We have been used to myriad approaches for information security in Whitehall and other parts of the public sector in recent years. With a total of 16 agencies in Government having responsibility for information assurance on top of the individual departments, this is hardly a surprise. The Cabinet Office developed a series of hurried standards in response to the HMRC child-benefit, DVLA learner-driver and MOD personnel data losses, but it was still up to CIOs and SIROs to implement their own bespoke departmental solutions.
Often they did just that, resulting in the current patchwork of tailored security systems and solutions, reflecting the CIO’s dominant position in the last decade. It now looks like those days are coming to an end.
March’s ICT Strategy outlined a desire for shared solutions across government, both to reduce costs across Whitehall and to enable greater cross-government co-operation. The Government’s vision is for compulsory open standards in the public sector, starting with interoperability and security. This will form the basis for the development of a suite of off-the-shelf information security solutions sitting in an online “Applications Store”, from which civil servants can choose, re-use and share. In the longer term, the now long-trumpeted G-Cloud aims to provide the public sector with a common infrastructure based on these open standards in order to deliver flexible ICT solutions.
Any security architecture will need to be compatible across government, including shared services, off-the-shelf software and hardware solutions, and third-party cloud computing. A grand vision indeed, but the devil lies in the details. And government needs industry to decide exactly what those details will be.
The next 12 months is the crucial delivery period, as the new CIO Delivery Board publishes an ICT Capability Strategy. This will include establishing a set of agreed and mandatory open technical standards that will underpin all further necessary work for building a common ICT landscape. In the meantime, the National Security Adviser, Sir Peter Ricketts, is undertaking a data security review of all departments. The water is further muddied by the upcoming National Cyber Security Programme and its attached £650m of funding in recognition of cyber-attacks being a Tier 1 national security issue.
At the same time, the wider policy environment is ever more complex, which will inform the operational architecture and give officials food for thought. The Government has determined that SMEs form at least 25% of all departmental contracts, providing new opportunities for innovative suppliers. The digitalisation of government services by moving them online through single portals creates potentially new and large security headaches.
Thus a new era of transparency and openness in government activity affords citizens new opportunities, but it creates ever more risks. The localism agenda means more services will be delivered on a more diverse basis through local authorities, the private sector, mutuals and voluntary groups. The standards may be set centrally, but the delivery will be ever more local. The civil liberties agenda also continues to bubble away, with ministers demanding greater cross-government co-operation while guarding against misuse and over-collation of information by bureaucrats.
Now is the time for industry to make itself heard, both in terms of offering innovative solutions to government and acting as a trusted adviser on some of the pitfalls to watch out for in implementing the vision. Your Government needs you.
William Wallace is a former IT security adviser to the Conservative Party and was an author of the data security Green Paper, Reversing the rise of the Surveillance State. He now works at Grayling.