AWS Public Sector Blog

How updating Cold War era data classification unblocked government digital transformation

Looking at information security as an enabler for change, not a blocker, was the mind shift that contributed to digital transformation in UK government. The UK modernization of data classification concepts and processes enabled more responsive public services, as well as massive savings (£1.7bn in 2014 alone). From 2012 through 2015, the authors of this blog worked together in the Cabinet Office in the UK—Liam as chief technology officer and Ben as senior policy advisor for cyber security—to reform a decades-old information security policy. This effort helped unlock widespread cloud adoption in the UK public sector and the advantages that come with it. As a result, in 2016, the United Nations named the United Kingdom as the most advanced in the world for digital government. The lessons learned and the choice to move to the cloud to increase security and gain in flexibility are relevant to any organisation in pursuit of technology or business transformation.

Cold War classification

The official data security classification policy that we inherited dictated how 400,000 civil servants and others in the wider public sector, military, law enforcement, and government supply chain marked paper documents and secured IT systems. It dictated where information could and couldn’t be sent and even the strength of locks on doors. This policy was designed for people carrying briefcases tied to their wrists and had essentially remained unchanged since the Cold War.

The policy provided six levels of security classification: Unclassified, Protect, Restricted, Confidential, Secret, and Top Secret (most governments have a similar policy). Each classification was subject to entirely different processes and controls, which meant six ways of delineating information, six distinct levels of IT, and six different ways to do things. This stopped entire departments from sharing information or collaborating, even in times of crisis.

Created against a backdrop of heightened espionage and terrorism risks, four of the six classifications were designed for national security purposes. The majority of government work was conducted in the Restricted classification. Restricted was a catch-all for sensitive policy development, (some) sensitive personal data, low-level information relating to defence, diplomacy, intelligence, and much of the machinations of government work.

Restricted had a big effect on government’s IT. Although few hard standards existed, for years the UK government had built Restricted systems according to a specific template based on the written guidance and Classification Policy—a dated view of computer security unfit for the world we were living in. Government security practitioners had adapted to a rapidly changing technology picture and emerging cyber threats by locking down functionality rather than rethinking the overall approach. This all came to a head with the cloud and specifically the UK government’s ‘Cloud First’ policy.

Changing the classification system

UK Cloud First impact

While still under the aegis of the old policy, a Cloud First approach was rendered unworkable. Over the years, many had tried to overcome this situation, usually by asking cloud companies to fundamentally change the operating and technology model, which had made them attractive in the first place. As a compromise, “private cloud” (i.e. cloud in name only) had become the de facto choice. We knew, however, that we could not have digital government, if we had analogue security.

So how did rewriting the classification policy solve this? Early on, in order to effect the reforms we were seeking, we couldn’t just iterate or evolve the status quo—we had to start from scratch. It taught us an important lesson: to change things in security, you often have to stop doing things that work (or sort of work) as well as things that don’t. You have to change the whole environment—not just tweak within.

In the end, we got rid of all six classifications and replaced them with three. We kept the names Secret and Top Secret for the top two classifications; the dependencies and potential issues were too great, especially in terms of the UK’s international collaboration with defence and intelligence partners. The lowest classification, Official, was designed to be a new domain for government. Official combined what was previously Unclassified, Protect, Restricted, and (most of) Confidential, bridging previous gaps in government business.

New cyber threat model

To make sure Official provided the benefits government was seeking, we created a completely different “threat model”—essentially the basis from which security controls should be anchored. Cyber threats facing Official information were comparable to those facing large private sector organisations such as banks, pharmaceutical companies, or a large technology company. This was highly controversial. Government believed incorrectly that its security at Restricted provided a meaningful defence against the most capable cyber threats. This had been the assumed trade-off with having outdated and less functional IT. Finding out that wasn’t true was a difficult pill to swallow for many.

Second lesson learned: confront uncomfortable security truths and don’t allow your organisation to operate in ignorance. Furthermore, the security controls should be built around the best the commercial world had to offer, including public cloud. We espoused the benefits of ‘native security,’ the controls and options already available in the technology we wanted to buy. This allowed government to utilise modern devices and services in the form they were intended, rather than with clunky augmentations or, worse yet, significant restrictions.

The simple and secure option

The new Classification Policy was launched in 2014. Despite being seven times shorter than the previous document, it had taken almost three years of negotiation and development to produce (lesson three: do the hard work to make it simple). Within a year, government had begun to grip the opportunities it presented; previously inaccessible devices such as tablets and smartphones were becoming commonplace. Technology teams across government were taking advantage of the cloud. Through implementing clearly differentiated security policies, the government had made it easier to innovate while focusing security on the most sensitive data. A pivotal moment occurred a couple of years later when the newly created National Cyber Security Centre (part of GCHQ) stated publicly that when used properly, cloud is the secure option for government.

This blog, along with the embedded video, was produced by the AWS Institute. The AWS Institute convenes and engages global leaders who share an interest in solving public sector challenges using technology. Learn more about the AWS Institute. If you would like to offer feedback, email aws-institute@amazon.com. Or if you would like to learn from what others have done, visit Open Government Solutions.

TAGS: , , , , , ,
Ben Aung

Ben Aung

Ben Aung joined Sage Group as global CISO in 2018, after 16 years in the UK public sector. Sage is the UK’s largest technology company and the world's leading provider of integrated accounting, payroll and payments systems to entrepreneurs and small and medium businesses. Ben has overall responsibility for the security of Sage’s global technology estate and customer-facing products and services for over 2 million customers in 23 countries. This includes market-leading cloud products for Europe, the Americas and AMEA. Ben left public service as deputy government chief security officer, based in the Cabinet Office. Ben was responsible for all aspects of protective security policy and coordination across 48 government departments and over 400,000 civil servants. Ben’s remit included cyber security, personnel security, counterterrorism, counterespionage and investigation of major breaches, including contravention of the Official Secrets Act. While in government Ben worked within UK’s crisis response apparatus (COBR) and was involved in numerous national incidents, including the 2017 WannaCry outbreak. (https://www.linkedin.com/in/benaung/)

Liam Maxwell

Liam Maxwell

Liam Maxwell is director of government transformation at Amazon Web Services (AWS), where he helps governments accelerate their modernization programs. Previously, he was the UK government's first chief technology officer (CTO) and served subsequently as national technology adviser. He has a background in technology leadership in FTSE100 and Fortune 500 business service companies, local government, and education. He’s adjunct professor of electronics and computer science at the University of Southampton.