BBC NEWS | UK | Questions asked after data loss

Peter Tomlinson ukcrypto at chiark.greenend.org.uk
Sat, 23 Aug 2008 15:35:13 +0100


It's only about 10 years ago that a middle ranking civil servant told a 
group of us that the maintenance men had been round the offices and put 
secure locks on the filing cabinets. 50 years ago I could walk 
unchallenged into my father's office in a shared civil service building 
(numerous depts with small numbers of staff in that city shared it). 
Those civil servants had the right to buy lunch in the city centre's 
Post Office staff canteen, and there was no bar to children being taken 
along - indeed, anyone could walk in, be served (and pay the subsidised 
prices).

Today anyone with a little knowledge and some persistence can get into 
much of the govt's virtual dimensions, and the amount of information 
that they can then easily copy is vastly larger than a single filing 
cabinet of papers holds. CESG can give advice but Ministers can allow it 
to be ignored.

I'm on the BERR/Technology Strategy Board/ICO sponsored (ex DTI) 
Knowledge Transfer Network Cyber Security User Centric ID Management 
Working Group (you can take a breath now). What hope is there for 
deployment (although we hear that there may be some funding for a 
demonstrator) across the public sector with the present 1970s style 
punched card, mag tape and line printer batch computing attitude to 
information security at the top of central govt depts responsible for 
public administration? Ever heard of auditing contractors?

Peter

Ian Miller wrote:
> All of the recent reported data losses have been accidents.  Whereas
> accidents are a worry, they are nothing like as much of a worry as the
> deliberate stealing of data.
>
> It is far far harder to build systems that are proof against a determined
> resourceful and well-funded attacker, than those that are proof against
> inept personnel.  Any system where an inept employee can lose data, a bent
> employee in the same role can trivially steal it.  The stealing of data is
> also far less likely to be detected as the data-thief will avoid anything
> obvious like missing media if they possibly can.
>
> Given that HMG is manifestly incapable of building systems that are proof
> against the inept, there is no real doubt that all data collected by HMG
> will be available to any resourceful malefactor who has enough reason to
> want it.  I really don't think that the necessary change of culture within
> Whitehall to prevent this is possible.  Indeed I don't think the government
> is capable of appreciating the magnitude of the problem.
>
> Ian
>
> --
> 32 Stockwell St, Cambridge, CB1 3ND
> Tel:  +44 1223 511943	            Mobile: +44 777 5536663
> Fax:  +44 870 0514333	 (e-mail preferred to Fax)