“With infrastructure like that, who needs enemies?”

Posted by William Heath in Cyberwar, Data breaches, Humanity nature and activity, People and IT at December 4th, 2007

Terrific conversation about the technology threats of 10 years hence with Marcus Ranum on the Bruce Schneier blog.

Don’t ‘Bury’ Bad News On A Sunday

Posted by Tom Fuller in Blindside project, Data breaches at December 2nd, 2007

Insert Oscar Wilde quote here, if you wish: “A new fraud alert was issued by the government this weekend as it confirmed that it had lost another computer disc containing the personal financial details of 40,000 housing benefit claimants.”

…”In a separate incident, it was disclosed this weekend that another disc containing the bank details, salaries, National Insurance numbers and home addresses of more than 6,500 public sector workers has also been lost.”

Maybe we can send them all a letter of apology that also contains confidential information.

Seriously, it has to be clear now that the institutional governance mechanisms regarding the safeguarding of personal information have broken down, if indeed they were functional previously. This is all a flagrant violation of the Data Privacy Act. These are all, essentially, crimes.

Government needs to put down tools, get together in a large room, and talk through the implications. To have three further incidents after what happened at HMRC is devastating–as devastating as the first incident, as it means there has been no response. (The third incident I refer to is the letter of apology sent out by HMRC which contained confidential information.)

Perhaps it is time to revive TrainerNet–junior employees with trainers who hand carry data discs to the proper destination. But HM Government (as a whole, not as differing bodies) needs to come up with a data transmission protocol that protects our personal information from people who will steal it and injure our reputations, cost us money and time, and have a serious negative impact on our lives. That is what is at stake here. Government is seriously prejudicing the quality of life for half the population. What good are they doing that can overcome this?

HITs Come to American Football

Posted by Tom Fuller in Blindside project, Humanity nature and activity, Radically different stuff at December 2nd, 2007

Americans like to think of American football as a proxy for war, with strategy, tactics, heroics and planned, scheduled feats of athletic derring-do. The British have a slightly different opinion of American football… but let’s not go there.

Technology and information flows have played a large part in American football, from signalling to recording action to radio communication. And a lot of time and money has been spent on protective gear for the footballers.

Welcome to the world of HITs (Helmet Impact Telemetry).

Check out this video and tell me if resource tracking and monitoring in unconventional spaces (like battlefields, fire scenes and hostage situations) has not just received a real asset boost from the Yank football scene. A helmet that monitors impacts and relays information wirelessly to a central source for analysis. Yeah, that sounds useful.

Biggest Windows/Flash error message ever

Posted by William Heath in IT failures, Uncategorized at December 1st, 2007

Here’s glaring evidence that giant screens aren’t yet ready to replace old-fashioned billboards…

Sometimes There Is Real News At The Weekend

Posted by Tom Fuller in Blindside project, Cyberwar, Data breaches, security services at December 1st, 2007

It looks as if Galileo, the EU satellite project, will go forward. This means that there will be competition to the American GPS services, and an alternative to location and timing signals. It’s an expensive back-up, but it’s important to have a back-up.

MI5 has issued a warning to a host of companies and organisations that they are being hacked–quite possibly by the Chinese. As we reported this summer when it was Whitehall and the MoD getting hacked, it’s important to remember that the Red Army, blamed for so much of this, has a lot of private enterprise initiatives out there, and this may not be seeking military advantage (although they wouldn’t throw that away if it came to hand) but seeking straightforward competitive advantage over UK companies doing (or hoping to do) business in China.

Here’s how it’s painted on the CPNI website. “The UK is a high priority espionage target and a number of countries are actively seeking UK information and material to advance their own military, technological, political and economic interests.”

And look at it this way–UK information protection schemes obviously need the exercise. Better be tested and found wanting in a time of peace. In a weird way, maybe we should thank the Chinese for this–if we act on the lessons learned…

More on Civilian Use of UAVs

This is going to get interesting, and the Economist says that this topic will be covered in their upcoming technology quarterly (which is really one of the best things about the Economist). We’ve been following UAVs here since summertime, and I really think it is a) emerging as a technology that has information assurance implications for UK government and b) it’s really cool.

Ranging from powered model airplanes for children to the Predator, UAVs are currently lightly regulated and not at all policed, which should worry law enforcement as well as IA practitioners. With progress in miniaturization in full swing, an unmanned aerial vehicle can carry a camera (the UK is already using them to carry CCTV)… or something quite a bit deadlier. It is clear that legislation and regulation haven’t caught up with the implications of this.

Meanwhile, at the Popular Mechanics website, there’s a story about the Houston Police Department’s trials of a UAV. The story walks through a lot of the issues revolving around this stuff.

Remember the main IA issue is going to be integrating information flows to, from and about potentially large numbers of these critters into information about more conventional air traffic. As I’ve mentioned before, between UAVs, ultralights and normal increases in air traffic (as point-to-point becomes more popular than hub and spoke and small jets become more ‘affordable’), those charged with keeping air traffic safe are going to have a lot on their hands.

Related stories (copied off the PM site–thanks!)

Civilian UAVs: No Pilot, No Problem

Britain’s Police Drone: Could It Stop Next Terror Plot?

Miami’s New Test Aircraft Gets Look from Army, Navy

Air Scouts: FA-18s Take On UAV Reconnaissance Duties in Iraq

Unmanned NASA Aircraft Enlisted in SoCal Firefight

Sunday Update: “Police and border control authorities are to use an unmanned aircraft to patrol the south coast to catch illegal immigrants trying to enter Britain by boat.” …”It is understood the police have expressed interest in using the £5m drone to monitor crowds during demonstrations and events such as football matches.”

“Andrew Mellors, head of civil autonomous systems at BAE, told the conference: ‘From 2012 fully autonomous unmanned air systems could be routinely used by border agencies, the police and government bodies.’”

Key Section Here: “On-board sensors also give the drone the ability to deal with unexpected incidents, for example by automatically changing course to avoid coming close to other planes in the crowded airspace.

BAE Systems is in talks with the authorities to ensure that the drone does not interfere with civil or military flying. It said that the Herti, in addition to its sensors, had transponders to allow other aircraft and ground controllers to see it on their radar.”

If BAE has the brains God gave a gnat it will put the sensors and transponders in a black box, sell it to everyone who wants to use a UAV, and politely inform government that they have the power to mandate inclusion in all unmanned aircraft….

Is This Good or Bad News?

Posted by Tom Fuller in Blindside project, Humanity nature and activity, data mining, fraud at November 30th, 2007

How easy would it be to find this information for UK and continental Europe?

“An estimated 8.3 million Americans over the age of 18 were victims of identity theft in 2005, according to an analysis of a phone survey released Tuesday by the FTC. That represented a decline of about 16 percent from an estimated 9.9 million victims in 2003, when the agency last conducted its survey.”

“Identity theft cost U.S. businesses $55.7 billion in 2006, according to Javelin Strategy & Research. The FTC estimates that in 2006 the cost to consumers was $1.2 billion.

But experts say complaints filed with the FTC offer only a glimpse of the actual damage. “Most people don’t even think about calling the government because they are not going to help them get their money back,” Litan said.

The FTC estimates that 1.8 million Americans discovered some type of fraud committed using their personal information, 3.2 million had their credit card accounts misused and 3.3 million experienced misuse of other financial accounts.

Javelin’s estimates back the FTC’s findings. It said 8.4 million people were victims of identity theft in 2007, down from 8.9 million in 2006 and 9.3 million in 2005.”

How blogs, wikis and Web 2.x can help keep us safe

Posted by William Heath in Blindside project at November 29th, 2007

How can the endless array of people transforming government use social networking to get faster to good outcomes?

That’s a big question we considered when we conceived “Blindside”. If only government knew what it knew about technology, customers, and social evidence, and if only the good people doing good things could connect better horizontally, based on ability and ideas regardless of hierarchy, who knows how liberating and effective it would be. This applies especially to how we keep our society and our systems safe. Much of that is based on secrecy, but far more is surely based on openness and what we share.

Note for example progress on the US intelligence blog Intellipedia. It’s not itself open, but there is a blog about its progress and issues here, with links to intelligent discussion about the strengths and weaknesses of webs and wikis in this culture.

And there’s A-Space (a classified version of MySpace or the CIA-backed Facebook) - see description here (there may be better links).

The point is: are we using these things safely and to good effect here in the UK to understand information assurance and the role of good IT in creating the e-enabled society we want? It’s essential this should be a cross-disciplinary conversation. It doesn’t do anyone any good if we put very secure IT procedures onto a fundamentally ill-conceived project, but the IA people may end up carrying the can. We saw what happened at HMRC. Do we really think good IT security procedures will make ContactPoint/eCAF, Connecting for Health, and the ID System/eBorders acceptable and safe socially? The point is that effective, broad, respectful engagement ACROSS disciplines is essential up front. Social networking is a great way to support this.

You don’t need a £multi-m investment with some hungry, old-fashioned IT supplier or rancid old consultancy to do this. Technically you don’t need anything more than the tools we use for Blindside (a blog and a wiki hosted on our mate Chris’s server). It needs some moderation and commitment to participate. We need to learn two things better: to express ourselves, and to listen. Web 2.x can help; that’s what it does.

Top Down IA

Posted by Tom Fuller in Blindside project, Humanity nature and activity, culture, human error, standards at November 28th, 2007

Information Assurance almost by definition starts from the top of an organisation and works down. (Well, at least by my definition, which involves a board-level commitment to risk management, smooth flow of information to appropriate resources, and protection of information from those not explicitly authorised to view it).

But can this work in the public sector? Obviously, it currently does not, but is it feasible? I guess what I would like feedback on is whether there is an Information Assurance briefing for those who move into senior levels of public service, get elected, change organisations, etc. Is there a Book? (a movie…?) Is there an IA Seminar 101 for those who move into positions of responsibility?

Then moving down, is there appropriate training for mid-level management? It should cover most of the same issues, but in greater depth, as they will have to execute the broad strategies developed up above, right? And then, of course, the front lines. What dedicated training do they receive in information security, good data hygiene, etc.?

If it’s all there and up and running, I’d like to know.

Afterthought: On a Toyota assembly line, any production worker can stop the line if s/he suspects something is going wrong. I would wager that similar devolved authority to front line workers in government would stop a lot of these problems, especially if accompanied by appropriate training beforehand.

The Politics of Information Assurance

Posted by Tom Fuller in Blindside project at November 27th, 2007

If people lose faith in either the technology enabling next generation public services or the ability of public servants to effectively administer these systems, it becomes an information assurance issue. We can abandon discussion of biometrics, encryption, passwords and identity management. This is strategic corporate governance and risk management, and needs to be analysed at Board (read Cabinet) level.

If the Conservative Party says that it will disassemble the National Identity Card project if elected, this affects tenders and contracts as well as elections. While no government can bind the hands of its successors, and certainly government tenders are less important than treaties, recent events have added unwanted risk to the government’s transformation and shared services agenda and should, in all honesty, cause a rethink of much-discussed initiatives such as the National ID Card project.

If the ID Card project becomes a political football, it could come down to either being continued or abandoned based on public opinion polls. It is recent government experience that has made this a possibility. Should the government of the day wish to defuse this as a possible issue, it needs to have a pretty long period without negative incident to let memories fade and new issues arise.

Does anyone feel confident that government can go through any significant period of time without an IA disaster?

Chris Smith of Vega rather succinctly encapsulates the problem by saying that good health and safety practices are the result of clear lines of responsibility including personal contracts with employees, and that no such regulatory framework exists for information assurance issues–Chris posts here from time to time, and I hope he takes time to elaborate on this here.

What happened at HMRC is an information assurance issue and it affects the future of information assurance in the public sector. To think otherwise is daft, frankly. While we here at Blindside normally look through the other end of the telescope at these issues, to ignore the political reality of recent events does no-one any good.