Civil Service Live Network

Safe journey

25th October 2011 at 10:05:18 by Civil Service World

Round table IT, Ollie Hart, Jason James, Milan Bogunovic, Justin Bateman, Steve Wilkes, Veronica Fraser, Maqbool Lalljee, James Lyne

Technological convergence is transforming communication tools. As the civil service tentatively explores the potential of mobile IT devices, a CSW round table discussed the security implications. Colin Marrs reports.

Two years ago, who would have predicted the rise of Apple’s iPad technology? Computer ‘tablets’ are just the latest devices to emerge in a personal computing revolution which has had a profound impact on working practices both within private companies and in people’s private lives. The ability to work remotely using mobile technology presents significant opportunities for the civil service too; but it also poses profound challenges.

At a recent Civil Service World round table discussion, held in partnership with computer security consultancy Sophos, civil servants met to discuss how departments can make the most of emerging mobile technologies to support civil service reform and improve public services. The discussion focused on the balance between making good use of such devices, and ensuring the robustness of data security.

James Lyne, director of technology strategy at Sophos, said that departmental managers will need to get to grips with significant changes in working practices and culture. “These devices and working practices are going to arrive,” he said. “There is no choice [but to adopt them] and the question is how we best manage that risk and what controls we put around it. What are the people, process and technological changes we need?”

What are the main security challenges?
Milan Bogunovic, who works on ICT strategy planning and operations at the Ministry of Justice, pointed out that many changes to working practices are already well established within the civil service, with many staff choosing to work from home on a regular basis. “On average, most government departments have 70 per cent as many desks as they do staff, so when everyone comes in there is not enough space,” he commented.

Because much of the civil service’s software is outdated, staff working remotely are issued with departmental laptops or phones rather than trying to get departmental systems working with their own devices. However, Bogunovic said that older equipment and systems can make it difficult to access work email systems. “I started university in 2002, and at work I’m still using the same tech as I was then,” he noted. “This can lead to frustrations and a lowering of productivity.”

The group agreed that the issue makes it difficult to attract top candidates to civil service jobs, with Lyne contending that “the ability to attract talent into the workplace is deeply tied up with having new technology”. Veronica Fraser, head of data protection at the Department of Health, said that potential recruits often perceive that they will be going “back to the dark ages” if they join the civil service. And Ollie Hart, head of public sector at Sophos, noted that the need to ensure civil service technology conforms to information assurance (IA) rules often causes a delay before new equipment comes into service: “People always want the next technology,” he commented. “The technology that is used today, because of the IA guidelines, is always at least one step behind the latest technology. It is a debate about how you manage the talent pool wanting the latest stuff versus the IA guidance.”

Despite its creaking systems, the civil service is finding ways to make use of mobile technologies. For example, Lyne identified a growing need for employees to be able to access business applications from a variety of devices, and Jason James from the Ministry of Defence’s Network Technical Authority said that he is working on projects to “delaminate” applications from hardware, “so it doesn’t matter where you access it from”. The security issues thrown up are considerable. Fraser explained how “the Department of Health has a lot of sensitive information to protect. The challenge is to have it all ways: accessibility and security.”

What are the technological solutions?
Lyne said that “fear and confusion” are the biggest factors preventing departments from making effective use of the technology. “You can do a lot with existing technology, but there is a massive gap between what could be done and what is actually being used,” he argued. James illustrated the point, using an extreme example of how mobile technology can be used effectively whilst remaining secure: the US Army, he said, is examining technology to call in missile strikes from a hand-held device. But Lyne argued that the civil service needs to learn to walk before it can run. “There are a number of departments that have iPads but don’t have basic levels of security,” he said, citing examples of laptops unprotected by password systems. He’s had the same conversation with separate departments on “countless occasions”, he said, calling for officials to tighten up basic security protocols.

Steve Wilkes, social media project manager at the Home Office, complained that the failure to share information across departments means that it’s common for teams across Whitehall to be working in isolation on very similar issues. But James argued that things are beginning to change, thanks in part to the Public Sector Network. “We will end up with a catalogue of applications that you can choose from,” he said. Fraser backed the end goal, but said departments are often reluctant to let another department take the lead.

Bogunovic provided an example of innovation within the civil service: the Government Digital Service is now using gmail accounts to share unrestricted information, allowing staff to work from home more easily. Wilkes raised concerns that this might lead to further controversy about the status of such emails in relation to Freedom of Information Act requests, but Lyne suggested that designated work gmail accounts could be made subject to such requests.

Bogunovic pointed out that cloud computing – where data, software and computing power are held on remote, communal servers, rather than on individual PCs – is going to force big changes to the way the civil service works. Maqbool Lalljee, a unit head in HM Revenue & Customs’ Large Business Service, is wary, however: “We have to be very hard-nosed about security,” he warned. “We are guardians of public data. We have to work within secure systems, and that is not going to change.” But James said he believes that security could be strengthened by creating separate public and private clouds; organisations such as GCHQ and the Ministry of Defence are unlikely to put all their info onto the cloud, of course, but most departments could make much greater use of the approach.

Lyne pointed out that changing IT is creating an amorphous, fluid, data landscape: “The reason this issue is uncomfortable for companies and the civil service is that we are losing control of the ability to put explicit boundaries round networks, data and devices,” he said, adding that this is leading to a ‘safety first’ culture in which information is often incorrectly labelled as classified. But James suggested an alternative: labelling each item of data, rather than protecting whole networks. ‘Metadata’ techniques, he said, can attach different security designations to every piece of information and ensure that systems handle each appropriately. “The moment you start using metadata properly, you stop incorrectly storing classified information,” he said.

The panel also ventured that much would be gained by collaborating with private sector technology firms to develop new applications. James said: “There is nothing stopping us from working with firms like Google.” Extra security systems, for example, could be developed for use on government mobile devices: “There might be special coding that can stop people hacking into your account.” He pointed out that this kind of partnership working is common in the private sector, and added that appointing an IT ‘managed service’ provider to handle data services can help ensure that civil servants are using the latest technology.

How do processes need to change?
Despite the raft of technological solutions which came up in discussion, panellists were clear that technology on its own will not provide a complete answer to security concerns. Lyne pointed out that restrictions put in place by Apple mean that iPads could never have the same level of security as other devices; and Fraser suggested that staff will inevitably find their way around security systems.

Bogunovic suggested that we “need to look at people, processes and technology together”. James agreed, saying: “A lot of our problems are solved by a process and not a technology”. A culture change is needed among senior civil servants, he argued: “We need to become more realistic. We need to accept a loss of technical control and put more focus on educating users.”

Wilkes agreed, but felt that some existing, firmly old-fashioned practices could take years to change. “I think we are scared of this technology sometimes,” he argued, pointing out that his department blocks civil servants from accessing many social media websites. “We block social sites. We have a YouTube channel and Flickr channel, and we don’t allow people to comment on them or let our own staff view them. Our policy is not to reply to Twitter [comments]. We are quite a few months, if not years behind.”

However, there was a general feeling that departments are at least working to give staff clarity on how mobile devices can appropriately be used. Lyne said: “Officials are pretty extensively trying to provide guidelines for these devices, because there is an acceptance that staff are going to use them.” He particularly praised draft guidance on Blackberry use.

The pace of technological change also presents challenges for managers trying to keep abreast of the latest developments. James described the JSP440 document, which provides guidance to the MoD on keeping computer data secure. “That document used to change once every seven years, on a minor and trivial basis,” he said. “It now changes every three months. Policy is changing at a phenomenal rate.”

According to Bogunovic, much can be gained from separating strategic aims, which change very little, from the tactics of how they are achieved. James added that the traditional model of planning in 10-year cycles is now a “complete and utter nonsense”. And Lyne agreed, arguing that guidance needs to be written on a more realistic timescale: “I have this set of 10 things I suggest about mobile security. Number one is: don’t even write a three-year strategy; write a six-month strategy, and iterate it.”

There was, however, a hint of disagreement when Bogunovic suggested that it would be useful for departments to develop their own approaches. “You have [departments] that have very sensitive data, while some could quite happily move to gmail,” he argued. Lalljee rejects the idea, calling for greater consistency of policy. “If we have different gateways then it is easier for people to get inside and attack from the inside,” he pointed out. “We cannot have duality.” The pooling of budgets for technological development, he added, can also lead to efficiency savings.

Fraser pointed out that the Cabinet Office and CESG – the national technical authority for IA – are making strides in providing more consistency in guidance across departments. But James said that more effort is required to make the guidance clearer, and Fraser complained that it can be hard to find it in the first place. “Often, people can’t access it, and that is not helpful,” she said.

How should staff be educated and trained?
Bogunovic pointed out that many of the challenges are cultural, saying: “At the moment, the civil service is very risk-averse”. But Fraser demurred – different staff have different levels of risk awareness, she said: “Half the people I work with are just well aware of risk management – it is running through their heads the whole time.” On the other hand, some are oblivious to risk: “There are other people whose first reaction is: ‘There are no risks’.”

Dedicated training is probably required – but Wilkes argued that this must be carefully handled: “The problem is that it is increasingly difficult with some staff to educate them about risks [such as] when they can use external email and when they can’t. There is a danger of confusing them even more and they will use inappropriate accounts.” Such training must not scare people unreasonably by focusing entirely on the dangers, said Lyne: “You can lose the benefits of technology in an attempt to make yourself comfortable.”

Part of the challenge is generational, the panellists agreed. Bogunovic said: “You can have people who have been in the civil service for 40 years, and people straight out of school. Older people are much more guarded about their personal data.” He suggested that both generations can help contribute to a common understanding of technological benefits and risks. “It is a two-way process of education,” agreed Wilkes.

Raising the level of understanding among chief information officers is also key, according to Bogunovic. He said: “At the moment a lot of CIOs are from the private sector, but we need to address how to develop [IT professionals] in-house.” James lamented that the civil service lost many skills “10 years ago, and has now realised we are not intelligent customers any more”. But he identified a dilemma for policymakers, saying: “The minute you start training civil servants and [they begin] picking up qualifications, they can walk out the door and get much better paid jobs in the private sector.”

Summarising the discussion, Lyne said that governments should feel more confident about adopting mobile technology, as long as they follow a few simple rules. “Get the basics right,” he urged. “Enforce passwords and encryption; find reasonable mechanisms to avoid high-risk information being put on devices, while allowing lower-risk information; and modernise awareness practices. That will put us in a significantly better position.”

Around the table:

Justin Bateman, CWB ICT and office manager, Operations Directorate, National Policing Improvement Agency
Milan Bogunovic, ICT Strategy, Planning & Operations, Ministry of Justice
Veronica Fraser, head of data protection, Department of Health
Ollie Hart, head of public sector, UK & Ireland, Sophos
Jason James, Network Technical Authority, Ministry of Defence
Maqbool Lalljee, unit head, Large Business Service, HM Revenue & Customs
James Lyne, director of technology strategy, Sophos
Steve Wilkes, social media project manager, Home Office

Written by Colin Marrs, CSW