Is it me?
Or does anyone else, when seeing "gov and IT" in the same story, expect to see "loads of cock-ups, millions of pounds lost..."?
I'm sure IT wasn't meant to be like this. In the early days, there was so much hope.
The Cabinet Office is failing to coordinate the UK's government departments' efforts to protect their information according to a damning report by the National Audit Office. The NAO found that the Cabinet Office failed in its duty and ambition to coordinate and lead government departments’ efforts in protecting such …
Ah yes, the paperless office! Back then, in the golden days when strong AI was "just around the corner", and people so easily mistook science fiction for reality.
I still recall a wonderful cartoon from (I think) "Computer Weekly", maybe in the early 1980s. It showed two people in an office setting, manoeuvring carefully past each other in a doorway. The man is carrying a huge, tottering pile of books, folders, papers, tapes, disks, etc. that reaches well above his head. The young woman asks him, "What on earth is that?"
To which the immortal reply is: "This is the documentation for the new paperless office system".
A paperless office is not quite possible, because it is based on the belief that all your clients and service providers are also paperless.
However, if you have big printers, you certainly can purchase a proper document system and only ever print out what has to be sent by snail mail (so live with much smaller printers); the rest can be kept digital. Anything that comes in can be scanned, identified, and stored in your document repository in the right folder ... takes less room, costs much less, and saves trees ... if you are not doing that, then you're holding it wrong!
Until there is due respect given to people's data in governmental policies, there will be no proper provisions in place, or planned for. Protection and privacy of data is dead until this is done. You can only take steps yourself, which seems to, more often than not, mark you out as someone who is trying to hide something.
This extends into the private world, since companies will usually 'comply'* with local law.
This current state of affairs leaves me feeling incredibly sad and tired.
*Or, like right now, just wing it until they get caught and are fined inversely proportionately.
I keep running up against shock from members of the public that the government doesn't take the same care of personal data that the public expects government to take of personal data. It seems to have escaped attention that the government openly declared in 2013, and implemented in 2014, changes to the way that government classifies and handles data that contain an implicit assumption that data can and will leak and that government will not spend a lot of time and resources preventing leaks. See: Government Security Classifications; note that on page 17, "Threat Model and Security Outcomes", there is acceptance that "a risk based decision has been taken not to invest in controls to assure protection against [determined threat actors]."
Add this more relaxed attitude to the security of personal data to the confusion caused by the new marking of OFFICIAL, which now covers a range from the old unclassified to confidential, and it's not too surprising that many government departments are confused about what they should be doing.
Government guidance says "commercial practice" but is that at the level of (say) a bank or at the level of Talk Talk? The guidance doesn't say. Also unlike commercial practice the government is not going to hand out compensation if it loses your data.
"If not, perhaps they should share their infosec methodologies with other government departments."
Errm, what do you think they already do? There's a GCHQ outfit called "CESG".
"As the Information Security arm of GCHQ, we protect the vital interests of the UK by providing advice on Information Assurance Architecture and cyber security to UK government, critical national infrastructure, the wider public sector and suppliers to UK government."
Well, as any GCHQ spook allegedly needs to be approved by someone called the National Security Agency before hiring, let's look at their best practice (pre-Snowthing):
There's no such thing as 'secure' any more. The most sophisticated adversaries are going to go unnoticed on our networks. We have to build our systems on the assumption that adversaries will get in. We have to, again, assume that all the components of our system are not safe, and make sure we're adjusting accordingly.
Refreshing stuff from December 2010: http://www.dailytech.com/NSA+Switches+to+Assuming+Security+Has+Always+Been+Compromised/article20424.htm
It's OUR data, not yours.
As with ALL governments.
Most "government" is actually CITIZENS data, which they demand from their citizens or subjects.
And a lot of the time the voters would prefer neither to give it nor that it be stored in the first place.
No wonder the typical (so called) civil servant is confused about security.
On the one hand, civil servants working for HMG are building a modern STASI in Cheltenham, a STASI which depends on EVERYONE ELSE'S security being s**t so that they can hoover up emails, bank records, phone records, phone conversations, web browsing histories, mortgage records, and on and on and on........
And on the other hand, these confused civil servants are wondering why on earth they need to harden the business systems which they use every day.
.....no wonder it's chaos.
"On the one hand, civil servants working for HMG are building a modern STASI in Cheltenham"
That really is a consignment of geriatric shoe-menders, stupid scare-mongering of the worst kind. GCHQ has advised the public and industry to tighten up their security for as long as I can recall. They publish, openly, detailed guidance on how to best protect information on-line. They are deeply involved via initiatives such as Cyber Essentials and their support for IASME in helping industry, the civil service and individuals to become aware of what needs to be done and to do it. This is about as far away from the childish picture of "STASI" as it is possible to be.
The problem is not the body tasked with establishing best practice in government security and with operating the UK's response to cyber threat, it is with the fact that the people who should be looking after our data do not take their responsibilities seriously.
What would be really interesting is to hack in and find out what they actually store on us. They being some nosey small minority of us given carte blanche to ensure the rest of us are not allowed to argue. Have you noticed the lack of protests, strikes, demonstrations, even the lack of pop protest songs? Everyone who even thinks it is locked up. The fact the government has no ability to look after data doesn't stop them collecting exponentially more of it and stupidly sharing it with anyone and everyone.
Stasi... Gestapo... nope, those guys never held a candle to the groups at NSA and GCHQ and the governments that fund them.
"perhaps you have never heard of Edward Snowdon"
You're right, I haven't. Did Mr Snowdon do anything of interest? Or are you getting him confused with Edward Snowden?
BTW, if you want to look less like a net-loon, stop typing lines of full stops between words. It's the web equivalent of writing in green ink. An ellipsis, used to indicate something has been omitted from text, is just three dots. A simple, coherent argument will get your point across. Pointing fingers and shouting STASI! is about the best way to get people to ignore your comment as that of someone bereft of clue.
I hate to say it but the picture presented is always a #vendor-backed fluffy one, no wonder it's a steaming pile. Some dip-stick 5, 10, 20 years ago set them on a path they cannot deviate from (likely because the corrupt ministers and upper management have shares); they have to buy in lots of things from established vendors and there is no question legacy systems have to be maintained with the cost directly from the tax payer.
Half the stuff they know to be expensive, old s**t; I know, I've spoken to people in Government IT. Nobody seems to have the wherewithal or backbone to question what is going on. Take Gov UK Verify, for example... They built a system to allow private businesses (with a history of data breaches) to gain legitimate access to your data so the government can use it from them. WTF!
As usual, I think we need stronger opinions, more public information and a complete ban on procurement from any vendor that has even one outstanding bug between two terms of service, with a cap of 5-year terms of service. As a private sector business owner, you won't believe the crap some private buyers try to pull. Whilst I don't advocate for douchery, perhaps for something so tied to the public pocket we need a lot more oversight.
Biting the hand that feeds IT © 1998–2019