Tuesday 13 November 2012

Cybersecurity, and GDS's fantasy strategy

For some time now, the Government Digital Service (GDS) have made the meaning of their digital-by-default agenda clear – they want the UK to be like Estonia.

It is thanks to the fact that practically every service in Estonia is delivered over the web that, back in 2007, Russia was able to bring the country to its knees in a matter of days. If GDS succeed with their "modernisation" plans, there will be nothing to stop that happening here in the UK.

GDS are in awe of the financial success and popularity of Apple, Amazon, eBay/PayPal, Google and Facebook. With no experience of government behind them, the over-promoted software engineers at the head of GDS want to bring their heroes' tricks to the delivery of public services in the UK.

Sensible people will see Facebook et al as latter-day Pied Pipers of Hamelin – sensible people, including the tens of thousands of public servants who will be laid off and replaced by GDS's computers when government is, as they say, "transformed".

Many of these organisations are famous for avoiding tax on their UK profits and for using their near-monopolies to tyrannise their suppliers and to milk their customers. But GDS somehow maintain their naïve veneration and on 6 November 2012 they published their Government Digital Strategy.

This fantasy strategy is an elaboration of Martha Lane Fox's ideas, set out in her October 2010 letter to Francis Maude, Directgov 2010 and beyond: revolution not evolution. Ms Lane Fox is the Prime Minister's digital champion; she is a historian, and when she says "revolution" she means it.

Her revolutionary fervour is carried over into last week's GDS strategy, which Sir Bob Kerslake – head of the home civil service, permanent secretary at the Department for Communities and Local Government (DCLG) and previously the chief executive of first the London Borough of Hounslow and then Sheffield City Council – has greeted with a post on GDS's blog, Welcoming the Digital Strategy:
Our reform plan also made a clear commitment to improve the quality of the government’s digital services, and to do this by publishing a Government Digital Strategy setting out how we would support the transformation of digital services [how does publishing a wishlist improve the quality of public services?].

We fulfilled that commitment yesterday with the launch of the Government Digital Strategy, Digital Efficiency Report and Digital Landscape Report and I very much welcome their publication.
But why? Why does Sir Bob "welcome" this emmental cheese of a strategy? It's full of holes. Consider cybersecurity for example.

Iain Lobban, the Director of GCHQ, writing in the Foreword to 10 steps to cyber security says:
Every day, all around the world, thousands of IT systems are compromised. Some are attacked purely for the kudos of doing so, others for political motives, but most commonly they are attacked to steal money or commercial secrets. Are you confident that your cyber security governance regime minimises the risks of this happening to your business? My experience suggests that in practice, few companies have got this right.
Mr Lobban's advice on cybersecurity was pressed on FTSE 100 companies at a 5 September 2012 event organised by the Department for Business, Innovation and Skills (BIS), the Foreign Office, the Cabinet Office, the Home Office and senior figures from the intelligence agencies; see Business leaders urged to step up response to cyber threats.

It's hardly news. The newspapers are full of cybersecurity stories and have been for years – there's an incomplete digest in With their head in the clouds:
29 March 2009: Spy chiefs fear Chinese cyber attack
8 March 2010: Cyberwar declared as China hunts for the West’s intelligence secrets
10 October 2010: Worm cripples Iran nuclear plant
13 October 2010: UK infrastructure faces cyber threat, says GCHQ chief
4 November 2010: Europe attacks itself in cyber-warfare test – As OECD admits major security fail
8 November 2010: Royal Navy website infiltrated by computer hacker
18 November 2010: China 'hijacks' 15 per cent of world's internet traffic
9 November 2010: US embassy cables: The background
9 December 2010: Hackers hit Mastercard and Visa over Wikileaks row
13 December 2010: Gawker falls victim to hackers
13 December 2010: WikiLeaks: government websites could be hacked in revenge attacks
20 December 2010: Hackers leak e-mail account details of government and defence staff
20 December 2010: English Defence League donor details 'stolen' after database hacked
29 December 2010: Gawker was hacked six months ago, say sources close to Gnosis
9 January 2011: Army adds cyberattack to arsenal
14 January 2011: Reducing Systemic Cybersecurity Risk
17 January 2011: Security & Resilience in Governmental Clouds
20 January 2011: Carbon trade cyber-theft hits €30m
21 January 2011: Lush hackers cash in on stolen cards
26 January 2011: Facebook's Mark Zuckerberg 'attacked by hackers'
31 January 2011: British and US stock exchanges fend off cyber raids
4 April 2011: Epsilon email hack: millions of customers' details stolen
26 April 2011: PlayStation Network hackers access data of 77 million users
3 May 2011: Sony says 25m more users hit in second cyber attack
26 May 2011: China admits training cyberwarfare elite unit
29 May 2011: Lockheed Martin computers under 'significant attack'
31 May 2011: Cyber weapons 'now integral part of Britain's armoury'
1 June 2011: Google phishing: Chinese Gmail attack raises cyberwar tensions
12 June 2011: IMF hit by cyber attack from unknown nation state
16 June 2011: LulzSec hackers claim breach of CIA website
12 July 2011: Hackers steal 90,000 email addresses in cyber attack on US military contractor Booz Allen Hamilton
15 July 2011: US forced to redesign secret weapon after cyber breach
15 July 2011: Pentagon reveals 24,000 files stolen in cyber-attack
25 July 2011: Anonymous hacks Italy's critical-national-IT protection
1 August 2011: LulzSec hacking: teenager ‘had cache of 750,000 passwords’
1 October 2011: Flaw in software puts online savers at risk
19 October 2011: Stuxnet-based cyber espionage virus targets European firms
27 October 2011: Chinese hackers suspected of interfering with US satellites
20 November 2011: Cyber-attack claims at US water facility
24 December 2011: Hidden Dragon: The Chinese cyber menace
25 December 2011: Hackers 'steal US data in Christmas-inspired assault'
8 January 2012: Hackers expose defence and intelligence officials in US and UK
16 January 2012: Israel hit by cyber-attacks on stock exchange, airline and banks
3 February 2012: Anonymous spies on FBI / UK Police hacking investigation conference call
7 March 2012: LulzSec leader Sabu was working for us, says FBI
11 March 2012: Chinese steal jet secrets from BAE
27 March 2012: NSA Chief: China Behind RSA Attacks
31 March 2012: Hackers steal details of millions of credit cards
23 April 2012: Iranian oil ministry hit by cyber-attack
3 May 2012: Attack takes Soca crime agency website down
3 May 2012: Hackers have breached top secret MoD systems, cyber-security chief admits
1 June 2012: US role in cyber attack on Iran nuclear plant revealed
7 June 2012: LinkedIn passwords leaked by hackers
5 August 2012: Iranian state goes offline to dodge cyber-attacks
21 September 2012: Chinese hacktivists launch cyber attack on Japan
You get the idea. The web is a dangerous place to do business. Dangerous for individuals, companies and governments.

But do GDS get the idea? Do they listen to GCHQ? Do they read the newspapers? Read the GDS blog, and you get the impression that digital-by-default is a warm, safe, cosy tea party. In reality, all the magnificent power and convenience of the web is at the disposal of criminals and spies and cyberterrorists to wreak havoc. It's a double-edged sword, the web.

You may notice that the only solution to the problem that Iran can come up with, after long and painful experience of cyber attack, is to secede from the worldwide web altogether and try to create an Iranwide web.

Meanwhile, with no such experience, GDS blithely recommend that all public services should be delivered over the web. They are luring the public into a war zone. Irresponsible? Malign? Or just gullible? But who is more gullible? GDS, or us proles?

What do GDS have to offer by way of defence? The Government Digital Strategy says:
Legality, security and resilience
Transactional services will be redesigned to:
• be robustly protective of the security of sensitive user information
• maintain the privacy and security of all personal information
• be resilient, to ensure continuity of service to users and departments
And that's it. No strategy. Just a wishlist. No defence.

Where there should be answers to these questions in the Government Digital Strategy there are just holes. Revolution is proposed with no justification. And yet Sir Bob, the head of the home civil service, welcomes this fantasy.
