I pity for the admins who have the near-impossible job of securing data for UK government departments. What chance do they have against a single USB data stick in the hands of a management consultant?
Everyone blames the government for the loss of 84,000 UK prisoner records by PA Consulting, despite the fact that the government is in some ways just as much a victim.
It is the PC-fixated industry and its IT consultancy shape shifers, that have promoted the dizzying array of storage technologies of ever greater capacity, none of which, until very recently, were shipped with any security. And when the security is provided - encryption for instance - it turns out to cost the earth to buy, manage and integrate with what are euphemistically called ‘legacy systems'.
If the USB stick in question had been used with encryption, would the government or PA Consulting have managed things like key recovery? It is tricky questions like this that stop it being used at all. It costs money, it adds layers of complexity, and it slows projects down. And if encryption was in place, doesn't that dodge the deeper issue of why the data was being copied in the first place?
As ever, if in doubt, wing it. Then hope nobody notices.
The government's real responsibility is for the way it has spent the last decade opening up its systems and data to a mass of prying third-parties, many of which are mining huge cheques in return for remarkably little return in terms of functioning IT. If this sounds a bit unfair, ponder the long and still-growing list of failed, near-failed, late, over-budget UK government IT projects.
The answer isn't more technology, but better use of what is already out there. That means:
1. Don't embrace every new bit of kit that comes along. No matter how humble, technologies should have to prove themselves before being used in core projects.
2. Don't let third-parties do certain things. If you have no way of stopping them from doing things, or can't actually monitor them anyway, then is the right agency doing them?
3. If necessary, do less, better. Don't assume more security will make an insecure technology or working method secure.
4. The creation of security policies and thinking needs to come from the people who administer it. Too much of it appears to be diktat from above, usually from people who still think the Rolling Stones are a popular rock and roll act.