The loss in 2007 by Her Majesty's Revenue and Customs of 25 million people's details was a major warning to the public sector. Rob Buckley says that the private sector should also take heed.
Thanks to Her Majesty's Revenue and Customs (HMRC), the final months of 2007 were a wake-up call for more or less everybody in information assurance (IA), but particularly those in the public sector. The HMRC's headline-making loss of 25 million people's personal information was a worst-case scenario that many UK security officers were glad hadn't happened to them. Since then, government departments – and HMRC – have tightened up information security, but questions remain: how are they doing it, are the chances of such an event happening again truly a thing of the past – and is there anything that the private sector can learn from what has been done?
The HMRC's big data loss wasn't the first that year. In October, a laptop containing 400 customers' names and addresses was stolen from the car of an HMRC employee. With such a relatively small number of customers involved, few people were concerned. It was something that could happen to more or less any organisation, wasn't it? In fact, HMRC was praised for coming clean.
By November, however, the scale of HMRC's IA problem became clearer as it admitted it had lost pension records for 15,000 people, which were put on a CD and sent, possibly unencrypted, by courier to Standard Life's Edinburgh HQ.
HMRC had little time to apologise, let alone examine what had gone wrong, before an incident that had happened in October finally hit the headlines in November. It made all other data losses in the UK pale into insignificance: 25 million names, addresses and bank account details went astray after courier company TNT lost the CDs – unrecorded and unregistered – containing the information. Even worse, HMRC compounded the offence by again sending two unencrypted disks with 25 million names later in October, although this time the package was registered and arrived safely.
The Government's response was to get Kieran Poynter, then chairman of PricewaterhouseCoopers, to investigate the loss and to recommend ways of changing data-handling procedures to prevent similar losses occurring. No fewer than five reports into data security and assurance – including Poynter's – were published in the following years: Poynter's in June, 2008; the Independent Police Complaints Commission (IPCC) 2010 report into the HMRC incident; cabinet secretary Gus O'Donnell's 2008 report into government information security; Information Assurance Advisory Council chairman Sir Edmund Burton's 2008 report into the loss of the MoD laptop; and ex-Information Commissioner Richard Thomas and Wellcome Trust director Mark Walport's 2009 report for the Ministry of Justice on data sharing and data protection.
Poynter concluded that the loss was “entirely avoidable” and said the incident showed “serious institutional deficiencies at HMRC”, while the IPCC report said “staff found themselves working on a day-to-day basis without adequate support, training or guidance about how to handle sensitive personal data appropriately. While an ongoing review of data procedures was being conducted within HMRC at the time of these events, it had not been finalised. Had this internal review received a higher priority, this incident may have been avoided.”
HMRC clearly wasn't alone in worrying about how it was dealing with information assurance. The Cabinet Office had been pushing for greater priority for IA for a number of years. It had created internally a Central Sponsor for Information Assurance (CSIA) in 2003 to direct information assurance across government, guided by a National Strategy for Information Assurance (NSIA), which was updated in 2007. There were good information assurance standards, IA1 and IA2, dating back to 2005, that were more or less identical to ISO 27001.
However, there was little impetus to follow these standards. There were also problems with their implementation. Peter McAllister, who leads the ‘Close in Government' cyber security practice at HP's Vistorm, was one of the people who helped revise the NSIA with the Cabinet Office and GCHQ's IA agency, CESG. He says people within the civil service had been pushing for greater awareness of data security among different departments and agencies, but had been unable to get the necessary backing for it to be taken seriously.
James Nunn-Price, associate partner and public sector security lead at consultancy Deloitte, says the problem was “you needed a doctorate to understand” IA1 and IA2. The result was that very few people on the ground understood what was needed and even those in charge of security had problems. McAllister adds that the “security manual was classified and some who needed to access it couldn't”. The guidelines had also been very “tick box”, he added, with users having to state whether they had complied with a procedure or not, without any real understanding.
However, says McAllister, the HMRC incident “helped people who wanted to move things along”. What Poynter and the other reviews instigated was a more centralised approach to government security. O'Donnell's report introduced mandatory minimum security measures across government when handling personal data, including encryption and compulsory testing by independent experts of the resilience of systems. Among requirements O'Donnell laid down are: mandatory annual training of civil servants dealing with personal data; standardisation of data security roles within departments, to ensure clear lines of responsibility; departments to report on their performance under the scrutiny of the National Audit Office; and the right of the Information Commissioner to perform spot checks.
This has meant that technical requirements that had once been glossed over were suddenly being complied with. KPMG's director of information protection and business resilience, Kerry Davies, says that mandates about encryption used to be “quite widely ignored. After the review, people went to town. Now you can't use iPhones, only BlackBerries – because they can be encrypted. All laptops are encrypted. They've gone from worrying about just material to realising that personal data loss can be just as damaging.”
In fact, as well as outlining the legalities of what could be shared and what couldn't, the various recommendations from the reports more or less amount to ISO 27001. “The HMRC incident, the reviews and recommendations that came out of that really stressed the importance of good governance,” says Peter Fischer, a consultant to CESG.
The combined reports have resulted in a sea change throughout government. Fischer, who has been running courses on information security for five years at the UK's National School of Government, hitherto mainly for MoD personnel, says MoD people are now in the minority. “We're having to create new courses to deal with the demand.”
Although each individual government department is still autonomous and can decide for itself how it is going to implement security, it has to report back annually with an audit of its security situation. Unlike the previous tick box approach, the individual departments through their senior information risk officer or ‘SIRO' have to state annually how far along they are, on a scale of one to six, in achieving security objectives – an approach known as the ‘information assurance maturity model' (IAMM). If the department is below a certain standard, action can be taken; each year, the department has to improve on its previous year's score.
It is an approach that Davies calls the “standard of standards” – something so good the private sector would be advised to adopt it, too.
Pre-Poynter, agencies, subsidiary to the various ministries, had little reason to investigate their own security. “Before, agencies were arms-length bodies,” says Deloitte's Nunn-Price. “It was hard for the ministries to tell them what to do, since they could easily say, ‘No, we don't feel like it'. There's a new impetus now.” Even post-Poynter, it was easy for agencies to be masked by their governing ministries and departments, since the ministry filled in the IAMM questionnaire and submitted it on behalf of itself and its agencies, frequently weighting its scores in favour of its own results. This year, for the first time, individual agencies have to fill in their own questionnaires.
This individual approach by all the departments and agencies has both benefits and side-effects. The benefit is that the SIRO of each department can decide how best to tailor security and security budgets for the department's needs. While there is a risk of ‘silo-ing', SIROs do try to share best practice. Peter Fischer says all the SIROs he comes into contact with are interested in mainstays of IT security, such as intrusion detection systems (IDS), technologies for parsing audit records and ways of ensuring ‘forensic readiness' in case of a breach.
While there are some areas of the Poynter report that were technologically prescriptive – much in the same way as PCI DSS mandates particular technologies – other aspects of IA are left to the SIRO's discretion. The Ministry of Defence may have to ensure security in Afghanistan and would rarely have to deal with an individual taxpayer's personal information, for instance, while the opposite is true for the department of work and pensions. Nevertheless, says Sophos UK's head of public sector, Ollie Hart: “At present, it is not clear that the Government is demonstrating best practice. There is still too much reactionary and isolated procurement of data protection software by different areas of government, and IA specialists in individual departments do not have enough power to mandate what data protection strategy their associated agencies should follow. The fact remains that, although positive steps have been taken since the HMRC breach in 2007, these breaches are still happening, with over 1,000 taking place in the public sector since HMRC,” according to the Information Commissioner.
Hart adds that “strong guidance from the very top” is needed to ensure a cohesive approach to data protection across the entire government, including a consistent set of watertight processes and procedures covering all departments and agencies.
The individual approaches taken by departments also lead to duplication and problems for third-party suppliers of services. Individual agencies will go to suppliers to assess how well they comply with their own security needs. This might involve asking them to fill out a questionnaire or it might require a site visit. As a result, according to Davies, a small supplier can find as much as 20 per cent of its day taken up with answering questions from individual agencies – and the questions being asked will usually be the same.
Davies is working with government agencies to develop a more centralised approach, where suppliers would pay to be accredited by a centralised body, according to various criteria. The agencies would go to this body to find out which suppliers are able to supply the services they need. The advantage of this system is that agencies wouldn't have to investigate suppliers for themselves and would no longer need to perform their own audits. Suppliers would pay for it – but would also save money, since they would no longer have to go through so many audits.
Another post-Poynter change was the conversion of CESG into an advisory agency. Previously, it provided information assurance and security knowledge and advice purely to the likes of the MoD in the ‘top-secret' realm, but now it provides advice and more day-to-day information to other departments and agencies. It tends to be focused on more technical matters, rather than processes, however. In particular, it offers services such as Information Assurance and Consultancy Services (IACS), which test security products to see if they meet government requirements.
“CESG has gone through a lot,” says Deloitte's Nunn-Price. “It has changed quite a bit to improve security. There are more staff now. But they're very technical. They don't really ‘get' people's behaviour or have a culture of risk management. They struggle on the people side and are just at the training and awareness stage.” Next year, CESG's main ‘to do' will be around how to improve the risk culture in the civil service, Nunn-Price adds.
Vistorm's McAllister says: “CESG is small, but it does have some excellent people. For the next year or two, CESG is going to have to identify a number of partner suppliers to drive capability and to upscale in a way that wouldn't be sensible to do with civil servants.”
Government departments are also now more willing to bring in vendors and consultants, sometimes on secondment, to provide advice. “We have a presence in most of the major ministries,” says PricewaterhouseCoopers consultant Simon Doyle. “PwC staff and staff from the other big consultancies have been known to sit in on meetings with other suppliers, carrying civil service rather than PwC job titles, such is the degree of trust,” he says.
“Particularly for the past four years,” says McAllister, “there has been a transactional purchaser-supplier relationship. But more recently, partnership has been the way forward.”
Cyber-Ark's Mark Fullbrook agrees. “They're pushing in the right direction, but it's taking longer than it should. There's a multitude of relationships traditional in Whitehall, with many parties involved, sometimes with long-term relationships going back years. But it's infinitely easier than it ever has been. As more private-sector people are going in, they know each other, they're much more open to new technology, they're changing to more off-the-shelf technology. It's a breath of fresh air.”
How long will the interest in data security continue and how likely is another HMRC-type incident? The coalition government will probably maintain it as a priority in the comprehensive spending review. However, says Fischer, “the pendulum is swinging back past the midpoint. The current breed of SIROs has not lived through – or has forgotten – the problems of 2007. There are one or two indications that SIROs are becoming more and more open in their risk appetite than they were two or three years ago. More and more often, you will hear questions such as ‘Do we have to use CLAS (CESG listed-adviser scheme) consultants, or can we do it ourselves?' ‘Do we have to use CESG assurance schemes, or other schemes that are cheaper?'” And as appetite for risk increases, the chances of another breach occurring are only going to increase, too.
We must hope that, with best practice being followed and calculations made, there will never be another breach as bad as HMRC's. Fingers crossed.
What is a ‘SIRO'?
One of the major recommendations of the 2008 Poynter Report on HMRC's security breaches was that HMRC's CFO should be designated as the department's SIRO (senior information risk officer), “in line with the requirement defined by the Cabinet Office that every department should identify a board member as its SIRO”.
The Cabinet Office developed the idea of the SIRO as early as 2004, but it wasn't until the HMRC incident and Poynter's data handling review that the measure took on its current importance.
Now present throughout the public sector, particularly in the NHS, SIROs are different to CISOs, in that they are executives familiar with information risks and whose focus is the management of information risk at board level. The idea is that someone who understands the value of data and the importance of not losing it should be on the board to advocate measures and to point out problems with departmental plans that might bring about data loss.
SIROs have typically either come from an IT background within government or been recruited from industry. Martin Bellamy, the Cabinet Office's CIO and SIRO, came from the department of health and is a former KPMG partner, while Bill McCluggage, his deputy, was SIRO for the Northern Ireland Civil Service, after being IT director for Harland and Wolff Heavy Industries.
James Nunn-Price, associate partner at Deloitte, says the post of SIRO has helped considerably with information assurance. “It is very good to have a mandated board member for risk.”
Peter McAllister, who leads the ‘Close in Government' cyber security practice at HP's Vistorm, says: “The SIRO has had a dramatic effect. It is still bedding down, but now you have someone who is personally liable in the event of a breach, in a way there hasn't been before.” McAllister says it is not necessarily a very attractive post to have. “It is so vulnerable to mistakes,” he says.
However, SIROs may be becoming less effective as they become less hands-on. Nunn-Price says that the degree to which the SIRO is involved in day-to-day matters varies widely. He's noticing that the SIROs are tending to be more occupied with board-level matters. “These days, we see more junior people in meetings, instead of SIROs. Last year, most of the SIROs would have gone, now we have IT managers and CSOs.” He says the risk is that SIROs are going to end up as figureheads, with decisions in the hands of junior staff lacking senior knowledge. “If IA isn't represented on the board, how can it be kept on the agenda?” he wonders.
What HMRC did next
Following the 2007 incident and the 2008 Poynter Report, HMRC had to take a long look at its procedures. “HMRC was in the process of conducting an internal review of data security from a process view,” says Jeff Brooker, head of security and business continuity for HMRC. “The incident accelerated what we were doing and raised the profile of staff security awareness. Changes were driven by the acting chairman. Support at the highest levels of management really helped.”
HMRC created all the job roles specified by the Poynter Report and by the Cabinet Office. This included recruiting a CISO, a SIRO and appointing a ‘data guardian' for every directorate. “The data guardians support their business director on security matters, champion security within their business unit and have been invaluable in helping coordinate change,” says Brooker.
Most of the processes and technologies HMRC implemented were driven by the Poynter Report, but they were also generated internally in response to Cabinet Office recommendations and advice from external partners, including James Nunn-Price, associate partner at Deloitte. “When we went into HMRC, it was like doing the whole of Sarbanes-Oxley again. We did what we did around Basel and SOX and reapplied that to the government space.” He says the risk-based approach was new to HMRC, used to “a compliance mentality. What we brought from the private sector was risk management.”
Some things were rapidly deployed, such as removing the ability to write data to USB devices or disks from standard desktop profiles. HMRC has also implemented network access control and has created secure online channels for sending bulk information electronically – there's no longer the need to courier mobile media with 25 million people's details. “In general, we have tried to reduce unnecessary movement of information, setting up a central service to track all of our data movements, helping to monitor where we are sending things and to verify their safe arrival,” says Brooker.
A half-day training course is mandatory for all staff and recruits, followed by annual online refresher training. “We have put all of our security guidance in one site on our intranet so it is easy to find, but we also put the key things everyone needs to know in a handy pocketbook we gave to all staff.”
HMRC annually reviews its entire business, but individual processes are also reviewed more frequently. “Senior management is aware that there was not to be a single ‘fix', so it has committed to change for the long term and set itself challenging, three-year targets to improve security,” says Brooker. If there is a security incident, he adds, “we will investigate the causes and seek to rectify the root cause. We specifically encourage people to report concerns or risks as soon as possible.”
It seems to be working. Kerry Davies, who heads KPMG's government sector information protection business, says Brooker has been able to alter HMRC's corporate culture. “Instead of using fear, uncertainty and doubt, he has put out the message that good security is good business – it's a business enabler rather than a road block.”
But of those two missing disks, although heads have rolled, including that of HMRC chairman Paul Gray, nothing has been heard: neither HMRC nor the police has been able to trace them.
With a new coalition government in power – at a time of massive planned spending cuts – no one is sure exactly what is going to happen to information assurance. While the coalition has expressed a commitment to protecting Britain against cyber terrorism, it has no specific policies about IA and is unwilling to comment further until after the comprehensive spending review.
Security minister Baroness Pauline Neville-Jones has said that central government departments will need “understanding and confidence… to make the bold decisions demanded by our future strategy for ICT. Essential efficiency savings will not be realised if departments fail to protect personal data, resulting in a loss of public trust.” She has also announced the forthcoming merger of the Office of Cyber Security and the Cabinet Office's Central Sponsor of Information Assurance.
James Nunn-Price, associate partner at Deloitte, says he sees signs of low morale at CESG, with staff worried about the threat of redundancies. The government's IT policy is “wrapped up in the National Security Council cyber security agenda. The focus will be on crime, targets of terrorism.”
Vistorm's Peter McAllister says: “The fear of forthcoming cuts is causing infosec thinking to become more radical – but pragmatic, rather than ideological. It is turning out to be game-changing.
“Previously unaskable questions are being asked. The idea of outsourcing used to be very hard to get across, now we're getting signs of traction. It can generate large savings, so we can now have the conversation.” Cloud computing for government – the ‘g-cloud', as it's known – is likely to become a high priority, because of the cost-savings involved.
McAllister believes the general attitude of the coalition to business means the way industry engages with government is going to change. “There will be better access for SMEs,” he says.
Nevertheless, there is division over whether there will be cuts to IA spending. Mark Fullbrook, UK and Ireland director at Cyber-Ark, says that such spending is “recession-proof”. “Poynter and the ICO dictate that these things will not affected by the spending review.” Despite the recession, budgets have still been available for products that work.
However, Peter Fischer of Check Point is less sure. “The previous government lived with events this government hasn't. The coalition hasn't got the remembered pain or history. Lastminute.com founder Martha Lane-Fox, the UK's ‘digital inclusion champion', has some influence, so she might realise the importance of IS in delivering web-based services. Baroness Neville-Jones seems to be shuffling for position and the debate is ongoing.”
Sophos' head of public sector, Ollie Hart, however, says Neville-Jones “really understands the ‘supplier-to-government' point of view. When and where the cuts come, she will help to continue to protect IA.”
'Don't be too hard on the Government'
Martin Smith is chairman and founder of Cambridgeshire-based Security Company (International) (SCI). He says he feels criticism levelled at government departments has often been unfair. “As chairman of the Security Awareness Special Interest Group (SASIG) – a forum set up by SCI – and in my day job working with large organisations across Europe, I have a unique perspective. The HMRC data security breach is simply a higher-profile repeat of breaches that surface with monotonous regularity in organisations of all sizes from all sectors, public and private. In almost every case, these breaches are the result of simple human error and of breakdowns in process rather than technology. It is simplistic to pillory these organisations. There but for the grace of everyman's god go the rest of us. There is indeed no patch for stupidity.
“Of course, the Government has a solemn responsibility to protect the personal and sensitive data it stores, uses and transmits. But in this respect it is no different to any other organisation. Perhaps the public feels more possessive and less forgiving towards public bodies – especially HMRC – than it does towards commercial entities such as banks or retailers. Moreover, public sector bodies are compelled to declare their mistakes, while private companies can hide their sins a little more easily. The Government's failings have been no worse or better than the private sector; they are just more conspicuous.
“Since November 2007, the Government has made an enormous effort to improve accountability for data and to ensure that minimum mandatory standards of protection are enforced across the public sector. With the HMRC loss, it had the mother of all wake-up calls and has responded to it. There is still much to do and it is unlikely that risk will ever be wholly eliminated, but the problem has been recognised and tackled head on. The biggest challenge now is to keep up the momentum.
“I believe the work in the public sector compares favourably with that in the private sector; in some respects, it is better. HMRC in particular continues to invest heavily in data security and has been conscientious in describing its work to the information security industry. While many security professionals in the private sector have commented enviously about the scale and cost of this work and the impossibility of implementing its equivalent in commercial organisations, the harsh reality is that the bar set by HMRC is not some nirvana, but simply the minimum we should all be striving for.
“It is possible to improve standards of data security quickly and cost-effectively. There must be commitment from the very highest levels of management. Then we must tap into the enormous willingness among workforces to follow good practice. The Government has recognised that the human factor is crucial to further improvements in information security. It is seeking to educate every one of our public servants about what exactly is required of them in their everyday behaviour to handle sensitive information in all its forms in a safe and secure manner and to prevent further data losses. After all, ‘problems cannot be solved at the same level of awareness that created them' (Albert Einstein).
“The lessons that have been learned the hard way by the Government can and must be learned by the private sector. I believe the public sector is striving genuinely to set a good example; the onus is now on the private sector to match it.”