Robert Dover examines the information security issues that recent governments have faced, highlighting that the UK government’s approach has failed to keep pace with the way in which information technology has developed and is now used and exploited.
The Johnson, Truss and now Sunak governments have all had publicly revealed issues with information security. For Boris Johnson’s administration it was the extensive use of WhatsApp to discuss and make COVID policy. This morphed into the use of WhatsApp to share gossip and arrange social events in Whitehall, all of which was highlighted by the Sue Gray report.
Liz Truss allegedly had her personal mobile phone hacked by Russian state actors over this summer. And finally, the Sunak government has immediately been beset by the ongoing revelations about Home Secretary Suella Braverman’s use of her personal email account to share restricted government documents with a fellow parliamentarian: deemed to be a breach of the ministerial code by Liz Truss.
Government intelligence is partly about gaining information that another government or competitor would prefer you not to have. But intelligence is just as much about preventing competitors from acquiring your confidential information. It is in this failure to protect information that this and previous governments have suffered. This failure rests – in part – on poor individual behaviours, but mostly on a failure to adapt to a new information environment. Put bluntly, the government’s approach to information security has failed to keep pace with how information technology has developed, how it is used in politics and government, and how adept adversaries are at attacking and exploiting it.
Governments use three primary measures to protect their information: 1) the classification system, training and vetting; 2) control of devices; and 3) values and behaviours.
The classification system
The classification system is straightforward. The document’s author will provide a classification marking, depending on how serious the risk is if the document found its way into an adversary’s hands (ranging from OFFICIAL to TOP SECRET). These classifications are well understood by those who use them daily, but they seem poorly understood by Parliamentarians, journalists and indeed the public. This is a problem because part of the protection the classification system provides depends on a common understanding of the markings.
Control of devices
A good illustration of the potential harm that hacked devices can cause comes from a story in the Russian media that was picked up by Reuters. The Russian reporting claims that the attack on the Nord Stream 1 gas pipeline on 26 September was carried out by the UK. It cites a text message to Antony Blinken within an hour of the blast saying ‘it is done’ (apparently retrieved via the hack on Truss’s phone) as evidence of malfeasance. In the past, the allegations around the US National Security Agency hacking into Angela Merkel’s phone damaged diplomatic relations between the US and Germany. Ongoing revelations about the use of Pegasus spyware to hack the phones of politicians, journalists and activists are having a similarly chilling effect on security.
Former government ministers have suggested that the information security briefings they received in government were non-existent or sparse. This is surprising in the context of how extensive the training is for officials, but might go some way to explain the mistakes ministers have made. These mistakes have included bringing their personal mobile phones into rooms where sensitive matters are discussed.
The problems caused by ‘BYOD’ (or bring your own device) have been all but eradicated in business, universities and in the civil service. An official is unlikely to face disciplinary action if they have their government-issued laptop or phone hacked and documents removed. Run the same scenario, but with the loss coming from an official’s personal device, and there would likely be significant disciplinary consequences. The same is true in business and higher education.
The use of personal communications devices in Number 10, the Cabinet Office and other government buildings hosting sensitive business is unheard of for officials, but seemingly not for our senior politicians. Boris Johnson had to be persuaded to change his mobile phone number after retaining it for fifteen years. Donald Trump insisted on running a Samsung Galaxy phone that no longer received security updates until officials persuaded him otherwise.
Values and behaviours
Information security is as much a state of mind and following certain disciplines as it is having the most technically secure phone or computer – for example, conducting government business solely on government-issued devices.
Understanding that most electronic communications are capable of being intercepted and decrypted is a good place to start when thinking through how to communicate. The sheer number of leaks from Conservative Parliamentary Party WhatsApp groups ought to be enough to give ministers pause for thought.
In conclusion, it is important to note two things about government information. The first is that official inquiries into wrongdoing by governments are dependent on official records. These records used to be exclusively paper-based, written in a guarded house-style, and were ‘weeded’ for state secrets.
However, modern government has moved strongly away from these traditional practices – as shown by the evidence supplied in Sue Gray’s report. Private messages between those at the heart of Number 10 formed the basis of the evidence in the report.
It is unlikely that these messages were written with public disclosure in mind. What they did show was an unvarnished and unflattering view of communications and information flow within government. This type of testimony is potentially more useful to us in understanding the dynamics between those who govern our lives – as well as how they make decisions about official matters. Politicians and officials should now expect that these kinds of disclosures will be made: they need to develop techniques that are fit for purpose.
The second is that government information should be expected to be vulnerable. Throughout the Cold War the US and Germany (via Operation Rubicon / Thesaurus) were exploiting vulnerabilities in encrypted communications devices to listen in to the government cables of friends and enemies alike.
This continued into the twenty-first century, as highlighted by Chelsea Manning and Edward Snowden. So, we should not be surprised by this kind of state-on-state intrusion. But neither should we expect our senior politicians to be easy targets.
An under-acknowledged reality is that traditional ideas of official secrecy are giving way to ‘delayed disclosure’, the idea that official secrets have gained a tendency to find their way out into the public realm in time (sometimes quickly, and sometimes over the course of many years). This new reality should change the way politicians and officials communicate.
By Robert Dover, Professor of Intelligence and National Security, University of Hull.