I’ve said before, government information security is pretty good. We’ve had leaks and data losses in the past – noticeably “low tech” problems. In terms of issues in the public domain involving technology, there’s a pretty good story to tell.
However, times are different now, there is no money left. There’s a lot of security controls in place to mitigate against risks. Is it time to accept some of these risks and pare down the controls ? Let’s look at what can be done, comparing against a normal large business as our “sanity control”. Similarly, most businesses do not have to deal with “life and death” information, so I’m not considering that classification of information.
Government policy will not allow a wide area network to be run without complex encryption over the top. So, whilst most companies buy MPLS from the likes of Cable and Wireless and BT, government will do the same, then overlay a complex and expensive VPN. Removing this as a mandatory requirement would reduce costs in future, and even for currently deployed networks there’s a need to support all these extra boxes (and give them power, cooling). Plus, removing the extra encryption would improve speeds! As long as the migration cost is less than the support cost, everyone wins!
There’s a requirement for hard-disk encryption. Most corporates have woken up to this as an issue, and central government is no different. However, rather than effectively mandating a few, expensively approved products, perhaps the use of common commercial alternatives would save tens of pounds per machine.
VPN is another common business operation. Again, common in Government but mainly done with exotic VPN products you’ve never heard of. Ditch this, and go with Juniper and Cisco that everyone else uses. Many corporates will provide webmail for their employees. This will allow employees to access their email, probably from their home PC. This might alleviate the need for a blackberry, laptop and so on. You just won’t see this on a central government system. So, provide this and see mobile comms costs tumble.
Each government department is an autonomous organisation. They are joined up via the “Government Secure intranet”. This is a private WAN used to ship email and allow access to each others private websites. For email, if you’re feeling bold you could enforce TLS between your partners, or have a select few use PGP. But use the internet like everyone else. And when business want to share information, they setup VPNs over the internet. Do all this, and scrap the GSi
You’ll note none of these suggestions are fundamental. I’m not suggesting everyone run linux, or some sort of single, unified IT system. Mainly because change == cost, and drastic change == lots of cost.
However, there has to be a downside, and that is risk. Our attackers will have an easier ride, and those who seek to get at our information will have more success. As cyber-terrorism becomes a reality, would we be setting ourselves us for attack? At the more trivial end there’s bound to be stories about Nigerian scammers getting into government accounts.
The controls that are in place are not there because some security nerd wanted to install the latest gizmo. The question is therefore, is there anyone senior enough to take these decisions and also genuinely accept the risks and guaranteed issues?