The UK government is not known for its world-class approach to data governance. In the digital age, it has been at the center of repeated leaks, breaches and issues. Take the infamous case in 2007 when two HMRC CDs containing personal details on 25 million children, parents and carers went missing in the post. Or more recently, a “technical issue” that led to 150,000 arrest records being accidentally wiped from national police databases. These incidents matter even more today, because every citizen in the country, bar Scotland, has just handed over a trove of personal information to the government after completing Census 2021.
As the first census of its kind to be completed and sent primarily online, it raises the question: how secure is our data? It must be kept under digital lock and key not only for today’s policymakers, but for the next 100 years.
At the Heart of Policy Making
There has been a census in the UK every decade since 1801, with the exception of the 1941 poll which fell during the Second World War. Run by non-ministerial department the Office of National Statistics (ONS) in England and Wales and the Northern Ireland Statistics and Research Agency (NISRA), the census is a vital undertaking for governments of the day. That’s because the information it collects on households and individuals is used to build an in-depth picture of society at the time, which can then be used to inform important policy decisions and allocation of resources.
As the ONS explains, census data illustrating how many people work in different jobs and sectors can be used to design employment and training policies. Information on how people get to work and how many cars they have may be used in transport and urban planning. Statistics on children can be utilized to ensure there are enough schools in local areas.
However, in a post-GDPR age of data breaches and privacy awareness, citizens are more skeptical than before about how their information is being used, and how effectively it is protected. Census data offers a complete picture of an individual’s life, from their contact details to educational background, current employment to sexual preference. This year, a controversial question was added about gender identity.
An Independent Review
It goes without saying that this data would be extremely useful to cyber-criminals, who could monetize it in follow-on fraud or, in the case of the more personal information, even online extortion. So should we be worried? After all, in 2020, data on over 200 million Americans traced back to the US Census Bureau ended up leaking online. Hacktivists have also previously claimed to have accessed citizen data in the UK, although this was later exposed as a hoax.
To better understand the current picture, we need to look at an Independent Information Assurance Review (IIAR) which scrutinized the census systems used by the ONS and NISRA, including their supply chains. The good news is that the security experts Infosecurity spoke to who had reviewed the document attested to its rigor and praised the engagement of a National Cyber Security Centre (NCSC)-certified cybersecurity consultancy, Bridewell Consulting, to conduct the IIAR.
Its co-CEO, Scott Nicholson, claims the firm left “no stone unturned” in its review of the people, processes and technology involved in Census 2021. He tells Infosecurity that it’s “very rare” to attain such a strong security posture given the level of detail his team went into. Among the internationally recognized control frameworks used in the review were ISO27001, the NIST Cyber Security Framework, the Open Web Application Security Project Software Assurance Maturity Model, the UK Security Policy Framework, NCSC principles and other guidance.
“Bridewell deployed a multi-faceted team of highly skilled and security cleared personnel to deliver the review. This covered skills across cloud security, application development, infrastructure, cyber-risk professionals and a penetration testing team to ensure a robust assessment was completed. The review covers the design, implementation and assurance activities across the program, which was to ensure that security was part of the design and after implementation was being managed effectively,” Nicholson explains.
“Any key findings were highlighted to project leads across ONS and NISRA during the assessment and prior to concluding the assessment they were re-visited by our teams and had been addressed.”
The Insider Threat
Yet as Exabeam head of security strategy EMEA, Samantha Humphries, argues, it’s virtually impossible to eradicate cyber-risk entirely.
“Unfortunately, even with the very best security posture, if someone with the technological power of a nation state is thoroughly determined to access data, as we’ve seen previously, they will throw everything against it until they can. So whilst these things are very uncommon, there is an element of risk,” she tells Infosecurity.
However, arguably the greater risks stem from insider threats – malicious or curious individuals who access info on someone they know or a celebrity and decide to leak that data maliciously or for profit.
“Having the right access controls in place is important, but it can be difficult to detect authorized personnel doing things that they shouldn’t,” says Humphries. “Curiosity is hard to spot because people can turn very quickly. If they chose to look up a famous person and find something interesting, it can quickly result in them acting on this information – risking a knock-on effect.”
There’s also the next century to consider. It’s hard to imagine where technology innovation will be even in a quarter of that time, but the advent of quantum computing, for one, will force organizations to make any encryption they use “quantum safe” within as little as a decade.
“We would expect assurance responsibilities maintained and evolved, so that data is protected and retained throughout its lifecycle,” says Bridewell Consulting’s Nicholson. “Threats are constantly evolving, as are the technologies, therefore it will be vital the controls and assurance over this data continue to also evolve to identify, protect and detect attacks.”
Convincing the Public
Perhaps the biggest risk facing the government is a loss of public confidence in its data handling, which could impact the quality of census data in future, even though citizens refusing to complete the form could face a £1000 fine. A survey in January found that 68% of Brits don’t trust the authorities with their data, the third highest in Europe. A separate poll by Exabeam this month claimed that over a quarter of UK residents (26%) are concerned about how census data will be used, rising to 35% when asked about how data will be stored. Two-fifths (41%) said they think it will be stolen by a nation state.
The problem is that, although the IIAR was welcome, it fails to share its findings in a way non-security experts would find easy to understand. There’s a double irony here: for one, the same individuals suspicious of completing census data are more than happy to overshare on social media. The other is that the government for once appears to be getting it right on cybersecurity, but is failing to convince the public, due to poor communication and a legacy of memorable gaffes.
“You should be able to trust the government, but have they acted in a way over the past few years that is completely trustworthy? Arguably no,” concludes Humphries. “Various campaigns of interference have tarnished public confidence.”