on in govt than it supports through CPNI.

  4. Joseph says:

    Demystify Gov Connect. It is being used as a barrier to good stuff like the use of Skype
