Good Governance - Effective use of IT
Written evidence submitted by McAfee (IT 43)
Introduction
1. McAfee welcomes the opportunity to respond to the Public Administration Select Committee’s inquiry into good governance and the effective use of IT. As the world’s largest dedicated security technology company, we are relentlessly committed to tackling the world’s toughest security challenges and delivering proactive and proven solutions and services that help secure systems and networks around the world, allowing users to connect to the internet safely and to browse and shop the web more securely. Backed by an award-winning global research team, a number of whom are based in Aylesbury, McAfee creates innovative products that empower home users, the private sector and the public sector and allow them to continuously monitor and improve their security. We serve as Vice Chair of Intellect’s Cyber Security Group, sit on Intellect’s ISAB SIAT Working Group, and participate in a range of other industry groups.
2. As the committee indicates, the current drivers of IT policy are the constraints created by the coalition’s deficit reduction plan and the need for greater efficiencies across all departments arising from this. The Cabinet Office has recently confirmed that £500 million has been saved as a result of its moratorium on spending, and IT has made a significant contribution to this. The Cabinet Office’s Structural Reform Plan outlines the need for savings going forward and the IT sector will be an important participant in this. McAfee believes that there are other steps the Government could take in this regard to realise greater savings, particularly through the rationalisation of security networks within and across departments. We comment further on this below.
3. Government should not overlook the wider role IT can play in enabling good governance and saving costs simultaneously. Recent moves towards increasing the proportion of public services available to citizens online, as recommended by Martha Lane Fox’s recent report to the Cabinet Office, are a welcome step in this direction. Such developments could, however, have wider security implications, which we explore below.
Co-ordination of technology policy across government
4. The last ten years have seen rapid and radical innovations in technology, with evolution taking place at a far more dynamic pace than government has been able to embrace in policy terms. Responses have traditionally lagged behind technology development, with official government guidance being published some time after the relevant innovations.
5. As a result of this, government has often been slow to take advantage of new technologies, and policy has not been co-ordinated in a way that exploits innovation to the full. This is especially relevant in the context of the current Government’s deficit reduction strategy, as IT can play a positive role.
6. The speed with which the Coalition has moved forward with initiatives is to be welcomed. The transformation of the Cabinet Office into a powerful central hub at the heart of government should allow for more timely policy responses to ongoing technological development.
7. Recent reforms to CESG’s Listed Adviser Scheme (CLAS) are to be welcomed in this regard. The current process whereby CLAS consultants provide Information Assurance advice on systems processing protectively marked information is extremely costly for government. The PACE initiative within CESG aims to promote delivery in a timely fashion whilst making this scheme more cost-effective and more appropriate to the particular risks under consideration. This is a positive step, although there is scope for government to go further. In technology terms, the financial services industry provides a good model for government to consider.
8. Another core issue at present is the fact that security drives technology in the public sector, meaning that government cannot be as fleet-footed as the private sector in adapting to change. In the private sector, business will demand enablement of new technology and quickly take advantage of the benefits that can be realised, but the reverse is true in the public sector. This results in a lack of prioritisation and a loss of value.
9. Other Cabinet Office reforms of interest, including increases in the powers of the CIO to drive integration and improve value for money and the new infrastructure for the CIO’s office, will also assist in driving better policy co-ordination across government. We look forward to the Cabinet Office’s forthcoming announcement on the future of the CIO office.
Effectiveness of governance arrangements
10. Many organisations find the government controls currently in place open to wide interpretation, leaving too much scope for risk. Widely cast standards and governance requirements increase cost and time delays, with organisations struggling to work effectively. This is particularly evident in the field of public sector IT security.
11. In addition, many of the governance controls in operation are manual. Greater use of automated assessment and risk management tools could reduce costs and improve governance simultaneously whilst reducing human error, especially as 70-80% of security costs are attributable to manpower. Software licences, on the other hand, represent only about 5% of costs. Operational efficiencies have often been neglected in the past.
12. Proposed reforms to government IT infrastructure are likely to impact on governance arrangements in the future. We note in particular confirmation in the Cabinet Office’s business plan of the Coalition’s commitment to ensure a level playing field for open standards. This aligns with the direction in which other government and commercial enterprises are heading.
13. McAfee itself launched an open architecture technology programme, largely in response to the needs of the US Department of Defense. The DOD’s open framework enables the department to plug in any number of solutions from different vendors. McAfee’s Security Innovation Alliance Programme has allowed accelerated development of interoperable security solutions and log management tools to meet these needs and simplify the integration of these products within complex customer environments. It provides an important value proposition for government and commercial customers who do not want to be locked into a single vendor.
Application of past lessons
14. The NAO and the OGC have published a number of reports in recent years outlining the problems the public sector has encountered with IT programmes. The NAO’s June 2010 report Assurance for high risk projects provides a good summary of many of these issues, outlining two broad areas of concern with high-risk projects:
· Lack of a clearly stated and enforceable mandate for assurance across government, and of consequences for non-compliance;
· Design of systems, particularly the lack of integration across individual mechanisms and the reliance on point-in-time assurance.
15. In terms of the wider lessons from unsuccessful IT programmes, the learning and application of lessons learnt has been variable. Where projects and programmes have been large in scale, lessons have been disseminated through the media. At a lower level, organisations have been left to learn from their own mistakes. In many cases, however, there has not been a clear process for disseminating information to prevent the mistakes of past projects being repeated in the future. Given the speed at which policy can change in response to external forces, it is easy to see why mistakes continue to occur. Most public sector organisations still seem to be in reactive mode, and we would recommend that IT security be consolidated into a common framework that allows intelligence to be correlated appropriately.
16. Reforms to IT assurance and ongoing changes to the structure of IT governance within the Cabinet Office are to be welcomed. There is an urgent need for a centralised point of information dissemination to help departments avoid the mistakes of the past; the creation of the Efficiency and Reform Group seems to us to be a step in the right direction.
IT and public service design
17. Government has been slow to adapt to the pace of change in the past. There is considerable scope for using IT better in the design, delivery and improvement of public services, especially with regard to the interface between government and citizen. There are many benefits to the increased digitisation of public services, both to the Exchequer in revenue terms and to the citizen as engagement with government becomes simpler and more personalised.
18. Martha Lane Fox’s recent report on Government internet services is to be welcomed. We note the report’s recommendations on the development and opening up of Application Programming Interfaces (APIs), and that government move forward with a first wave of digital-only services in relation to Student Loans, Car Tax and JSA applications.
19. Whilst such moves will bring many benefits, government needs to be alive to the security risks they entail. As government-citizen online interaction increases, existing protection of networks needs to be more resilient at the network level given the size of the cyber-threat, something that has become increasingly apparent in recent months. McAfee research shows that the number of global attacks has grown exponentially in the last year, with an increasing number of these attacks directed at government and critical infrastructure.
20. The OECD’s January 2011 report on reducing systemic cybersecurity risk reinforces these concerns: "World wide web portals are being increasingly used to provide critical Government-to-citizen and Government-to-business facilities. Although these potentially offer cost savings and increased efficiency, over-dependence can result in repetition of the problems faced by Estonia in 2007."
21. On the other hand, increasing numbers of users will be accessing government networks to undertake transactions in the coming years, and many of these will have PCs that are unprotected and potentially infected. Identity fraud is a key ongoing risk, with the current cost of this to the UK economy estimated at around £1.2 billion. This raises further questions about the potential problems with users unfamiliar with IT and IT security attempting to access services.
The "post-bureaucratic" age
23. The phrase "the post-bureaucratic age" describes a whole set of ideas about putting the citizen in the driving seat of government through increased transparency and increased citizen-led delivery of services traditionally delivered by civil servants.
24. IT should be seen as an enabler of these ideas. Our comments on the security risks of increased government-citizen interaction are relevant again, as the post-bureaucratic age presents its own unique security problems as citizen interaction with government increases and the proportion of citizen-led public services rises. Many will utilise IT in a sophisticated fashion to deliver services – but often without the detailed security architecture upon which government relies. This increases risk.
25. This is best dealt with through a proactive approach from government to educating citizens and potential deliverers of public services on cyber-threats and the most appropriate way to mitigate them.
Cyber-skills
26. There are already a number of pools of skills excellence within government, although more work needs to be done. The public sector can learn a lot from the work being undertaken in the financial services sector, which is far ahead of government. The Sector Skills Council for IT Skills is currently moving forward with its own work in the specific field of cyber-security skills and we are engaging with its work.
27. It is important that government doesn’t attempt to "reinvent the wheel" with training offerings. The private sector is already providing excellent training offerings which could easily be transplanted to government. McAfee, for example, has provided hands-on malware investigation and forensics training to investigators from the Police Central eCrime Unit and the Serious Organised Crime Agency.
28. Talent management and retention remain problems. Highly skilled experts, many of whom are initially trained in the public sector, will often move to the private sector, attracted by higher salaries. There is a risk that this "bleed" will increase given the current squeeze on public sector spending.
Procurement policies and practice
29. The public sector has been slow to take advantage of the economies of scale that can flow from central purchasing. Philip Green’s recent efficiency review for the Cabinet Office noted that "government acts as a series of independent departments rather than as one organisation"; this is particularly pertinent in the field of IT security, where significant savings could be made.
30. Green is right that lessons can be learnt from the private sector, where there has been a drive towards vendor consolidation and cross-portfolio purchasing. Public sector groups have also typically adopted a project-by-project approach to security procurement, which has resulted in a patchwork quilt of products that bear little relation to each other. The private sector has already demonstrated that financial benefits flow from consolidation; the public sector should follow suit. It is welcome that ERG has stated that government should adopt a more "corporate" approach.
IT and the "age of austerity"
31. Government has already moved forward with a number of initiatives in the IT field which have resulted in significant savings.
32. McAfee believes that substantial savings are still there to be made across government from rationalisation of IT security. Many departments continue to operate on the out-dated premise that optimal protection comes through use of multiple products from multiple vendors. This approach fails to recognise that many of today’s security solutions, including those offered by McAfee, proactively draw co-operatively on the research of other providers, thereby providing the user with a comprehensive security service.
33. McAfee’s own solution, McAfee GTI (Global Threat Intelligence), takes this process to an entirely new level, providing comprehensive detection and protection automatically to a suite of McAfee security products in real time. It uses 100 million sensors to monitor the Internet, continually seeking and identifying new and emerging threats before they materialise. More than 350 researchers in 350 countries across the globe, including the UK, focus exclusively on tracking and analysing this information.
34. The Gartner Maturity Model is a recognised methodology for describing an organisation’s state of security. Shifting the public sector from a state of compliance (where organisations demonstrate emerging policy and process definition, but at a high cost) towards optimisation (with a dramatically higher overall level of IT protection accompanied by a considerably lower cost profile driven by Operating Expense and management efficiencies) on this model could save up to 40% of IT security spend. As we outline above, approximately 70% of security spend is on manpower and time, where major savings can be made.
35. The UK requirements in this area are not dissimilar to those of the US, where we have undertaken considerable work. For example, standardisation of New York State’s systems cut expenditure on all endpoint security products by some 75%, saving the state $20 million a year.
36. Cloud computing should also lead to significant cost savings but in itself presents considerable risks that must be managed on the front end. In migrating to the cloud and disseminating information broadly, public bodies inevitably surrender a certain amount of control to the cloud provider, increasing their risk profile. Cloud services must therefore be part of the overall strategy and not become a separate silo. McAfee is unique in having a framework to support such mixed models.
Government’s use of external expertise
37. There is a wealth of knowledge in the private sector on effective IT usage, much of which could add value to government, particularly as it looks to maintain its knowledge of risks and threats. The public sector can often benefit from the research activities that are already taking place in the private sector.
Existing government approach to security
38. Our own research has shown that the number of global attacks on IT systems has grown exponentially over the last year, with an increasing number of these attacks directed at government and critical infrastructure. We note the publication of the Strategic Defence and Security Review and the National Security Strategy, and the recognition of cyber-attacks as a Tier 1 threat.
39. Government faces a number of challenges in this regard, including:
· A slowness to respond to emerging security threats;
· An inability to keep pace with private sector innovations;
· Standards being open to interpretation;
· Unnecessary complexity resulting in considerable lost time and wasted funds;
· The time taken to disseminate changes down to a local level.
40. Security spend has traditionally been a comparatively low share of overall IT expenditure. The additional expenditure trailed in the SDSR is to be welcomed. However, this is an area that is rightly receiving considerably more attention at present. There have been a number of high-profile cyber-attacks in the last few years, and the SDSR highlights the importance of this area to government and country alike. The trend towards increasing digitisation of government services will also need an increased focus on IT security. The Government is right to push for more government services to be delivered online.
41. Unprotected citizen computers could also pose significant risk going forward, especially as citizen-government interfaces increase. One potential solution could be to offer a free six-month trial version of security software to familiarise users with the nature of IT security. Such a model has already been successfully adopted elsewhere; for example, McAfee has undertaken significant work with Facebook, educating its 350 million users about security threats through trial software, chatrooms and other education programmes. Government should consider how best to do similar things through, for example, DirectGov. Getsafeonline is a brand that could be better utilised to educate both the public and small businesses. IT education within schools should also focus more on security.
January 2011