UK Government Data Handling – Some Thoughts
My data is
very personal to me so, like many other people, I take great exception when it
is lost or stolen by incompetent organisations. If data is lost by a private
sector company I can vote with my feet and take my custom elsewhere. This
doesn’t solve the data loss issue but it makes me feel a bit better.
Contrast
this with a government body that loses my data. I have nowhere else to go,
short of maybe leaving the country. This issue, coupled with the fact that government
in all its guises handles what is my most sensitive data, presents us as
citizens with a challenge—how can we make our governments handle our data
more securely?
In the UK, public confidence in government, of whatever
description, is extremely low. Fuelled by expense claims that fail the
“reasonableness” test applied by the man or woman in the street, the view is
that politicians, the government and the ruling classes are hopeless at best and
criminal at worst. There is no sign that this confidence is returning.
Meanwhile government collects vast amounts of data that
enables it to conduct its day-to-day business—licensing vehicles, paying
benefits, running hospitals, tracking criminals and so on. Unfortunately it
becomes a heady mix when one considers the amount of very personal, sensitive
data that is being held in databases.
Even the most personal of personal data, our unique DNA
code, is now, for many people, in the hands of the government. Data loss
incidents raise the cry of “something must be done” but what is that something?
What can we as IT professionals do to help solve the problem?
When thinking about the government use of citizen data it
quite often shocks people when they realise the amount of data that is stored
across government systems. The vast majority of these databases are perfectly
legitimate and form a vital tool for the administration of a country.
Here is a sample of some government databases being used, or
planned, in the UK.
- The national DNA database stores records of over 4.5 million people, which
  is around 5.2% of the UK population. Everyone that is arrested in the UK has
  their DNA taken and kept on file even if they are not found guilty or even
  charged, which has raised some interesting civil liberties concerns.
- The National Identity Register, or ID database, is another politically
  sensitive database currently in the design phase. It is believed by some
  that over time this will contain all citizens’ data as a prelude to the
  enforced carrying of ID cards—a very sensitive issue for the British.
- The TV licensing database contains 28 million addresses, and the DVLA
  database stores records of 38 million vehicles registered in the UK
  alongside driver and vehicle licensing information.
- The Department for Work and Pensions customer database has 85 million
  records that are accessible to 80,000 departmental staff plus 60,000 staff
  in other departments and 445 local authorities.
- ContactPoint is a database designed to hold the name, address, gender, date
  of birth, school and health provider of every child in England.
- The communications database is planned to centralise details of calls and
  websites visited by users by utilising data from phone companies and
  internet providers. This data will then be open for inspection by over 500
  public bodies.
According to the Joseph Rowntree Reform Trust the UK government spends £16bn a year on databases
and plans to spend a further £105bn on projects over the next five years.
Ultimately government needs to be avoiding headlines such as
one that appeared in March 2009 concerning the ContactPoint database. Security
flaws halted work on the database after the Department for Children, Schools
and Families (DCSF) admitted that it had uncovered problems in the system for
shielding details of an estimated 55,000 vulnerable children.
These include children who are victims of domestic violence,
those in difficult adoptions or witness protection programmes and the children
of the rich and famous, whose whereabouts may need to be kept secret.
The shielding system for vulnerable children is supposed to
withdraw everything but a child’s name, sex and age from the computer record
that will be available to 400,000 children’s services workers with access to
the database.
But local authority staff who had been uploading information
on to ContactPoint discovered that the shielding did not always work.
The executive director of family and children’s services for
the borough of Kensington & Chelsea in West London said that “Some people are
seeing this as an IT issue but, in reality, it is a child protection issue.”
In my view this really starts to focus one’s mind on IT
security issues.
The Inside Threat – Again
I believe that the biggest threat to government data
actually comes from within. Despite exciting stories of hackers breaking into
government databases the vast majority of data loss incidents have stemmed from
the inside threat.
I use the term inside rather than insider as I believe it
better articulates this problem, which breaks down into two areas.
- Incompetent and non-malicious: i.e. I sent all of the HMRC database in the
  post
- Competent and malicious: i.e. I am going to steal this medical data and
  blackmail the patient
The incompetent and non-malicious actor is by far and away the
most prevalent in any data loss incident. We have all read the headlines
and seen the news reports. I guess someone leaving an unencrypted laptop on a
train isn’t as exciting as a targeted hacking attack, but it is the reality
when it comes to government data losses.
That said, of course there are competent and malicious data
loss incidents where an attacker is in a position to steal data. Again I
believe a lot of this is by users that already have privileged access to data
in the first instance, and then go rogue. Espionage and break ins are far less
common.
So what steps can government take today to help prevent data
loss?
Data encryption is one of the more well established data
security tools. Vendors have produced a number of easy to use encryption
solutions that enable users to rapidly encrypt their data, be it at file level,
folder level or the entire hard disk.
Alongside these many implementations comes the inevitable downside.
For encryption this has always been key management. Relying
on users to remember their encryption passwords is a risky business and can
result in corporate data being locked away, sometimes never to be seen again.
Clearly this is an unacceptable state of affairs and needs to be addressed
before encryption can be widely adopted. Unfortunately departments that have
purchased an encryption solution as a tactical add-on, rather than as part of
a strategic encryption roll-out, quickly realise that their quick fix ends up
causing horrendous problems later on.
The most appealing aspect of data encryption is the fact
that if hardware that contains encrypted data is lost the associated dramas are
far less exciting. After all, only some hardware has been lost which contains
an incomprehensible bunch of gibberish. Bad that hardware has been lost, but
nowhere near as bad as if it had contained valuable government data.
Strategic data encryption is a must for any system that
contains sensitive data. But great care needs to be taken in rolling it out. It
is vital that implementers fully understand the environment in which they are
working so that all relevant hardware is encrypted. Discovery is vital—forgetting about one single USB drive may invalidate an encryption solution
that has been deployed across an entire government department.
Patch management, like data encryption, is one of those
basic IT hygiene tasks we all need to undertake day in and day out.
The rampant success of the Conficker code late last year was
attributed to neglected patching. This included 8,000 PCs on a hospital network
in Sheffield that were infected after managers apparently told staff to turn
off automatic security updates. A patch, released by Microsoft in October 2008
and 3 months before the Sheffield incident, would have prevented the problem.
Likewise the Ministry of Defence was still subject to a Conficker infection
early in 2009.
Patches need to be tested and deployed in a controlled
environment, following advice from the software manufacturer as to their urgency.
Testing has traditionally been a problem as an untested patch may end up
affecting production systems, so IT managers need to weigh the time needed to
complete appropriate testing against the need to deploy a patch to combat a
known exploit.
With good, well managed data encryption and a robust patch
testing and deployment strategy an organisation will be a long way down the
road of establishing a safe, secure and compliant IT infrastructure…
Compliance
Compliance is something that all those working in IT need to
get their heads around. If anything is guaranteed for the future it is the
realisation of more and more rules and regulations for both the public and
private sector as governments look at preventing a repeat of the current
financial situation.
Even now, before any more draconian legislation is
introduced, there is an awful lot that needs to be considered by organisations
working in the EU. Not all of them apply to every sector, industry or geography,
which makes things even more complicated when trying to unearth which acts you
should be worrying about.
IT compliance in both the public and private sector is
normally a good thing as it often instils good practices and procedures. On the
other hand, over-compliance can be detrimental as the organisation can be bogged
down in achieving a goal that delivers little direct business benefit.
Medium-sized businesses often have a real struggle ensuring their systems are
compliant.
Compliance failure may escape regulatory attention for a
while, until something goes wrong and IT systems are then explored in fine
detail. This also applies when a company is being sold or floated, with newly
discovered compliance failures having a direct negative impact on a
business’s valuation.
Ultimately compliance is a balance that legislators need to
achieve, with our assistance.
As organisations switch onto the world of compliance they
realise that it is far more cost effective to run compliant systems 24/7 rather
than hastily scrabble to clean up prior to an audit. Those days should be long gone
and organisations should ideally be “audit ready” at all times, or at least
strive to be.
The public sector is often revealed as having poor data
security practices, and the vast majority of headlines relate to public sector
organisations failing in their data protection duty. The private sector appears
to have been able to hide its mistakes away from public eyes unless a data
breach attracts a prosecution or the company owns up of its own accord.
Regulators are getting more intrusive and aggressive. The UK
government is now actively dealing with data protection issues with the Data
Handling Procedures in Government report published in June 2008 that set out
clear and mandatory procedures to be followed by all government employees that
have access to and responsibility for citizen data.
The report was drafted in response to HMRC’s loss of 25
million child benefit records in November 2007. As a result of this loss, and
to thwart future episodes of this type of preventable loss, all departments
placed immediate restrictions on their use of removable media, and all
departments have subsequently initiated programmes to encrypt laptops and
USB memory sticks.
All organisations—public and private—need to avoid being
caught up in the headlines for the wrong reason. In the past a good flogging by
the media appeared to shake a response from the public sector, but should we
really rely on the fourth estate to be the ultimate sanction for data loss
offenders?
It is vital that we as IT security professionals remain
aware of the acts and regulations that apply to our specific geography, market
place or industry sector. Government departments face increased scrutiny, quite
rightly, as they store more and more data on citizens.
With the current turmoil in the worldwide finance sector
there is no doubt that legislation, oversight and regulation will be under more
scrutiny than ever before. The risk is that politicians will see heavier
compliance requirements as a quick fix for managing far more complex and
difficult issues, and that will have a knock-on effect on the IT security
community.
In the meantime all we can do is keep our own house in order
and make sure we are able to deliver compliant and well managed systems to the
business. To achieve this we all need to understand our IT environments, manage
our known risk, protect against unknown risks, prevent device misuse and secure
mobile devices.