Tuesday 11 February 2014

RIP IDA – if you've got nothing to say, say it

No need to say it, it goes without saying, it should be obvious to all but, just in case it isn't obvious to all, IDA is dead.

IDA is the Cabinet Office Identity Assurance programme. And it's dead.

17:09, yesterday afternoon, Monday 10 February 2014, an email arrives saying that the Government Digital Service (GDS) have published a new blog post, Striking a balance between security and usability.

Read it, and one question keeps asking itself – why? Why did they publish this interview with James Stewart, the director of technical architecture at GDS? What was publication supposed to achieve? What is the message they're trying to convey?

A number of messages do come across. But unless GDS is trying to undermine itself, these messages can't possibly have been intended. Mr Stewart's topic is the balance between security and usability. That's the question. And his answer is – you have to balance them.

Yes James, thank you, we know that, that's the title of the blog post, the question is how? How do you balance security and usability? And since he doesn't answer that question, the inference is that he can't answer it – GDS don't know how to balance security and usability. That's the message that comes across.

That ignorance doesn't seem to worry them. That's another message that comes across. GDS aren't interested in security. Only in usability.

This isn't the first time. We saw this lack of interest in security in Public Servant of the Year ex-Guardian man Mike Bracken CBE's speech last October to the Code for America Summit 2013 and we saw signs of it again two weeks ago in the blog post by GDS's Janet Hughes and Leisa Reichelt, Security and convenience: Meeting user needs.

GDS may not be interested in security. But other people are. They understand its importance.

When GDS's David Rennie spoke at the US Identity Ecosystem Steering Group conference in January, he said that the reason none of the big retail banks have signed up to IDA, the identity assurance programme, is that they've been too busy sorting out the aftermath of 2008's credit crunch (31:22-32:32).

That's silly. Identity assurance is what retail banks do all day every day – they can't be "too busy" to do it.

Is the real reason that the banks won't sign up that they don't want to be associated with IDA? And they don't want to be associated with it because, without a proper understanding of security, IDA will crash on take-off, destroying the reputation and the share price of everyone connected with it?

Is that perhaps the reason why Cassidian and PayPal, who were signed up to IDA, have subsequently pulled out?

Security isn't important. What does that imply for HMRC, who are being asked to give up the long-established Government Gateway and to rely instead on IDA?

And what does it imply for the remaining "identity providers"?

It would be a shame to see the Post Office's good name besmirched. The fates of Digidentity, Mydex and Verizon don't concern us much in the UK; they don't have a reputation here to lose. But Experian should worry us all.

They don't need GDS. Experian already do identity assurance in the UK and overseas. They're good at it. They have a global brand, a global good name, and DMossEsq, for one, would like to see them keep it, not least because his pension fund is quite heavily invested in Experian. Their association with GDS and IDA is a threat to DMossEsq's retirement, and the retirement of many others – we're talking about a FTSE-100 company here.

The message from James Stewart's blog post is – Experian, get out, like Cassidian and PayPal, before the shareholders revolt. Why did GDS want to publish that?

Updated 23.5.14

eBay urges users to reset passwords after cyberattack

Auction site eBay has urged users to change their passwords after suffering what may have been the biggest-ever cyber-attack when hackers broke into a database holding its 233m customers’ personal data ...

The attack is even bigger than that which affected the US retailer Target in December, when around 40m customer credit cards were stolen by hackers, who broke into the company's systems. The fallout from that security breach led to the resignation of Target's chief executive in May ...

The latest in a long line of security breaches. And a harbinger of things to come unless GDS starts to take security seriously.

Updated 9.6.14

GDS published a blog post today, Sensible Security. At first it looks as if they're starting to take security seriously ...

... for routine government business and the delivery of public services, government should think about security just as a large and well-run company would do – consider the organisations who look after your savings, manufacture medicines or produce the smartphone in your pocket ... The answer is to think about security as part of the user needs ...

... but the effort proves once again to be too great and we are left with them thinking about security as ...

... something that is integral to (and should be balanced against) every other facet of the service. If we can achieve this balance, and users and risk owners alike can understand it, then we'll have been successful.

They're no further forward than 10 February 2014 and Striking a balance between security and usability. Luckily the banks and other organisations GDS claim to want to emulate are way ahead.

Updated 20.1.15

No stopping GDS. Now they're responsible for the Public Services Network (PSN).

The what?

"Simply put, the Public Services Network (PSN) is the government’s high-performance network". That's James A Duncan's take on the matter in Making the PSN better. And he's the new new Chief Technology Officer for the PSN so he should know.

According to Mr Duncan:

For suppliers previously, a Pan-Government Accreditor (PGA) would accredit services against the requirements for the Impact Levels. This created an unwieldy bottleneck that has actively added cost to supplier services, and slowed down the rate at which new services are made available on the network. We are changing the over-the-top Service assurance to be more in-line with G-Cloud and the Cloud Service Security Principles.

The Cloud Security Principles remove the "unwieldy bottleneck" which cost money and took time by making the users responsible for assessing security themselves on the basis of unaudited assertions made by the suppliers. You can see why Mr Duncan fits in well with GDS. He has the same relaxed view of security.

What is not clear is how this makes the PSN "better".

Does Mr Duncan have any security advice for his users? For all those central government departments and local authorities and "schools, doctors' surgeries, pharmacies, emergency services, hospitals and charities large and small"? You bet:

… we're creating an option for connectivity that allows customers to connect using suitable encryption, via the internet.

"Suitable"? What does that mean? Like "balanced" (please see James Stewart in the post above), it means nothing.

There goes the PSN.

Updated 23.11.16

Updated 23.1.17

Mystery: the departing James Stewart on DirectGov and BusinessLink.
