Identity management is a foundation of cyberdefence

The government is battening down the hatches and repelling all boarders, even if they have e-tickets. And not before time!

Foreign intelligence agencies are carrying out sustained cyberattacks on the UK Treasury, targeting it with malicious emails and programs designed to steal information, the Chancellor, George Osborne, has revealed. He said that government systems are the target of up to 20,000 malicious emails every month

[From Osborne: Treasury under sustained cyberattack | Technology | guardian.co.uk]

And that’s not counting the ones from taxpayers, I imagine. Setting aside how ludicrous and meaningless this figure is, there is nonetheless a serious point. If Son-of-Stuxnet crashes the Treasury, that might well be a net benefit to the economy, but if it crashes the electricity distribution network, even I won’t be laughing. We need effective cyberdefences. So what should the authorities do to bolster these defences? I would have thought that have some kind of working identity infrastructure might be a first step, and in that respect things haven’t been going to well in the UK.

The Home Office slipped out the final report of the Independent Scheme Advisory Panel (ISAP) this week, more than a year after it was written. The ostensibly independent report, which reveals how the ID system had been compromised by poor design and management, was submitted to the Home Office in December 2009.

[From Henry Porter – Home Office suppressed embarrassing ID cards report]

The report says that there were no specifications for usage or verification (which we knew – this was one of my constant complaints at the time) and, revealingly, that (in section 3.3) that “it is likely that European travel” will emerge as the key consumer benefit. This, I think, is an interesting comment. As I have pointed, what the Identity & Passport Service (IPS) delivered was, well, a passport. It had no other functionality and, given the heritage, was never going to have. Hence my idea of renaming it “Passport Plus” and selling it to frequent travellers (eg, me) as a convenience, and idea that really should have been taken more seriously by the coalition administration.

As an aside, the report also says (in section 5.5) that the “significant” number of change requests after the contracts had been awarded would likely increase risk, cost and timescale. Again, while this is a predictable comment, it is a reflection on the outdated consultation, specification and procurement processes used. Instead of a flagship government project heralding a new economy, we ended up with the usual fare: incomplete specifications, huge management consultant bills, massive and inflexible supply contracts.

The report repeated the same warnings ISAP had given the Home Office every year since the system blueprint was published in December 2006 by Liam Byrne and Joan Ryan, then Home Office Ministers, and James Hall, then head of the Identity and Passport Service (IPS).

[From Home Office suppressed embarrassing ID cards report – 1/7/2011 – Computer Weekly]

How did it all go do wrong? Liam Byrne was supposed something about IT as he used to work for Accenture, as did the James Hall (Joan Ryan was a sociology teacher who later became famous for claiming more than £170k/annum in expenses). All in all, it was a pretty disastrous period for those of us who think that identity infrastructure is crucial to the future of UK plc, let alone the UK government. This is not to say that, despite all of the evidence (including today’s fascinating FT piece on the UK government’s equally disastrous NHS infrastructure project), that the UK is uniquely hopeless at developing identity infrastructure for the 21st century.

Thai citizens who applied for their first national identity card or who applied to have their ID card renewed, have been issued with a yellow slip instead of the new microchip-embedded “smart” cards. The reason behind the problem is that the Interior Ministry refused to accept the new “smart” cards which were supplied by the Ministry of Information and Communications Technology, claiming that they did not meet the prescribed specifications stipulated in the ministerial regulation.

[From Bangkok Post : The silly saga of ‘smart’ cards]

Now, this may seem funny, but I ought to point out in the interests of international balance that there are, right now, in 2011, many people walking around branches of the British government with printed pictures of smart cards hanging around their necks. Yes, that’s right: pictures of smart cards, rather than actual smart cards. I’m afraid our cyberdefences are more a cyber home guard at the moment.