There are many packaged information security products, some more effective than others
Most individuals and organizations paid no attention to information security until computer virus and spyware attacks, via the Internet, became endemic. For the majority, it became a matter of signing up for a firewall, anti-virus and anti-spyware software and regarding the matter as closed. For busy people there may not seem to be much alternative, or need for an alternative. There is always some other emergency to deal with. When an individual is making personal decisions, or an organization is taking a decision in a narrow part of that entity’s operations, it may be fair enough to make a quick and poorly considered choice. Unfortunately, what we each do now affects so many other people, including people we are never aware of, and who, in turn, are unaware of how we have affected them.
The real task should have been to consider risk management across an enterprise, whether that was an individual, a family, a community, a commercial organization, a community service organization, or a government. Holistic risk management is a concept that calls for an analysis of operational objectives (what we are here to do), with an analysis of potential or actual risks (all those things that could impede us in achieving our objectives). Once we know where we are, and where we want to get to, we can decide on the relative importance of each of the elements that we have reviewed.
Start by reading a good handbook on holistic risk management to decide how to approach the process
As with any aspect of life, we can decide, at the start, how much of a task we want to set ourselves. We can use paper and pencil in a rapid and informal review that records what we already knew and what we thought we knew but didn’t. At the other extreme we can establish many committees, buy sophisticated computer-based systems and do everything using a formal language so that the review is firmly based on mathematical analysis and decision-making. Between the two extremes are many alternatives with varying degrees of bureaucracy. Government departments and large corporations tend to use the most complex and bureaucratic approach, but that does not necessarily produce the most effective result. Where it fails, it is usually not a failure of methodology or technology, but the inept manipulation of the tools to achieve a preconceived result, or to conceal widespread error.
One example of this is the Blair regime’s use of Gateway Reviews where consultants are employed to produce reports on the effectiveness of major information system projects and procurements. The reviews are rarely objective because of the specification laid on the consultants. If the review produces a result that might make the regime look good, it is published, or ‘leaked’ in parts. If, as is probably the most common situation, the review identifies a series of glaring errors and incompetence, the regime claims that the information cannot be released because of some fictitious risk to the Gateway Review process. The Information Commissioner then rules that the information must be published and the regime hires an army of very expensive lawyers to frustrate the Information Commissioner. If Government manages to continue to suppress the reports, it may be that seriously defective systems will be implemented and the data that they contain may be of the lowest integrity.
The reason that holistic risk management should be employed is that it does not mandate a ‘Right Way’. The analysis stage simply lists and reviews all of the elements of objective and risk. That analysis has to then be turned into something meaningful to the specific enterprise. Every enterprise, from the individual to the largest organization, has a culture. Some are comfortable with taking risks to achieve objectives. Others are very cautious. As a result, those who want to reach their objectives most completely will be prepared to accept much less risk reduction, or outright avoidance, than would a conservative enterprise that is averse to risk. The analysis can be used in any way desired, but it will provide a map of objectives and risks. At any time, the approach to managing risks can be changed. It will have a direct effect on the achievement of objectives, but the effect will be identifiable before the final decision is taken.
As a result, we can all manage risk effectively according to the lifestyle that we desire. However, the core of this process is information risk. It begins with the analysis because, if the analysis is flawed, every decision could be flawed. The real issue is the integrity of the information rather than the assurance or availability. We need to know where the information came from, who handled it, who accepted it, and how it has been stored and used. If we do not have that knowledge, the information has a low integrity. That can mean that it is worthless, but it can also mean that it is dangerous. Our lack of knowledge automatically means that assurance is also low. Providing high availability to the information can mean that we lose control of it completely. A major loss of control can be established through uncontrolled data aggregation, where high integrity data is mixed and adulterated with lower integrity data and the sum of the ingredients creates what is, effectively, new information that has the integrity of the lowest integrity level data involved in the aggregation.
In a manual paper-based system, we can ensure a high integrity because each document has an author. That author can include a bibliography of sources to show how the information was collected or measured. The document can be held in a secure storage system where a librarian is responsible for signing out and signing in every document. That does not guarantee that someone using the document is not irresponsible, but they can be interviewed and investigated if a problem occurs. Electronic systems can work in exactly the same way and should employ that level of supervision and measurement if the contents of an electronic document are to be used to enable and support decision-making.
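The aggregation rule described above (new information takes the integrity of its lowest-integrity input) and the librarian's sign-out and sign-in record can be modelled in a few lines. This is an added example, not part of the original article; the three-level scale, the `Record` fields and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional
class Integrity(IntEnum):          # assumed three-level scale, not from the article
    LOW = 0      # origin unknown
    MEDIUM = 1   # origin known, custody record has gaps
    HIGH = 2     # origin known, every sign-out matched by a sign-in

@dataclass
class Record:
    name: str
    source: Optional[str]                          # where the information came from
    custody: list = field(default_factory=list)    # (person, "out" | "in") entries
    parents: list = field(default_factory=list)    # inputs, if this is an aggregate

def custody_complete(custody):
    """True when each sign-out is closed by a sign-in from the same person."""
    holder = None
    for person, action in custody:
        if action == "out" and holder is None:
            holder = person
        elif action == "in" and holder == person:
            holder = None
        else:
            return False       # double sign-out, or returned by someone else
    return holder is None      # nothing may still be signed out

def integrity(record):
    """Own rating for a source record; lowest input rating for an aggregate."""
    if record.parents:
        return min(integrity(p) for p in record.parents)
    if record.source is None:
        return Integrity.LOW
    return Integrity.HIGH if custody_complete(record.custody) else Integrity.MEDIUM

def aggregate(name, *records):      # new information that remembers its inputs
    return Record(name, "aggregate", parents=list(records))

def weakest_inputs(record):
    """Names of the source records that set an aggregate's rating."""
    if not record.parents:
        return [record.name]
    floor = integrity(record)
    return [n for p in record.parents if integrity(p) == floor for n in weakest_inputs(p)]

# Constructed sample data
survey = Record("survey", "field team", [("clerk", "out"), ("clerk", "in")])
ledger = Record("ledger", "finance", [("analyst", "out")])   # never signed back in
forum = Record("forum_post", None)                           # origin unknown
report = aggregate("report", survey, aggregate("appendix", ledger, forum))
```

Here `integrity(report)` is `LOW` even though one input is rated `HIGH`, and `weakest_inputs(report)` names the single untraceable source that pulled the whole report down.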
The false prospectus presented by the Blair regime to justify the invasion of Iraq is an example of one, or more, documents that can be traced to sources and individual decisions. A judicial review, which may eventually be undertaken, would be able to call for all records to be made available and question all those who worked with the information. If intelligence officers were responsible, they would have made a case against falsification and demanded a written instruction from politicians. If the written instruction was refused, the intelligence officer should have recorded any concerns, including recommendations against political orders. Under judicial review, the officer’s notes may not be acceptable evidence for a conviction but it will be possible for all parties to be questioned, leading to probability or admission.
As the Internet becomes more and more an integral part of life for so many enterprises, the amount of casual and untrusted information in circulation increases dramatically. However, we do have some control. An enterprise can decide how information, obtained via the Internet, can be used within the enterprise and what information may be contributed back to the Internet. The growing difficulty is that we are not able to control an increasing percentage of information that relates to us.
Others may not take the same care that we do
The first area is in the management, by others, of data that we have provided. A current British scandal is created because banks have been dumping highly sensitive customer information in rubbish sacks left on public streets, or where the public has potentially uncontrolled access to the refuse. This is a major risk to those customers because it reduces the integrity of what should have remained high integrity sensitive information. The risk is not just that the sensitive information may have been stolen, or copied, and used in an unauthorized way, but that we no longer know for certain what has happened to the information. The fact that someone has not impersonated the original information providers for hostile purposes does not mean that an attack will never happen. Where a large amount of customer information has been so carelessly dumped, it will take criminals some time to get round to using all of it in crimes. In this example it is unlikely to have been the first incident, just that previous careless acts have not been detected.
The Great Index is associated with the Russian KGB but was started under the Czars. Similar systems were attempted in Germany under the Gestapo and SDP. The same principles have been embraced by the Blair regime
A slightly different, but no less sinister, example is the reckless actions of the Blair regime. This is a combination of deliberate actions and incompetence. From the start of the Blair regime in 1997, one continuing policy has been the establishment of a Great Index that would allow government to survey in minute detail every citizen. The primary purpose may have been to create a police state, where single party government is established and where a small ruling elite is immune from the wishes of the mass of the population. However, the way in which the Blair regime may have intended to use the information is the smaller part of a huge risk for every citizen.
Systems implemented in Britain, by the Blair regime, have an appalling record of reliability. The initial entry of data is very seriously flawed and the subsequent performance of the system has degraded the integrity of the data further. As data is shared between systems, these systems are infected with low integrity data and this destroys their system integrity. The situation may now have reached the stage where the only way to restore data integrity would be to scrap all systems and start again. This would represent a phenomenal cost, even if the new clean systems were only created where there was a clear proven need for the government to require the information from citizens and where only essential information is collected.
There is mounting evidence that deliberate data subversion has taken place because government systems are inadequately protected from attack, and have been inadequately administered to identify where an attack has taken place, and the consequences of that attack. However, as the integrity of government data continues to fall, criminals and political attackers may move to non-government systems that have a higher level of integrity, placing those systems under greater threat.
Low data integrity poses two very specific sets of threats to citizens and customers of enterprises who take the same lack of care in managing information under their control.
The first set of risks comes because this contaminated data is sold on to third parties without the specific knowledge or approval of those who contributed the data. With a commercial enterprise the problem can be reduced because citizens could refuse to supply information. It is a different matter in the case of government because the citizen is legally required to provide information requested. In the case of the new Internal Passport and External Passport system in Britain, citizens will not only be forced to provide information that will be sold or used in any way the Blair regime considers appropriate, but they will have to pay for the privilege of being abused. The cost will be both in the time and travel costs of going to an interrogation centre, that may be some considerable distance away, and in a direct fee payable before the Passports are issued.
The second set of risks is created because the data contributor has no control over what happens to sensitive personal information and no knowledge of who has had access, or for what purpose. From emerging scandals, it has transpired that citizens have been threatened by criminals who purchased information from the British Government to enable them to make their assault. There have already been a number of serious miscarriages of justice where low integrity data has been presented in court and where it has influenced a trial outcome. British motorists are already very familiar with the unchallenged use of flawed information at trial for alleged traffic offences. Magistrates, judges and juries still place levels of blind trust on ‘evidence’, presented by the government and its agents, which might have been justified under the old paper-based system of information handling.
Sally Clark, who recently and tragically died, was one of a number of high profile miscarriages of justice where conviction was influenced by very low integrity information used in evidence by prosecutors
An immediate reduction of risk could be achieved if Courts begin to treat any information, presented by government agencies, or any other litigant, as having a very low integrity, to the point where it cannot be admitted in evidence, unless its integrity can be proved beyond any reasonable doubt. This would restore some balance, but the real solution is to treat information integrity seriously and ensure that all electronic systems are subject to, at least, the same standards of accountability that have traditionally applied to paper-based information. Coupled with that is an urgent need to make sure that the consequences of networking any information resource are fully considered and that information integrity is adjusted accordingly.
This does not have to limit those who voluntarily choose to take a relaxed attitude to information risk. It just means that they should clearly show where the integrity may be suspect.
For example, one consequence of the Internet has been that managers of enterprises ‘save money’ by conducting research over the Internet and interpreting the information themselves, where they would previously have purchased a prepared market analysis from a specialist company. The purchased analysis would have an integrity that was based on the reputation and experience of the research company and their ability to identify and prove their information sources. It can be argued that a senior manager working as his, or her, own researcher is actually more expensive than paying a specialist company, but there are situations where money is saved when preparing a business report. Where the report is used to provide general trend indication it may not present any difficulties, proving perfectly adequate. Where important decisions have to be made on the information in the report, it may still be safe to use the information in that way, provided that the decision maker fully understands how the information was sourced and what level of integrity it has.