In a bid to reduce costs, complexity and confusion, the Cabinet Office is launching a new pan-Whitehall ‘protective marking’ system. Stuart Watson listens in at a round table convened to explain and examine the changes.
The government’s Security Policy Framework lays out the requirements for all departments and agencies when handling sensitive data. Among other things it defines the levels of protective marking that must be applied to documents and data held by departments, and the characteristics of the IT systems required to process and store that information.
Many civil servants will be familiar with the current Government Protective Marking System (GPMS). It sets out six categories: top secret; secret; confidential; restricted; protect; and unclassified. However, the Cabinet Office has decided to review that system, with the aim of making it easier to achieve the appropriate level of security while cutting costs and responding to rapid technological change.
The proposed scheme would reduce the number of classification levels to three: top secret; secret; and official. Implementing it will, inevitably, require time and resources; it will involve retraining staff, and making changes to IT systems. However, its backers believe that it offers the opportunity to create more open public services, increase government transparency, simplify administration and save money.
At the Dods Public Sector ICT conference in December, CSW got together with IT services company HP to hold a gathering of government information management professionals. The round table discussion sought to explore the implications of the new protective marking scheme, and to identify the potential challenges associated with its implementation.
The need for change
Opening the discussion, the Cabinet Office’s Michael Brennan – who’s responsible for developing the new system – made the case for change: “The current system was designed during the Cold War, with the idea of heavy protection of everything government does,” he said. “It adds layers of complexity to our lives, both as civil servants assessing the sensitivity of information and as IT suppliers trying to make sense of something which is uniquely complex compared with other sectors of the economy. It is difficult to understand, and therefore difficult to implement and use.”
Chris Stendall from DWP recalled how the GPMS created difficulties in his previous role at the Government Olympic Executive. “It quite seriously got in the way of communication, particularly when dealing with a private company like Locog. If this had been proposed a few years ago we would have hugely welcomed it,” he said.
Brennan claimed that the new regime will move away from an approach that focuses narrowly on national security, and recognise today’s data security challenges around respecting citizen confidentiality, reducing the opportunities for fraud, and upholding the reputations of public bodies and private sector providers. Some participants suggested that the spate of data losses a few years ago had made civil servants over-cautious – and Brennan explained that the new system will require civil servants to take responsibility for evaluating the value and sensitivity of information: “We would like to see that bottom tier, the ‘official’ space, be one where organisations and individuals can manage risks actively,” he said. He added that few civil servants understand the differences between some of the current categories: “That’s a damning indictment of the current system. If you don’t understand how it works, how can you possibly use it properly?”
Exploiting new technology
Brennan argued that the new regime will make it easier for civil servants to use mobile technology and thus work more efficiently: “The current system predicates against being able to adopt fast-moving, fast-changing technology, because of the complicated assurance and accreditation processes that we have in place,” he said.
“The civil service is the public that it serves,” commented Brennan’s Cabinet Office colleague, Ben Aung. “I go home and use my iPhone or my laptop, and there is a perception at the moment that we’re quite happy for me to operate like that on my own time, but coming to work every day I need a whole set of rules and regulations that will protect me. If people are not faced with complex shades of grey, they will make the right decision most of the time and we’ll have more opportunities to innovate and use different types of technologies or more efficient business processes.”
Greater flexibility in the use of mobile technology would be welcomed by social workers, said Rob Langley from child protection agency CAFCASS: “At the moment we are restricted in the way we can use technology. You can’t go into a meeting with a family in difficult circumstances and say: ‘Can you just sit quietly while I spend 10 minutes logging on and not quite connecting onto the system, which is securely locked down?’ We could use that freedom to work more efficiently.”
Working with other organisations
Several members of the panel said that the current GPMS creates difficulties in working with private and third sector suppliers, other departments and government agencies, due to varying interpretations of classifications and differences of opinion over the security of IT systems.
Paul Johnson from new mutual My Civil Service Pension said that he has encountered “paranoia” over security from civil servants and civil service suppliers when he’s tried to collect and share information about pension arrangements. Departments’ IT contractors are the most fearful, he claimed: “They are terrified that if anything goes wrong, it’s their reputation that will suffer and they will never get another contract.”
HP’s Alan Jenkinson suggested that many suppliers are scared because their contracts contain unlimited liabilities for the loss of public records, making them over-cautious: “The procurement of these services drives the wrong behaviours,” he argued.
Michael Eaton, from the Welsh government, noted that growing third party service delivery is set to exacerbate these challenges: “Three to five years from now, 75 per cent of the data movement that creates value is going to exist in private and voluntary sector organisations, and other intermediaries working on behalf of the public sector. We are effectively asking them to inherit the GPMS. Our challenge is how we cope with that networked, collaborative world outside the confines of Whitehall.”
Brennan responded: “Implementation will necessarily start with the centre of government and its direct suppliers, but it’s an approach that will be compatible working with other sectors, like mutuals, charities, local authorities and the NHS. If you take away that [emphasis on] national security, you’re living in a world that looks a lot more like the one that the rest of the sectors of the economy work in.”
Implementation challenges
The assembled civil servants agreed that the current GPMS obstructs cross-department working. However, several of them were concerned that the new system could make things worse by encouraging departments to adopt different ways of categorising and protecting ‘official’-level data, leading to even greater divergence and mistrust between them.
MoJ’s Bob Nicholls warned: “I would expect the system under the new GPMS to be even more complex than it is today. We are either going to be accepting huge risks, or we are going to have to put similar controls around ‘official’ systems that we are today putting around ‘confidential’ systems.”
Brennan reassured him that the Cabinet Office will define a set of baseline controls for ‘official’ data: “Yes, the Home Office is going to have a different solution to the MoJ. Yes, it’s going to have its own conversation with its own suppliers. But as long as they have met the baseline controls, they will be expected to share that information. The Cabinet Office will play a part in brokering those trust relationships, but departments are going to have to do it for themselves as well,” he said.
PJ Hill from the MoD was worried that the new scheme will not produce the anticipated cost savings: “I’m very nervous that there are a lot of people saying that we are going to save lots of money and that’s not correct; not for a long time. In fact, it may cost us money to move to this better world,” he said.
Meanwhile, Nicholls anticipated that IT systems capable of dealing with ‘official’ information could prove more costly than current secure infrastructure, if there’s greater uncertainty over the level of security that they’ll need to provide.
Jenkinson countered that the existing GPMS is driving up the cost of IT systems: “It costs a lot to design, build, maintain and support” GPMS-compliant systems, he said. “It extends project delivery time by potentially weeks and months.” And Brennan said that savings will be achieved through changes to baseline controls that will allow public bodies to use cheaper “off-the-shelf” software rather than bespoke systems.
The proposed plan suggests that there is no need to mark all ‘official’ data. “Inside a department, that’s fine, but now departments have quite permeable walls the information will go quickly across, and if it’s not marked who knows how sensitive it is?” asked HP’s Peter D’Ardenne.
“A very practical reason for not asking people to mark everything is that they won’t, can’t and don’t do it,” replied Brennan. However, he added that it is the Cabinet Office’s intention to find some way within the ‘official’ category to indicate where particularly sensitive information is contained within a document.
UKBA’s John Holland complained that much of the discussion was couched in terms of protecting information contained within paper files: “The vast majority of information we deal with is not in documents, it is in databases,” he pointed out. “The kind of stuff that exists on hard drives is way more valuable than any document.”
The new scheme does take the existence of databases into account, replied Aung, and it calls for civil servants to put in place controls appropriate to the type of information and the level of risk – regardless of whether the data is contained within a database, a document or an email.
Effecting cultural change
If civil servants are to adopt a more mature and flexible approach to risk assessment, a cultural change will be required. The emphasis will no longer be on protecting information from a threatening foreign country, but on sharing and using it wherever possible.
Angela Duncan from the Home Office suggested that the 2007 response to data losses demonstrates that such a change can be effected: “There was a big cultural change programme,” she recalled. “We have put staff through a lot of education, training and awareness on information assurance, and we set up data-sharing agreements.”
The first stage of implementation will be to provide training so that all of the people who need to use the new GPMS understand it thoroughly: “It won’t be a centrally managed process. The Cabinet Office will be overseeing it with central resources to assist departments, but it’s going to be down to individuals and managers within organisations to do this,” said Brennan.
He concluded: “There is quite a simple message which we need to inculcate into people, which is: ‘It doesn’t matter what this information is: it does not belong to you. It belongs to the taxpayer, it belongs to the government, and you should take care of it’.”