But are we in danger of leaving the backdoor unguarded?
Alongside cash for the Police / SOCA, it’s been announced that more will be made available for building up the CSOC (Cyber Security Operations Centre) at GCHQ . Much of this will be focused on protecting CNI (Critical National Infrastructure), hence why the airlines, transport and utilities were brought into the data sharing fold.
All of this is great, and it’s hard to fault. However, I’m still worried that we’ve yet to see our hard-pressed chums in Local Government getting any cash, and this makes me nervous. My thought process runs something like this…
Local Gov is joining up to PSN (tick). PSN will connect Government in its widest sense – the Schengen agreement of our Government network (tick). Information flows from Authority to NHS, to Central Gov to Police, all secured at RESTRICTED (tick, just lovely).
However, here’s my problem. As every aficionado of Bond or the Man from UNCLE knows, the easiest way to break into a secure base is to find a small unguarded pipe and crawl through it, right into the head honcho’s lair. I have studied the work of Robert Vaughan over many rainy summer holidays, and this works in 99% of cases.
In the case of PSN, this is Local Government. And guess what, they can’t be blamed for their unguarded pipe. (Deep breath) In order to formally hold stuff at RESTRICTED, you need to use CESG approved encryption technology, and to do that you need to use CESG key mat (key material – the stuff that makes encryption work). But you can’t hold CESG key mat unless you have a crypto-custodian (the chap who is charged and trained to look after it in an appropriate manner). And Local Authorities haven’t been mandated to have a crypto-custodian, and certainly can’t afford to employ one off their own back. Which means they have to erm….wing it.
In many cases winging it is fine and works well (it’s formally called having the accreditor sign off the risk delta, but I’m going for brevity here). I’m a big fan of winging it in this context, as often the requirements of RESTRICTED are too onerous for data that only just scrapes into that category, and CESG certified products cost a fortune to buy, install and maintain. BUT, it also places very high standards on the procedural element of the product’s use, and it’s here where the winging it approach falls down. Glibly, you assume that Local Authorities in far flung places you can’t spell would have a problem meeting procedural security requirements, but in my experience, there are plenty of big Authorities in places you know very well that get it wrong. And lots of incorrectly deployed security products means lots of unguarded pipes for the bad guys to shimmy up.
So, I’m calling for some of the Cyber war chest to be used to help the organisations under the most fiscal pressure achieve the right level to allow PSN to function correctly. A chain is only as strong as its weakest link, and right now my fear is that the austerity measures will lead to too much winging and too many unguarded pipes being available.