Dependence was their own decision although lack of decision might be more accurate. Decision by default, shall we say?
Governments resent their dependence on Big Tech
Senior politicians gathered at Singapore International Cyber Week (SICW) this week to discuss the current state of cybersecurity have articulated their discomfort with finding themselves dependent on Big Tech. "Large tech companies wield an unprecedented level of influence over economies and societies. At the same time, they …
COMMENTS
-
Wednesday 18th October 2023 11:00 GMT Neil Barnes
Big tech has good salesbods. The points that are being made though are significant and serious... if your infrastructure (both civic and military) cannot be shown to be immune not only to external actors but also to the manufacturers, should you be using it? The supplier may not be your friend tomorrow.
-
Wednesday 18th October 2023 11:38 GMT Lurko
The benefits of hindsight
Taking a high level view, dependence has crept in, rather than been an obvious decision point to accept the risks. Imagine outsourcing welfare payments processing using legacy systems to a third party data centre - that would just be seen as economic and sensible rather than a government welfare department trying to build, equip and operate its own processing. The decision to then buy and adapt an ERP from a major software house would likewise be seen as probably wiser than trying to build your own bespoke system (opinions may vary), but again, think that this is for a government welfare department who aren't IT experts. That of course exposes you to the full data stack the ERP provider is built on, and thus their vulnerabilities - but still, would the welfare department have done better if they'd built from scratch? Next up, the ERP provider pushes the customer to adopt SaaS, and again that's seen as the modern thing to do.
So at what point would it have been prudent to say "hold on, it looks like this would save us money, but we'll lose control of our core systems"? There's very few people would agree that many (or any) government departments are suitably clued up to design, build and operate their own systems, or to do so at a viable cost. If anything, the pressure is on from everybody that the government should save money on administration. Who's going to vote for a government that says "nope, not buying commercial IT, we need it bespoke or FOSS, and we'll put up government spending to pay for all the staff and development work we'll need, not just for new systems, but for world-class security on every government asset?"
The same arguments apply to the private sector, and are why big business is in near universal thrall to the SApacle duopoly. Whether this is a good or bad thing is hypothetical, we are where we are. But that raises the question this conference ponders but does not answer, where do we go from here?
-
Wednesday 18th October 2023 13:55 GMT David M
Re: The benefits of hindsight
Government departments clearly don't have the skills or resources to build their own IT systems, but what they do need is a few senior people who understand both the workflows and the technology well enough to ask the right questions, to define appropriate requirements, including for security, and to be able to monitor private sector development and deliverables to ensure those requirements are being met. I suspect that a lot of problems stem from the fact that nobody in the organisation has much of a clue about IT, so it's easy for suppliers to pull the wool over their eyes.
-
Thursday 19th October 2023 08:47 GMT Lurko
Re: The benefits of hindsight
Mostly that's correct, but it's not universally true. I work for a government department, and the directorate in which I work built its own case management system using MS Dynamics. Done near enough on time and on budget for a few million quid, it works well, replaces a slew of legacy proprietary systems and internal spreadsheets and databases, and is a real step change in organisational capability. Yes, we're on the hook to MS for the underlying technology and hosting, on the other hand we've designed and built a system that works, we own the design and can modify as required. Internal PM and design team, used contractor devs because the civil service isn't allowed to pay the going rates, and because we've used a common technology platform we'll not be facing the skills problems a few years down the road when changes are inevitably required, unlike a true proprietary system. As with everything in both public and private sector, the public only hear about the failures, and the private sector are better at hushing those up.
I'd suggest the biggest problem for most government departments is not the loss of control to third parties, but those problems David M describes. The chaos at other government departments over case management systems is mind boggling. We're not a tech directorate, our digital team simply asked the right questions, listened to the answers, made sure that created a design for something that would work, and built what was asked for, without involving the usual big consultants like Fujitsu or Crapita who seem to act as agents of failure in so many things they touch. The prison service spent £100m on a case management service and then scrapped the lot of it without even finishing, the courts service have spent over a billion on a CMS system that's barely functional, yet a case management system should be one of the easiest things to build properly.
In our case, the real senior expertise was letting the digital team get on without interference, not engaging consultants, and it did help that our leadership do actually understand the operational processes and the need very well, all having come up through the ranks.
-
Wednesday 18th October 2023 11:17 GMT Anonymous Coward
You don't actually have to depend on big tech, you chose to do so because it's cheaper upfront to buy a premade solution and use someone else's data centers and network. You also don't have to be as responsible for hunting bugs and security problems.
As for patch Tuesday being like a car recall every month, given the poor security of automotive software that would actually be an improvement.
-
Wednesday 18th October 2023 11:22 GMT b0llchit
Bullshit and I told you so
...discomfort with finding themselves dependent on Big Tech.
Wow! That must hurt to admit that they are a collective bunch of idiots trusting the untrustworthy with your data. As if the signs were not on the wall from the start and they hadn't been told by the knowledgeable. But being good politicians, they have a plan to shift the blame. They will blame "the other guys" and again may shine in the light of utter bullshit eaten up by other idiots.
-
Wednesday 18th October 2023 12:05 GMT JimmyPage
Oh, grow up
"Large tech companies wield an unprecedented level of influence over economies and societies. At the same time, they enjoy a remarkable degree of freedom from regulation and accountability for their activities and the content they carry," opined Singaporean minister Teo Chee Hean at Monday night's opening address.
That is almost the bumper sticker for Western capitalism. Power and money with naff all oversight, regulation or where possible competition.
And for all their performance handwringing, all I can see from where I live is governments are aspiring to the same. Certainly here in the UK where it seems you are robbed with the threat of prison for your taxes, and yet discover that no one in government is actually responsible for anything.
-
Wednesday 18th October 2023 15:58 GMT Anonymous Coward
How about governments get their shite together
Europe has GDPR. Australia has their Essential 8. US has DISA & FedRAMP. The list goes on & on. They are all bitchy and whiny about where their data physically resides... usually because their government wants Big Tech to spend millions on a new data center inside their country.
Security knows no such bounds. Security doesn't care where your data resides or what government policies it falls under. If it is vulnerable to compromise, then it will be attacked.
If the public sector wants better security from the private sector, make it easier for the private sector to deliver. If the governments of the world adopt a unified security standard then we can all stop playing the stupid games - in EMEA we do it this way, in APJ we do it that way, and NAM is a completely different animal....
That would never happen though because governments don't like to play nice with each other. They all like to claim they are somehow more special than each other. But again, the attackers know no such bounds & limitations.
-
Wednesday 18th October 2023 16:15 GMT Danie
Government is lazy
Well our government (in South Africa) could follow through on its promise back in 2007 to go open source, or finish the 10-year eGov project that they started (self-built with open source). It would likely cost a lot less than SAP or Oracle, and keep all the money on-shore with local businesses. Estonia has done it, India has also done it (and has shared their code), so why can't we? It just takes some willpower and a sense of commitment.... Buying into a foreign owned cloud service is only going to cost more and more, and you'll have very little you can ever extract and use elsewhere (equals vendor lock-in).
-
Wednesday 18th October 2023 18:42 GMT Anonymous Coward
Greener grass elsewhere
Big Tech are virtual countries with exceptional highly paid workforce. Internet has made physical borders irrelevant. Governments will never become more competitive to attract the talent, unless they lock it physically like in China or North Korea. The dependency is unlikely to disappear due to concentration and monetization power.
As for impact of social media and disinformation, the power of Big Tech is easy to tame by legally forcing the companies to exclude sensitive and political content from boosting and suggestion algorithms. For example a political video or post must not be impacted by likes, comments or other metrics. It will be there, but its position or views will not be manipulable. Such content should not be subject to algorithms meant for general entertaining content.
-
Wednesday 18th October 2023 19:43 GMT Anonymous Coward
Bloody turncoats
For the last thirty years, to my knowledge, governments have deliberately rolled over and invited Big Tech to tickle their tummies with whatever gobshite (sic) their salesmen were peddling that day. 10 years ago I was part of an initiative, supported by the Cabinet Office no less, to change that. Yes, folks, 10 years ago the Cabinet Office was 10 years ahead of its time. Like fuck did their fellow Departments want to know.
Today I am a one-man initiative in another part of the forest (hence AC). Thank you Laura Dobberstein for the tipoff.
-
Wednesday 18th October 2023 22:27 GMT TheMaskedMan
"Meanwhile, these companies ultimately "make their own decisions," such as which nations they boycott or the content they carry."
A company making its own decisions? You mean they're not prepared to let a government - or anyone - dictate what content they carry? And are prepared to walk away from any nation that tries? How very dare they!
While I appreciate the security concerns, the general tone of the quotes here sounds like bratty political types having a tantrum because they can't have their own way with other people's systems.
The ability to walk away enabled WhatsApp et al to stand up to the British government over encryption, leading to a magnificent bit of face saving. I can certainly see that governments don't like that, but it's worked out well enough for the rest of us. If government wants absolute control, it should build its own systems (and look how well government IT projects usually work out). Otherwise, they have to put up with being just another customer.
-
Friday 20th October 2023 10:31 GMT garwhale
IT systems built by government departments have a long history of enormous cost, massive cost overruns and delays of years in delivery. Firms are not immune from such problems, but competition forces poor performers out. To force companies to take security seriously, big fines and compensation need to be introduced.