Viral Distribution

News yesterday that several London hospitals had been shutdown because of the outbreak of a virus would perhaps make you pause briefly and think of MRSA or some new anti-biotic resistant strain of Staph. So far, so not news – although, thankfully, far less common recently because of, I imagine, Herculean efforts by hospital staff. To hear that it was actually a computer virus makes you pause longer.

The mytob virus, apparently responsible for the shutdown, is more than 3 years old. It’s easy to protect against and well understood. Symantec describe it’s threat level as:


When was the last time you heard of a computer network being shut down by a virus? Well, not that long ago. Along with the hospitals, we have this news today


It seems we’re approaching the annual peak for computer virus infection

Computer users have been warned to take extra special care next Monday as it has been predicted to be the worst day of the year for computer viruses. Security experts PC Tools has forecast the bleak outlook for computer fans on November 24th, as figures from 2007 show that it was the peak for malicious software last year.

But seriously … an entire network shutdown now? In late 2008?

Shortly after I started work in UK government, a series of departments were shutdown for 2 or 3 days, some longer, because the Melissa virus infected their email system. Chaos reined as all email servers were shutdown and nothing could be sent or received. How quickly we had come to be reliant on email. In a hospital where it wasn’t just email but seemingly everything, it must be much worse.

Not long after that, the OGC piloted an anti-virus solution that was hosted “in the cloud” – i.e. was not on local PCs but that filtered every incoming (and later outgoing) email from any government email address that was set up. We took that pilot on, probably mid-2002, and extended it to every single government email address that wanted to use. It wasn’t cheap – but measure that cheapness against the cost of an infection, whether in clean-up time, risk to the operation or any other metric you care to use. Since then, as far as I know, there hasn’t been a single virus infection in a government department using the service. The company, MessageLabs, at the time a tiny company, has since gone on to be a world-leader in anti-virus (and was then bought by Symantec for some $700 million)

What’s my point? I guess it’s the frustration that these lessons have been learned already – and the solution is available at a relatively nominal fee. It’s been well tested and well used for 5 or even 6 years. And hundreds of thousands of email accounts across government are already protected.

For a hospital to be exposed to this kind of risk, with everything else that they have to deal with on a day to day basis, is just shocking.

And, as for the Pentagon, they should already know better – but they should also be reading my blog. Ban USB sticks now.

Seasonal Milestones

When I first joined UK government, in February 2001, I did a short presentation – to the top 200 or so people in the department where I was working – covering the impact of the Internet on government services, the expectations of customers, how things might evolve and what new pressures online services would bring.

Somewhere along the way, I mentioned that I was more than a little surprised – having come from a banking background where milestones and achievements were measured in how many days they were from now – to have heard conversations about perhaps delivering a paper or some sort of thinking by the Autumn:


So just a few weeks ago, when I received a letter from another department that reminded me of how I started out in Government, I thought I’d post an extract here:

200811210833.jpg /


200811091450.jpgThe Office of the President Elect … domain name (the US being, unusually, silent).

Complete with blog,

and Mission Statement provides resources to better understand the transition process and the decisions being made as part of it. It also offers an opportunity to be heard about the challenges our country faces and your ideas for tackling them

Good start … going to be fascinating to watch.

In The Eye Of The Storm

I changed the title of this blog (from e-Government @ large) about 9 months ago. It seemed like it was time. Whilst I still maintain a good interest in e-government, I am not actually involved day to day – I left the Office of the e-Envoy / e-Government Unit at the end of 2004 and since then have been in and around government (or government-like businesses) for the most part, but working on programmes with only small online components at best.


I chose “In The Eye of The Storm” for two reasons, neither of which I really explained at the time. There have been a few comments posted and more than a few emails to me that made me think I should perhaps explain. It probably won’t make any more sense, but here’s why:

Reason 1

5-odd years ago I started posting about the coming “50 year storm” in government:

the 50 year storm that looms is the set of events that will take place this year and early next that will warrant the catalyst. Some senior figures are moving on (perm secs in at least three departments), one or two cross-government figures too. Issues like we have seen over tax credits where technology and business issues conspired to cause enormous pain mean that we will have to rethink delivery controls. Spending will tighten as we enter another financial review round. The potential for central infrastructure, like our own Government Gateway, will be fully realised and people will commit resource to exploiting it rather than exploiting ways to get out of it

Of course it’s peculiar to write about the potential of central infrastructure on the very day that a chunk of data that could only be found in a central location escapes captivity but my point remains. Back in 2003 it felt like we, in UK government, were reaching the point of mass adoption of a few key iniitatives that would lead to a change in approach.

Looking back, the storm was perhaps not of the 50 year variety that I had envisaged. Sure, plenty of things happened – some great things and some not so great things – but the sea change in expectation, in behaviour and in approach to delivery that I was hoping for did not come.

So I changed the title of the blog to “In The Eye Of The Storm” to reflect that we were perhaps in the eye of that storm – we’d been through the first part of the storm and now there was a period of calm before the next wave was to happen. After all, 2005 had come and gone, pretty much 100% of government was online (depending on how you measure it and I’ve seen people justify measures of 10% or 90% – but most things that you want to do online, you now can do online), transformational government was in the ascendancy (and is perhaps now in the trough of disillusionment), the Gershon review had come and gone (as had Sir Peter) and it felt like there was a holding period whilst we waited for a change at the top level of government, before the next set of changes would be unleashed. That feels kind of like an eye of the storm to me.

Reason 2

The second reason was that because I was no longer in and around e-government, I thought I’d write less and less about e-government and more about things that were interesting for me. So, for a while, I switched to writing a lot about my running, about moving to Mac, about getting Entourage to work (three things that now drive the bulk of traffic to the site according to the Lijit widget at the top right of the blog – and you can see that sorted by country on the little map just below the widget, which is drawn from the same data).

So that was a little bit of soft humour – certainly not Jonathan Ross humour – that said I was in a calm period away from e-government and so didn’t feel the need to write about it so much. Will I breach the wall of the eye and get back into e-government? That seems unlikely. After all, what is e-government now? When I started the blog in December 2001 (pretty sure that I was the first UK public sector blogger, albeit that I wasn’t a civil servant), e-government was everywhere – it’s still important, there are over 8 million links to “e-government” from google. That isn’t the case now. Although there are still plenty of innovations coming along, whether they be web 2.0 based mash-ups or collaboration ventures, mysociety trying to drag everyone else into a more thoughtful and capable way of interacting with government and so on.


So generally, there’ll be less and less e-government here (as if there could be any less than there is now), more and more about running and other things that catch my eye – gadgets and gripes about gadgets and so on. It will become more of a personal blog, if you ever thought it was anything other than that.

Gateway In The News


It’s been a long time since the Government Gateway was in the news. Today there are 259 related items in Google News. And, of course, it has gone international with mutliple languages evident in even the first page of news. And most of them aren’t good news stories, rather retelling of what must be a form news story now

“Memory stick containing details of millions of customers/patients/armed forces members/taxpayers/benefit recipients/credit card holders lost. Fears over identity theft/terrorist action/confidentiality breaches reach fever pitch”

Of course it hurts all the more so when it’s something that I was intimately involved in, albeit I haven’t been near it organisationally for 4 years, but the relentless and unending series of data loss fiascos is taking a huge toll on public confidence. It isn’t just government organisations that lose data (see my post, 25 million green bottles, from almost exactly a year ago and the follow up about 3 months ago) but when governments do it (and, again, it isn’t just the UK government) the potential impact and the surrounding noise are orders of magnitude larger.

What someone was doing with a memory stick containing customer login details I have no idea. Why would anyone need such a thing? And why would he or she be in a pub carpark? On second thoughts, don’t answer that last question.

I suspect that there are elements of truth and untruth in the Mail on Sunday’s front page story – oh the times we used to hope for headline news for e-government, but not this kind of headlines – and that the real story is perhaps quite different. But it doesn’t matter; the damage is done. It’ s another incompetence of IT story to add to the seemingly infinite list.

It seems, to me at least, that the actions I put forward a year ago are just as valid:

1. Lock down data exchange now. People come to the data, not the data to the people. Until better processes are in place, this should stop the problem from getting worse.

2. All staff should be taught the “green cross code” of using computers. The very basics need to be re-taught. For that matter, the code should be taught at schools, colleges and libraries.

3. The spooks should lead a review of deploying encryption technology to departments holding individual data so that all correspondence is encrypted automatically in transit using appropriate levels of protection for the job. This will be expensive. The alternative though is to make encryption optional – but because you can choose, sometimes people will choose not to (because it’s too slow or something) and the problem will recur.

4. Systems being architected now and those to be architected in the future will look at what data they really need to hold and for how long and will, wherever possible, make transient use of data held elsewhere. The mother of all ID databases would be a good place to start.

Where I work, memory sticks don’t work. Plug one in and it just doesn’t work (and we’re using Windows XP rather than anything fancier). So perhaps the next actions are:

5. Any contractor or third party working with or alongside government agencies must deploy a standard desktop and server build that disables memory sticks when they are inserted into a USB slot. For good measure, they should perhaps ensure that if a memory stick is even inserted, it is securely and irrevocably wiped. Such third parties would have 90 days to implement this capability across their entire organisation or would be banned from working on government contracts – existing and new – until they had completed the task

6. Any member of such an organisation found to be carrying a memory stick during the period from now until the redeployment of USB countermeasures was complete would be prevented from entering any government building or using any government IT. This would be enforced through random searches, x-raying of bags on entry into buildings and so on.

Extreme? Possibly. But it seems that all measures apart from this are not working and that short of opening up all of the firewalls and setting server passwords to default, any public or private sector organisation – and I mean that in the widest sense as whilst we in the UK see our own examples more frequently, everyone else has the same problem too – couldn’t do a worse job of securing data.