How updating Cold War era data classification unblocked government digital transformation
Looking at information security as an enabler for change, not a blocker, was the mind shift that contributed to digital transformation in UK government. The UK modernization of data classification concepts and processes enabled more responsive public services, as well as massive savings (£1.7bn in 2014 alone). From 2012 through 2015, the authors of this blog worked together in the Cabinet Office in the UK—Liam as chief technology officer and Ben as senior policy advisor for cyber security—to reform a decades-old information security policy. This effort helped unlock widespread cloud adoption in the UK public sector and the advantages that come with it. As a result, in 2016, the United Nations named the United Kingdom as the most advanced in the world for digital government. The lessons learned and the choice to move to the cloud to increase security and gain in flexibility are relevant to any organisation in pursuit of technology or business transformation.
Cold War classification
The official data security classification policy that we inherited dictated how 400,000 civil servants and others in the wider public sector, military, law enforcement, and government supply chain marked paper documents and secured IT systems. It dictated where information could and couldn’t be sent and even the strength of locks on doors. This policy was designed for people carrying briefcases tied to their wrists and had essentially remained unchanged since the Cold War.
The policy provided six levels of security classification: Unclassified, Protect, Restricted, Confidential, Secret, and Top Secret (most governments have a similar policy). Each classification was subject to entirely different processes and controls, which meant six ways of delineating information, six distinct levels of IT, and six different ways to do things. This stopped entire departments from sharing information or collaborating, even in times of crisis.
Created against a backdrop of heightened espionage and terrorism risks, four of the six classifications were designed for national security purposes. The majority of government work was conducted in the Restricted classification. Restricted was a catch-all for sensitive policy development, (some) sensitive personal data, low-level information relating to defence, diplomacy, intelligence, and much of the machinations of government work.
Restricted had a big effect on government’s IT. Although few hard standards existed, for years the UK government had built Restricted systems according to a specific template based on the written guidance and Classification Policy—a dated view of computer security unfit for the world we were living in. Government security practitioners had adapted to a rapidly changing technology picture and emerging cyber threats by locking down functionality rather than rethinking the overall approach. This all came to a head with the cloud and specifically the UK government’s ‘Cloud First’ policy.
UK Cloud First impact
While still under the aegis of the old policy, a Cloud First approach was rendered unworkable. Over the years, many had tried to overcome this situation, usually by asking cloud companies to fundamentally change the operating and technology model, which had made them attractive in the first place. As a compromise, “private cloud” (i.e. cloud in name only) had become the de facto choice. We knew, however, that we could not have digital government, if we had analogue security.
So how did rewriting the classification policy solve this? Early on, in order to effect the reforms we were seeking, we couldn’t just iterate or evolve the status quo—we had to start from scratch. It taught us an important lesson: to change things in security, you often have to stop doing things that work (or sort of work) as well as things that don’t. You have to change the whole environment—not just tweak within.
In the end, we got rid of all six classifications and replaced them with three. We kept the names Secret and Top Secret for the top two classifications; the dependencies and potential issues were too great, especially in terms of the UK’s international collaboration with defence and intelligence partners. The lowest classification, Official, was designed to be a new domain for government. Official combined what was previously Unclassified, Protect, Restricted, and (most of) Confidential, bridging previous gaps in government business.
New cyber threat model
To make sure Official provided the benefits government was seeking, we created a completely different “threat model”—essentially the basis from which security controls should be anchored. Cyber threats facing Official information were comparable to those facing large private sector organisations such as banks, pharmaceutical companies, or a large technology company. This was highly controversial. Government believed incorrectly that its security at Restricted provided a meaningful defence against the most capable cyber threats. This had been the assumed trade-off with having outdated and less functional IT. Finding out that wasn’t true was a difficult pill to swallow for many.
Second lesson learned: confront uncomfortable security truths and don’t allow your organisation to operate in ignorance. Furthermore, the security controls should be built around the best the commercial world had to offer, including public cloud. We espoused the benefits of ‘native security,’ the controls and options already available in the technology we wanted to buy. This allowed government to utilise modern devices and services in the form they were intended, rather than with clunky augmentations or, worse yet, significant restrictions.
The simple and secure option
The new Classification Policy was launched in 2014. Despite being seven times shorter than the previous document, it had taken almost three years of negotiation and development to produce (lesson three: do the hard work to make it simple). Within a year, government had begun to grip the opportunities it presented; previously inaccessible devices such as tablets and smartphones were becoming commonplace. Technology teams across government were taking advantage of the cloud. Through implementing clearly differentiated security policies, the government had made it easier to innovate while focusing security on the most sensitive data. A pivotal moment occurred a couple of years later when the newly created National Cyber Security Centre (part of GCHQ) stated publicly that when used properly, cloud is the secure option for government.
This blog, along with the embedded video, was produced by the AWS Institute. The AWS Institute convenes and engages global leaders who share an interest in solving public sector challenges using technology. Learn more about the AWS Institute. If you would like to offer feedback, email firstname.lastname@example.org. Or if you would like to learn from what others have done, visit Open Government Solutions.