I made a submission to the House of Commons ‘Science and Technology Committee’ tonight, giving my opinion on the (Draft) Investigatory Powers Bill. Here it is:
I was Information Security Officer for the trading floor of a ‘Big Six’ energy company. I spent a year investigating best practice and defining departmental information security policy. I aimed to learn from the mistakes of others so as to avoid repeating them, and I hope it will be useful if I pass on what I discovered.
- Technology is not the issue
The most common error is to treat organisational risk as ‘an IT issue’ and to spend as much money as can be found on whatever technical controls are presented, to mitigate each newly identified threat. The effect of such an approach is that, rather than managing risk economically, one accumulates an ever-increasing set of controls that have a negative, invasive effect on normal operation and morale, yet a determined attacker still only has to find one weak point to break through (and that weak point is usually a person, not technology). This approach eventually collapses when the organisation realises it is spending more on security than the culture it set out to defend is still worth. I see evidence of such escalation in the measures in The Investigatory Powers Bill. Believing information security is a set of technology controls has repeatedly failed to deliver adequate value for money in private enterprise.
- Manage risk, not controls
A far better approach is to identify the most valuable assets, the known threats to them and the most probable attack vectors, then to spend in a highly targeted way on defending what really matters. To me, that looks to be the communications around a very small number of known terrorist suspects and criminals. It does not include wasting resources on mass surveillance of all British citizens or of all secure, legal transactions with UK businesses, annoying them in the process and losing their support.
- The Bill is a weapon, not defence. It will be used against us
In this instance, the security services’ real aim is to manage the UK’s physical security, not information risk. The changes proposed seek to make it easier for the security services and police forces to attack the information resources of terrorists and criminals. Sadly, we no longer live in a world where that is possible in isolation. We are all defended by the same technologies. Anything that undermines the information security of terrorists has exactly the same effect on all UK citizens. The Bill seeks to erode our traditional British values of individual freedom, fairness, the right to privacy, equal opportunity, and the presumption of innocence under the law. It will also open us up to new methods of attack from our country’s enemies. I hope that you will decide that this price is too high.
You can do the same, but today is the deadline. The technical measures in the Bill are also very open to technical criticism.
Afterwards, please tell your MP if you have any concerns. If you don’t, read it again, imagining your most feared extremist government having the same potential access to your private information.