Am I Being Official? Or Just Too Sensitive? Changes in Protective Marking.

From April 2nd – no fools these folks – government’s approach to security classifications will change.  For what seems like decades, the cognoscenti have bandied around acronyms like IL2 and IL3, with real insiders going as far as to talk about IL2-2-4 and IL3-3-4. There are at least seven levels of classification (IL0 through IL6 and some might argue that there are even eight levels, with “nuclear” trumping all else; there could be more if you accept that each of the three numbers in something like IL2-2-4 could, in theory, be changed separately). No more.  We venture into the next financial year with a streamlined, simplified structure of only three classifications. THREE!  

Or do we?

The aim was to make things easier – strip away the bureaucracy and process that had grown up around protective marking, stop people over-classifying data making it harder to share (both inside and outside of government) and introduce a set of controls that as well as technical security controls actually ask something of the user – that is, that ask them to take care of data entrusted to them.

In the new approach, some 96% of data falls into a new category, called “OFFICIAL” – I’m not shouting, they are. A further 2% would be labelled as “SECRET” and the remainder “TOP SECRET”.  Those familiar with the old approach will quickly see that OFFICIAL seems to encompass everything from IL0 to IL4 – from open Internet to Confidential (I’m not going to keep shouting, promise), though CESG and the Government Security Secretariat have naturally resisted mapping old to new.

That really is a quite stunning change.  Or it could be.

Such a radical change isn’t easy to pull off – the fact that there has been at least two years of work behind the scenes to get it this far suggests that.  Inevitably, there have been some fudges along the way.  Official isn’t really a single broad classification.  It also includes “Official Sensitive” which is data that only those who “need to know” should be able to access.   There are no additional technical controls placed on that data – that is, you don’t have to put it behind yet another firewall – there are only procedural controls (which might range – I’m guessing – from checking distribution lists to filters on outgoing email perhaps).

There is, though, another classification in Official which doesn’t yet, to my knowledge, have a name.   Some data that used to be Confidential will probably fall into this section.  So perhaps we can call it Official Confidential? Ok, just kidding.

So what was going to be a streamlining to three simple tiers, where almost everyone you’ve ever met in government would spend most of their working lives creating and reading only Official data, is now looking like five tiers.  Still an improvement, but not quite as sweeping as hoped for.

The more interesting challenges are probably yet to come – and will be seen in the wild only after April.  They include:

– Can Central Government now buy an off-the-shelf device (phone, laptop, tablet etc) and turn on all of the “security widgets” that are in the baseline operating system and meet the requirements of Official?

– Can Central Government adopt a cloud service more easily? The Cloud Security Principles would suggest not.

– If you need to be cleared to “SC” to access a departmental e-mail system which operated at Restricted (IL3) in the past and if “SC” allows you occasional access to Secret information, what is the new clearance level?

– If emails that were marked Restricted could never be forwarded outside of the government’s own network (the GSI), what odds would you place on very large amounts of data being classified as “Official Sensitive” and a procedural restriction being applied that prevents that data traversing the Internet?

– If, as anecdotal evidence suggests, an IL3 solution costs roughly 25% more than an IL2 solution, will IT costs automatically fall or will inertia mean costs stay the same as solutions continue to be specified exactly as before?

– Will the use of networks within government quickly fall to lowest common denominator – the Internet with some add-ons – on the basis that there needs to be some security but not as much as had been required before?

– If the entry to an accreditation process was a comprehensive and well thought through “RMADS” (Risk Management and Accreditation Document Set) which was largely the domain of experts who handed their secrets down through mysterious writings and hidden symbols

It seems most likely that the changes to protective marking will result in little change over the next year, or even two years.  Changes to existing contracts will take too long to process for too little return. New contracts will be framed in the new terms but the biggest contracts, with the potential for the largest effects, are still some way from expiry.  And the Cloud Security Principles will need much rework to encourage departments to take advantage of what is already routine for corporations. 

If the market is going to rise to the challenge of meeting demand – if we are to see commodity products made available at low cost that still meet government requirements – then the requirements need to be spelled out.  The new markings launch in just over two months.  What is the market supposed to provide come 2nd April?

None of this is aimed at taking away what has been achieved with the thinking and the policy work to date – it’s aimed at calling out just how hard it is going to be to change an approach that is as much part of daily life in HM Government as waking up, getting dressed and coming to work. 

G-Cloud – Still A Hobby? Or More Fundamental?

It’s been an intense ride for G-Cloud in 2012 – a small team, woefully under-resourced, has accomplished much:

– Two iterations of the framework in the bank and a third underway
– Hundreds of suppliers (many new to government) represented
– Its first IL2 assured services (from Memset)
– Its first IL3 accredited services (both IaaS and email from SCC)
– An internal review of frameworks that killed off several other frameworks that were in flight
– A change in leadership navigated as Chris Chant retired and Denise McDonagh took over 

Early purchases are perhaps disappointing – 95 separate purchases totalling a little under £4m (through the end of November).  Even if you factor in that many of these purchases are, anecodotally, being made at prices that are 50-90% cheaper than government has previously achieved, it is easy for critics to argue that G-Cloud is, at best, a hobby for government.

That said, the Strategic Implementation Plan for the ICT Strategy, published in March 2011, had an idea for moving it from a hobby to a fundamental part of ICT delivery in government:

This metric has rarely been commented on but it’s interesting, to me, for several reasons:

1) Four Years

It suggests a roughly four year journey for cloud to become mainstream in central government.  There are no interim metrics available and, one year in, we are, any way you cut the numbers, not yet 1/4 of the way to achieving this.  In OeE days, when the target was “100% online by end 2005” we saw many departments peg their services as likely to be online by Q4 2005 – a classic “it will be all right on the night” hockey stick pattern.  Doomed to fail in other words.

What’s needed are interim targets coupled with plans for their realisation.  What percentage of new ICT spend will be transitioned to public cloud computing services by the end of 2013? And by the end of 2014? 

Suppliers who have entered the market or who are thinking about entering it would massively benefit from seeing these targets made more granular.  Departmental customers wondering how do make the transition happen would have more choice and would be able to work with other departments, in concert, to achieve the targets.

Even more aggressively, then, where will we be by the end of June 2013?

2) New ICT Spending

As far as I know, no one has ever measured or defined what is “new” spending or ever defined what the opposite of new spending is (one assumes “maintenance” but I could be wrong).  We know that any proposals for spend in excess of £1m or £5m (depending on the category) go to Liam Maxwell’s ICT Reform team for approval but it’s not clear if that is new spending – it could, for instance, be £5m of disk drives to support a legacy system.

Departments that I have spoken with suggest that their maintenance spending accounts for some 65-80% of total spend.  Given the heavy spend controls, it might be even higher for some departments.  Does that mean that 20-35% of total central government spend could be classified as “new”?  That would be something like £1.2-2bn on the basis of a £6bn total (I could make up any number for that total, going as high as £13bn even).

But what if new spend turns out to be far less than that?  Or what if it turns out to be far more?  MoJ are out to market for a suite of new suppliers to manage their ICT – some of those suppliers will be new to MoJ; Does that mean that spend with those suppliers will count as new? Or because they are looking after legacy will it get counted as maintenance?  As I said, the definition of “new” needs to be made clear.

On the bright side, putting up to £2bn into public cloud over the next 4 years would certainly count as more than a hobby. 

3) What Kind of Spending

Government has at least two kinds of money – capital and operating.  Traditionally – simplifying massively – ministers like to spend capital on delivering major policy commitments.  Many departments are thus capital heavy in their spending (and all the more likely so in ICT given that buying hardware & software or developing systems usually results in having an asset on the balance sheet). 

Cloud purchases are, though, on a pay as you go basis – they are operating expenditure.  Switching £2bn from capital to operating will create quite a shift in the way government departments think about their money.  It’s not clear to me that many people are planning for that shift – departmental budget settlements still look capital heavy at least for this upcoming year.

ICT moving from a drain on capital funds to a routine operating cost is a necessary consequence of the move to buying services (there will also be interesting consequences on VAT recovery).

4) Public Cloud

There’s a clear statement of intent here and it is that Government isn’t interested in private cloud services (or cloudwashed services as the more acerbic commentators might label them – that is existing capabilities that are rebranded as cloud).  But getting to the heart of what “public cloud” really means might be interesting – if a supplier puts a service together that is available only to the public sector and is priced to compete with pure public clouds, why would government say no to that? 

Some suppliers on the G-Cloud framework today already look to be very competitive with public cloud providers – even though they have gone through more hoops to achieve the assurance and accreditation required by central government.

Also, somewhere in the middle of government, the debate about security levels continues to rage.  A change in policy is seemingly imminent.  IL3, the most common security level in central government, will disappear apparently to be replaced by T1, a simpler level of control that should open the door to far more services that already exist.  This looks, to me, to be far from done and dusted but it is an important change that would make delivering on the cloud commitment far easier.

Not so much public cloud as public sector cloud as well.

5) 50%

If 50% of new spending is to go on public cloud, where is the other 50% to go to?  And what is the aim of moving this 50%?  Underpinning the aim, I am sure, is the desire to reduce, very substantially, the spend on maintenance – that is, the 65-80% of spend that goes on keeping the legacy ship running.  

For every £1 of new spend, what reduction should be achieved in legacy cost?

6) Central Government

The Cabinet Office only aims to control (or perhaps influence) central government of course, but it’s likely that local government could make the fastest and most dramatic steps in its use of cloud (be it public or public sector cloud) mostly because they are smaller and more fleet of foot, have lower security considerations (IL2 rather than IL3) and

Local government probably spends as much on ICT as central government, although it is a far more fragmented spend (with, I believe, a much higher spend maintained in house rather than through outsourced service providers).

A commitment to move an agreed amount of spending from local government ICT budgets to public or public sector cloud would be a huge boost to the emerging UK public sector cloud marketplace. I say “UK” deliberately – this would create a chance for our truly local service providers to create new offers, expand existing capabilities, create jobs in the UK and boost the economy.

Beyond A Hobby

The G-Cloud team will doubtless be thinking about how they grow usage of their framework as they ready the third version (now released from purgatory following the endorsement of G-Cloud in the frameworks review).  They need some help, though, some of which can, I believe, be provided by addressing the points above.

Happy New Year to all readers of this blog.  I hope that 2013 brings all of you success and happiness, whether you have your head in the clouds or your feet on the ground.

Government IT – 180 Degree Turn – Chris Chant

This is the text of a (great) speech that Chris Chant gave at yesterday’s Tea Camp:

First of all to acknowledge a small and important bunch of people who have been delivering some great stuff in gov IT And those who have been working their socks off but through no fault of theirs ON THE WRONG THING – it’s tough being in IT. 

People now can be using the fruits of your work EVERY DAY. There aren’t many things like that – electricity maybe. 

But we need to face  some  UNAVOIDABLE TRUTHS head on 

The vast majority of Gov IT in todays market is outrageously expensive, ridiculously slow,  poor quality and most unforgivably rarely user centric in any meaningful way 

Let’s start with a personal view of the unacceptable. 

It is unacceptable, not to know the cost of a service and the real exit costs – commercial, technical and from a business de- integration standpoint. 

It is unacceptable now to enter into contracts for longer than a year…….
And to those who say “what about supplier upfront  infrastructure costs”, I say ask shops how they do it, ask small garages how they cover the costs of hydraulic hoists and computers 

It is unacceptable, not to know how many staff we have working on IT 

It is unacceptable, not to know what all those staff do. 

It is unacceptable, not to know what systems we own, how much they cost and how much or even IF they are used 

It is unacceptable, not to know when users give up on an online service 

And it is unacceptable, not to know why 

Of course It is unacceptable that they do! 

It is unacceptable to have a successful online service and then to remind customers to use it with a postal mail shot 

It is unacceptable not to be able to communicate with customers securely electronically  

It is unacceptable, not to be able to do our work from any device we choose. 

It is unacceptable to pay up to £3500 per person per year for a desktop 

It is unacceptable for your corporate desktop to take 10 mins to boot up in the morning and the same to shut down 

It is unacceptable for staff to be unable to access Twitter or YouTube or not able to access the online service they are supporting in a call centre 

It’s unacceptable in this day an age, to ensure people are “working” by restricting access to the Internet. 

It is unacceptable, that 80% of Gov IT is controlled by 5 corporations. It is unacceptable, to outsource your IT strategy

It is unacceptable to see the cost of changing 1 word/colour or 1 line of code as £50k  

It is unacceptable to wait 12 weeks to get a server commissioned  


It is unacceptable, not to engage directly with the most agile,  forward thinking suppliers, the SME market.

Things have changed and we haven’t, until now 


Cloud will be cheaper – by the time you factor in the time spent now procuring and accrediting individual solutions,  

Using cloud solutions that have already been secured and accredited will be cheaper almost always.  

We will only pay for what we use, even models emerging for DR 

Over time, for most, products will be pre-procured and security accredited 

We will know from the outset the cost of the product and importantly the cost of exit 

Contracts will be under a year and the business impact of exit will be visible 

Price and service performance will be visible to all. Which will drive a provider to low cost high performance products 

We will not get ourselves locked in, in any way 

We will make fewer changes to the standard configuration of our desktops ( for as long as we provide them) so they will be more reliable, faster and cost less 

82% saving in GDS over corporate systems, includes great kit and IL3 access when needed. 

We will be able to migrate quickly to pre procured products that we need. Either as our needs change or if we are dissatisfied with service or price 

Our staff, over time, will become our system integrators until services in this space mature at the right price. What they won’t be doing is spending years on procurement and security work that has been done by others a hundred times before. 

People will be setting up some services in minutes instead of years 

FDPs and cross cutters don’t have all the answers now must iterate and iterate delivery, policy AND  process – will this approach work – I believe it will – certainly the Herculean effort spending 2 years working out requirements, another year in a procurement process and 3 years delivering some massive bespoke system hasn’t covered us in glory 

The first manifestations of this total transformation of the way Government uses technology will come in the next couple of days. 

We will publish a strategic implementation plan and OJEU which will together demonstrate solid commitment to change the way we work. 

But cloud is very much applicable to restricted and confidential. Services already being developed 

Cloud is PAYG, is elastic, is on demand, put down as fast as you pick up 

Not bound by old rules and ways of working 

Not lock ourselves in business or commercial 

Aggregation of demand is not the only way to drive down cost 

Commerce doesn’t only work that way – M &S 

IT service must start around user need not around outdated and ill applied security concerns 

CESG know this local practitioners often don’t  

We start from “this is what the user needs”, then comes the system (at the right price), then comes the security wrapper to make it appropriately safe 

And that, for many,  is a 180* turn – and it’s the way all Gov IT must be delivered from now on.

(any transcription or editing errors are mine)