Thursday 27 June 2013

The Tragedy of the Commons

Public cloud benefits
outweigh security and data sovereignty risks,
says head of Parliament IT

Back in the 1970s, few organisations could afford their own computer. Timesharing bureaux grew up as a result. You'd nip round to your local IBM or Burroughs or ICL bureau with a deck of punched cards and a couple of tapes and come back with a printout. Timesharing wasn't cheap. But it made computing a bit more widely affordable.

That all changed with the advent of microcomputers and cheap high-speed telecommunications. The timesharing bureaux went out of business during the 1980s.

30 years later, they're back. Cloud computing suppliers are the timesharing bureaux de nos jours.

It's the same pitch. Outsourcing to a cloud computing supplier is cheaper than running your own data centre. There's more flexibility. You can get up and running more quickly. Backup and security are handled by dedicated experts and not by your own staff.

(Of course, prices could go up once there's no alternative to the cloud. And the cloud computing suppliers' backup and security staff could turn out to be just as flaky as your own. But these points are rarely made. Your attention is distracted by the modern and exciting hippy lure of the web, which is somehow deemed to be a good in itself.)

Outsourcing in government IT has been going on for decades. During which time an oligopoly of systems integrators (SIs) has developed in the UK and has allegedly grown used to charging the government eye-wateringly disproportionate fees for their services.

The SIs operate expensive data centres. Shifting to the government cloud (G-Cloud), it is hoped, will cut costs hugely while at the same time reducing development lead times and improving the response to change.

That's the pitch. That's the picture which is drawn for you to admire. And if that's all there was to it, there could hardly be any objection to cloud computing.

... the Houses of Parliament [are] now in the process
of moving a number of applications to the public cloud
as part of plans to create a ‘digital parliament’

From the dept of useless statistics:
  • 325 posts have been published on this blog, starting on 3 October 2011.
  • 61 of them are tagged "G-Cloud".
Clearly, DMossesq thinks there is something more to it, some important problem with cloud computing that needs to be communicated to readers.

He is not alone.

The OECD think that "cloud computing creates security problems in the form of loss of confidentiality if authentication is not robust and loss of service if internet connectivity is unavailable or the supplier is in financial difficulties".

ENISA think that "its adoption should be limited to non-sensitive or non-critical applications and in the context of a defined strategy for cloud adoption which should include a clear exit strategy".

Larry Ellison, the President of Oracle, says "maybe I'm an idiot, but I have no idea what anyone is talking about. What is it? It's complete gibberish. It's insane. When is this idiocy going to stop?".

Richard Stallman, venerable IT person, says "cloud computing [is] simply a trap aimed at forcing more people to buy into locked, proprietary systems that [will] cost them more and more over time ... It's stupidity. It's worse than stupidity: it's a marketing hype campaign".

Sergey Brin, one of the founders of Google, "acknowledged that some people were anxious about the amount of their data that was now in the reach of US authorities because it sits on Google's servers. He said the company was periodically forced to hand over data and sometimes prevented by legal restrictions from even notifying users that it had done so".

Gordon Frazer, managing director of Microsoft UK, "gave the first admission that cloud data — regardless of where it is in the world — is not protected against the USA PATRIOT Act".

... there were challenges around
the legal requirements of where data is stored,
explained Joan Miller, Director of Parliamentary ICT,
... at the
Think G-Cloud event in London.

Then there's Mayer Brown, the US lawyers, who tell us that "US law enforcement authorities may serve FISA Orders, NSLs, warrants or subpoenas on any cloud service provider that is US based, has a US office, or conducts systematic or continuous US business—even if the data is stored outside the United States".

And, further, "US law enforcement authorities may serve FISA Orders, NSLs, warrants or subpoenas on any cloud service customer that is US based, has a US branch, or conducts systematic or continuous US business—even if the data is stored outside the United States".

There's the indefatigable Caspar Bowden, former chief privacy adviser to Microsoft Europe, who has issued more warnings of the coming war than Cassandra, see for example Experts warn on wire-tapping of the cloud.

And there's the larger-than-life Kim Dotcom whose cloud computing company,, was put out of business by the FBI.

“The big outstanding element was data sovereignty,”
said Miller. “We needed to know
what was happening to that data in the cloud,
and that anything that happened to that data
was in our control.”

Which is where we get to the nub of the cloud computing problem.

Customers of had their data hosted in the cloud by Carpathia, acting under contract to When the business was shut down, the customers lost access to their data which, in some cases, imperils their business.

Kyle Goodwin is one of these customers and his lawyers say "the [US] government maintains that Mr. Goodwin lost his property rights in his data by storing it on a cloud computing service ... both the contract between Megaupload and Mr. Goodwin ... and the contract between Megaupload and the server host, Carpathia ..., likely limit any property interest he may have in his data".

Sign a cloud computing contract in other words and you lose the rights to your property.

You lose control of it.

“We were thinking we have to go back ...
and make sure that what we have done to measure the risk
is adequate to deal with ... the American government’s use of data 
In fact, we are reassured 
that everything we thought about
is still covered in the work we have already done.”

You already knew that – the media report the activities of hackers every day. Even the US military seem to be helpless in the face of cyberattacks allegedly carried out by the Chinese. You knew that the web is a dangerous place to store your data. There is no such thing as a secure website. "Secure website" is an oxymoron.

Cloud computing adds to the risks:
  • The website is no longer in-house.
  • The staff who operate the equipment are not on your payroll and have not been vetted by you.
  • Your contractor will have sub-contractors, like Carpathia, which makes the line of command longer.
  • And, thanks to the internet, your data can pop up on servers anywhere in the world, in or out of the jurisdiction of English law.
And as we have discovered this month thanks to Edward Snowden, you also need to know that the National Security Agency in the US and the UK's GCHQ will also have access to the data in the cloud and may share it with anyone.

The advocates of cloud computing know all that. They know about the loss of control and the hacking. And yet they persist.

According to Miller
much of the data held by the Houses of Parliament
is actually relatively low risk.
She explained that, other than in certain circumstances,
the majority of the data is already destined for the public domain.

If your lawyers promise to keep your data confidential and then store it in the cloud, you can fire them. That threat is sufficient to force all but the mad to try hard to keep your data confidential.

It is the tragedy of the commons that that incentive doesn't work with the UK public sector.

You won't catch the US losing control of their data if they can help it, nor China, nor Russia, nor Germany – GCHQ surveillance: Germany blasts UK over mass monitoring. Those are states that clearly aim to survive.

But in the UK, local government, central government and now Parliament itself seem to be determined knowingly to risk storing our data in the cloud. They are abdicating their sovereignty and with it their responsibility. Has the state lost the will to survive?


(Hat tip: The tragedy of the commons)
(Hat tip: Matthew Finnegan from whom the big italic quotations above are taken)
(Hat tip: Glyn Moody)
(See also House of Lords Management Board Minutes 16 January 2013)
(And Think G-Cloud 2013)


Update 3.3.14

Last June when the post above was written we were assured that the security arrangements for the UK parliamentary website are adequate.

Just under nine months later, what do we learn?
The official website of the UK Parliament contained basic flaws that left it vulnerable to hacking, a programmer has discovered.

In a well-known loophole that has now been closed, the internal search engine on allowed users to enter computer code that meant it displayed images, video and even requests for passwords where the results would ordinarily appear.
See Revealed: key UK websites vulnerable to hackers in today's Telegraph.

From today's Telegraph
don't worry,
just their little joke
"Basic flaw"?

"Well-known loophole"?

The Telegraph are talking about the website. Or are they talking about Joan Miller, Director of Parliamentary ICT? And all the other officials in Westminster and Whitehall who just can't take security seriously, headed by Public Servant of the Year ex-Guardian man Mike Bracken CBE?

Public Servant of the Year ex-Guardian man Mike Bracken CBE, you will remember, is the executive director of the Government Digital Service. He is the "head of digital", as they say, for the whole of Whitehall. And, setting a dubious example, he told a conference last October that security ought to be relaxed because he'd just had a daughter. He was so tired as a result that he couldn't remember the answers to all the Whitehall security questions he had to answer to use his account:

And as for Ms Miller, Director of Parliamentary ICT, it's the old story – just because someone tells you a website is secure doesn't mean it's true. Even if your interlocutor has a technical- and senior-sounding job title and works for the most respected organisation in the world.

On-line security is like unicorns.

And if that website is in the cloud, forget it.

Updated 4.4.14

Terence Eden, the blogger who discovered the security hole in the UK Parliament website and brought it to their attention, is too polite to use the word "muppet". Instead, he says:
The UK Parliament website is pretty great. It houses a huge amount of historical information, lets people easily see what's happening in the Commons and the Lords, and is run by some really clever people.

That's why it's so depressing to see such a basic error as this XSS flaw in their search engine.
He goes on to explain how the website security weakness could be exploited, explaining the procedures step by step and giving examples.

This is the first in a series he hopes to publish on what he calls The Unsecured State. Perhaps Whitehall and Westminster will take note.

Updated 7.4.14

Joan Miller steps down from role as director of parliamentary ICT

No comments:

Post a Comment