back to article So, Gov.UK infosec in 2015. 'Chaotic'. Cost £300m. NINE THOUSAND data breaches...

The Cabinet Office is failing to coordinate the UK's government departments' efforts to protect their information according to a damning report by the National Audit Office. The NAO found that the Cabinet Office failed in its duty and ambition to coordinate and lead government departments’ efforts in protecting such …

  1. Anonymous Coward
    Anonymous Coward

    Is it me?

    or does anyone else when seeing "gov and IT" in the same story expect to see "loads of cock-ups, millions of pounds lost...."

    I'm sure IT wasn't meant to be like this, in the early days, there was so much hope.

    1. Bloakey1

      Re: Is it me?

      There was hope and we were told about the paperless office as well. We would all have lots of leisure time as we were knowledge workers and the machines would facilitate our copious amounts of time in Benidorm and Falaraki.

      Ahhh, what halcyon days.

      1. Anonymous Coward
        Anonymous Coward

        Re: Is it me?

        Ah yes, the paperless office! Back then, in the golden days when strong AI was "just around the corner", and people so easily mistook science fiction for reality.

        I still recall a wonderful cartoon from (I think) "Computer Weekly", maybe in the early 1980s. It showed two people in an office setting, manoeuvring carefully past each other in a doorway. The man is carrying a huge, tottering pile of books, folders, papers, tapes, disks, etc. that reaches well above his head. The young woman asks him, "What on earth is that?"

        To which the immortal reply is: "This is the documentation for the new paperless office system".

        1. Hans 1

          Re: Is it me?

          A paperless office is not quite possible, because it is based on the belief that all your clients and service providers are also paperless.

          However, if you have big printers, you certainly can purchase a proper document system and only ever print out what has to be sent by snail mail (so live with much smaller printers), the rest can be kept digital. Anything that comes in can be scanned, identified, and stored along in your document repository in the right folder ... takes less room, costs much less, and saves trees ... if you are not doing that, then you holding it wrong!

          1. Loud Speaker

            Re: Is it me?

            only ever print out what has to be sent by snail mail

            Just wait till you have to make an insurance claim and have no originals of the documents. Then you will see the benefits of "paperless".

      2. This post has been deleted by its author

    2. Anonymous Coward
      Anonymous Coward

      Re: Is it me?

      Not sure the "and IT" is needed, seems like Governments ( to be fair, the world over) primary skill is "To cock up and waste lots of money"

  2. m0rt

    Until there is due respect given to peoples' data in Governmental policies, there will be be no proper provisions in place, or planned for. Protection and privacy of data is dead until this is done. You can only take steps yourself, which seems to, more often than not, mark you out as someone who is trying to hide something.

    This extends into the private world, since usually companies will often 'comply'* with local law.

    This current state of affairs leaves me feeling incredibly sad and tired.

    *Or, like right now, just wing it until they get caught and are fined inverse-proportionately.

  3. Anonymous Coward
    Anonymous Coward

    Public misunderstanding?

    I keep running up against shock from members of the public that the government doesn't take the same care of personal data that the public expects government to take of personal data. It seems to have escaped attention that the government openly declared in 2013 and implemented in 2014 changes to the way that government classifies and handles data that contains an implicit assumption that data can and will leak and that government will not spend a lot of time and resources preventing leaks. See: Government Security Classifications note that on page 17 "Threat Model and Security Outcomes" that there is acceptance that "a risk based decision has been taken not to invest in controls to assure protection against [determined threat actors]."

    Add this more relaxed attitude to the security of personal data to the confusion caused by the new marking of OFFICIAL that now covers a range from the old unclassified to confidential and it's not too surprising that many government departments are confused about what they should be doing.

    Government guidance says "commercial practice" but is that at the level of (say) a bank or at the level of Talk Talk? The guidance doesn't say. Also unlike commercial practice the government is not going to hand out compensation if it loses your data.

  4. adnim

    Have GCHQ systems ever been breached?

    If not, perhaps they should share their infosec methodologies with other government departments.

    1. Lotaresco

      Re: Have GCHQ systems ever been breached?

      "If not, perhaps they should share their infosec methodologies with other government departments."

      Errm what do you think they already do? There's a GCHQ outfit called "CESG".


      "As the Information Security arm of GCHQ, we protect the vital interests of the UK by providing advice on Information Assurance Architecture and cyber security to UK government, critical national infrastructure, the wider public sector and suppliers to UK government."

      1. Dan Wilkie

        Re: Have GCHQ systems ever been breached?

        Exactly - as the old saying goes, you can lead a horse to water but you can't make him drink.

        Which isn't strictly true, but it's a lot of effort and I guess people would rather just buy another horse.

        1. Destroy All Monsters Silver badge

          Re: Have GCHQ systems ever been breached?

          Ministers and Civil Servants would be disquieted if you offered to accompany them behind the garden shed...

          1. Anonymous Coward
            Anonymous Coward

            Re: Have GCHQ systems ever been breached?

            "Ministers and Civil Servants would be disquieted if you offered to accompany them behind the garden shed..."

            Ron Davies would have been ecstatic to have that sort of offer.

            El Ron

          2. getHandle

            Re: Have GCHQ systems ever been breached?

            I thought many Ministers and Civil Servants paid good money to be taken behind the bike sheds.

            ..That doesn't quite read back the way I wrote it but, on reflection, probably works even better...

        2. RobertD

          Re: Have GCHQ systems ever been breached?

          Or, as Stan Laurel put it, "You can lead a horse to water but a pencil must be led". It is funnier if you say it out loud.

      2. Anonymous Coward
        Anonymous Coward

        Re: Have GCHQ systems ever been breached?

        Ahh CESG

        They're the people who mandate mobile VoIP standards with backdoors aren't they?

    2. Anonymous Coward
      Anonymous Coward

      Re: Have GCHQ systems ever been breached?

      well, as any GCHQ spook allegedly needs to be approved by someone called the National Security Agency before hiring, let's look at their best practise (pre Snowthing)

      There's no such thing as 'secure' any more. The most sophisticated adversaries are going to go unnoticed on our networks. We have to build our systems on the assumption that adversaries will get in. We have to, again, assume that all the components of our system are not safe, and make sure we're adjusting accordingly.

      refreshing stuff from December 2010 :

      1. Anonymous Coward
        Anonymous Coward

        Re: Have GCHQ systems ever been breached?

        "any GCHQ spook allegedly needs to be approved by someone called the National Security Agency before hiring"

        That's complete bollocks. HTH.

    3. allthecoolshortnamesweretaken

      Re: Have GCHQ systems ever been breached?

      Well, technically, ... given the "special relationship" and "Five Eyes" and what not, is it still a breach if the NSA did it?

  5. adam payne

    "with 8,995 data breaches in the 17 largest government departments in 2014-15."

    This makes Talk Talk look good.

    It really must be utter chaos in these departments.

  6. Anonymous Coward
    Anonymous Coward

    Isn't this reporting unfair, considering that the cabinnet Offce just hired a trainee and a secretary to solve these nasty tech-coordination problems? :-)

  7. John Smith 19 Gold badge

    "Protecting information while re-designing public services " How about starting with

    It's OUR data, not yours.

    As with ALL governments.

    Most "government" is actually CITIZENS data, which they demand from their citizens or subjects.

    And a lot of the time the voters would prefer neither to give it not that it be stored in the first place.

  8. John Crisp

    Sounds to me like marketing bull from Microsoft/Google/whoever...

    1. Announce the system is crap

    A short time later...

    2. Announce fantastic, new, better value, secure replacement

    1. Anonymous Coward
      Anonymous Coward

      These announcement people are all copypasting memospeak.

      The politicians/CEOs however, have evolved the ability to self-hypnotize so that they actually believe the memospeak. At least until the new memo.

  9. Anonymous Coward
    Anonymous Coward

    About facing both ways at once.......

    No wonder the typical (so called) civil servant is confused about security.

    On the one hand, civil servants working for HMG are building a modern STASI in Cheltenham, a STASI which depends on EVERYONE ELSE'S security being s**t so that they can hoover up emails, bank records, phone records, phone conversations, web browsing histories, mortgage records, and on and on and on........

    And on the other hand, these confused civil servants are wondering why on earth they need to harden the business systems which they use every day. wonder it's chaos.


  10. Lotaresco

    Tinfoil helmet alert

    "On the one hand, civil servants working for HMG are building a modern STASI in Cheltenham"

    That really is a consignment of geriatric shoe-menders, stupid scare-mongering of the worst kind. GCHQ has advised the public and industry to tighten up their security for as long as I can recall. They publish, openly, detailed guidance on how to best protect information on-line. They are deeply involved via initiatives such as Cyber Essentials and their support for IASME in helping industry, the civil service and individuals to become aware of what needs to be done and to do it. This is about as far away from the childish picture of "STASI" as it is possible to be.

    The problem is not the body tasked with establishing best practice in government security and with operating the UK's response to cyber threat, it is with the fact that the people who should be looking after our data do not take their responsibilities seriously.

    1. Dave 15

      Re: Tinfoil helmet alert

      What would be really interesting is to hack in and find out what they actually store on us. They being some nosey small minority of us given cart blanche to ensure the rest of us are not allowed to argue. Have you noticed the lack of protests, strikes, demonstrations, even the lack of pop protest songs. Everyone who even thinks it is locked up. The fact the government has no ability to look after data doesnt stop them collecting exponentially more of it and stupidly sharing it with anyone and everyone.

      Stasi... gestapo... nope, those guys never had a single candle to the groups at nsa and gchq and the governments that fund them

    2. Anonymous Coward
      Anonymous Coward

      Re: Tinfoil helmet alert

      Yup.....childish......and ad hominem too.....but then perhaps you have never heard of Edward Snowdon.....

      1. Lotaresco

        Re: Tinfoil helmet alert

        "perhaps you have never heard of Edward Snowdon"

        You're right, I haven't. Did Mr Snowdon do anything of interest? Or are you getting him confused with Edward Snowden?

        BTW, if you want to look less like a net-loon, stop typing lines of full stops between words. It's the web equivalent of writing in green ink. Ellipsis, used to indicate something has been omitted from text, is just three dots. A simple, coherent, argument will get your point across. Pointing fingers and shouting STASI! Is about the best way to get people to ignore your comment as that of someone bereft of clue.

  11. LewisCowles1986

    I hate to say it but the picture presented is always a #vendor-backed fluffy one, no wonder it's a steaming pile. Some dip-stick 5, 10, 20 years ago set them on a path they cannot deviate from (likely because the corrupt ministers and upper management have shares); they have to buy in lots of things from established vendors and there is no question legacy systems have to be maintained with the cost directly from the tax payer.

    Half the stuff they know to be expensive, old s**t, I know I've spoken to people in Government IT. Nobody seems to have the wherehwithal or backbone to question what is going on. Take Gov UK verify for example... They built a system to allow private businesses (with history of data breaches) to gain legitimate access to your data so the government can use it from them WTF!

    As usual I think we need stronger opinions, more public information and a complete ban for procurement from any vendor that has even one outstanding bug between two terms of service, with a cap of 5 years terms of service. As a private sector business owner you won't believe the crap some private buyers try to pull. Whilst I don't advocate for douchery, perhaps from something so tied to the public pocket we need a lot more oversight

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like