Sunday, 14 June 2015

RIP IDA – security through the looking-glass

No need to say it, it goes without saying, it should be obvious to all but,
just in case it isn't obvious to all,
IDA is dead.

IDA, now known as "GOV.UK Verify (RIP)",
is the Cabinet Office Identity Assurance programme.
And it's dead.

It's been a torrid week for computer security. Worldwide:
  • Over there in the US "the Obama administration is scrambling to assess the impact of a massive data breach involving the agency that handles security clearances and US government employee records ...", the Guardian newspaper told us, "Government officials familiar with the situation told the Associated Press the hack occurred at the Office of Personnel Management (OPM) and the Interior Department, and could potentially affect four million people at every federal agency".
  • "Although reports are conflicting about how the OPM discovered the breach, it took investigators four months to uncover it", Wired magazine tells us, "which means the EINSTEIN system failed" – EINSTEIN is the US government's anti-hacking/hack detection system. Or not.
  • Dossiers on US spies, military snatched in 'SECOND govt data leak', says ElReg and everyone else, "China said to have stolen detailed info on employees in sensitive federal positions".
  • Meantime in Germany, "two weeks on from the revelations of a serious cyber attack on the German Bundestag, insiders have told The Register that the tech department is 'clueless' about what is going on ... On Friday it emerged that data had almost certainly been stolen ... As yet techies inside the Bundestag don’t know who is behind the attack – or even when it started ... The Trojan malware which penetrated the entire Bundestag network, including MPs' computers, could have been sitting on computers for months or even years".
But then it always is. A torrid week. For computer security. Every week.

You don't need DMossEsq to tell you that. But we have anyway. Repeatedly. Hyperinflation hits the unicorn market we told you, back in October 2013, with links further back to a collection of hacking stories which started in October 2010.

By now, you may agree that computer security is like a unicorn. A lovely idea but there's no such thing. You may agree that marketing computer services on the basis of security is old-fashioned or other-worldly or downright suspicious – what fools do the marketing persons take us for if they imagine we'll fall for that when even US defence contractors can't ... hack it, cybersecuritywise?

You know that, the US Office of Personnel Management knows that, the German parliament knows that, everyone knows that – except the UK Government Digital Service, apparently, who blithely continue to promise that their identity management scheme, GOV.UK Verify (RIP), is secure: "GOV.UK Verify (RIP) will provide users with a simple, trustworthy and secure means of accessing public services".

Sometimes GDS replace their glib promise of security with a glib promise of safety: "GOV.UK Verify is the new way to prove who you are online so you can use government services safely, like viewing your driving licence or assessing your tax". Changing the word doesn't alter the risk. It's still manifest nonsense:
"I can't believe that!" said Alice.
"Can't you?" the Queen said in a pitying tone. "Try again: draw a long breath, and shut your eyes."
Alice laughed. "There's no use trying," she said: "one can't believe impossible things."
"I dare say you haven't had much practice," said the Queen. "When I was your age, I always did it for half-an-hour a day. Why, sometimes I've believed as many as six impossible things before breakfast."

Perhaps GDS are the real thing, delightful eccentrics living in a looking-glass world of their own where they believe without qualification that their parishioners can safely/securely use GOV.UK Verify (RIP).

And perhaps they are cynically manipulative would-be snake oil salesmen exploiting fashion.

It's one or the other and it doesn't matter which because either way the British public is being lured into dangerous territory and that's not what Whitehall is for.
Most of us use on-line payments and we would hate to be deprived of that convenience. The banks work hard to try to make on-line payments as safe/secure as possible. When our accounts are nevertheless hacked, as long as we have followed procedures, we are compensated – it's the banks that get defrauded, not us.

Up to a certain point, those compensation payments keep the banks' noses clean, they are motivated to keep on trying hard to increase security. Beyond that point, it won't be worth it, the banks will withdraw on-line payments and it will be goodbye convenience.

GOV.UK Verify (RIP) doesn't follow that model. The "identity providers" limit compensation payments to derisory levels. They operate their parts of GOV.UK Verify (RIP) under contract to GDS, and GDS only. GDS acknowledge no duty of their own to compensate people. What is there to keep GDS's nose clean or their agents' noses?

What Alice found through the looking-glass makes for an enchanting children's story. You can check with the Office of Personnel Management or the German parliament but the world of GOV.UK Verify (RIP) would be altogether grubbier and more unpleasant.

It's one or the other and it doesn't matter which
because either way
the British public is being lured into dangerous territory
and that's not what Whitehall is for.

No comments:

Post a Comment