The IT industry, unsurprisingly, is at pains to reassure the public that IT systems are safe and secure. The government is even more anxious that we should believe this to be so. Public confidence in IT security is thought to be vital to the growth of the economy. The population must be convinced that despite the continual stream of evidence to the contrary, the government and corporate institution, are looking after theirinterests.
Ok, you’ve already worked out that I take a rather more jaundiced view but this isn’t just paranoia and posturing. It is a view developed and hardened through 40 years experience in both public and private sector IT in the City, in Europe, in the States and in North Africa.
The vulgar reality is in my view , that if your data is on-line, it is not confidential, it is not safe.
There are a number of reasons why this is case but this I think, is the most important, the holders of the information have greater priorities than data security.
The priority may be the pursuit of profit as in the case of private companies and large corporate organisations, or it may be service delivery, or getting the job done, as in much of the public services but approve of the motivation or not, the reality is that security gets only as much attention as is absolutely necessary to comply with the law and even then, only when the law is actively enforced. Privacy, the punters privacy, gets almost no attention at all.
There are always other more peripheral issues as well, such as lack of resources, ignorance and plain stupidity but in the end it comes back to the same thing, security is not the main priority.
I’m probably not going to convince you by reasoned argument, any more than I have ever been able to convince senior managers that their systems are vulnerable, or rather that they are vulnerable and that that is important enough to make it a top priority. The priority of a successful,"go getting", "customer focused", "high flying" manager is always, first and foremost, to keep their jobs and then to move on to a higher salary. Nothing wrong with that in itself, but it is not IT. If you’ve ever wondered why such fortunes are spent on consultants to install, develop and run corporate and public sector systems, it is quite simply this: if a manager is seen to be engaging large, well known companies to select, install, develop or support their systems, then they can hope to seen as blameless when things do go wrong.
If a manager attempts to understand the problems themselves or if they use in-house staff, with genuine expertise on the systems employed and even more importantly, with expertise on the way those systems are used and how that use relates to other systems within an organisation, then if an error is made, it may not be possible to restrict the flack to the foot soldiers. Some of the bric bats may fly in the direction of the manager. As he or she is responsible for the staff employed on the project,, issues may be raised about "failing to provide adequate resources", "insufficient training", "lack of supervision" and "lines of communication". It may be suggested that manager was "not keeping their eye on the ball" nor "their finger on the pulse".
Security in transmission.
Many of us now know about or have at least heard of things like data encryption, public key exchange and all the other security paraphernalia which is talked about to reassure the public that their data is safe from prying eyes. Well the good news is that where encryption is in place and is used properly, it can be pretty good. Yes I know there are all sorts of issues and vulnerabilities including password selection but in many practical situations, the stuff going over the wire between your PC and the servers web site, can be very hard to crack. The bad news is that much of the time, at critical moments, encryption may not be used at all and where it is the weakness that are exploited by crackers have little to do with transmission of encrypted information but are in the myriad of supporting systems both technical and non-technical, disgruntled employees and what is called "social engineering" are usually far easier methods of attack.
Most of us have heard of instances of files left on trains or in taxis, stolen laptops and lost thumb sticks but they are rarely discussed in the context of data transmission which is always assumed to be by secure electronic transmission mechanisms. When electronic data was on mainframes with access only possible by wired terminals printout was produced centrally, their was an audit trail and you had to sign for any any copies of the output. Now with local area networks, wireless networks, e-mail, thumb sticks and desktop printers accessing "confidential" data can be almost trivial to achieve but below is another vulnerability in data transmission that's almost comical until you think about the possible consequences.
An example from the Public Sector.
I was administering a database system for a city authority which was used to process data on public health, trading standards, environmental health, noise pollution, health and safety, that kind of thing.
Under central government aegis a new system was being developed that would integrate data from multiple authorities into a much "bigger" and "better" centralised management system. You’ve heard of this kind of caper many times before I suspect. In this instance, other than a small group of enthusiasts who saw and were excited by, the potential, few gave more than fig for the development but hey! there was central government funding involved, it cost the authority nothing to do it, there were expenses available for the participants and regardless of outcome, there was a profit to be made by the developers. As a bonus the authority got it’s data cleansed by a major corporate credit agency for nothing and even I approved of that.
There came a point in the system development cycle when the developers needed a substantial quantity of real data with which to test and subsequently demonstrate, the new system. I was asked to provide this data on magnetic media to the development company which was about 100 miles away.
Now there was no reason on earth, that I could see, why we could not use secure electronic transmission systems to move the data but no, my objections were over ruled, the data needed to be archived on to CDs and physically sent to the developers.
I explained the risks to the Senior Service Manager and the Assistant Director and invited them to consider what might happen if
a) personal details, witness statements, complaints and prosecution evidence got into the wrong hands and
b) what repercussions there might be if knowledge of a) got into the hands of the press (this being a far more worrying prospect from the perspective of the elected members)..
If the data was not to be sent electronically we needed I insisted, to use a secure data courier service.
But, you know, the council had a policy. As part of that policy the council had a contract and the council had confidence in the terms of that contract and a courier service had succeeded in the competitive tender process for that contract and the long and the short was that we had to use that service. That, you see, was the priority, ensuring that their was a process of competitive tendering and that everyone was sticking to the rules. Follow the agreed procedure and no one, well no senior manager, could be held to blame if things went wrong.
I was aghast when the package was picked up by a hippy on on a bicycle.
Now I have nothing against hippies, on or off bicycles. I was one myself back in the late 60s and early 70’s, just a hippie that is, I was never to be seen on bicycle at that time but I was concerned there was no formal handover, no documentation, no locked case chained the cyclists wrist, it was just a hippy on a bicycle. He threw the package into a loose shoulder bag with lots of other packages and pedaled off down the road.
Well the package did arrive, as I know you’ll be glad to hear and as far as we know, and the reality is we don’t know at all, without being copied while in transit. I called the software company to ask if they had seen the package arrive at their premises as I was curious as to how this pedal power crew were getting packages cross country. Well surprise, surprise, the package was delivered by the post office parcel service along with a lot of other packages, and no, it wasn’t registered, recorded or special D.
Security, you wish!..
Scott McNeally founder and then CEO of SunMicrosystem a member of the Online Privacy Alliance, said, way back in 1999, in regard of the internet of things, "You have zero privacy anyway. Get over it".
Clifford W Fulford