Sunday, 11 March 2012

Cabinet Office using cyber security budget to increase risks to the public

Can someone advise, please, is there a polite way of asking can any British government tell its arse from its elbow?

The Cabinet Office want to deliver all public services over the web. Public services should be "digital by default", as they say.

The web is a dangerous place to be if you want to maintain secrecy/privacy and if there's any money around. The web is perfectly adapted to breach confidences and to steal money. Let today's Sunday Times make the point. In Chinese steal jet secrets from BAE they tell us that:
CHINESE spies hacked into computers belonging to BAE Systems, Britain’s biggest defence company, to steal details about the design, performance and electronic systems of the West’s latest fighter jet, senior security figures have disclosed.

The Chinese have exploited vulnerabilities in BAE’s computer defences to steal vast amounts of data on the £200 billion F-35 Joint Strike Fighter (JSF), a multinational project to create a plane that will give the West air supremacy for years to come ...

Professor Anthony Glees, director of the Centre for Security and Intelligence Studies ... said: “It seems the Chinese were getting plans which allow them to undermine the defence capacity of the country. It’s deeply unsettling that GCHQ [the government eavesdropping centre in Cheltenham] didn’t spot this for so long because they are the people who are meant to be leading the fight against cyber crime.”
There's a wide selection of cock-ups to choose from here:
  • With £200 billion at stake, the Sunday Times reported on 12 January 2012 that Royal Navy’s new jet cannot land on aircraft carriers. Never mind, you may say, it's only £200 billion and we haven't got an aircraft carrier anyway.
  • And three years ago, the Sunday Times reported that BT had bought equipment from China's Huawei telecommunications equipment company despite warnings that it could be used to "shut down Britain by crippling its telecoms and utilities" and that "government departments, the intelligence services and the military will all use the new BT network". Patricia Hewitt, trade and industry secretary at the time the contract was being negotiated, declined to intervene because it was "a competitive tender between two commercial companies". How very upright of Ms Hewitt not to let security interfere with competition.
But put those cock-ups aside. For current purposes, consider instead the following.

Rt Hon Francis Maude MP is the Cabinet Office Minister and according to his entry on the Cabinet Office website:
He leads on:

• Public Sector Efficiency and Reform
• UK Statistics
• Civil Service issues
• Government transparency
• Civil Contingencies
• Cyber security
• Overall responsibility for Cabinet Office policy and the Department
With his cyber security hat on, Mr Maude disposes of a budget of £650 million. Much-needed, judging by the success of GCHQ and BAE's attempts to fend off the Chinese.

With his public sector efficiency and reform hat on, Mr Maude wants to put Whitehall on the web. That's what "digital by default " means and that requires him to ignore his cyber security hat.

But it's worse than that. Digital by default requires something called identity assurance, a service which doesn't exist yet but is supposed one day to allow us all to prove who we are, over the web, while we're busy communicating with the government. The development of this service was unfunded until 31 October 2011 when Mr Maude announced that he'd found £10 million of public money to give it.

And where did he get this cyber security-busting £10 million from?

You can have 650 million guesses.

----------

Updated 23.6.14

Whitehall considers security shake-up

The government is understood to be carrying out a review of Whitehall organisations with a remit for electronic and computer security to determine any possibility of consolidation.

Informed sources say that one of the suggestions being considered is that CESG, the government's National Technical Authority for information assurance, should be separated from GCHQ, the signals intelligence agency.

That could mean the Cabinet Office taking over responsibility for CESG, with whom it has an ongoing relationship.
 "That could mean the Cabinet Office taking over responsibility for CESG". Oh God.

No comments:

Post a Comment