Q&A: Jon Callas of PGP
In the wake of the HM Revenue and Customs data loss debacle, IT PRO sat down with security expert Jon Callas, chief technology officer of security vendor PGP, to discuss some of the issues it raises, along with potential solutions to stop this happening again.
PGP is synonymous with encryption and secure file transfer, and as chief technology officer, Jon Callas is at the forefront of the company's technology development. Late last week we sat down with Jon Callas and asked him for his opinions on the severity of the security breach at HM Revenue and Customs (HMRC) and whether the underlying problem is technical or political.
Is the HMRC data loss a symptom of a cavalier attitude to data security in government?
Yes, but. Among those buts: there is a cavalier attitude towards data security in industry, too. Government isn't alone. This loss occurred because someone was trying to be helpful, as opposed to a stereotypical bureaucrat, and frugal. Lastly, they were upfront and told everyone. I'm sure someone could have come up with a justification for why they didn't have to disclose it. As awful as this is, let us not forget that this was an accident, and the government owned up to it.
And excuse me - why are we blaming the bureaucrat and not the courier company? They're the ones who lost it. Why are we not outraged about a courier system so incompetent? On our list of who we can "blame" there's whoever negotiated the contract to save a bit of money without tracking. Everything I buy from Amazon gets shipped with tracking; large-scale mass consumer goods shipping all comes with tracking on it, because the customers want to know.
Should people worry more about the data that might have been exposed this time, about the system that might have exposed them whether it did or not, or about other systems that routinely expose data?
I would worry more about the exposures we don't know about. Around the world there are documented cases of government workers selling driver's license data, as well as rogue employees in credit card companies and merchants selling personal information. It is most likely that those discs are in the wheel well of a truck, or the plastic shards are in a landfill. They could be in the hands of bad people, and I hope they are not.
However, there are many known data thefts, and this is not one. Last year, one of my previous employers lost a CD with financial records of all current and past employees. The consultant who had it left it in the seat jacket pocket of an airline. The week after that, another previous employer lost all pension records of all employees. I empathize with everyone this happened to.
What about the issue of transferring that much data in the first place?
It sounds like we have some real structural issues that include a completely incompetent courier service. It is very likely that there was a real business need to move this data around - they were not doing it just because. Nevertheless, why this much data? There is the whole issue with outsourced IT where it would be horribly expensive to sanitize this data and that's a huge problem - if the data had been sanitized, what was lost would not have been an issue. If they only needed demographic data they got too much - so why was it difficult to get what was needed? Why was it easier to give them the entire database than the extract?
And does it matter that it was going by CD rather than over a network?
What you really want to do is encrypt the data and then it wouldn't matter how it goes. I suppose physical media is somehow intrinsically less secure and I'm not sure how much of that is our own bias towards thinking that networks are just more secure.
Could the security breach actually prove to be a good thing if it turns out to be a wakeup call for better data security?
If it is a wakeup call, then yes, it could be a good thing. But for that, changes would need to cover all aspects of this incident. How do we make it cheap and easy to encrypt data between government people? How do we make it easy and secure to transfer data? How do we make it easy to sanitize and minimize data sets?
If this were a high tech disaster like an airliner crashing or a spacecraft going wrong, there would be an inquiry saying 'what can we do to make it right? Should people be sending data around at all, and if they do, how do we make it a safe operation?' The main thing is the government should be looking at what policies we should have. Right now there's the 'let's find the scapegoat' phase and the union is trying to protect the guy who is just doing his job.
There are plenty of worse alternatives to having CDs fly around. They could be giving everybody access to a complete central database, which makes me and anybody else concerned about privacy cringe.
Do the vast proportion of businesses, individuals and governments still send unprotected email and why?
Yes they do, and mostly because they think this won't happen to them. They don't perceive the threat - they view the threat as being 'scary faceless hackers'. I can't think of how somebody would steal an email and so therefore it can't happen; even though I know in theory that anybody with an Ethernet sniffer could get that, it wouldn't happen to me. The thought is 'they wouldn't be looking for my things and there are many other things that I need to be doing'. One of the problems with dealing with risks is that you can think of many more risks than you have budget.
These CDs: if they were piles of bank notes nobody would have thought to do with them what they did. It's the mental processes somebody goes through to figure out how valuable something is - banknotes are immediately valuable to everyone, data isn't.
Are the issues for secure transfer awareness or technical complexity?
The basic data management of how you would send these systems is no more difficult than setting up an email server. None of this is rocket science!
Assume I want to send you some information. I go to a transfer web site, and select on my disk the file I want to send to you, and give your name and email address. The web site uploads the file to an intermediate server, and sends you an email with a secure (SSL) link. It will send me an email when you start downloading it, and when you complete the transfer. If I wish to encrypt the file as well as have an encrypted link, I have to do that by hand, but this system would have stopped the HMRC incident.
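The transfer site Callas sketches, modelled as an added Python example that is not part of the interview or of PGP's products: a sender uploads a file, the recipient gets an unguessable HTTPS link, and the sender is notified when the download starts and completes. The hostname, e-mail addresses and field names are constructed placeholders, and the link is additionally single-use and time-limited, which goes slightly beyond the description.

```python
import secrets
import time

# Constructed placeholder for the transfer site's download URL prefix.
SITE = "https://transfer.example.invalid/d/"


class TransferService:
    """In-memory model of the intermediate server in the interview."""

    def __init__(self, now=time.time, ttl_seconds=7 * 24 * 3600):
        self.now = now                # injectable clock, so expiry can be tested
        self.ttl = ttl_seconds        # how long a link stays valid
        self.transfers = {}           # token -> transfer record
        self.notifications = []       # (to_address, message) pairs that would be emailed

    def upload(self, sender, recipient, filename, data):
        # 32 random bytes (256 bits) in the URL: links cannot be guessed or enumerated,
        # so the HTTPS link itself is the only thing protecting the file in transit.
        token = secrets.token_urlsafe(32)
        self.transfers[token] = {
            "sender": sender, "recipient": recipient, "filename": filename,
            "data": data, "expires": self.now() + self.ttl, "downloaded": False,
        }
        self._notify(recipient, f"{sender} sent you {filename}: {SITE}{token}")
        return SITE + token

    def download(self, link):
        # Reject anything that is not one of our links, has expired, or was already used.
        token = link[len(SITE):] if link.startswith(SITE) else None
        rec = self.transfers.get(token)
        if rec is None or self.now() > rec["expires"] or rec["downloaded"]:
            return None
        self._notify(rec["sender"], f"{rec['recipient']} started downloading {rec['filename']}")
        rec["downloaded"] = True  # single use: a link that leaks afterwards is worthless
        self._notify(rec["sender"], f"{rec['recipient']} completed downloading {rec['filename']}")
        return rec["data"]

    def _notify(self, to, message):
        # Stand-in for sending e-mail; a real service would also log these as an audit trail.
        self.notifications.append((to, message))
```

The file contents themselves are still only protected by TLS on the link; encrypting the file before upload, as the answer notes, is a separate step.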
So do we need a system that's more automated, that has less room for human error?
At some point we have to assume that people are at least moderately competent. Any system that says 'let's take the humans out because we know they're idiots' is destined to fail in its own charmingly unique ways. Human beings are simultaneously any system's biggest weakness and greatest strength. If you call me up and say 'I need such and such data - for all people with child benefit I need just this one item which is their postcode' - what if you don't believe that? Is that person being good or bad on that one thing? Are they a good security savvy public servant or are they being a faceless bureaucrat?
What implications does the breach have for the government's plans for ID cards?
As someone who thinks that the ID plans are a bad thing, my optimistic view is that it will scuttle them. Pessimistically, they'll wait for this to blow over, and then proceed. Even more pessimistically, they will come up with an irrelevant tweak to existing things and claim that solves the problem. For example, they would bring in biometrics and claim that because they have biometrics, the plans are now secure. It takes someone with some security savvy to realize that biometrics would actually make the system worse.