If what this Times commentator describes is true, somebody should go to jail. The rest of us should take note. As we may have mentioned one or two thousand times before, security technology and security procedures mean absolutely nothing if there is not an organisational commitment to the security of information.

That senior officers of Norwich Union and Avivia would protect their own data following news of the leak without informing their customers is quite simply disgusting. I personally will remember this when making my own banking decisions, especially as all concerned remain in post, for some unfathomable reason.

It’s so easy to get caught up in the protection of data (or lack thereof) that it is easy to forget about the other primary goal of information assurance–getting correct information to the right place in good shape, accurately and on time, to preserve the confidence of the public in government’s ability to manage its own affairs.

“THOUSANDS of servicemen and women, including many fighting on the front line, are being underpaid because of failures in a new computerised pay system.”

…”The computer system, known as Joint Personnel Administration (JPA), was introduced in March last year in the Royal Navy and saw a flood of complaints from sailors not being paid their full pay. The RAF was taken on to the system in October last year, followed by the Army in April this year. The £250m system was implemented by EDS, which was widely criticised for its computerisation of the Child Support Agency.

One of the key problems with the system is that it requires senior officers to log in to authorise payments, which means that if they are away on operations, the whole procedure grinds to a halt. “The system is based on the design for a civilian pay system and takes no account of the complexities of the armed forces pay system,” one officer said.”

It’s a good thing that the British are so patient–these people are armed. It’s a very bad thing that we can’t get JPA right–ADP would have taken this on as an outsourcing project for a lot less than £250 million.

This is going to get interesting, and the Economist says that this topic will be covered in their upcoming technology quarterly (which is really one of the best things about the Economist). We’ve been following UAVs here since summertime, and I really think it is a) emerging as a technology that has information assurance implications for UK government and b) it’s really cool.

Ranging from powered model airplanes for children to the Predator, UAVs are currently lightly regulated and not at all policed, which should worry law enforcement as well as IA practitioners. With progress in miniaturization in full swing, an unmanned aerial vehicle can carry a camera (the UK is already using them to carry CCTV)… or something quite a bit deadlier. It is clear that legislation and regulation hasn’t caught up to the implications of this.

Meanwhile, at the Popular Mechanics website, there’s a story about the Houston Police Department’s trials of a UAV. The story walks through a lot of the issues revolving around this stuff.

Remember the main IA issue is going to be integrating information flows to, from and about potentially large numbers of these critters into information about more conventional air traffic. As I’ve mentioned before, between UAVs, ultralights and normal increases in air traffic (as point-to-point becomes more popular than hub and spoke and small jets become more ‘affordable’), those charged with keeping air traffic safe are going to have a lot on their hands.

Related stories (copied off the PM site–thanks!)

Civilian UAVs: No Pilot, No Problem

Britain’s Police Drone: Could It Stop Next Terror Plot?

Miami’s New Test Aircraft Gets Look from Army, Navy

Air Scouts: FA-18s Take On UAV Reconnaissance Duties in Iraq

Unmanned NASA Aircraft Enlisted in SoCal Firefight

Sunday Update: “Police and border control authorities are to use an unmanned aircraft to patrol the south coast to catch illegal immigrants trying to enter Britain by boat.” …”It is understood the police have expressed interest in using the £5m drone to monitor crowds during demonstrations and events such as football matches.”

“Andrew Mellors, head of civil autonomous systems at BAE, told the conference: “From 2012 fully autonomous unmanned air systems could be routinely used by border agencies, the police and government bodies.”

Key Section Here: “On-board sensors also give the drone the ability to deal with unexpected incidents, for example by automatically changing course to avoid coming close to other planes in the crowded airspace.

BAE Systems is in talks with the authorities to ensure that the drone does not interfere with civil or military flying. It said that the Herti, in addition to its sensors, had transponders to allow other aircraft and ground controllers to see it on their radar.”

If BAE has the brains God gave a gnat it will put the sensors and transponders in a black box, sell it to everyone who wants to use a UAV, and politely inform government that they have the power to mandate inclusion in all unmanned aircraft….

Information Assurance almost by definition starts from the top of an organisation and works down. (Well, at least by my definition, which involves a board-level commitment to risk management, smooth flow of information to appropriate resources, and protection of information from those not explicitly authorised to view it).

But can this work in the public sector? Obviously, it currently does not, but is it feasible? I guess what I would like feedback on is if there is an Information Assurance briefing for those who move into senior levels of public service, get elected, change organisations, etc. Is there a Book? (a movie…?) Is there an IA Seminar 101 for those who move into positions of responsibility?

Then moving down, is there appropriate training for mid-level management? Should cover most of the same issues, but in greater depth as they will have to execute the broad strategies developed up above, right? And then, of course, the front lines. What dedicated training do they receive in information security, good data hygiene, etc.?

If it’s all there and up and running, I’d like to know.

Afterthought: On a Toyota assembly line, any production worker can stop the line if s/he suspects something is going wrong. I would wager that similar devolved authority to front line workers in government would stop a lot of these problems, especially if accompanied by appropriate training beforehand.

Here’s the story on the day after…

I have said this before on this blog. There are countries where a national identification card is completely non-controversial. There are possible benefits to society from a well run and properly managed system.

But in my heart of hearts I do not believe that this country’s government (and I do not distinguish between political party here) is capable of building and operating an ID management system at this point in time without disastrous consequences to information assurance.

Via Kable: “Buckinghamshire and Milton Keynes Fire and Rescue Service is planning to use handheld technology for fire risk inspections. It intends to replace its paper based scheme with electronic forms on handheld devices, which make it possible to transmit the reports immediately to headquarters servers.”

Progress marches on. However, “Information captured is stored on the device until completed and automatically updated to a Fire Safety Management application provided by Consilium, which manages Fire Safety Inspections and produces statutory reports.”

A couple of things I hope they’ve thought of: What happens to the data in the device after the Consilium Fire Safety Management application is automatically updated? Does it stay on the device? Is it transmitted securely? And, of course, what happens if a device is left in a pub?

I don’t (at first glance) see that this information needs MI5 level of security, but the providers of this information do have rights under the Data Protection Act, and as property is money these days, I should hope there is some provision regarding this.

I think we tend to pay lip service to the idea that many information assurance issues are rooted in human behaviour. I wonder if we really tend to look at this proposition carefully. We might be reluctant because of the daunting scope of human-caused problems, or we might be reluctant because we understand how difficult it really is to change human behaviour.

“Two-thirds of IT managers don’t stop company employees from downloading music online, and only 1 in 5 block them from social networking Web sites. While a study found managers are worried about lost productivity and security issues, they also are concerned that blocking access to sites might hurt staff morale. The study, funded by antivirus software maker McAfee, also found that about 20% of workers let their friends and family use company computers, about 50% connect their own gadgets to their workstations and about 60% store personal content on company PCs.”

Via Kable: “The Land Registry has pulled potentially sensitive documents from its online service. As from midnight on 5 November 2007, online access to documents such as mortgage deeds and leases will be removed. Members of the public wishing to inspect or have copies of any such documents can do so by applying in writing to Land Registry. The move followed a report in The Daily Mail that criminal gangs have stolen £12m over the past two years by exploiting loopholes in the website. They gained access to documents such as title deeds to make it possible to sell properties they did not own.”

It’s a pity legitimate users of Land Registry information will no longer have access to these details, I guess, but what were sensitive documents like these doing lying around in the open air in the first place? Did any review of this take place?

After the fact, the Land Registry tried to ‘put this in perspective,’ saying that the £12 million in fraud was a small percentage of the fee income it generated.

WAKE UP. The £12 million in fraud in all probability represented a very large percentage of the total wealth of the individuals who were defrauded, each of whom had to go through a long and laborious compensation exercise and probably had to get the services of a solicitor to help them. Of course it had minimal impact on the Land Registry. It’s not their money. It’s not their information. It’s not their privacy.

The world is changing now.

Ramps may replace stairs in homes and businesses to facilitate access to domestic robots. (Pure speculation on my part, this.)

Domestic robots charged with cleaning and other duties will be equipped with CCTV cameras. (Already exist and offered as a commercial service.)

Some bright lass or lad will equip these domestic robots with prosthetic arms for manipulating objects on command–or autonomously (already exist and working in the lab).

In addition to opening doors and pulling levers, etc., those arms will be able to manipulate tasers or pepper-spray projectors. Domestic robots will then have security responsibilities.

However, to prevent misuse and frivolous use, it is quite possible that the use of robots for security purposes must involve an enabling command from a certified security operator or even a law-enforcement agency, looped in on the feed from the robot’s CCTV camera. It might be a dual decision, with the security operator enabling the owner to actuate the device.

Which of course means the integrity and authenticity of all messaging must be iron-clad–encrypted, authenticated and secure.

So when, 10 years down the line, you are choosing which type of wood to use in the ramp that replaces your stairs, remember the information assurance implications.

And just in case you think this is too futuristic and science-fictiony to worry about, have a look at the first private spaceport–due to be finished in 2010–before Crossrail.

Hat tip to Robert Heinlein’s Door Into Summer, 1957.

Via Kable, I learn that “A group of MPs has recommended that a senior official be appointed to lead a coordinated approach to tackle identity fraud. The All Party Identity Fraud Group published a report on 6 October 2007 calling on the government to appoint an identity fraud tsar. It says this would ensure a joined up approach to tackling the problem by creating a single point of contact across government, the police and private sector. In the last two years there have been three ministers with responsibility for identity fraud, and the group believes this has undermined efforts to create a coordinated approach to the threat. The report sees the secure sharing of data between the government and the private sector as a key way to tackle identity fraud, and suggests that a central shared database could be set up to allow financial institutions to verify identities and quickly establish cases of deceased fraud.”

Okay–government involved: check. Single government point of contact–er, check? (Kind of a big government…). Private industry involved: Check.

Er, excuse me? If you don’t involve the citizen you will not resolve the issue.