State Incompetence and Pesky Hackers!
A contractor for the Ministry of Defence was hacked last week, allegedly by the Chinese state. At the time of writing, the government believes that no private information was exfiltrated by the attackers, but it knows for certain that an attacker managed to infiltrate the contractor's systems, bypass its cybersecurity measures and potentially have their way with the mass of data on the system. The Defence Secretary, Grant Shapps, has said there will be an in-depth review into how and why the breach was able to happen. This is very normal after incidents like this, but the outcome is entirely predictable. I will stick my neck out and predict that once the review is made public, or details start pouring out, we will be told that the private contractor was manifestly incompetent, probably using inefficient and outdated software that enabled the attackers to bypass the defences in its system with relative ease. We will be told by some political commentators that it is a disgrace that this crucial information is handled by private companies instead of the state. We will be told the system needs reforming and that it needs to be controlled and managed by a government entity instead of a private company. I suspect there is a high probability that, if elected, a Labour government would make such reforms. We need to get ahead of this and understand why this would be a horrific idea, whilst dispelling some general myths related to this topic too.
Let us first talk about the contracting company, SSCL. SSCL was founded in 2013 as a joint venture between the Cabinet Office and Sopra Steria as a provider of large-scale shared software services. The idea was that there would be significant efficiency gains that would cut the amount of money the government needed to spend; remember, this was happening in the middle of the austerity years. The Conservative-Liberal Democrat coalition sought any politically feasible savings in the government budget in pursuit of a surplus and a lower national debt. The government will, as always, attempt to shift blame onto the private partner in this venture, Sopra Steria; however, the state uses this tactic far too often and should not get away with it again. In these partnerships, one side has all the power, and it is most certainly the government. The idea that the private partner had all the influence in the normal decision-making processes you find in these ventures is absurd; if it were true that the state had no power, then private companies would not lobby it so much and would use their own power instead.
Combine that with the knowledge that the government had been in the mindset that any decision made should align with the principles of austerity: policy decisions should cut government spending. I can almost guarantee that at some point in this decade-long partnership there were suggestions from insiders to invest in the technology so that it could be brought up to date. Bringing a whole system up to date is not simply about improving the user interface; the differences in cybersecurity between different generations of technology are unfathomable to people who are not involved in the sector. One patch (software update) can be the difference between getting hacked and not getting hacked. We live in a world where systems become legacy systems relatively quickly, within a matter of a few years, so it is not stupid to suggest that at some point in the partnership their systems became out of date relative to the techniques and tactics used by modern hackers. It will have been clear to those with the know-how that the technology was becoming a massive security risk. The problem? The cost of constantly upgrading these systems will have been substantial, yet the government wanted to be seen cutting spending, not increasing it. The government had no desire whatsoever to invest heavily in the systems needed to repel such a hack. The government may have suggested compensating measures that, in the long run, do not solve the core issue. The system's issues will only have got worse, continuously affecting the whole infrastructure, yet the government increased the involvement of SSCL in other departments. I highly suspect all of this will be borne out in any review or investigation that happens now that the event has become public. This is, once again, another example of state actors thinking they have the knowledge needed to execute complex plans; they do not and never will.
The suggestion that the state should take over, more than it already has, the management of the systems that were affected also needs beating back. I want you to think for a second: which government-run entity is most likely to be the beneficiary of huge sums of money to invest in its cybersecurity and general technology infrastructure? The NHS. You would imagine the NHS has some of the highest-quality technology money can buy, right? Wrong! The NHS is known for having some of the most outdated technology in the country. The sort of technology the NHS uses carries substantial risk that attackers could infiltrate the network and steal thousands, even millions, of pieces of sensitive patient data. It cannot be stressed enough that if the NHS, one of the institutions most loved and protected by both parties, does not get a technology upgrade, then the technology used by SSCL will not be invested in either. We can look across parties and see that when Labour was in power, and when Tony Blair promised an upgrade in technology in 2002, they were not able to invest efficiently in technology for the NHS either. The National Programme for IT promised to bring the NHS into the 21st century, yet the Labour Party failed to execute this promise in any way that resembled an efficient and cost-effective process; the incompetence is not just a feature of a single party.
It cannot be stressed enough that the conclusions drawn from this event cannot be about simply placing the "right" people in management. The state has no idea how to efficiently allocate resources to the most valued ends, since it has no true pricing system to detect where people most perceive value. In a truly private-sector company, the manager of an IT company may choose to invest in cybersecurity. They do this and advertise their enhanced protection to their clients, and this leads to greater profit as they attract more clients. The profit margin is a direct and often swift indicator that the investment made is what consumers of the service want. If the IT manager decided against upgrades, then once it became clear that the system was outdated and competitors were far ahead, the company would slowly lose money and eventually go out of business, since individuals will not want to risk using an IT company with outdated equipment. The state has no system to receive these signals because its funds come from a never-ending source: taxation. If people cannot stop giving their money to the system, they cannot adequately signal their disapproval of the system. No matter who you put in charge of managing a state-run organisation, it is guaranteed that they cannot allocate resources efficiently, based on the logic I laid out above; thus the state cannot be allowed to take sole responsibility for more systems than it already controls.