Monday, January 20, 2014

Am I Being Official? Or Just Too Sensitive? Changes in Protective Marking.

From April 2nd - no fools these folks - government’s approach to security classifications will change.  For what seems like decades, the cognoscenti have bandied around acronyms like IL2 and IL3, with real insiders going as far as to talk about IL2-2-4 and IL3-3-4. There are at least seven levels of classification (IL0 through IL6 and some might argue that there are even eight levels, with “nuclear” trumping all else; there could be more if you accept that each of the three numbers in something like IL2-2-4 could, in theory, be changed separately). No more.  We venture into the next financial year with a streamlined, simplified structure of only three classifications. THREE!  

Or do we?

The aim was to make things easier - strip away the bureaucracy and process that had grown up around protective marking, stop people over-classifying data making it harder to share (both inside and outside of government) and introduce a set of controls that as well as technical security controls actually ask something of the user - that is, that ask them to take care of data entrusted to them.

In the new approach, some 96% of data falls into a new category, called “OFFICIAL” - I’m not shouting, they are. A further 2% would be labelled as “SECRET” and the remainder “TOP SECRET”.  Those familiar with the old approach will quickly see that OFFICIAL seems to encompass everything from IL0 to IL4 - from open Internet to Confidential (I’m not going to keep shouting, promise), though CESG and the Government Security Secretariat have naturally resisted mapping old to new.

That really is a quite stunning change.  Or it could be.

Such a radical change isn’t easy to pull off - the fact that there have been at least two years of work behind the scenes to get it this far suggests that.  Inevitably, there have been some fudges along the way.  Official isn’t really a single broad classification.  It also includes “Official Sensitive”, which is data that only those who “need to know” should be able to access.   There are no additional technical controls placed on that data - that is, you don’t have to put it behind yet another firewall - there are only procedural controls (which might range - I'm guessing - from checking distribution lists to filters on outgoing email, perhaps).

There is, though, another classification in Official which doesn’t yet, to my knowledge, have a name.   Some data that used to be Confidential will probably fall into this section.  So perhaps we can call it Official Confidential? Ok, just kidding.

So what was going to be a streamlining to three simple tiers, where almost everyone you’ve ever met in government would spend most of their working lives creating and reading only Official data, is now looking like five tiers.  Still an improvement, but not quite as sweeping as hoped for.

The more interesting challenges are probably yet to come - and will be seen in the wild only after April.  They include:

- Can Central Government now buy an off-the-shelf device (phone, laptop, tablet etc) and turn on all of the “security widgets” that are in the baseline operating system and meet the requirements of Official?

- Can Central Government adopt a cloud service more easily? The Cloud Security Principles would suggest not.

- If you need to be cleared to “SC” to access a departmental e-mail system which operated at Restricted (IL3) in the past and if “SC” allows you occasional access to Secret information, what is the new clearance level?

- If emails that were marked Restricted could never be forwarded outside of the government’s own network (the GSI), what odds would you place on very large amounts of data being classified as “Official Sensitive” and a procedural restriction being applied that prevents that data traversing the Internet?

- If, as anecdotal evidence suggests, an IL3 solution costs roughly 25% more than an IL2 solution, will IT costs automatically fall or will inertia mean costs stay the same as solutions continue to be specified exactly as before?

- Will the use of networks within government quickly fall to lowest common denominator - the Internet with some add-ons - on the basis that there needs to be some security but not as much as had been required before?

- If the entry to an accreditation process was a comprehensive and well thought through “RMADS” (Risk Management and Accreditation Document Set) which was largely the domain of experts who handed their secrets down through mysterious writings and hidden symbols

It seems most likely that the changes to protective marking will result in little change over the next year, or even two years.  Changes to existing contracts will take too long to process for too little return. New contracts will be framed in the new terms but the biggest contracts, with the potential for the largest effects, are still some way from expiry.  And the Cloud Security Principles will need much rework to encourage departments to take advantage of what is already routine for corporations. 

If the market is going to rise to the challenge of meeting demand - if we are to see commodity products made available at low cost that still meet government requirements - then the requirements need to be spelled out.  The new markings launch in just over two months.  What is the market supposed to provide come 2nd April?

None of this is aimed at taking away what has been achieved with the thinking and the policy work to date - it’s aimed at calling out just how hard it is going to be to change an approach that is as much part of daily life in HM Government as waking up, getting dressed and coming to work. 

8 comments:

  1. Anonymous, 11:48 am

    and will Local Government, Police or NHS even adopt it? PSN mandates aside, none of those stakeholders are committed to it yet.

    1. Agreed. All very complicated. I'm not even sure all of central government will adopt it yet. And PSN has a lot of work to do on other things whilst still confronting this.

  2. As usual, a useful and thoughtful article, Alan, but taking a moment to look back 13 years to the birth pangs of the Gateway, UK public service has come quite a long way - though, as you suggest, further to go. I guess the critical thing with all security is PEOPLE - OK, sorry for shouting!

    1. True, but it ain't about the past ... it's about the future. Or so someone probably said it is.

  3. A neat summary Alan.
    Clearances are a good place to start - in my view you never did NEED SC to access an (old money) Restricted system - e.g. a mail system, as you have said. But old habits and risk aversion made "over clearing" the de facto norm. If you talk to people who really understand risk they will probably concur that Basic (and in particular cases CTC) are more than adequate.

    1. Agree - easier to overclear, just in case, than to precisely clear. Will be interesting how "Official" is handled in that sense given that, in theory, it takes you from old money IL0 to IL4.

  4. Networks and hosting is the next interesting area for me. G-Cloud and PSN providers have all got hooked on the IL numbers too. But if you look closely at what makes IL3 hosting any more "special" than IL2 hosting, then more often than not it's the connectivity to a so-called IL3 network (GSi as was, PSN-IL3 in the interim) - and there's the rub. What makes an IL3 PSN network different to an IL2 one? Presence of (router to router) encryption, largely. But if your hosted apps are already encrypted from client to server (i.e. using TLS or some such wizardry) then where is the benefit of IPSEC/PEPAS etc?

    1. Did you take a look at the doc I linked to? The IL2 and IL3 differences are sort of in there (as best as I understood them, anyway). In an "Official" world it's hard to see PSN being encrypted at all - and so, as you say, some client to server encryption ought to be preferred (and simpler to carry out). One interesting thing might be where the certificate authority is (and who it is).
