Dominic Grieve has published a Conservative Party policy paper that promises to “reverse the rise of the surveillance state.” Much of it is inevitably about ID Cards, DNA samples and the like.
There is also the usual stuff about repealing the Human Rights Act. This, of course, is the Act that has given the citizen all sorts of legally-enshrined rights to protect him or herself against the power of the State – notably that any action by the Government which impacts adversely on an individual has to pass a proportionality test in relation to the supposed benefits that are intended to flow from it. This can be tested in the Courts – as successive Home Secretaries have discovered to their cost in respect of Control Orders etc. So why the repeal of the Human Rights Act is going to protect the public is not clear.
And then there is the strange (if you are a Tory who normally fulminates against such politically-correct notions) proposal that a Privacy Impact Assessment must be prepared for new laws and regulations. This is no doubt modelled on the requirement for Equality Impact Assessments – a requirement that as far as I am aware has not received universal approval from most Conservatives.
However, tucked away in the paper are a number of proposals on improving information security that I have to acknowledge are eminently sensible. I have to acknowledge it because they are things for which I have been calling for years.
So I welcome proposals to strengthen the role of the Information Commissioner. Not only have I been saying this for the last six years or so, but it also formed part of the report of the House of Lords Select Committee (I happened to be a member of it) on Personal Internet Security published in August 2007.
Likewise, I welcome the proposal for industry-wide kitemarks on data security best practice – another recommendation of the Select Committee.
And the proposal that a Minister and a senior civil servant in each Government Department should be designated as having personal responsibility for data security in that Department is also welcome (and again has a familiar ring to it).
I have long argued that requiring individual Ministers to champion information security and senior Whitehall mandarins to certify that they are personally satisfied with the information assurance processes in place would concentrate their minds wonderfully and lead to a real improvement in security. (In a similar way, I am introducing – through the Committee I chair on the Metropolitan Police Authority – a system whereby senior officers sign off the health and safety arrangements in their commands.)
Dominic Grieve’s paper sets out an eleven-point plan. I am happy to say that I can give three of the points my whole-hearted support. It would be churlish of me not to do so. They were my ideas first. (I’d accuse the Tories of pinching them from me, but I suspect it would be fairer – although why I should be fair, I don’t know – to accuse them of pinching them from the same person I did, if I could remember who it was.)
I do, however, have one concern about their/my proposal on Ministerial responsibility. The difficulty is that most Ministers stay in particular jobs for too short a time for that responsibility really to mean anything. Most Ministers are reshuffled every year – often far too short a time for them to make a real difference to anything. Perhaps the answer would be for legislation saying that once appointed Ministers would have to stay in the same job for at least three years (unless sacked, in which case they would be banned from taking another Ministerial position until the original three years was over). That would be good for the quality of administration in general. I offer this to the Conservatives (or indeed anyone else) free, gratis and for nothing ….
Even though Parliament isn’t sitting, each week Hansard publishes the written answers to Parliamentary questions tabled before the recess started and whose answers have finally emerged from the civil service sausage machine and been signed off by the relevant Minister. I have just caught up with the latest list, which includes the answer to the question I tabled five or six weeks ago on electromagnetic pulses (EMP) and the National Security Strategy.
My question followed on from a scary briefing I had attended on the threat of EMP attacks on the critical national infrastructure. (Some comments have suggested that the briefing was scare-mongering rather than scary, although I remain convinced – as subsequent discussions I have had with people who know about the subject have confirmed – that the subject has real substance and should be taken seriously).
The answer I have received from Lord Alan West is as follows:
Reading between the lines, I take this to mean that EMP attacks (and including natural pulses emitted by the Sun) are considered as part of the Strategy and that the CPNI provides relevant advice. I am reassured by the first part of the answer, but less convinced by the second part – I received similar-sounding answers to my questions a few years ago about the advice that the CPNI (or its then predecessor) were giving about information security. And the big question remains: it is only advice, is anyone actually doing anything?
I spent an interesting hour or so this afternoon with a “white hat hacker” – someone who uses his substantial computing experience to identify system weaknesses and vulnerabilities so that those weaknesses and vulnerabilities can be fixed.
He demonstrated how simple it is to clone most so-called smart cards, so as to render many (virtually all) secure entry systems redundant. The technology is readily available as are the programmes required to do it.
This doesn’t mean that card-based systems are of no value, but what it showed was how often there are basic design flaws that could be fixed, so as to render such systems much harder to compromise.
I had missed the reports of the Dutch researchers who were able to put phantom money onto their Oyster cards so as to travel round London free. This afternoon, I saw how easily it can be done by those who are minded to cheat the system. I wonder how much Transport for London are losing by this weakness each day and whether their systems for detecting such fraud and de-activating the cards concerned are as robust as they claim.
At the end of 2005, I persuaded three reputable “white hat” penetration testing companies to offer their services for free to any Government department that would like some independent checking of their information security. I wrote with this offer to the designated “senior information risk owner” in every Ministry. The three companies were worried that they would be put out of business by the rush of Government agencies taking them up on their generous offer. However, you will not be surprised to learn that after seven weeks not a single one of the twenty or so “senior information risk owners” that I had written to had replied. I then got a letter from the Cabinet Office on behalf of all of them – an example of coordinated Government rarely seen before or since – declining and saying that they were confident that their systems for protecting information were more than sufficient and that no external validation was needed. Subsequent experience showed how complacent that response was.
This afternoon’s meeting suggested that similar complacency still all too often reigns – not only in the public sector but in the private sector as well. Of course, there are exceptions and I have come across examples of excellent practice with systems checked by two external penetration testing companies, independent of those who have supplied, installed or manage the systems concerned. However, those examples are just that – exceptions. Too often senior managers don’t understand the problem or the risks that they face and are too readily reassured by those who have a vested interest in saying that everything is fine.
My attention has been drawn to Kevin Anderson’s very sensible and balanced analysis of the Gary McKinnon extradition case. It is far more measured than Mayor (and part-time Telegraph columnist) Boris Johnson’s rant. I wonder who earns the most from his journalism – the one who provides analysis or the one who rants with cavalier regard for fact?
I attended a meeting this morning where in passing there was a reference to the new British Telecom network upgrade (21CN) that is now underway. The presentation had just included a warning to British businessmen travelling to China (after all, even a senior No10 aide had been caught). Then it was pointed out that a key component of 21CN was manufactured in China by a manufacturer with close links (don’t they all?) to the Chinese Government, and that Government departments and most businesses allowed at least some of their key data or their voice communications to go over BT networks. So by implication any malign intervention wouldn’t require a honey-trap on someone visiting China but could be done remotely via the components in 21CN.
Apparently, one of the suppliers of 21CN’s Multiservice Access Nodes (and let’s be honest, I am not sure precisely what these are, but they sound important) are Huawei Technologies. Huawei promise that their success in winning the contract will create “many new jobs in the UK”.
Obviously, it is possible for people to be paranoid (and many are) that anything electronic manufactured in China (or anywhere else that we don’t trust this week) might contain “hidden” code capable of broadcasting back the contents of communications or even allowing control of equipment to be passed to those with malign intent overseas. But as we know, being paranoid doesn’t mean that people aren’t out to get you.
So how worried should we be about the security of British business and of the UK’s critical national infrastructure?
I cannot assess the real scale of the threat, although there does seem to be a growing consensus that the Chinese Government are building up their capacity to wage cyber war and that there is the intent to achieve cyber dominance by 2050. The Chinese are certainly investing heavily in high technology and there is substantial US concern about the Chinese capacity for conventional and industrial espionage by electronic means.
What I am clear about is that as a nation we do not take information security as seriously as we should – and this applies both in the public sector but also in the private sector. If there is a threat from BT’s 21CN, it may now be too late to do anything about it, and that leaves the real question what is being put in place to ensure that the threat is being mitigated.
This morning I reported my continuing concerns about computer repairers like “The Geek Squad” and “The Tech Guys”. Now I see that my good friends at FaberBrent (whose Advisory Board I have just joined) have quite independently reported a Sky undercover exercise on a laptop repairer that caught the “repairer” trawling through files for personal data and banking details. So I am right to be worried and some system of regulation and certification seems essential.
When the Digital Britain White Paper was published on 16th June, I raised some concerns about the White Paper’s apparent endorsement of “The Geek Squad” and “The Tech Guys”.
I have now received from Lord Stephen Carter a response to the points I made in the debate. Unfortunately, the response slightly misses the point (by about a mile, actually). It sets out the measures being introduced to improve the enforcement of consumer law applying to on-line transactions. This is all good stuff – a single online complaints register for people encountering an online scam; investment in new equipment, training and staff for on-line consumer law enforcers; and a review of enforcement powers in an on-line world. However, this is not really going to provide much reassurance for people nervous about letting an unknown person into their homes to fiddle around with their computer systems.
I have now written back to Stephen Carter – although my letter may well have arrived after his last day in office (he is one of the GOAT ministers who is resigning this month). My letter says:
“Thank you for your letter of 8th July. I am grateful for the clarification you have provided on the points I raised following your statement to the House on 16th June.
However, I would like to come back on the second issue I raised. This related to the need to ensure that consumers have adequate protection when dealing with suppliers, such as “The Geek Squad” or “The Tech Guys” – both specifically mentioned in “Digital Britain”.
In your response, you mention the measures being taken to improve enforcement of consumer law applying to on-line transactions. Whilst these measures are valuable, they rather miss the point of my concerns. Both “The Geek Squad” and “The Tech Guys” involve the consumer permitting individuals to access their computer equipment (and usually their homes). Such individuals are being given a position of trust by the consumers concerned, who will assume that they are (1) honest and (2) know what they are doing. As far as these points are concerned, it is extremely unlikely that the consumer will have the technical knowledge to understand (or indeed to be able to detect) what has been done to their equipment – that is after all why they have asked “The Geek Squad” or “The Tech Guys” to visit or to look at their equipment.
If you engage a security guard from a security firm, the individuals engaged are required to be registered with the Security Industry Authority and will have been vetted for criminality and there are requirements relating to their training. Yet the activities of most security personnel will usually be visible and will normally be comprehensible to the person engaging them. Should there not be some similar system of regulation and customer assurance of the quality of work in place for those individuals engaged by “The Geek Squad”, “The Tech Guys” or any other similar service? If no such system is in place, most customers – who are likely not to be skilled technically – will be vulnerable to data being stolen from them, to malicious code being placed on their machines or to more traditional forms of criminality.
I would welcome your comments on what can be done to address this. I am copying this letter to Lord West of Spithead (in view of the information security implications) and to Alun Michael MP (in view of his role chairing the Tripartite Internet Crime and Security Initiative).”
I will be interested to see if the civil servants get the point this time.
The Health Services Journal (reporting an investigation by More4 News) says that NHS computer systems were infected by more than 8000 viruses in the last year, most of which would have been avoided if the NHS Trusts concerned had kept their anti-virus software up-to-date.
This would be worrying enough (consequences described included the breakdown of patient appointment systems), but the complacent response of the Department of Health is breathtaking.
According to the HSJ:
“The revelation that NHS trusts have been poor at keeping their anti-virus software up to date has provoked concerns that they are vulnerable to viruses that could cause confidential patient data to be disseminated.
“But a spokesman for the Department of Health said the electronic patient records systems provided through the national programme for IT were “protected by the highest levels of access controls and other security measures”.”
However, my understanding has always been that once an individual machine has been compromised – depending on what malware has been installed – then all the data accessed or stored by that machine is potentially vulnerable. So if so many Trusts are failing to maintain up-to-date anti-virus software, then confidential patient data IS at risk.
The Department of Health spokesperson went on to say that:
“local NHS trusts were legally responsible for complying with data protection rules and were expected to record any breaches.”
So that’s all right then …….
According to the FBI, Goldman Sachs fell victim to potentially one of the most costly losses of information ever when one of their computer specialists decided that the $400,000 a year he was being paid was not actually sufficient compensation for his talents and decided to move to another company who were prepared to treble his salary. In the few days before he left, the employee apparently copied part of the code controlling Goldman Sachs’s electronic trading platform which enables them to respond almost instantly to market movements (probably in a way that makes those market movements even more destabilising for the rest of us but is highly profitable for Goldman Sachs).
Of course, it could have been worse, he could have tinkered with the code as well before he left, so that the trading platform would have bankrupted Goldman Sachs instead of making them enormous profits. At least, I assume that would have been worse …..
Moral: be nice to the geeks in your IT department.
Alan Johnson, the Home Secretary, has made it clear that ID cards will not be compulsory. In a press conference, he said that the pilot schemes for airside workers to have ID cards in Manchester and London City Airports would not now be compulsory for UK citizens.
He said:
“Holding an identity card should be a personal choice for British citizens – just as it is now to obtain a passport. Accordingly I want the introduction of identity cards for all British citizens to be voluntary and I have therefore decided that identity cards issued to airside workers, planned initially at Manchester and London City airports later this year, should also be voluntary.”
At the press conference, he was asked by journalists if ID cards would be made obligatory and said quite clearly that they would not be.
In a Parliamentary written statement he said:
“There will be significant benefits to individuals from holding an identity card which will become the most convenient, secure and affordable way of asserting identity in everyday life. Identity cards will also be valid for travel throughout Europe in place of a British passport. ….. However, holding an identity card should be a personal choice for British citizens – just as it is now to obtain a passport. Accordingly I want the introduction of identity cards for all British citizens to be voluntary.”
This is a sensible and proportionate approach to adopt.
I have always felt that identity cards were mis-sold when they were first announced. They were never going to be a magic bullet in the battles against terrorism or organised crime – although that was what was claimed when the proposals were first aired. However, a simple system enabling the citizen to demonstrate – should they wish to do so – who they are always seemed to me to have enormous value (certainly better than having to turn up at a bank with a driving licence, a council tax receipt and a utility bill). In essence, that is the system that the Government is now saying we will be moving towards.