Archive for News
PCC – Tweets Aren’t Private
The British Press Complaints Commission (PCC) has ruled that journalists are within their rights to quote tweets from Twitter because they are not private.
The case centres around Department of Transport employee Sarah Baskerville’s tweets, which were quoted in two national newspapers without her consent. Ms. Baskerville complained to the PCC that she had a “reasonable expectation” that the tweets would only be accessible to her followers.
But the PCC ruled that her potential audience was much wider than that, “not least because any message could easily be retweeted to a wider audience.” She’d also neglected to restrict public access to her tweets and apparently forgot that tweets in a feed that is not invitation-only show up in a public timeline anyone can browse or search.
http://www.wired.com/epicenter/2011/02/uk-tweets-are-public-info/
And in other news, the PCC ruled that the Editor’s Code of Practice was not breached when one newspaper stated that the Pope is Catholic and bears do indeed shit in the woods.
Mourning For The City I Love
It has been devastating watching the catastrophe unfold in the city that I’ve grown to love. I’ve said before that this is the first place where I’ve truly felt settled. It’s the city we chose to live in when deciding to emigrate, and we’ve never once regretted it.
Many parts of Brisbane are now a disaster zone, including some of my favourite places. Of course buildings and places can be re-built; there’s nothing that can be done to replace the lives that have been lost.
The heart and soul of Brisbane has been damaged and it’s going to be a long time before things are back to normal.
When we’ve had visitors arrive from the UK, to give them a good taste of what’s best about Brisbane we always used to drive to Bulimba or Hawthorne and take the CityCat catamaran service down the river, around the Central Business District (CBD), and get off at South Bank. South Bank Parklands is my favourite place in the city.
The CityCat service has largely been destroyed. Not the catamarans as such, but the majority of the terminals. Similarly, South Bank Parklands have been inundated by the floods.
Images courtesy of Channel 9
It looks like it’s going to take 2 years to re-build the areas that are affected. It’s going to be a long clean-up process requiring lots of resources. More than 26,000 homes and 5000 businesses in 67 suburbs have been affected. More than 150 roads remain closed and many parts of the city are still without power.
We’ve been very lucky that we chose to move to the Redlands area. We did look at rental properties in Milton, Toowong and other inner-Brisbane suburbs which have been hit, but chose to move out here instead.
At work (the day job) we’re also looking at what we can do to help out in the community. Our engineers are already hard at work helping out our customers who have been impacted. Many customers had to invoke their Disaster Recovery plans, and we’ve got quite a few customers who need help re-building their networks to get their business up and running again. Besides that I know a lot of us want to help out with the clean-up effort in the local community. Our office is near Fortitude Valley which has been impacted by the flood, but we’re situated on a hill so the office is unaffected. We also haven’t been hit by the power cuts.
I appreciate how lucky we’ve been; that’s why I want to help out as much as possible. Our Premier, Anna Bligh, who has been doing a sterling job, says that they need two things: volunteers and money. If it’s money they need, this couldn’t have come at a worse time for us. However, while we’re short on cash I have been able to find another way that I can donate. Virgin Blue allows you to cash in your Velocity Points for cash donations. I’ve got plenty of those so that’s what I’ve done. The page to make donations from Velocity Points is here (it’s quite hard to find on their website). I’ve also signed up with Volunteering Queensland. The form for that is here.
It’s very easy to start a new year and think about personal plans (see my last post). Then something like this comes along and puts it all into perspective.
Fair and Balanced?
We’re getting closer to General Election time again in the UK and as I’m still a British citizen and eligible to vote, my interest in British politics remains. Don’t ask me why, I just can’t seem to switch it off.
With Twitter, Google Reader and iPhone apps providing an ever-constant news feed, being on the other side of the world no longer means that we expats are out of touch with events in the motherland.
With the election looming ever closer it’s interesting to see how the media is reporting political stories and portraying the three main parties. Very few of the newspapers or TV networks can honestly claim to be non-partisan but at least they make the pretence of being fair and balanced. Some manage it more successfully than others.
So it’s been particularly interesting this week to see the reporting over Lord Ashcroft’s admission of his non-dom status.
As expected, the unashamedly left wing papers have made a big thing of it, covering the story on the front pages. And then there’s the BBC.
I hold the BBC in high regard. The BBC news website is always the main source of international news for me. It generally has high editorial standards and, in most cases, can truly claim to be fair and balanced.
I am aware, however, that the BBC gets a lot of stick and is continuously accused of being too sympathetic towards Labour. I remember reading My Trade: A Short History of British Journalism by Andrew Marr, who tackled this accusation by saying BBC editorial policy per se is not biased towards Labour; it’s just that the BBC happens to attract a lot of left-leaning journalists so there ends up being a de-facto bias towards Labour. Or words to that effect.
So with a strong editorial policy you would hope that any inherent bias in a story would get a re-write by the editor before being published, and when it comes to political stories, you would hope that the editing would be top-notch particularly when the political parties have started campaigning for election.
In the case of the Lord Ashcroft story the editorial policies have clearly failed. Why haven’t the BBC put equal emphasis on Labour’s Lord Paul and other Labour peers who are non-doms and large donors to the Labour party? The same goes for the Lib Dems. Lord Paul has even reportedly stated that he would rather give up his seat in the Lords than change his non-dom status.
Some of the BBC stories have been quite misleading, and the reader could be led to believe that he’s been avoiding paying any tax for the last 10 years and completely props up the Conservative party, which simply isn’t true. He’s paid tax to the Inland Revenue on his UK earnings, he probably will have paid tax to another country on his overseas earnings (as most countries have a double-taxation agreement in place with Britain so that those earning income in the UK and overseas don’t get taxed twice on the same income), and furthermore his contributions to the Tories have accounted for less than 1% of donations this year.
Alan Johnson, the Home Secretary, has accused Michael Ashcroft of being unpatriotic. The same Michael Ashcroft who formed Crimestoppers, has raised millions for Help for Heroes and many other charities; and donated his Victoria Cross collection to the Imperial War Museum. That doesn’t sound unpatriotic to me.
At least the BBC are 100 times more fair and balanced than the network that has Fair and Balanced as its byline – Fox News.
If I was American I’d be embarrassed to have Fox News as the country’s biggest cable news network. This is a ‘Fair and Balanced’ news network that employs Republican governors, takes every opportunity it can to label Obama a Marxist or communist, and even goes as far as organising rallies against government policy (the Tea Party rallies). Aren’t they supposed to report the news, not make it? Fox News is akin to the Völkischer Beobachter – the newspaper of the Nazi Party.
Monster Password Issues
This week, the massive online job site Monster.com released a security notice that their database had been hacked, potentially releasing the personal details of millions of registered users. This isn’t the first time this has happened, and I’m sure it won’t be the last.
Leaving aside the fact that Monster doesn’t seem to be encrypting passwords in its databases, which is extremely shoddy, this is a timely reminder of the importance of thinking about how we all use passwords. The big threat with this type of attack is to people who tend to use the same password across multiple sites: if you’re a Monster.com user (or a user of one of their other international sites such as monster.co.uk), your password is now out in the open and could potentially be used to gain access to any other site you’ve registered with using that password.
So, it’s dangerous practice to use the same password across multiple sites, but at the same time there’s no way you’re going to remember different passwords for all the sites you use.
The answer to this problem is to use a password manager such as 1Password. This is a Mac application, but there are also PC password managers such as Roboform. The beauty of 1Password is that there’s both a Mac version and a free iPhone version which can be set up to wirelessly sync with each other. It also plugs into the major web browsers (I use Firefox) so that it can automatically enter your username and password into the form each time you visit a site. The way I use it is to let 1Password generate a random strong password for each site that I use, which then gets added to the application’s database. I now only have to remember one password – the password to open up 1Password. The thing you have to remember with password managers, though, is that the encryption is only as strong as the one password you use. Therefore the normal rules apply: make it long, and include numbers, letters (upper-case and lower-case) and special characters such as $.!["]?*&#, etc.
It’s basic maths. If a hacker tries a brute-force attack against your password, the time it takes to crack it depends on the size of the character set you draw from, the length of the password, and the processing power of the application and PC used to try to crack it. Just by using both upper-case and lower-case letters you double the number of characters the password cracker must try, from 26 to 52. Add numbers and the figure becomes 62, and then there are a large number of special characters you can use to add even more possibilities. Then, every extra character of length multiplies the number of possible passwords by the size of that character set, so the strength grows exponentially with length. This can be undermined, though, if the application you use doesn’t ‘salt’ your password and the hacker uses rainbow tables, but I won’t go into that here.
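To put numbers on the maths above, here is a small Python script I’ve added (it is not from the original post and not part of 1Password or any product mentioned). It computes the brute-force keyspace for the character sets named above and, for the salting point, contrasts a bare unsalted SHA-256 digest with a per-user salted, iterated PBKDF2 digest. The guess rate of one billion per second and the count of 32 special characters are assumptions for illustration only.

```python
import hashlib
import hmac
import os

# Character-set sizes from the post: lowercase only, mixed case, plus digits.
# The number of usable special characters varies by site; 32 is assumed here.
ALPHABETS = {
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + 32 specials": 94,
}

# Assumed guess rate for the illustration: one billion unsalted hashes per
# second (order of magnitude only; real rates depend on the hash and hardware).
GUESSES_PER_SECOND = 1_000_000_000


def keyspace(alphabet_size, length):
    """Number of candidate passwords an exhaustive search must cover.
    Each extra character multiplies the total by the alphabet size, so the
    total is alphabet_size ** length: widening the alphabet raises the base,
    lengthening the password raises the exponent."""
    return alphabet_size ** length


def worst_case_seconds(alphabet_size, length, guesses_per_second=GUESSES_PER_SECOND):
    """Time to exhaust the whole keyspace at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def hash_unsalted(password):
    """A bare SHA-256 of the password: identical for every user with the same
    password, so one precomputed (rainbow) table breaks all of them at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None, iterations=100_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. The salt is stored next
    to the digest and need not be secret: it makes each user's digest unique,
    which defeats precomputed tables, and the iteration count slows each guess."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_salted(password, salt_hex, digest_hex, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, digest_hex)


def same_password_same_digest(password):
    """True if two independent salted hashes of one password collide.
    With random salts this is False, which is the whole point of salting."""
    return hash_salted(password)[1] == hash_salted(password)[1]


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for length in (6, 8, 12):
            days = worst_case_seconds(size, length) / 86_400
            print(f"{name:36} length {length:2}: {keyspace(size, length):.3e} "
                  f"candidates, {days:.3g} days to exhaust")
```

Run it as a script to see the table; note that each step from 6 to 8 to 12 characters adds far more than widening the alphabet does, and that the salted function returns a different digest every time it is called for the same password.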
When using a Password Manager it’s also important to set a time out value in the settings so that you’re required to re-enter your master password after a period of time, just in case your PC/Mac/iPhone gets stolen while you have a session open.
If you are using the same password for multiple sites by using something like OpenID, it’s particularly important to make sure your OpenID password is strong.
I’m in no way affiliated with 1Password, honest, I just think it’s a particularly useful application!
You can find news of other hacked websites at The Breach Blog.
The End of Darkness?
In just a few hours time, after what’s been the longest, most expensive, and perhaps most exciting presidential election ever, we’ll know who is going to be the 44th President of the United States.
Being a political news junkie, I’ve been following the race fairly closely for the last 18 months, and, like pretty much the rest of the world outside of America, I’m praying (figuratively speaking given I’m an atheist) that Barack Obama wins.
The world can’t handle another 4 years of a Republican administration in the White House.
A while back I read Bill Clinton’s autobiography – ‘My Life’ – and he stated that although history will ultimately judge his presidency, his own view was based on a simple mental list he kept: jobs created, increased access to healthcare, increased funding for childcare, number of people lifted out of poverty, etc.
Now let’s apply that principle to George W. Bush. Here’s my mental list:
- Over 4,500 coalition troop deaths in the Iraq War and hundreds of thousands civilian casualties resulting from a war, lest we forget, which was sold to us based on the threat of weapons of mass destruction which never materialised;
- The trampling of human rights and civil liberties via the Patriot Act, Extraordinary Rendition, Water Boarding torture, Guantanamo Bay, Abu Ghraib, and other such terms we had all never heard of before 2001;
- The failure to sign the Kyoto Treaty, and furthermore, the continual effort to block and hamper the fight against climate change;
- The abysmal failure to act or show any leadership in the immediate aftermath of Hurricane Katrina’s devastation of New Orleans;
- The complete wipeout of the federal budget surplus and creation of America’s biggest ever budget deficit;
- etc, etc.
Maybe I’m being a bit unfair. On the plus side he did give record amounts of financial relief to AIDS-riddled countries in Africa, and was the first US president to acknowledge that a two-state solution was the only way to resolve the Israeli-Palestine issue.
However, on the first, the amount of money given to the fight against AIDS ($30bn if I remember correctly) now seems a pittance in comparison to the $1 trillion spent on the Iraq War to date and the $700 bail-out of the banks (a figure which looks like it could double). And on the second, what progress has been made? We seem no closer to a solution now than 8 years ago. At least 8 years ago there was no wall built around the West Bank. Given what many people believe are the root causes of 9/11, you’d think that pushing the Middle East peace process would be right up there with catching Osama Bin Laden. Yet both seem to have taken a back seat to what I believe is Bush’s number one priority – ‘Energy Security’.
I remember a few years ago visiting the White House website to see what his administration had to say about climate change. If you go there now there is a section titled Environment but a few years ago no such section existed. Yet there was a section titled Energy Security.
Some cynics may say that Energy Security was the entire basis for the invasion of Iraq. After all, we all know that the Bush family’s links to the oil companies are long and well documented.
The last 8 years have been a disaster and George W. Bush will probably be remembered as one of the worst and most unpopular American presidents ever.
So, will we see an end to this darkness?
I’m not naive enough to think that America will completely change its foreign policy and stance on climate change overnight if Barack Obama wins.
Let’s just hope it is a new direction and an Obama win will go some way to reversing the damage inflicted by 8 years of the Neo-Cons in charge.
As for John McCain, I had a lot of respect for him before this process began. I’ve read about his 6 years imprisonment and torture during the Vietnam war, and his refusal to be released ahead of his compatriots. He truly is a war hero. But the way he has fought this campaign has surely undone a lot of the goodwill many people had for him.
Some political analysts say that he has simply learnt from his 2000 campaign to become the Republican presidential nominee against George Bush. In that campaign he mainly refused to go negative and resort to nasty tactics. Bush on the other hand had no such qualms and many Americans, bombarded with adverts and push-poll phone calls, fell hook, line and sinker for the Bush campaign’s smear tactics.
McCain has clearly taken some political campaigning lessons from Karl Rove and thrown his morals out of the window. At every step he has attempted to dumb the campaign issues down to the lowest common denominator; painting complex issues as black and white, and virtually labeling Obama as everything from a terrorist to a socialist.
The soundbites coming out of the McCain team over the last few weeks since the economic meltdown have really represented a low point in intellectual debate. How many times did McCain quote Obama as using the words ‘share the wealth’, insinuating that Obama is somewhere to the left of Karl Marx with his policy of reducing income tax on the middle class, as opposed to McCain’s policy of cutting corporation tax for big business? It amazes me how that word ‘socialist’ is used in American politics. It’s as if no American has ever visited Western Europe and seen the balance between economic growth and state welfare that has given a high standard of living with free(ish) health care for all.
Obviously I’m making grand generalisations here. It’s mainly commentators on the right side of politics in America (right as in opposite to left, not right as in opposite to wrong), such as the state news channel that is Fox News that have done the most to brainwash some Americans into believing that all the issues are black and white; free-markets – good, regulation – bad; religion – good, atheism – bad; etc.
I sometimes play a little game. I put on the Bill O’Reilly show on Fox News and see how long it is until I want to throw a brick at the TV or start laughing uncontrollably in an effort to hide the tears of frustration at the ridiculousness that is the pompous, egotistical Bill O’Reilly. It’s been particularly amazing to hear his rants lately against the Democratic bias of the MSNBC news channel. Talk about ‘pot, this is kettle’.
Anyway, speaking of black and white, some commentators are looking out for the purported Bradley Effect to see if the polls are wrong and McCain can clutch victory from the claws of defeat. The Bradley Effect is a theory that many voters tend to lie in polls when asked if they voted for the black candidate because they don’t want the pollster to think that they are racist. I guess we’ll find out in a few hours time whether there are truths to this theory.
I’ve been watching the Emmy award-winning drama John Adams over the last few weeks, which is currently showing over here. I wonder what Adams, Washington, Franklin, et al. would make of the circus that now exists as a result of Article 2 of the United States Constitution? Whatever happens, these are certainly interesting times we are living through.
UK National Risk Register
The UK Cabinet Office has now made public information from the previously classified UK National Risk Register. This is available at http://www.cabinetoffice.gov.uk/reports/national_risk_register.aspx.
This seems to back up what many scientists have been saying. The greatest risk to the UK is not terrorism, or even global warming. It’s an influenza pandemic.
Google Street View
Google is facing a tough time when it comes to privacy. Only 2 days ago Google lost a court case with Viacom (the parent company of MTV and Paramount Pictures) where the judge ruled that they must hand over the log files detailing everyone who has ever accessed a YouTube video. This ruling could set a dangerous precedent. It effectively forces one company to hand over personal user information to another company (Viacom is a company after all, not a federal agency) containing personal information related to millions of users around the world. Google is appealing the decision and requesting that it be allowed to anonymise the data.
We may have the Privacy Act in Australia, and the Data Protection Act in the UK, but that means absolutely nothing when your data is hosted on a server in the US. It’s clear to me that there’s now a desperate need for international laws governing data privacy.
In another blow to Google, Google’s plans to launch Google Street View in the UK is being referred to the Information Commissioner. Google Street View is criticised by privacy advocates because it could potentially show the faces of individuals. Google can remove the image on request, which it has done for many instances in the US, but in the UK there is an argument that this could breach the Data Protection Act because they’re not getting the user’s consent before using the image.
Google is currently trialling facial recognition software in the hope of being able to automatically pixelate the face of anyone who might show up in its images.
By the way, you may not have seen the following picture. Google have taken this down now but the original photo (below) accidentally caught someone pulling a gun out on a kid at the side of the road.
I personally think Google Street View is amazing and I can’t wait for it to come to Australia. If you think Google Earth is good, check out Google Street View!
BBC – Google Faces Street Views Block
BBC – Google Must Divulge YouTube Log
Grant is Gone
Who would be a football manager? It seems that coming second in the Premier League and making the final of the Champions League (something Mourinho didn’t manage for Chelsea) isn’t good enough if you’re a manager for a club that’s owned by a billionaire.
Sadly, it looks like the top clubs in the EPL are going to start suffering the same fate as Real Madrid and Barcelona, with a constantly revolving door ushering in a new manager each season. It pains me to say it, being a Liverpool supporter, but you’ve got to admire Manchester United. Alex Ferguson achieved tremendous success in the 90s, but in the last few years when Man Utd played second fiddle to Chelsea and Arsenal the board at Man Utd kept faith with their manager. It makes you wonder how many more seasons Wenger could last in the current climate if he doesn’t deliver the Premiership trophy for Arsenal again.
I’d be embarrassed to be a Chelsea fan right now. Where is the heart and soul of the club? How can you support a club whose formula for success is to pour hundreds of millions of pounds into the club and then sack the Manager if he doesn’t achieve miracles within months of joining?
It’s a sad state of affairs.
Daylight Savings Chaos
It was chaos on Monday here in Sydney. For the very first time, the New South Wales State Government had decided to extend daylight savings a week. Unfortunately I don’t think they publicised it very well or thought through the impact, as a lot of computer software that was set to automatically adjust the time was not amended to reflect the change. I saw the result first hand when I went to the client site on Monday morning.
Microsoft quickly released a patch to fix the clock on Windows. However, the patch didn’t extend to the Calendar in Microsoft Outlook – so everyone’s appointments and meetings were out by an hour.
Apparently even many mobile phones were affected, and phone services, including the Telstra speaking clock. It comes to something when the phone company’s speaking clock is an hour wrong!
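The one-hour error described above comes from two systems agreeing on the UTC instant of an appointment but disagreeing on which daylight-saving rule to apply when converting it back to wall-clock time. The Python model below is an added example, not from the original post and not Microsoft’s or Telstra’s code; it encodes the old rule (daylight saving ending on the last Sunday of March) beside the extended 2008 rule (first Sunday of April) and shows which days are affected. The start-of-DST rule is simplified to the first Sunday of October, an assumption that does not affect the March/April dates compared.

```python
import calendar
from datetime import date, datetime, timedelta

AEST = timedelta(hours=10)  # NSW standard time
AEDT = timedelta(hours=11)  # NSW daylight-saving time

# End-of-DST rules as (month, n-th Sunday); n = -1 means the last Sunday.
OLD_RULE = (3, -1)  # last Sunday of March: what stale software still assumed
NEW_RULE = (4, 1)   # first Sunday of April: the 2008 one-week extension
# Start of DST simplified to the first Sunday of October (assumption; the
# start rule plays no part in the March/April dates examined here).
DST_START = (10, 1)


def nth_sunday(year, month, n):
    """Date of the n-th Sunday of a month; n = -1 gives the last Sunday."""
    days_in_month = calendar.monthrange(year, month)[1]
    sundays = [date(year, month, d) for d in range(1, days_in_month + 1)
               if date(year, month, d).weekday() == 6]
    return sundays[n - 1] if n > 0 else sundays[n]


def utc_offset(local_day, end_rule):
    """UTC offset in force on a local calendar day under the given end rule.
    Real transitions happen at 02:00/03:00 local; this model rounds to whole
    days, which is exact for the weekday office hours compared below."""
    end = nth_sunday(local_day.year, *end_rule)
    start = nth_sunday(local_day.year, *DST_START)
    in_dst = local_day < end or local_day >= start
    return AEDT if in_dst else AEST


def local_to_utc(local_dt, end_rule):
    """Naive local wall-clock time -> naive UTC, using the caller's rule set."""
    return local_dt - utc_offset(local_dt.date(), end_rule)


def utc_to_local(utc_dt, end_rule):
    """Naive UTC -> naive local wall-clock time, using the caller's rule set."""
    local_day = (utc_dt + AEST).date()  # pick the local day, then the rule
    return utc_dt + utc_offset(local_day, end_rule)


def displayed_offset(meeting_local, scheduler_rule, viewer_rule):
    """How far off a meeting appears when the scheduler (correct rule) stores
    it in UTC and another client with a different rule renders it back."""
    stored_utc = local_to_utc(meeting_local, scheduler_rule)
    return utc_to_local(stored_utc, viewer_rule) - meeting_local


def skew_in_hours(year, month, day, hour=10):
    """Whole hours by which a meeting booked under NEW_RULE appears off on a
    client still applying OLD_RULE (negative means it shows too early)."""
    meeting = datetime(year, month, day, hour)
    return int(displayed_offset(meeting, NEW_RULE, OLD_RULE).total_seconds() // 3600)


if __name__ == "__main__":
    # Friday before the old end date, the Monday of the chaos, and the Monday
    # after the new end date: only the week in between is affected.
    for y, m, d in ((2008, 3, 28), (2008, 3, 31), (2008, 4, 7)):
        print(f"{date(y, m, d):%a %d %b %Y} 10:00 meeting shows "
              f"{skew_in_hours(y, m, d):+d} h on a client with the old rule")
```

The defensive lesson is the same whether the client is Outlook, a phone or a speaking clock: any device that converts stored UTC to local time carries its own copy of the transition rules, so a rule change needs every copy updated (and a check on a date inside the changed window) before the transition, not after.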
We don’t have such problems in Queensland as the Queensland State Government has so far refused to adopt daylight saving hours. A backwards and stupid decision if you ask me. We’re only in Autumn and I’m already getting up in the dark and coming home from work in the dark.
http://www.news.com.au/technology/story/0,25642,23458405-5014239,00.html
Reported UK Data Losses – It’s Worse Than You Think
It comes as no surprise to me that we’re seeing a lot of news reports lately regarding lost or stolen government laptops and removable media containing personal information. In the last week alone we’ve seen the records of 600,000 people lost by the Royal Navy, as well as the loss of 4000 patient records by Stockport Primary Care Trust.
The truth is, this has been happening for years and the incidents that are being reported to the press are probably only a fraction of the actual incidents. In the UK there are no legal requirements for government departments or companies to publicly disclose data losses, so you have to draw the conclusion that the only reason the Government is being upfront about losses at the moment is that they know this is a hot issue in the press and if they didn’t offer full disclosure it would probably be leaked anyway.
I was watching the news yesterday when David Miliband, the Foreign Secretary, made the remark that we cannot legislate against people having their laptops stolen from cars. That’s all very well, but he’s missing the point entirely. You can’t legislate against laptop theft, but you can legislate for how data is stored and protected in the first place.
Another investigation on its own isn’t going to stop this from happening again. As an Information Security Consultant who has worked with both local and central government, I’ve seen at first hand the systems and processes that are in place governing data protection, or rather lack of them. Unless there’s a fundamental change to the approach to security within the Government this type of incident will occur again and again.
Based on my own experiences, there are a number of problems with current arrangements that make these incidents likely, including a lack of clearly defined legislation governing data security, insufficient independent regulatory oversight of security in government departments, and a lack of due diligence and contracts management when it comes to outsourcing services to the private sector.
For what it’s worth, here’s my two pennies worth of how I believe these issues could be resolved:
1. New legislation needs to be passed mandating strict standards for government systems
The Data Protection Act is not specific enough when it comes to requirements, and can be interpreted in a number of ways. That’s why the Information Commissioner has such a hard job enforcing the requirements and issuing penalties when things go wrong. The DPA has eight principles, one of which specifically addresses data security – Principle 7:
‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’
The key word here is ‘appropriate’. Appropriate is subjective. The interpretation of Principle 7 in the Act itself doesn’t particularly help either because it uses words such as ‘reasonable measures’. In guidelines produced by the Information Commissioner supporting the Data Protection Act reference is made to more specific security requirements, but it can be argued that there is nothing on the Statute book that specifies the exact minimum requirements for protecting personal data. Similarly the Act does not properly reflect new technologies and new threats.
The government could address this by first updating the Data Protection Act to strengthen requirements which I believe it is already planning, but also implement new legislation that specifically addresses security standards for Government held data. This should be something similar to the US Federal Information Security Management Act (FISMA). FISMA is a comprehensive framework that has strict requirements for all federal agencies. The UK legislation would need to make it clear that government departments are required by law to implement the requirements of the HMG Manual of Protective Security, HMG Information Security Standards, as well as the recently published Information Assurance Policy. Whilst the MPS and security standards have been around for a while now, the continuation of these types of security breaches just goes to show that they are not being properly implemented or enforced.
2. The CSIA and CESG should be given a larger budget and more powers
In 2003, the Central Sponsor for Information Assurance (CSIA) was established in the Cabinet Office with responsibilities for providing strategic direction in information assurance across all government departments, guided by a National Strategy for Information Assurance.
The Communications-Electronics Security Group (CESG) is the Information Assurance arm of GCHQ (GCHQ is responsible for electronic surveillance, similar to the NSA in the US) and acts as the National Technical Authority for the UK Government, similar to the National Institute of Standards and Technology (NIST) in the US. However, if you look at the output of the CESG and the need for the CESG to rely on private sector specialists to carry out work on its behalf (through the CLAS scheme), it’s clear that they have a long way to go before their standards become as clear or prolific as NIST’s, or they have the ability to address Government security in the way that NIST is doing through the FISMA Implementation Programme.
As for the CLAS programme, even though HMG Security Standards specify that IT projects should go through formal security accreditation by a CLAS consultant, many don’t.
It seems to me that both CSIA and CESG don’t have the budget or resources to properly fulfil their obligations, because if they did, we wouldn’t keep having to read about data losses. If the CSIA and/or CLAS had the powers and resources to carry out regular, in-depth audits of all government departments and carry out full security accreditation and certification then issues such as poor data handling procedures and lack of encryption on laptops and backup tapes would be picked up and addressed.
3. Government departments should be given a dedicated Information Security budget
This may have changed now but from what I’ve seen IT security expenditure is usually taken out of the general IT budget. Companies that have good security generally ring-fence approx 15-20% of their IT budget specifically for security. Government departments should do the same.
4. Government departments should be subjected to more stringent regulatory oversight
When the Nationwide Building Society was fined £1 million by the Financial Services Authority (FSA) after a laptop was stolen containing thousands of customers’ banking details, this was enough of a wake-up call to other banks to finally implement the end-device security programmes that their security departments had been recommending. A good proportion of the banks are now using technology such as that provided by the likes of PointSec and Safeboot to lock down laptops and encrypt the hard drives. I personally use TrueCrypt on my home laptop, which is open source (free).
Government departments should be subject to similar compliance penalties. Now I’m not one who particularly believes that financial penalties for public sector bodies is the right way to go. After all, it’s tax payers money that pays the penalty and it’s tax payers, not company directors or shareholders as with a PLC, who ultimately lose out because there’s less money to put into government services. However, it’s clear that the current situation, where the Government suffers some embarrassment and a Civil Servant is forced to hand in his resignation (sometimes, not always), is not enough of a penalty. This is a tricky one, because if the penalties are severe then the departments concerned will be less likely to publicly disclose the incident in the first place.
How about this: what if (1) a law was introduced similar to the California Security Breach Notification Law making it compulsory to publicly disclose security incidents that impact personal data, and (2) senior management and ministers are made directly accountable for any security breaches. Depending upon the severity of the incident the Civil Servant up to the Minister and finally the Secretary of State will be forced to resign (completely from Government, not just shuffled to another post) and/or personally fined. That could work?
By the way, I believe strongly that a security breach notification law should be introduced that also applies to all companies. I’ve seen many a security breach that has been completely covered up internally and not even reported to the authorities for fear of damage to reputation and contractual penalties.
5. Improve due diligence and contracts management for outsourced contracts
The scary thing is that large parts of government services have been outsourced to the private sector, and many of these private sector companies have not made the investment in security that you would expect when we’re talking about the protection of government systems and government held data.
I’ve seen at first-hand how companies bid for government contracts, promise the world in the bid so that they’ll win the contract, and then fail to deliver what they’ve promised and get away with it because the Government doesn’t carry out sufficient due diligence before awarding the contract, or in-depth audits for the duration of the contracts.
The likes of EDS and Capita have large multi-million pound contracts to manage a huge proportion of government IT systems and services. Some of these contracts run for 10 years and were written at a time when security wasn’t the issue it is today. Even the contracts that are written today don’t go far enough to mandate security requirements. The contracts that I’ve seen have some reference to the Manual of Protective Security and usually state that providers should ‘demonstrate compliance with’ ISO 27001 – the international best practice standard for Information Security Management. However, there’s a big difference between compliance and certification.
ISO 27001 certification should be a minimum requirement; at least this would demonstrate that the company has a formal security risk management and governance framework in place, and that this has been independently verified by an external auditor. However, even this does not go far enough. I help companies achieve ISO 27001 certification and I know how easy it is to get certified by simply choosing the right auditor (there’s a massive difference between success criteria from one auditor to the next) and producing documentation that looks the part but does not necessarily reflect reality. Government contracts should specify in detail the exact security requirements. Instead of having security specifications which have ambiguous statements like ‘Data should be protected according to risk’ they should say, for example, ‘data held on backup media must be encrypted, and as a minimum AES with a 256-bit key must be used’. A clause like that can actually be tested: either the backup media are encrypted with a 256-bit key or they aren’t. This would make it clear to service providers that investment in technology such as data encryption is not optional.
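To show what a checkable clause of that kind looks like in practice, here is an added example (not code from the original post or from any supplier mentioned in it) that seals a backup blob with AES-256-GCM and refuses any key that is not 256 bits, so a shorter key fails the check instead of quietly passing. The function names, the `MinKeyBytes` constant and the sample payload are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// MinKeyBytes encodes the hypothetical contract clause from the text:
// AES with a 256-bit key, i.e. exactly 32 bytes. (Assumed for this example.)
const MinKeyBytes = 32

// ErrWeakKey is returned when a key shorter than the mandated 256 bits is offered.
var ErrWeakKey = errors.New("backup key is not the mandated 256 bits")

// SealBackup encrypts one backup blob with AES-256-GCM and returns
// nonce || ciphertext || tag. GCM gives integrity as well as confidentiality,
// so a tampered backup is rejected on restore rather than silently corrupted.
func SealBackup(key, plaintext []byte) ([]byte, error) {
	if len(key) != MinKeyBytes {
		return nil, ErrWeakKey // AES-128 or AES-192 keys do not satisfy the clause
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per backup; GCM must never reuse a nonce under one key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenBackup reverses SealBackup and fails if the key is wrong, the key is
// too short, or any byte of the sealed backup has been altered.
func OpenBackup(key, sealed []byte) ([]byte, error) {
	if len(key) != MinKeyBytes {
		return nil, ErrWeakKey
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed backup too short to contain nonce and tag")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	// Constructed sample: a random 256-bit key and a toy backup payload.
	key := make([]byte, MinKeyBytes)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	payload := []byte("constructed backup payload: customer records would go here")

	sealed, err := SealBackup(key, payload)
	if err != nil {
		panic(err)
	}
	restored, err := OpenBackup(key, sealed)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(restored, payload))

	// The clause is enforced: a 128-bit key is rejected outright.
	_, err = SealBackup(key[:16], payload)
	fmt.Println("AES-128 key rejected:", errors.Is(err, ErrWeakKey))

	// Integrity: flipping one ciphertext bit makes the restore fail.
	sealed[len(sealed)-1] ^= 0x01
	_, err = OpenBackup(key, sealed)
	fmt.Println("tampered backup rejected:", err != nil)
}
```

The point for a contract auditor is that `len(key) != MinKeyBytes` is a yes/no test that can be written into an audit script, whereas ‘protected according to risk’ cannot. Key storage and rotation for the backup key are out of scope here and would need their own clause.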
As for due diligence, what tends to happen in my experience is that bidding companies are asked to provide copies of company security policies and standards. This is not good enough. Just because the security policy stipulates that a certain level of security is required, that doesn’t mean that it’s standard practice for the company to implement it. No, there needs to be thorough due diligence which includes in-depth investigation, inspection of systems and processes, and even visits to reference sites.
Furthermore, once the contract is awarded, it’s not good enough, as is usually the case at the moment, to simply send out an annual security questionnaire to the service provider. Again, just because someone puts some good-sounding words in a completed security questionnaire, it doesn’t mean that those answers reflect reality. There need to be regular, full, independent audits of all aspects of the IT environment and services being provided.
Anyway, I’ve said my piece. How are we supposed to trust that the UK national ID card programme will securely hold our biometric identifier, an identifier that we can’t revoke or change, or that the NHS Spine, which has been contracted out to BT, will securely hold all our health records? You may think: so what if someone gets hold of my personal information, they can’t do anything with it. Think again. The risk of identity theft should not be underestimated. Identity theft is said to be the fastest growing crime, and with a few pieces of personal information it’s possible for a fraudster to take over your entire life – access your bank account, get your mail redirected, get identity documents such as passports and driving licences issued to them in your name with their photo. There are many documented incidents that prove this is happening all the time.
I worry because my details are on both UK and Australian government systems!
When I read about the loss of the Royal Navy laptop it made me wonder if I could be affected. It’s been over 16 years since I joined the Navy, but 600,000 records were lost and there are only 36,500 personnel currently in the Navy. I know the 600,000 figure includes people who have just expressed an interest in joining the Navy, but even so, it makes you wonder how many years back the records go. After all, if they’re allowing full recruitment records to be copied out of a central database and onto a laptop, and they’re not encrypting the laptop hard disk, they’re probably not doing much to enforce the fifth principle of the Data Protection Act – ‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes’.
