A minister has batted off questions about the security risks facing GOV.UK One Login, claiming that they reflect an “outdated” view of a programme that has “worked to address all… concerns”.
Maggie Jones, the minister for online safety, was recently asked a series of parliamentary questions about the new government-wide sign-in system, including an enquiry about recently reported claims that the then-chief information security officer at the Government Digital Service warned 18 months ago that One Login was “carrying a high level of risk”.
“These comments are outdated and reflect a view from when the programme was in its infancy in 2023,” Baroness Jones responded.
“We have worked to address all these concerns, as evidenced by multiple external independent assessments such as the recent Cyber Assessment Framework GovAssure process, which identified areas of good practice including governance, risk management, assurance, monitoring, incident management and lessons learned. Risk mitigation will continue to be central to our approach to ensure we keep pace with the constantly changing cyber threat landscape.”
Asked by Timothy Clement-Jones, the Liberal Democrat Lords science, innovation and technology spokesperson, for more detail about what “independent verification [GDS has] sought to assess the security” during its work on delivering One Login, the minister added that “the programme has conducted multiple independent risk and threat assessments, such as regular IT health checks, and these will continue to be part of the programme’s operating approach”.
“In addition, GOV.UK One Login works closely with the Information Commissioner’s Office on programme developments, including iterations of the Data Protection Impact Assessment,” Jones said.
The Department for Science, Innovation and Technology – which is now home to GDS – was also asked by the Lib Dem member what “steps they are taking to ensure that only individuals with the appropriate security clearance have privileged access to the One Login digital identification system live service”.
In response, Jones said that “GOV.UK One Login takes the security clearance and audit of personnel very seriously”.
“All individuals with production access to Government Digital Service systems must undergo a Security Check,” she added. “There are some individuals working within the GOV.UK One Login programme who are not SC-cleared, however they will not have production access to the service.”
The concerns about the security of One Login, first reported by Computer Weekly, come as GDS works to significantly drive up adoption of the system throughout the civil service. As of late last year, the tool had been implemented by 50 individual government services, and more than four million people had created an account – although ministers had previously expressed hope that this figure would reach about 30 million by the end of 2024.
To support work to ensure that these additional tens of millions of citizens sign up for One Login in the coming months, GDS last summer signed a six-figure deal with a major public relations firm to help create a “clear drumbeat” of messaging about the One Login platform.