The Biggest Threats to UK Information Assurance Issues
After my weekend sweep of emerging technology news, it’s time to go back to a major point–and to get comments on it.
If you scroll down and look at the last half dozen or so posts, you can easily see that in areas like healthcare, robotics, wearable computing, etc., change and innovation is happening at a fast and furious pace, and must surely lead to both new services and new methods of delivery that the British people will want from UK government, ranging from healthcare to location-based services, but really much more.
We also see that standard information security approaches, such as embodied by national programmes for identification or transmission of healthcare records, are not only expensive and difficult to build right the first time, are also a threat to information assurance by way of being a honey pot that increases the rewards of successful hacking or intrusion. They also stand a chance of being more or less obsolete by the time they are finished. Societal needs and changes, EU legislation or court rulings, further advances in technology, or some combination thereof may make NPfIT or the national identity scheme unworkable the day they unwrap the package.
We also see at every level of UK government an inability to get the simple rules of hygiene right, leaving valuable and sensitive information exposed by error or criminal practice.
Paradoxically, we see very useful services being implemented at a smaller scale, using Web 2.0 tactics such as mashing easily obtainable data from disparate sources together and presenting them in a useful manner.
So, let’s put forward some assumptions, see if they lead to a useful point, and ask for comment:
1. This is the golden age for funding of information assurance schemes. Demography will compel large transfers of government resources to pensions and healthcare and perhaps other programmes (Olympics and CrossRail). Information Assurance efforts are taking place now within a window of opportunity that may soon close.
2. Large scale programmes that are the raison d’etre for large scale information assurance schemes are both contentious and expensive, and there are few reference cases that point to a model for successful design, construction and implementation.
3. Relevant technologies are in the middle of an explosion of innovation, combination and recombination that is going to completely rewrite the rules of the game for information assurance, making it almost inevitable that systems designed in the present or recent past will not be fit for purpose absent considerable and expensive modification.
If those assumptions are true, (please, please tell me where and why my assumptions are wrong–challenge these!), then it seems clear to me that,
a) data should be held and guarded in lots that are as small as possible, and should be combined and recombined at destination using innovative procedures to add value
b) responsibility for data integrity, instead of migrating upwards to national level, should migrate downwards to user level
c) key decisions and initial actions should be taken within the next 5 years, or the concept of information assurance as used today will move towards irrelevance, pushed aside by spending constraints and technological progress
I would love to see comments on any or all of this.
October 8th, 2007 at 11:18 pm
Definitely agree with a; think there are real problems with b; not sure about c. The problem with b is that you *can’t* make users (if by users you mean the general public) responsible for everything. It’s not *our* fault if, for example, a government department deploys poor security to protect its database. That’s the situation we have now wrt identity theft and the banks, and it’s a real problem for consumers.
wg
October 9th, 2007 at 6:26 am
Hi Wendy,
The point of devolving data management is to reduce the value and complexity of data held centrally. Of course it’s not our fault if government deploys poor security. It’s not our fault that there are criminals exploiting it, either. But if government, banks, et al, appeal to a social ethic where the citizen is part of the cure, rather than a passive recipient of the results, the time needed to correct bad inputting and flag up anomalies in account activity is spread across the population.
I don’t believe governments and banks are physically or organisationally capable of doing this. If we want these services, we need to pitch in.
October 15th, 2007 at 12:03 pm
Data integrity is key. You only have one name, one main address, one set of information held that explicitly identifies who you are. Yet we fill this information in time and time again, across public and private sectors. Over time, as your circumstances change, information becomes outdated (Unless individuals know all location and how to update all informtation held about them). I certainly dont. Clearly less pots of information held about you, the easier it is to make sure it is accurate, and the easier it is to secure them because it would be possible to develop and utilise trusted networks.
The Data Protection Act (DPA) has not helped, as this has developed a highly silo approach to information storage very much in the private sector and particualrly across government departments basic information is not shared. I can give many, many examples where lack of information sharing is far riskier than the risks of sharing and the DPA consequences; the tragic Soham case is a prime example.
Data Integrity key ingredients:
1 version of the truth
1 secure system to allow logged access by trusted parties only
1 place where the public can view and update their basic demographic records
Fit for purpose legislation that explicitly punishes “data misuse”.
Andrew Doughton
www.threepillars.co.uk