Let us suppose you are a hugely wealthy celebrity trying to secure your mansion: electronic locks, CCTV on the gates, unbreakable doors and windows, secure panic room, electronic movement alarms covering the acres of garden and all the other high-tech security paraphernalia. Who would you go to for advice?
Well, I have just had a brilliant idea. Why not go to the police and ask them “I need to secure my home; who is the best house burglar on your books so I can contact him for advice?”. I suspect that you would conclude that I have gone “Jacobs”.
Not sure what “Jacobs” means? Well, it was a term used by one medical professional (some years ago, I must add) to describe patients who were “crackers”; not so funny when, on subject access, the term had to be translated into an “intelligible form” (see S.7(1)(c) of the DPA).
Now, suppose you want to obtain security advice; for instance on the best electronic measures to identify intrusion into your systems, or encryption, or access control, or password selection or on surveillance of internet traffic. Who would you go to?
Would it be “Jacobs”, for instance, for those who have very confidential data to protect to ask GCHQ for detailed security advice on how to protect their key electronic systems? Because that is what the whole public sector has done for over a decade; they go to the Communications-Electronics Security Group (CESG), which is part of GCHQ.
Don’t get me wrong; CESG is in the forefront of getting organisations to take security seriously. It is the UK Government's National Technical Authority for Information Assurance and advises UK's central government departments, agencies, Armed Forces, Health Service, law enforcement and local government. (Those who are unaware of CESG’s Information Assurance Maturity Model (IAMM) should correct this oversight as soon as possible).
The problem with CESG is not “what it does”; the problem is “who it is”, and because of this you get some wholly daft consequences.
For instance, three years ago I put an FOI request into the Cabinet Office for the sexily entitled: “HMG IA Standard No.6: Protecting Personal Data and Managing Information Risk” (see references).
Despite the fact that each page is headed with the capital bold letters “NOT PROTECTIVELY MARKED” (which shows that there are no national security considerations with the content) and that the document has been very widely distributed, a footer states that “This information is exempt under the Freedom of Information Act 2000 (FOIA)...”.
So I tested this with an FOI request to the Cabinet Office, which contacted GCHQ, and the S.23 exemption of FOIA was applied (even on review!). The outcome is that the publicly available “HMG Security Framework documentation” refers to a secret “HMG IA Standard No. 6...” as being a key document in helping to implement and understand the HMG Security Policy in the context of the processing of personal data.
This widely distributed, unclassified document is still a state secret - what nonsense.
However, today’s revelations about NSA/GCHQ surveillance raise the “Jacobs” question in all seriousness. According to the BBC News, the organisation that is advising the public sector how to secure electronic systems is also:
• forcing “tech firms to install backdoors in software”.
• subverting “a US federal program to create new encryption algorithms so it can more easily get at any messages or data they were supposed to protect”.
• collaborating “with unnamed technology companies to build so-called back doors into their software”.
When organisations go to CESG for advice, they need to be very sure that its advice is “kosher”; today’s revelations totally undermine that. This explains why I think CESG has to be separated from GCHQ in order to ensure trust in its advice.
In my view, the current state of affairs where CESG is part of GCHQ cannot continue; you can’t have the “gamekeeper” working to the instructions of the “poacher”.
References
BBC News Report http://www.bbc.co.uk/news/world-us-canada-23981291
The blog on my FOI request that involves the S.23 FOIA exemption: http://amberhawk.typepad.com/amberhawk/2010/12/as-gchq-keeps-tabs-on-foi-requestors-what-does-national-security-mean.html
Can I take the opportunity to refer readers to the very valuable security stuff on https://www.gov.uk/government/publications/security-policy-framework and from CESG: www.cesg.gov.uk (or mentioned in our CISMP course in December; follow link middle left).