Defence secretary Des Browne's appearance in the House of Commons today was a grim, if instructive, affair, and only served to reinforce everything I said a couple of weeks ago on this blog: security is first and foremost about people, policies, management and enforcement. Technology comes a long way behind.
Security is always about the weakest part of the chain – data's interface with everyday employees – and rarely about defence-grade encryption protocols and sexy multibillion-dollar IT programmes. Indeed, those are the things most likely to neglect the little guy.
Mr Browne admitted that there has not been just one incidence of an MoD laptop going astray with people's personal details on it, but three since 2005. The Tories countered that, in fact, there have been literally hundreds of laptop thefts from armed services employees, and many of those computers may also have contained sensitive information. The government has admitted to 69 laptops and seven PCs being stolen in the past year, and has issued a staff ban on the movement of data.
All told, that is a staggering illustration of how everyday occurrences are where the real risk lies, and not in shadowy bunkers in some far-off corner of the 'Axis of Evil'. We're talking about the Axis of People: careless people; people who don't follow security guidelines; people who are lazy; people who are the victims of opportunistic criminals... everyday human beings, in other words.
These are the people who, in the real world, have access to databases, and they are rarely technology buffs or experts in data protection and privacy laws. They are too busy doing their own jobs – such as managing the front desk in a busy doctor's surgery, or working in the back office of a local town hall.
Familiar opposition cries of systemic incompetence in Whitehall miss the main point – most average employees are not security or privacy experts – but amply illustrate another: that senior management gets the blame for the little guy not being considered.
However, the defence secretary unwittingly raised some other questions that must call into question the government's competence to manage future large-scale technology and data programmes on behalf of the public, such as the NHS IT system and the proposed national ID card. First, he said that none of the data on the laptops was encrypted; and second, that he had no idea why.
But the major admission was number three: he had no idea why so many employees needed access to such large databases – the implication being that the real weakness in the MoD's security policies was people using the system. Exactly, minister.
Mr Browne, should future large-scale projects go ahead without just such a radical rethink of what security and privacy mean in the real world (that security is always, always, always about people, and especially the little guy, and no amount of money and technology can alter that), then these upcoming schemes risk data loss and theft on an unprecedented scale, even in the wake of the loss of 25 million families' details in the Child Benefit scandal.
Minister, if the weakness in security is, indeed, lots of people accessing the data, then you have effectively lost your own argument in favour of systems designed to do exactly that: facilitate the widespread sharing of sensitive public data across the NHS, and across all internal and external security services affecting the UK. A staff ban on the movement of data is not a blueprint for the data-sharing future across public services promised by Whitehall.
The further issue for us in the outsourcing community, though, is that all of these MoD computers were managed by an overarching IT function on behalf of the three armed services. The lesson here? No security policy will stand up to real-world tests if a third party neglects its basic obligations. If those third parties are located offshore – as some schemes undoubtedly will be in future, and have been in the past – then your security policy is concerned not just with rules and their enforcement, but also with remote management of the third party, and with robust HR policies. What further risks are we prepared to take?
• With Gordon Brown recently striking a cautionary note on the ID cards scheme, the time has come for a much more realistic appraisal of the advantages and disadvantages. Any compulsory scheme must be put before Parliament; this year, the collective mood of the Commons may have darkened.
Moreover, as I've said before on this blog, the real question to ask of any large IT scheme is the simple one: why? ID cards will do nothing to prevent home-grown terrorism, as we are always promised, and little to prevent everyday identity theft or fraud. The only possible impetus must be a commercial one for the government: the turning of private data into a public, tradeable commodity.