Not a particularly snappy and exciting subject for a first blog post. Nor is it a subject free from the danger of upsetting anyone; in fact I would say it’s a political hot potato! That said, one of my favourite quotes is from Aristotle and is simply this: “to avoid criticism, say nothing, do nothing, be nothing”, so in that spirit I’ll give it a go and offer some slightly opinionated commentary on the subject.
For the uninitiated, and in summary, GCHQ (the National Technical Authority) is in the process of a dramatic overhaul of the existing data classification programme. The formulation of this programme (GPMS) is still progressing and subject to change before it is officially unleashed upon the public sector next year. However, indications are that the PRIVATE (Impact Level 2), RESTRICTED (IL3) and CONFIDENTIAL (IL4) classifications will move across to a single classification called “OFFICIAL”. The higher levels of classification, SECRET (IL5) and TOP SECRET (IL6), the apex of the security pyramid, will prevail. Or so we believe. I caveat that the situation still has a degree of fluidity, and I can only comment upon the detail that has so far been discussed within the various forums.
There is no doubt that, whatever the final detail, this will have profound and far-reaching implications across all security decisions throughout the public sector. There will be a huge degree of complexity and, with it, market confusion. That said, I have chosen the subject of encryption because it provides a good lens through which we can start to understand these implications: the choice of encryption technology is/was fixed and aligned to the old/current CESG Accreditation Scheme (CAPS), and the GPMS will act as the proverbial nuke to that system.
Common criticisms of the CAPS programme (with maybe one or two of my own thrown in) are:
- It was too expensive, and the costs of accreditation and certification were invariably passed on to customers who had to pay more for certified technology.
- It was far too slow. It lagged behind the pace of technology innovation, which meant that customers buying CAPS products were often buying old technology, technology that was not as new, good or capable as that available to their potential adversaries, for example. And the gap was widening at an exponential rate.
- To attain certification, some functionality may have been restricted or removed, which compounds the above, because customers often knew they were paying more money for less functionality and less capability.
- It created a culture whereby IT and security practitioners would use these products in anger, and then defend bad decisions or inappropriate use of technology by producing certificates that would in some way validate their choices.
- Where there were gaps, areas that had no certified products, nothing was used! Email encryption is a well known and much used example. This culture of defending the decision with a certificate meant that it was deemed safer to ignore a problem than to use a commercially available product that would function perfectly well up to a certain level, albeit uncertified. There is a collection of rather embarrassing anecdotes doing the rounds on this specific subject. This subject is a whole blog post in and of itself; however, here is one to whet your appetite regarding email encryption: http://www.computing.co.uk/ctg/news/2120226/blunkett-france-tapped-uk-government-emails
- The scheme was not commensurate with the reality of handling RESTRICTED data as a whole. For example, a Baseline CAPS product would need a strong HMG algorithm, long and complex passwords, and GCHQ-generated key material, yet once data was out of the digital domain and into the analogue, printed domain, to say the controls were somewhat weaker would be an understatement. The effects of this would often manifest themselves in some bizarre decision making when it came to the classification of data and data types: decisions that focused on making processes easier as opposed to classifying the data appropriately.
There are more, but I think the point is made, a point with which the National Technical Authority actually pretty much agrees, or at least their recent actions would seem to suggest so: it’s broken, no longer relevant, falling further behind and needs fixing with some urgency.
To compound this further, GCHQ’s customer base is expanding exponentially as we all scramble to get UK PLC ready to defend itself in the brave new interconnected world of the Cyber Domain.
In light of the above then, do I think GPMS is a good thing? On balance and from what I’ve heard the answer is an emphatic yes! My main reasons for this view are:
- It will move the public sector away from the unhealthy bureaucratic culture of defending decisions based solely upon certification.
- It will require the public sector to make its own decisions regarding security: decisions that will be local, and made with local context. For example, decisions that take into account the risks, the threats, the impacts and, crucially, the business requirements of each organisation.
- It will enable better data classification decisions to be made. This will open up new choices for customers, e.g. can we use COTS technology? Can we implement a Cloud Service? Can we utilise technology we may already own, e.g. BitLocker? There! I’ve said it! Tin hat goes on.
- Crucially, and above all, accountability moves to the business and data owners, where it should be: locally, and where context can be applied. As with everything in life, context is critical in order to provide rationale and reasoning.
Speaking from the industry perspective, another effect of the GPMS will be a rapid reconfiguration of the technology and service market in this space. This is great! It has been needed for a long time, and I am convinced it will come as a breath of fresh air to the benefit of us all. We will all need to up our game; we will all need to innovate; we all have a more consultative role to play, because the National Technical Authority needs to have a wider effect across a much wider customer base, and to do so they need to complete their evolution into an organisation that provides guidance and support rather than mandate and certification.
GPMS will make customers responsible and accountable for data classification and data protection decisions. This will enable them to explore new technologies and techniques. It will give them access to new ideas and new technology. It will enable them to access capability in a much more cost-effective way, which will also be driven by the economic and budgetary pressures that they are under.
To succeed in this new environment they will need our experience and advice. They will need our help to implement it properly, appropriately and to their best advantage. Within industry we all have a duty to make the changes necessary to support these initiatives. UK PLC will have to change and adapt at some pace to support our electronic safety, security and our economy in the Cyber Domain. The GPMS is merely a component in a wider programme of change vital to this sector, and we all now have an instrumental role in making this the success it needs to be.
Author: Scott Cattaneo