Reported UK Data Losses - It's Worse Than You Think

It comes as no surprise to me that we're seeing a lot of news reports lately regarding lost or stolen government laptops and removable media containing personal information. In the last week alone we've seen records of 600,00 people have been lost by the Royal Navy, as well as the loss of 4000 patient records by Stockport Primary Care Trust.

The truth is, this has been happening for years and the incidents that are being reported to the press are probably only a fraction of the actual incidents. In the UK there are no legal requirements for government departments or companies to publicly disclose data losses, so you have to draw the conclusion that the only reason why the Government is being upfront about losses at the moment is because they know this is an hot issue in the press and if they didn't offer full disclose it would probably be leaked anyway.

I was watching the news yesterday when David Milliband, the Foreign Secretary, made the remark that we cannot legislate against people having their laptops stolen from cars. That's all very well but he's missing the point entirely. You can't legislate against laptop theft but you can legislate against how data is stored and protected in the first place.

Another investigation on its own isn't going to stop this from happening again. As an Information Security Consultant who has worked with both local and central government, I've seen at first hand the systems and processes that are in place governing data protection, or rather lack of them. Unless there's a fundamental change to the approach to security within the Government this type of incident will occur again and again.

Based on my own experiences, there are a number of problems with current arrangements that make these incidents likely, including a lack of clearly defined legislation governing data security, insufficient independent regulatory oversight of security in government departments, and a lack of due diligence and contracts management when it comes to outsourcing services to the private sector.

For what it's worth, here's my two pennies worth of how I believe these issues could be resolved:

1. New legislation needs to be passed mandating strict standards for government systems

The Data Protection Act is not specific enough when it comes to requirements, and can be interpreted in a number of ways. That's why the Information Commissioner has such an hard job with enforcing the requirements and issuing penalties when things go wrong. The DPA has eight principles, one of which specifically addresses data security - Principle 7:

'Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.'

The key word here is 'appropriate'. Appropriate is subjective. The interpretation of Principle 7 in the Act itself doesn't particularly help either because it uses words such as 'reasonable measures'. In guidelines produced by the Information Commissioner supporting the Data Protection Act reference is made to more specific security requirements, but it can be argued that there is nothing on the Statute book that specifies the exact minimum requirements for protecting personal data. Similarly the Act does not properly reflect new technologies and new threats.

The government could address this by first updating the Data Protection Act to strengthen requirements which I believe it is already planning, but also implement new legislation that specifically addresses security standards for Government held data. This should be something similar to the US Federal Information Security Management Act (FISMA). FISMA is a comprehensive framework that has strict requirements for all federal agencies. The UK legislation would need to make it clear that government departments are required by law to implement the requirements of the HMG Manual of Protective Security, HMG Information Security Standards, as well as the recently published Information Assurance Policy. Whilst the MPS and security standards have been around for a while now, the continuation of these types of security breaches just goes to show that they are not being properly implemented or enforced.

2. The CSIA and CESG should be given a larger budget and more powers

In 2003, the Central Sponsor for Information Assurance (CSIA) was established in the Cabinet Office with responsibilities for providing strategic direction in information assurance across all government departments, guided by a National Strategy for Information Assurance.

The Computer Electronics Support Group (CESG) is the Information Assurance arm of GCHQ (GCHQ is responsible for electronic surveillance, similar to the NSA in the US) and acts as the National Technical Authority for the UK Government, similar to the National Institute for Standards (NIST) in the US. However, if you look at the output of the CESG and need for the CESG to rely on private sector specialists to carry out work on their behalf (through the CLAS scheme), it's clear that they have a long way to go before their standards become as clear or prolific as NIST, or they have the ability address Government security in a way that NIST is doing through the FISMA Implementation Programme.

As for the CLAS programme, even though HMG Security Standards specify that that IT projects should go through formal security accreditation by a CLAS consultant, many don't.

It seems to me that both CSIA and CESG don't have the budget or resources to properly fulfil their obligations, because if they did, we wouldn't keep having to read about data losses. If the CSIA and/or CLAS had the powers and resources to carry out regular, in-depth audits of all government departments and carry out full security accreditation and certification then issues such as poor data handling procedures and lack of encryption on laptops and backup tapes would be picked up and addressed.

3. Government departments should be given a dedicate Information Security budget

This may have changed now but from what I've seen IT security expenditure is usually taken out of the general IT budget. Companies that have good security generally ring-fence approx 15-20% of their IT budget specifically for security. Government departments should do the same.

4. Government departments should be subjected to more stringent regulatory oversight

When the Nationwide Building Society was fined £1 million by the Financial Services Authority (FSA) after a laptop was stolen containing thousands of customer's banking details, this was enough of a wake-up call to other banks to finally implement the end-device security programmes that their security departments had been recommending. A good proportion of the banks are now using technology such as that provided by the likes of PointSec and Safeboot to lock down laptops and encrypt the hard drives. I personally use TrueCrypt on my home laptop which is open source (free).

Government departments should be subject to similar compliance penalties. Now I'm not one who particularly believes that financial penalties for public sector bodies is the right way to go. After all, it's tax payers money that pays the penalty and it's tax payers, not company directors or shareholders as with a PLC, who ultimately lose out because there's less money to put into government services. However, it's clear that the current situation, where the Government suffers some embarrassment and a Civil Servant is forced to hand in his resignation (sometimes, not always), is not enough of a penalty. This is a tricky one, because if the penalties are severe then the departments concerned will be less likely to publicly disclose the incident in the first place.

How about this: what if (1) a law was introduced similar to the California Security Breach Notification Law making it compulsory to publicly disclose security incidents that impact personal data, and (2) senior management and ministers are made directly accountable for any security breaches. Depending upon the severity of the incident the Civil Servant up to the Minister and finally the Secretary of State will be forced to resign (completely from Government, not just shuffled to another post) and/or personally fined. That could work?

By the way, I believe strongly that a security breach notification law should be introduced that also applies to all companies. I've seen many a security breach that has been completely covered up internally and not even reported to the authorities through fear of damage to reputation and contractual penalties.

5. Improve due diligence and contracts management for outsourced contracts

The scary thing is that large parts of government services have been outsourced to the private sector, and many of these private sector companies have not made the investment in security that you would expect when we're talking about the protection of government systems and government held data.

I've seen at first-hand how companies bid for government contracts, promise the world in the bid so that they'll win the contract, and then fail to deliver what they've promised and get away with it because the Government doesn't carry out sufficient due diligence before awarding the contract, or in-depth audits for the duration of the contracts.

The likes of EDS and Capita have large multi-million pound contracts to manage a huge proportion of government IT systems and services. Some of these contracts run for 10 years and were written at a time when security wasn't the issue it was today. Even the contracts that are written today don't go far enough to mandate security requirements. The contracts that I've seen have some reference to the Manual of Protective Security and usually state that providers should 'demonstrate compliance with' ISO 27001 - the international best practice standard for Information Security Management. However, there's a big difference between compliance and certification.

ISO 27001 certification should be a minimum requirement, at least this would demonstrate that the company has a formal security risk management and governance framework in place, and this has been independantly verified by an external auditor. However, even this does not go far enough. I help companies achieve ISO 27001 certification and I know how easy it is to get certified by simply choosing the right auditor (there's a massive difference between success criteria from one auditor to the next) and producing documentation that looks the part but does not necessarily reflect reality. Government contracts should specify in detail the exact security requirements. Instead of having security specifications which have ambiguous statements like 'Data should be protected according to risk' they should say, for example, 'data held on backup media must be encrypted, and as a minimum AES encryption with a bit-strength of 256 must be used'. This would make it clear to service providers that investment in technology such as data encryption is not optional.

As for due diligence, what tends to happen in my experience is that bidding companies are asked to provide copies of company security policies and standards. This is not good enough. Just because the security policy stipulates that a certain level of security is required that doesn't mean that it's standard practice for the company to implement it. No, there needs to be thorough due-diligence which includes in-depth investigation, inspection of systems and processes, and even visits to reference sites.

Furthermore, once the contract is awarded, it's not good enough, as is usually the case at the moment, to simply send out an annual security questionnaire to the service provider. Again, just because someone puts some good sounding words in a completed security questionnaire it doesn't mean that those answers reflect reality. There needs to be regular, full, independent audits of all aspects of the IT environment and services being provided.

Anyway, I've said my piece. How are we supposed to have trust that the UK national ID card programme will securely hold our biometric identifier, an identifier that we can't revoke or change, or that the NHS Spine, which has been contracted out to BT, will securely hold all our health records? You may think so what if someone gets hold of my personal information, they can't do anything with it. Think again. The risk of identity theft should not be underestimated. Identity theft is said to be the fasting growing crime and with a few pieces of personal information it's possible for a fraudster to take over your entire life - access your bank account, get your mail redirected, get identity documents such as passports and driving licences issued to them in your name with their photo. There's many documented incidents that prove this is happening all the time.

I worry because my details are on UK and Australia government systems!

When I read about the loss of the Royal Navy laptop it made me wonder if I could be affected. It's been over 16 years since I joined the Navy but 600,00 records were lost and there's only 36,500 personnel currently in the Navy. I know the 600,000 figure includes people who have just expressed an interest in joining the Navy but even so, it makes you wonder how many years back the records go. After all, if they're allowing full recruitment records to be copied out of a central database and onto a laptop, and they're not encrypting the laptop hard disk, they're probably not doing much to enforce the fifth principle of the Data Protection Act - ‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes'.