This is now old news (it takes me a long time to get to the blog!), but anyone in the UK will know the story of the missing child benefit disks – 25 million records containing parents and children’s names addresses, dates of birth, bank account and national insurance details … an identity fraudsters’ gold mine. This has caused worries of millions of parents and embarrassment for Alistair Darling in Parliament. The BBC has a timeline of the events and Computer Weekly has (very) slightly more techie focused account.
Anyway a week ago last Thursday (22nd Nov) I did a short radio interview on Radio Cumbria, which forced me to consider the issue in a little more detail. I think they expected more a security angle, but obviously this is very much a human story also.
Despite the gravity of the event I was shocked but not surprised. In the end if you put people in a severely time pressured, cost-controlled context mistakes will inevitable happen.
So what went wrong? …
understanding and using encryption
First, but not most significantly, are the raw technical encryption issues. Like everyone else, I only know what was said in public statements, but these repeatedly said the disk was password protected, but not encrypted. One of the problems on radio was how to explain this difference.
The best I could come up with was that the password protected disk was like a briefcase with a lock – once you broke the lock the papers inside could all be easily read. In contrast the encryption was like a briefcase full of papers all in code.
But notice, the fact that I had to struggle to think of an analogy says something about the complexity of the issue. For the poor official sending the disks it could well have appeared secure. You couldn’t (without specialist knowledge) access the disks without the password. And if he had encrypted them it would have looked very similar: type a password (now an encryption key, not just a key to check) and access the data.
Even when you know the difference, security systems are notoriously difficult to use. Fiona still maintains a particular mail system on her machine because it is the only one where she has managed to get PGP installed to digitally sign mails. … and if I needed to encrypt something I think I’d reach down into the UNIX crypt commend or start scouring the web for a download (would I trust it?) … or more likely stick it on a disk and hope for the best :-/
outsourcing expertise
One of the most telling aspects of this story was the mail from the HMRC official to the National Audit Office who had requested a far less sensitive extract of the information:
“we must make use of the data we hold and not over burden the business by asking them to run additional scans/filters that may incur a cost to the department,”
This was not just a matter of internal effort, but also because producing a copy of the data with some of the fields removed would have required going to the external contractor (EDS) to produce the report. That is Her Majesties Revenue and Customs does not have internal IT staff who are able, or have not been give suitable permissions/documentation, in order to produce what sounds like a simple database download.
If there are not staff around who can extract records from a database what hope advising on information security.
procedures were not followed
Repeatedly when interviewed Alistair Darling blamed the staff at HMRC; the procedures were in place but not followed. It was of course nothing to do with the merging of department, resulting staff cuts and mounting pressure at HMRC.
As in so many stories of ‘human error’ (e.g. Zeebgrugge disaster) people are put into situations where they know they need to meet certain targets, within tight time or financial constraints. The ‘procedures’ may be in place to make things safe/secure, but keeping to the letter of those procedures is often not possible … even if everyone knows what the procedures are. Rarely are such procedures costed and so an official or operator on the ground is forced to make, on a day-by-day basis, what are effectively strategic policy decisions – things are bound to go wrong.
We can choose to spend more and have things utterly secure/safe … or choose not to.
However, if we choose the latter, it is utterly unfair is to blame those on the ground seeking to do the best job they can under tight circumstances.