Wednesday, November 21, 2007

An inquiry should review every Government system

The scale of yesterdays admission by the Government of a catastrophic failure of basic security procedures is, as you'd expect, the talk of the papers this morning. The Government's defensive line on the incident however do not stand up to any serious scrutiny.

1: The disk was password protected but the data was not encrypted - this is sheer bloody insanity. How was the disc password protected for a start? Are we talking about a password protected zip file? Crackable in seconds and you can bet it's a dictionary word too? If it's not a zip file then what operating system dependencies are there on the protection? If the disc was entered into a machine running Linux or OSX then what happens?

2: It was a 'junior official' that did it - what is a junior official doing have read access to that data? How did they get the data? Did they extract it themselves? If so what does this say about the system's internal policy procedures that someone who should not have done this had access to production data? Who else, and how many more junior officials have this level of access to this sort of data across Government? Why do they have CD burners available to them? Remember that the Government has a vision to share our data across the whole of Whitehall.

3: The second disc was sent by registered post and arrived - whether it arrived or not is irrelevant, as is using registered post. Once the data leaves your hands into a third party then it is an unknown quantity. The trust relationship should be explicity known throughout transfer. In other words you use an encrypted tunnel and transfer electronically. This reduces the risk down to the security condition of the two systems talking to each other which is far more manageable that handing it to a bloody courier who could copy the disc enroute.

4: It is not believed the data is in the wrong hands - it doesn't matter what you believe. The minute you lose data and the potentiality of compromise is known you assume that the worst possible scenario is the case. Period. You can hope of course, but trying to reassure people that your hope is a certainty is politiking at best and dishonest at worst.

5: There will be a thorough review of what happened - this is the second time in a month that HMRC have been found to be transferring secure data by stupidly insecure means. This does not look like an isolated incident it looks like standard bloody practice. A review may bring this to light, but should it do so how many more security breaches of this kind have occured that we do not know about? Security by obscurity is not a sound model for anyone especially Government.

There are also other very serious questions that need to be raised across Government systems now. This is not just about the data on the discs. The first and foremost is whether any data of financial significance is stored on actual databases in an unencrypted format.

In the private sector, companies are heavily governed by regulations on this matter and have to meet all manner of compliancy testing else face PR hell and massive penalty fines. If the company is listed on a US market they have to meet Sarbanes-Oxley compliance which is even stricter too and can result in jail time for directors. Are Government systems anywhere close to compliance?

It is not a thorough review of this incident that is needed, there needs to be an inquiry that looks at every single Government system - central, regional and local - that holds data about the public and ensuing legislation to restore any semblace of confidence in the systems.

This doesn't mean an inquiry that asks some mandarin if something is secure. It means a full security review of architecture designs with added penetration testing. Any legislation should include a requirement for security reviews throughout new system design phases as well as regular penetration testing through the lifcycle of a project. These reviews and testing should become a part of standard operating practice. Any legacy systems found to be failing should be taken offline immediately.

What's more, there should be an Information Security Committee drawn up that oversees Government systems. This should be a body that places information security at its core, not political expedience, and it should be independent of Government. It should be made up of people that actually know about this subject and are not afraid to say "No" and block a system from going live or take a system offline when it fails to meet the required standards. There should be a ministerial level role specifically for information security and legislation should ensure that the buck stops at that position.

16 comments:

nadds said...

Dizzy

Why are these muppets posting data anyway. Haven't they got any secure FTP connections?

Amex, Visa, etc simply could not do this and if they tried to mail data, they would be liable for closure

Its like the governments data is managed by school children.

No, mistake, school kids wouldn't be that stupid

Anonymous said...

The bigger question is why did the NAO want the full data file in the first place? I can't think of any legitimate audit reason. If the NAO wanted to test the existence of people claiming benefits then they would need only a sample of hundreds, possibly a few thousand, but without bank details(would you take checking against a fraudulent bank account as evidence of existence of a valid claim?). If the auditor wanted to do some analytical reviews on the pattern of payments to look for anomalies then it would be done on anonomised data with the personal identifiers removed.

The only audit test I can think of requiring full details of all record would be to cross match the database with some other data base (may be the new child register, school or NHS records). However if they are doing that then this would be a massive breach of trust that information is only being used for the purposes for which it is supplied. I know the scum weaken the original data protection legislation removing the absolute bar of such use, but it still has to pass a test that it is "in the public interest".

Stop focusing on items lost in the mail and get to the heart of why they were doing it at all?????

Praguetory said...

Agreed.

The missing package is a red herring.

Anonymous said...

It is worrying that the NAO still thinks that auditing the accounts involves ticking individual transactions. Years ago, commercial auditors stopped doing this in favour of auditing the systems and processes to make sure they produce the right results. If they'd done that, they might have uncovered deeper problems including the poor security.

Anonymous said...

How anyone can just shove something in the post and think it's secure is beyond me. The lack of respect for the taxpayer is frightening.

Anonymous said...

Remarkable also that the NAO didn't raise the alarm as soon as it knew the data was being provided in such an insecure way.

If the NAO had spotted the breach in May when MHRC first(?) posted disks then the data loss in Nov would not have occurred.

Anonymous said...

I presume these will have been DVDs rather than CDs, if 25 million records including addresses could be squeezed onto them. Be that as it may, from the description given by the chancellor I'll bet that the data was indeed zipped with a password. And as you say, that protection should take all of 2 seconds to break.

But why, oh why, did the NAO need all the records? This question really needs to be asked - at PMQs, perhaps?

Dusanne said...

Apropos Robert Davidson's comment...one interesting contribution to the commons debate was a suggestion from one MP, who seemed to be speaking from knowledge and Darling with who took no issue, that the NAO had indeed asked for the full database, but wanted it as anonymized data. This does seem plausible, as doing some totting up over all claimants seems pretty reasonable, even if it does run against Darling's general line that really the NAO just needed a handful of records - showing just how much they are failing to get on top of the situation.

Of Dizzy's points the one that stood out to me too was (2) The 'lone junior official' theory. It's hard to imagine that the type of system that this data would be held on would have a 'dump all production data to multiple removable media' option accessible to the type of person the NAO would have initally contacted and it's hard to believe there were not several people directly involved in the breakdown.

I can't think of any organisation I've been involved with where an external auditor would directly contact someone with the required access rights and technical ability to produce a large data extract like this.

Anonymous said...

The bigger question is why did the NAO want the full data file in the first place?

They didn't. The NAO requested data on only 12 random individuals, with all identifying data removed.

HMRC though it'd be best to send over the whole database "just in case"

Anonymous said...

if a junior official has the ability to dump all this data onto DVD, what is in place to prevent a wholesale copying of government held information by criminal gangs?

The data was safer in the hands of the Royal Mail than it was in the office where it was burnt to disc.

dreamingspire said...

Dizzy's about factual stuff, so here's a bit more: Cabinet Office has an Information Assurance policy, but depts operating what I classify as 'public administration' don't have to abide by it. Just like they don't have to have for all staff a mandatory check list of other policies and even legislation (such as Data Protection law) that they must abide by and will be examined and audited on. The whole process hasn't moved on from the days of filing cabinets and batch processors.
Dr David Everett made the point yesterday in his daily news email that these depts do not have to use the provisions of the Manual of Protective Security when they are merely handling data about citizens and businesses.
And don't blame CESG, please: they have no jurisdiction in this area.

dizzy said...

CESG? I wouldn't blame them. It seems to me that practice across Goevrnment is not thorough on these matters though. CESG should probably be strengthened even more.

Anonymous said...

I'm sure they'll announce a new CIO-type position next week. And they'll pick some twat like Alex Hilton to be that bloke.

Alex said...

Answers: No, the NAO didn't ask for the full DB. No surprise that risible troll Praguetory is wanking about this.

And yes, they are CD-Rs; the total data is given as 1.2GB. A CD-R=650MB. 650
x2=1300. I thang yew!

dizzy said...

Can you define "total data"?

dizzy said...

What I mean by that is that are you saying that was the size of the data after extraction ot raw format and then compression?