Thursday, 22 November 2007

I Lost Yesterday But Not Millions of Records

If you were like me, yesterday went by in a blur. So fast did it happen that it was over almost before it began. I was lost, yes lost! I cannot remember when I was more lost. Lost, that is, in disbelief, total disbelief. No, I could not be hearing and seeing what I was hearing and seeing. The world had become almost surreal, as though all those standards one has been given for most of one's life were thrown to the wind.

I lost my day focusing on the news that I could not comprehend, let alone understand. This news pales in comparison to something I had ever experienced in the computer industry. I could not believe the news that two data disks containing the information of almost half the population of the UK were lost. No one seems to know where, but after several weeks the Chancellor and Prime Minister of the UK have had to conclude that an astonishing amount of very private information was lost.

Now lost is a pseudonym for something very serious. We assume that when data is supplied to a government it gets put onto a secure system and it stays there unless someone accesses that system by means of a tried and tested security method. In the office that lost the information in the UK, there appear to have been two systems, one for one group of people that was very secure and another for another group of people that obviously was very insecure.

Unfortunately, in this specific office, having two systems has meant that the whole system was compromised, like having a back door to a bank that remains open for some people to use as long as they have special access to that door. We often hear of computer programmers leaving a back door into secure systems that only they know how to use. By definition, such systems are insecure. One only has to watch the American TV series 24 Hours to see the implications of such insecurity. In effect, the data lost in England was not secure and never was. The implications of such levels of insecurity are potentially catastrophic for the entire information world.

Governments, like doctors, are respected for their level of competence, trustworthiness, reliability, honesty, capability, and intelligence. What we have observed is at the very least a lack of skill! At its worst, the loss of data may have been deliberate and will be used by some unknown group.

Today, we must think that we may never know where the data has gone, who has by now copied it, and what the gains are to those that have the data, say even for marketing of goods and services. Think how such data could transform the competitive landscape for small companies struggling to survive against a large organization with such 'secret' information. Think how such information could be used by the terrorist worlds or by secret police organizations and government-based groups seeking to undermine.

Now audit systems are supposed to determine whether a system is secure and it would seem that the auditors of this particular office did just that. They found out by their own methodology that the system they were asked to review was insecure. The only problem is that the auditors used an insecure system in order to determine the insecurity of a system that was designed to be secure but was quite insecure. Perhaps there is logic in the auditing system that was used after all. It seems to have unearthed more than one insecure system: an insecure system of data storage, an insecure system of data retrieval, an insecure system of data review, an insecure system of internal audit, and an insecure system of external audit. One could go on and on!

Now the issue is whether there is a loss beyond the loss of data, which is very serious in itself. If I give you a key and you lose it, then you are responsible for the loss that occurs to me should that key fall into the wrong hands. Right? Well, almost but not quite! You could argue that you were insane or incompetent and that I should never have given you the key. Even worse, you could say that you knew that I would lose the key. Even worse, you might say that I told you to give the key to someone else so that I could rob myself for some nefarious reason. Perhaps there are parallels in the above analogy to what has happened to the lost data in the UK.

In a typical case of theft, the thief knows what he is after, having stolen many times before and having been trained in the art of thievery. What do we do if the data was not just lost, but stolen? If the data were stolen, which seems very likely, then the thief had probably stolen before and knew what to steal and how to use the data stolen. There could even have been an organized group behind the theft who knew how to use the data stolen. If that is the case then more has been lost than data of twenty-five plus million people. Much more has been lost! Even worse, the liability is now that of the people who gave the data under systems of faith and trust. When you provide data, you trust that the people you have given the data to are trustworthy and do not have nefarious goals beyond those that you can imagine.

The problem with this case is that you might trust one office of government but not the whole of government and when one part of government makes demands on another, you and I might lose that trust. For example, I don't trust CDs as a means of transporting 25 million records. You probably don't either. When we give our data to another group we expect them to use reasonably secure methods of holding and retrieving. At this point, I think one could have truly lost trust in the various offices of government which exchange private information. Why is this? It is because we cannot trust that the methods of the government in data storage and retrieval of private information were or are, in the case of the UK, reasonably secure.

This lack of trust, if it were to include the banking system, would bring about a crisis of confidence beyond our imagining.

Needless to say, we must insist that the people who receive our data give us reassurance that they can be trusted throughout their organisation. After all, a security system is only as strong as its weakest link, which I think we can now see in the case of the UK system that lost the valuable data of millions of people.

Now the question arises as to who should resign. My gut feeling is that the whole present government should resign if the data is not found in the next 24 hours. Yes, the whole lot, and new elections be held in February. Perhaps that would go part of the way to helping people recover some of the loss in confidence that could occur over the next few weeks as the full implications of what has happened are reflected on in the sanity of day and the insanity of a dream-like state we call sleep. Who can sleep soundly after this?
