Public sector lacks data-security sense

A leading government advisor has heavily criticised low levels of awareness of security threats within the public sector.

Lieutenant general Sir Edmund Burton, a key advisor to the Cabinet Office on information assurance issues, said that with the exception of the police, defence and intelligence communities, public servants have little grasp of information security threats. "What keeps me awake at night is that, with some notable exceptions, across government there's too little awareness of the scale and breadth of the risk facing us at the moment," he said.

This systemic problem extends across all government departments, and is endemic at board level. Ignorance of information security threats at board level is actually more of a threat than the threats themselves, according to Burton. "No-one knows the scale of the risk. We need to energise boards. The technical risks are nothing compared with ignorance at board level," he said in a panel discussion at a British Computer Society (BCS) security event this week.

A senior member of the Cabinet Office's Central Sponsor for Information Assurance (CSIA), whose remit is partly to oversee the effective transmission of data threat information between public sector organisations, admitted the problem did begin at board level, and said the situation would improve once a younger generation of civil servants reached seniority.

The member said: "Senior civil servants will eventually be succeeded by people who grasp technology issues. People in that generation of senior civil servants are less adept at technology than people who've grown up with it."

The lack of risk awareness extends to information risk in governance, policy formulation and civil service culture. There is also a lack of awareness of technical countermeasures, system infrastructure, threats and vulnerabilities, how to improve skills and competencies, and how to perform risk analyses, according to the CSIA member.

Steps are being taken within the government to address the perceived lack of security risk awareness. There is a network of "senior information risk owners", which liaises with the government CIO and CTO councils to refresh information assurance strategy.

But there is still a lot of work to be done, according to Burton. "In the area of information assurance they really need to understand and manage the information risk between organisations. [The problem] is hugely complex - the scale is large, and the complexities are new. It's time for decisive leadership and partnering between the public and private sectors," he said.

The government recently announced two sets of controversial plans around data use - plans to form the database for the ID Cards National Identity Register from three existing databases, and plans to relax data-sharing laws so government departments can share information more easily.

Phil Booth, national co-ordinator for the No2ID anti-ID cards campaign, said ordinary civil servants not having a grasp of security issues should "terrify" people. "That civil servants can't even assess security threats beggars belief. They are proposing major new pieces of the critical national infrastructure. To say they don't understand security should terrify anyone whose details are going to be on the system," he said.

Tom Espiner writes for ZDNet UK