Business Daily from The Hindu group of publications, Monday, Sep 08, 2008
eWorld: Security Columns - Security Musings

Handle with care
R.K. Raghavan

These are bad times for government departments in the United Kingdom that hold sensitive information and struggle to protect it from anti-national and anti-social elements. A spate of recent incidents has caused huge embarrassment to the Treasury Benches vis-à-vis an Opposition that is gloating over shocking breaches in information security, raising doubts whether there is any system of protection at all in the country's public agencies.

The most recent significant incident is the loss of data relating to convicts serving various terms in British prisons. The basic mistake here was that of a private contractor, PA Consulting, hired by the government for a variety of tasks, including the flagship National ID card scheme. The data had been encrypted when it was handed over to the company; the company decrypted it and held it on a pen drive that has now been lost. Whether this was a plain and simple negligent loss of data or a deliberate theft is yet to be established by Scotland Yard, which is probing the matter.

The contract between the UK government and PA Consulting was mainly to facilitate easier tracking of the movements of offenders who had come to the adverse notice of the criminal justice system. About 80,000 persons are held in the country's prisons, and there is every expectation that the number will keep rising, especially to appease public opinion that is so sensitive to crime and demands a tougher policy of locking up people who indulge in violence. The data lost by PA Consulting included the names, addresses and expected dates of release of all prisoners in England and Wales who are under the direct care of the Home Office in London. (Prisoners in Northern Ireland and Scotland are handled separately by local authorities.) It is learnt that the missing memory stick also contained some data from the national computer system run by the police forces in the country. These pertained to personal information on about 30,000 offenders with six or more convictions.

The above incident has to be viewed against the backdrop of several others in the past few months. The most important of these was the loss, in November 2007, of disks containing personal data of about 25 million individuals and 7.5 million families who received child benefit assistance from the government. In two separate incidents last December, government departments lost data on more than 7,000 motorists and 3 million candidates undergoing driving tests. In January 2008, a naval officer's laptop containing information on 6,00,000 Armed Forces recruits was stolen. (By a Defence spokesman's recent admission, more than 700 laptops had been lost by the government in the past four years.) In March 2008, two CDs containing data on seasonal agricultural workers meant for the UK Borders Agency went missing. Other embarrassment — not directly related to information held in computer systems — came to the government in June, after the media revealed that classified documents on terrorists (especially al Qaeda) and how the government proposed to combat them had been found unattended on trains. Viewed in totality, all these incidents spoke of a security problem that called for a serious review and appropriate action, if only so that public confidence in the government's ability to guard information pertaining to national and community security does not suffer further erosion.

Lack of accountability

The emphasis here is not on the number of incidents that have been reported, but on what is apparently the non-existence of a system and the lack of accountability of persons handling government information, especially in matters of Defence and criminal justice. While no mala fide has yet been established in any of the incidents that have become public knowledge, governments, not only in the UK but all over the world, will have to provide for the worst-case scenario, in which attacks on their databases are motivated and are the work of anti-national elements or of those looking to make a quick buck through the sale of information. What is most important here is the need for transparency: the public should be told of losses of data and not kept in the dark merely to save officials from embarrassment. The objective should be to learn from each instance of breach so that loopholes are plugged.

There are two aspects to information security for consideration here. The first relates to daring cyber attacks on a system, gaining illegal access and stealing data directly from it, either to cause embarrassment to the holder or wrongful loss to him. This is serious enough, but is possibly difficult to prevent. I am more concerned with the negligent loss of data through misplacing hardware that contains information, as in the case of the lost memory drive. That device, however convenient it is for transferring information and retrieving it quickly in a contingency, is a dangerous tool in the hands of a careless or dishonest employee. Readers may recollect how information relating to huge purchases was smuggled out of the Naval War Room in New Delhi two years ago with the help of a memory drive. What is the solution? Many organisations ban the use of such devices by their staff. To ensure that the ban is effective, most computers have their floppy drives or USB ports disabled. This measure may seem drastic and unimaginative, but it is the only way to keep important information from floating dangerously around in the public domain.

Before signing off for the fortnight, I cannot resist the temptation of relating the 'ingenuity' of one of our nationals in bypassing the security procedures set up by a leading international hotel chain, the Best Western group. In what is described as 'the greatest cyber heist in history', an unknown Indian has been found to have assisted a criminal gang in obtaining data pertaining to 8 million customers who had stayed in the group's more than 1,300 hotels during 2007. The Indian's successful attack was on the hotel's online reservation system. He did this by placing a Trojan on a machine used by the hotel at one of its locations. According to experts, this modus operandi is unique, and tracing the offender is therefore an extremely difficult task. It will be interesting to keep track of the investigation, if only to learn how the offender executed his amazing operation. It is possible that technology played only a minor role here. There has possibly been a human failing, one that permitted physical access to a computer owned by the hotel chain. This is why network security is of little comfort unless it is suitably blended with physical controls that reduce access to the minimum, something that is fundamental to the VIP security devised by police agencies.

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.
Copyright © 2008, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.