15 August 2011
By John Reid
Government responses to cyber attacks have been reactive and fragmentary. No authority has a clear mandate to require better security, and the importance of cyber issues will only increase with the move to cloud computing
The US Computer Fraud & Abuse Act was the first example of a liberal democracy’s attempt to protect itself and its citizens from what are now better understood as cyber crimes or cyber attacks. Twenty-five years after the CFAA was introduced, public reports of such attacks – whether mischievous hacks, criminal frauds or state-perpetrated intrusions – have grown ever more prevalent in recent years.
Networks have transformed our economic, financial, political and social affairs. Traditional levers of power are being rendered less effective, appropriate and legitimate. The distinction between users, consumers and developers is blurring.
But the response from the authorities has been reactive, fragmentary and all too often overtaken by events. As yet there is no clear authority to mandate better security in critical infrastructures, or to develop new ways of working with the private sector. The importance of these issues will only increase as government moves towards active defence and cloud computing. The cloud’s economies of scale and flexibility bring further, and mixed, concerns for security and regulation.
The government is determined to drive down costs and drive up efficiency in the public sector. The scope for rationalising the many systems that identify its employees, contractors and customers – and deliver public services to the UK’s citizens, residents and visitors – offers the prospect of significant savings. Giving citizens a safer internet experience and access to their entitlements (including the ability to inspect their own data and to eliminate identity fraud) are outcomes not to be compromised. These are demanding requirements; in the long term, cloud computing could offer ways to achieve them simultaneously. But at present it poses major problems alongside the potential solution: problems such as the untimely but inevitable discovery that an already limited capacity for computer forensics is thwarted by clouds that conveniently span multiple jurisdictions. At its best, cloud computing holds out obvious attractions in an age of limited public resources; at worst, unless the challenges are met, it could offer the kind of security-through-diversification that the banking sector was offering on the brink of the crash, a security that turned out to be bogus.
A coherent public policy framework for trusted collaborative identity governance is fundamental.
Until now, digital forensics have been a sovereign capability. Going forward, public bodies will have to consider the consequences of surrendering a certain amount of control to the cloud provider. Similar issues will arise for corporate and third sector bodies as data comes together on any particular cloud. The Foreign & Commonwealth Office (through FCO Services) has already pointed the way via its partnership with Huddle to facilitate the sharing of classified documents.
The liberation of “big data” will have major consequences for every citizen.
The combination of sensors harvesting massive streams of data (such as smart phones) and real-time business analytics may be a marketer’s dream, but it could prove a nightmare even to the least privacy-conscious. Freeing “big data” is a major step forward into the post-bureaucratic age, but opening up government’s data cemeteries could prove a horrifying prelude to “data determinacy”: dazzling statistical precision misused to extrapolate bogus certainties about people’s lives that foreclose their chances of change.
Conversely, the uncertainties inherent to the uptake of innovation could also make cloud-based resilience achievable on healthier terms. The lessons from early adopters of cloud computing – largely in the private sector – need to be learned. The benefits are most successfully realised when going with the grain of users’ skills and aspirations. This extends to the empowerment of critical infrastructure providers and broadening and deepening their understanding of dependable software and reliable systems.
On 28 July, the Public Administration Select Committee published its much anticipated report on government ICT procurement. It described the current system as “a recipe for rip-offs”, almost operating as a cartel. Its main conclusions – opening up price and project information, widening the supplier base (especially to SMEs), and greater agility and adaptability in ICT programmes – are crucial not just to public spending but also to national security.
Not enough competition in government ICT procurement means not enough entrepreneurialism and innovation in government ICT security. Unless new approaches are rapidly deployed, government ICT security will therefore remain completely unfit to meet the challenge of innovative and entrepreneurial hackers.
Cyberspace both enriches and endangers our lives in unprecedented ways.
Today, constant vigilance is only half the task in ensuring our freedom and security. The greatest rewards will flow from unrelenting innovation – and the healthy competition and cooperation it inspires. Perhaps most significantly, this could have a positive knock-on effect to public sector productivity more widely, with gains finally beginning to rival those made in the private sector.
Lord Reid of Cardowan was both Defence Secretary and Home Secretary under Tony Blair’s government. He is now chair of the Institute for Security & Resilience Studies (ISRS) at UCL, and a principal in the Chertoff Group.
In June, he co-authored “Cyber Doctrine: a new framework for resilience”, available from http://www.ucl.ac.uk/isrs