Neil Mellor says that new arrangements for suppliers’ self-certification do not mean that the public sector supply chain will become the Wild West.
I want to draw attention to cyber crime and the public sector’s increasing appetite to conduct more business and offer more services across the Internet.
In September, Andy Beale, Director of Common Technology Services at GDS, proposed a change from external accreditation of services by CESG for G-Cloud services to a supplier-made assertion of capability – statements asserting how services meet certain security principles. GDS suggested it was becoming unsustainable to process all submitted applications for accreditation as the marketplace expanded.
Announcements from GDS last week confirmed that G-Cloud [V6] suppliers will be subject to self-assertion and this may be extended to present a consistent approach to the base level of security in the Government’s supply chain.
Government CTO Liam Maxwell has also recently stated that a simpler, proportionate, user-focused and ‘appropriate risk management’ approach for PSN was needed to ensure that it remained “a network that meets user needs and gives the great benefits of joint purchasing…”.
However far-ranging assertion of capability extends, PSNGB supports initiatives from GDS that make the public sector marketplace more accessible. As we have stated previously, self-assertion could help to uncork a bottleneck preventing very many commercial services reaching public sector buyers. This doesn’t mean we expect the public sector supply chain to become the Wild West; we’ll expect to see suppliers asked the right questions with matching capability assertions and with some degree of sample audit in place to verify returns. But, by relieving the bottleneck and cost of accreditation, it should help more suppliers add more services onto PSN.
What it also does is bring appropriate security, sharing and confidentiality out of the shadows and into the limelight – exactly where it should be. This is an area I have been keen to explore for some time because I believe security is an important pillar of a transformed public sector.
It’s a given that public sector business must be carried out on the Internet. It is an essential channel for public communications and digital engagement and critical to reducing the cost of delivering services. GOV.UK has proven to be a catalyst for the move to digital – in October, it announced its one billionth visit and now ranks alongside websites such as BT, BBC weather, and Sky News in terms of weekly visits.
With public sector to citizen communications, transactions and cost transformation increasingly dependent on the Internet, understanding and managing risk is vital.
A recent report from PSNGB member, BT, suggests that 36 per cent of public sector IT decision makers admit their organisation was hit by Distributed Denial of Service (DDoS) attacks over the past year, with three-quarters (75 per cent) hit more than once.
DDoS protection is a prerequisite to ensuring that access to information and services is unimpeded; though only around a third of public sector organisations have taken this measure – according to the same BT survey. Adequately protected, more use can and should be made of the Internet in public service delivery.
At this point it is worth drawing attention to a report from CSC. It concluded, in part, that the increasing digitisation of public services is putting more citizens’ data at risk of cyber attacks.
Protect and prevent?
Whilst protection can help identify the worst repercussions of an attack, it cannot prevent them. It is PSNGB’s view that no information or application that is mission critical to an organisation should reside on the public Internet.
Public sector organisations, therefore, need to consider optimum use of the Internet, what’s essential to keep within the private or shared private WAN (PSN) and how the gateway between them is protected, especially where a third party provides this and the information provider may have little or none of the control, but all of the responsibility.
In the commercial sector, board level understanding of the threat posed by Internet-borne attacks is at a much higher level than in the public sector. Banks and pharmaceutical companies, for example, faced with very significant threats to their operations, are now realising the need for additional protection even within virtual private networks in order to defend themselves from the latest attacks.
So, to the question: what is the purpose of brakes on a car? The purpose of brakes on a car is to enable you to go faster and be more agile, knowing that you can avert dangers; and not, as you might think, just to slow you down or to stop. Good security should be the same: not intended to be a hindrance, but there to enable organisations to deliver services, compete and transform in a trusted environment, faster, better and cheaper.
There’s no ‘one size fits all’ for public sector networks and security. Users need to know they can depend on and trust the network over which they hold and share business-critical information and applications in the light of the risks involved. PSN provides that assurance but to continue to improve the quality and cost efficiency of citizen communications and interaction, the Internet too has a big part to play. Good security is critical to both.
Neil Mellor is marketing director at public services network supplier organisation PSNGB