My data is very personal to me so, like many other people, I take great exception when it is lost or stolen by incompetent organisations. If data is lost by a private sector company I can vote with my feet and take my custom elsewhere. This doesn't solve the data loss issue but it makes me feel a bit better.
Contrast this with a government body that loses my data. I have nowhere else to go, short of maybe leaving the country. This issue, coupled with the fact that government in all its guises handles what is my most sensitive data, presents us as citizens with a challenge—how can we make our governments handle our data more securely?
In the UK, public confidence in government, of whatever description, is extremely low. Fuelled by expense claims that fail the "reasonableness" test of the man or woman in the street, the view is that politicians, the government and the ruling classes are hopeless at best and criminal at worst. There is no sign that this confidence is returning.
Meanwhile government collects vast amounts of data that enables it to conduct its day-to-day business—licensing vehicles, paying benefits, running hospitals, tracking criminals and so on. Unfortunately it becomes a heady mix when one considers the amount of very personal, sensitive data that is being held in these databases.
Even the most personal of personal data, our unique DNA code, is now, for many people, in the hands of the government. Data loss incidents raise the cry of "something must be done" but what is that something? What can we as IT professionals do to help solve the problem?
When thinking about the government use of citizen data it quite often shocks people when they realise the amount of data that is stored across government systems. The vast majority of these databases are perfectly legitimate and form a vital tool for the administration of a country.
Here is a sample of some government databases being used, or planned, in the UK.
- The national DNA database stores records of over 4.5 million people, which is around 5.2% of the UK population. Everyone who is arrested in the UK has their DNA taken and kept on file even if they are not found guilty or even charged, which has raised some interesting civil liberties concerns.
- The National Identity Register, or ID database, is another politically sensitive database currently in the design phase. It is believed by some that over time this will contain all citizens' data as a prelude to the enforced carrying of ID cards—a very sensitive issue for the British.
- The TV licensing database contains 28 million addresses, and the DVLA database stores records of 38 million vehicles registered in the UK alongside driver and vehicle licensing information.
- The Department for Work and Pensions customer database has 85 million records that are accessible to 80,000 departmental staff plus 60,000 staff in other departments and 445 local authorities.
- ContactPoint is a database designed to hold the name, address, gender, date of birth, school and health provider of every child in England.
- The communications database is planned to centralise details of calls and websites visited by users by utilising data from phone companies and internet providers. This data will then be open for inspection by over 500 public bodies.
According to the Joseph Rowntree Reform Trust the UK government spends £16bn a year on databases and plans to spend a further £105bn on projects over the next five years.
Ultimately government needs to avoid headlines such as one that appeared in March 2009 concerning the ContactPoint database. Security flaws halted work on the database after the Department for Children, Schools and Families (DCSF) admitted that it had uncovered problems in the system for shielding details of an estimated 55,000 vulnerable children.
These include children who are victims of domestic violence, those in difficult adoptions or witness protection programmes and the children of the rich and famous, whose whereabouts may need to be kept secret.
The shielding system for vulnerable children is supposed to withdraw everything but a child's name, sex and age from the computer record that will be available to 400,000 children's services workers with access to the database.
But local authority staff who had been uploading information on to ContactPoint discovered that the shielding did not always work.
The executive director of family and children's services for the borough of Kensington & Chelsea in West London said that "Some people are seeing this as an IT issue but, in reality, it is a child protection issue."
In my view this really starts to focus one's mind on IT security issues.
The Inside Threat
I believe that the biggest threat to government data actually comes from within. Despite exciting stories of hackers breaking into government databases the vast majority of data loss incidents have stemmed from the inside threat.
I use the term inside rather than insider as I believe it better articulates this problem, which breaks down into two areas.
- Incompetent and non-malicious: e.g. I sent all of the HMRC database in the post
- Competent and malicious: e.g. I am going to steal this medical data and blackmail the patient
The incompetent and non-malicious is by far and away the most prevalent actor in any data loss incident. We have all read the headlines and seen the news reports. I guess someone leaving an unencrypted laptop on a train isn't as exciting as a targeted hacking attack, but it is the reality when it comes to government data losses.
That said, of course there are competent and malicious data loss incidents where an attacker is in a position to steal data. Again I believe a lot of this is by users who already have privileged access to the data in the first instance, and then go rogue. Espionage and break-ins are far less common.
So what steps can government take today to help prevent data loss?
Data encryption is one of the more well established data security tools. Vendors have produced a number of easy to use encryption solutions that enable users to rapidly encrypt their data, be it at file level, folder level or the entire hard disk.
Alongside these many implementations comes the inevitable downside.
For encryption this has always been key management. Relying on users to remember their encryption passwords is a risky business and can result in corporate data being locked away, sometimes never to be seen again. Clearly this is an unacceptable state of affairs and needs to be addressed before encryption is widely adopted. Unfortunately departments that have purchased an encryption solution as a tactical add-on, rather than as part of a strategic encryption roll-out, quickly realise that their quick fix ends up causing horrendous problems later on.
The most appealing aspect of data encryption is the fact that if hardware that contains encrypted data is lost the associated dramas are far less exciting. After all, only some hardware has been lost, and it contains an incomprehensible bunch of gibberish. Bad that hardware has been lost, but nowhere near as bad as if it had contained readable government data.
Strategic data encryption is a must for any system that contains sensitive data. But great care needs to be taken in rolling it out. It is vital that implementers fully understand the environment in which they are working so that all relevant hardware is encrypted. Discovery is vital—forgetting about one single USB drive may invalidate an encryption solution that has been deployed across an entire government department.
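The discovery step can be automated. As an added example (not from the article), the function below reads the JSON that `lsblk -J -o NAME,RM,TYPE,FSTYPE` emits and reports every removable disk that carries no LUKS container, which is the forgotten USB drive the paragraph warns about; the sample output is constructed, and LUKS is assumed to be the deployed container format.

```python
import json

# Added example, not from the article. Sample lsblk output is constructed and covers
# an encrypted fixed disk, an unencrypted USB stick and an encrypted USB stick.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
 {"name": "sda", "rm": false, "type": "disk", "fstype": null, "children": [
   {"name": "sda1", "rm": false, "type": "part", "fstype": "crypto_LUKS", "children": [
     {"name": "cryptroot", "rm": false, "type": "crypt", "fstype": "ext4"}]}]},
 {"name": "sdb", "rm": true, "type": "disk", "fstype": null, "children": [
   {"name": "sdb1", "rm": true, "type": "part", "fstype": "vfat"}]},
 {"name": "sdc", "rm": "1", "type": "disk", "fstype": null, "children": [
   {"name": "sdc1", "rm": "1", "type": "part", "fstype": "crypto_LUKS"}]}
]}
""")

ENCRYPTED_FSTYPES = {"crypto_LUKS"}  # assumption: LUKS is the deployed container format

def _is_removable(dev):
    # Older util-linux prints RM as the strings "0"/"1"; newer versions print JSON
    # booleans. Accept both so a mixed estate is inventoried consistently.
    return str(dev.get("rm")).lower() in ("1", "true")

def _fstypes(dev):
    """Yield the fstype of a device and of everything stacked on top of it."""
    yield dev.get("fstype")
    for child in dev.get("children", []):
        yield from _fstypes(child)

def unencrypted_removable(lsblk):
    """Names of removable disks with no encrypted container anywhere on them.
    A blank stick (no filesystem at all) is reported too: it is not encrypted."""
    findings = []
    for dev in lsblk["blockdevices"]:
        if dev.get("type") != "disk" or not _is_removable(dev):
            continue
        if not ENCRYPTED_FSTYPES & {t for t in _fstypes(dev) if t}:
            findings.append(dev["name"])
    return findings

if __name__ == "__main__":
    for name in unencrypted_removable(SAMPLE_LSBLK):
        print(f"unencrypted removable disk: {name}")  # prints sdb only
```

On a live host, replace the constructed sample with `json.loads(subprocess.check_output(["lsblk", "-J", "-o", "NAME,RM,TYPE,FSTYPE"]))` and run it from the endpoint management agent.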
Patch management, like data encryption, is one of those basic IT hygiene tasks we all need to undertake day in and day out.
The rampant success of the Conficker worm late last year was attributed to neglected patching. This included 8,000 PCs on a hospital network in Sheffield that were infected after managers apparently told staff to turn off automatic security updates. A patch, released by Microsoft in October 2008 and 3 months before the Sheffield incident, would have prevented the problem. Likewise the Ministry of Defence was still subject to a Conficker infection early in 2009.
Patches need to be tested and deployed in a controlled environment, following advice from the software manufacturer as to their urgency. Testing has traditionally been a problem, as an untested patch may end up affecting production systems, so IT managers need to take a view on the time needed to complete appropriate testing against the need to deploy a patch to combat a known exploit.
With good, well managed data encryption and a robust patch testing and deployment strategy an organisation will be a long way down the road of establishing a safe, secure and compliant IT infrastructure.
Compliance is something that all those working in IT need to get their heads around. If anything is guaranteed for the future it is the realisation of more and more rules and regulations for both the public and private sector as governments look at preventing a repeat of the current financial situation.
Even now, before any more draconian legislation is introduced, there is an awful lot that needs to be considered by organisations working in the EU. Not all of them apply to every sector, industry or geography, which makes things even more complicated when trying to unearth which acts you should be worrying about.
IT compliance in both the public and private sector is normally a good thing as it often instils good practices and procedures. On the other hand over-compliance can be detrimental, as the organisation can be bogged down in achieving a goal that delivers little direct business benefit. Medium-sized businesses often have a real struggle ensuring their systems are compliant.
Compliance failure may escape regulatory attention for a while, that is until something goes wrong and then IT systems will be explored in fine detail. This also applies when a company is being sold or floated, with newly discovered compliance failures having a direct negative impact on a business's valuation.
Ultimately compliance is a balance that legislators need to achieve, with our assistance.
As organisations switch on to the world of compliance they realise that it is far more cost effective to run compliant systems 24/7 than to hastily scrabble to clean up prior to an audit. Those days should be long gone and organisations should ideally be "audit ready" at all times, or at least strive to be.
The public sector is often revealed as having poor data security practices, and the vast majority of headlines relate to public sector organisations failing in their data protection duty. The private sector appears to have been able to hide its mistakes away from public eyes unless a data breach attracts a prosecution or the company owns up of its own accord.
Regulators are getting more intrusive and aggressive. The UK government is now actively dealing with data protection issues: the Data Handling Procedures in Government report, published in June 2008, set out clear and mandatory procedures to be followed by all government employees who have access to and responsibility for citizen data.
The report was drafted in response to HMRC's loss of 25 million child benefit records in November 2007. As a result of this data loss and to thwart future episodes related to this type of preventable loss, all departments placed immediate restrictions on their use of removable media and subsequently all departments have initiated programmes to encrypt laptops and USB memory sticks.
All organisations—public and private—need to avoid being caught up in the headlines for the wrong reason. In the past a good flogging by the media appeared to shake a response from the public sector, but should we really rely on the fourth estate to be the ultimate sanction for data loss offenders?
It is vital that we as IT security professionals remain aware of the acts and regulations that apply to our specific geography, market place or industry sector. Government departments face increased scrutiny, quite rightly, as they store more and more data on citizens.
With the current turmoil in the worldwide finance sector there is no doubt that legislation, oversight and regulation will be under more scrutiny than ever before. The risk is that politicians will see heavier compliance requirements as a quick fix for managing far more complex and difficult issues, and that will have a knock-on effect on the IT security community.
In the meantime all we can do is keep our own house in order and make sure we are able to deliver compliant and well managed systems to the business. To achieve this we all need to understand our IT environments, manage our known risk, protect against unknown risks, prevent device misuse and secure mobile devices.