Government Security Classifications: Even more broken than I first thought?

Intro

On 30th June this year the Cabinet Office issued the first new version of the UK Government Security Classification Scheme in a decade. Although I had been assured multiple times by people involved in its development (some for the preceding couple of years!) that it was only a 'minor change', my first review on 3rd July explained why this wasn't necessarily true.

Contrary to the assertions of 'minor change', I was pretty sure the new GSCS was a radical and complicated new model that didn't work very well. Now that I've looked at it in more depth, it's actually a whole LOT worse than that...

I'm going to expand on and explain what the new GSCS actually says in detail - mostly around the OFFICIAL tier, but also how the minor changes to some SECRET data valuations are going to be really hard to live with for a lot of organisations.

A little bit of Data Classification history...

To understand the current scheme (the new one, which took immediate effect on 30th June), and why it introduces so much risk and uncertainty to the full breadth of HMG and Public Sector data management, we need to very briefly consider its predecessor - which I'll call "GSCS v.1", so the new one is "GSCS v.2".

GSCS v.1 was published at the end of December 2012 and came into effect in April 2014, giving a notional 16 months for HMG to get to grips with it.

In practice a lot of public bodies didn't even start to adopt it until a year or two after it was published, however, and a quick trawl around the web suggests some only did so a couple of years ago!

This was in part down to the latitude given in the new scheme to retain the old GPMS protective markings until the data needed to be updated.

This time round GSCS v.2 hasn't allowed any time for adoption - it came into force the day it was published, with no transition period for re-marking data. On one hand that makes sense, because the broad classification names haven't changed; on the other (as we'll see) it is really problematic, because what those classifications actually MEAN has changed fairly radically:

The data you called OFFICIAL on 29th June might still be being called OFFICIAL today, but in most cases it's not going to be OFFICIAL any more...

In addition, GSCS v.1, unlike the GPMS which preceded it, was not strictly hierarchical in nature; which is to say that the classifications didn't build progressively upward - see below:

How GSCS v.1 worked if you read the policy directly...

Given the above, it's not particularly surprising that GSCS v.1 didn't meet its full potential (which is another way of saying that in real terms it set back data classification in the UK by a couple of decades).

Combined with the data liberalisation process pushed in parallel by Cabinet Office when GSCS v.1 was published ('90% of all HMG data is OFFICIAL'), which was followed through the 'policy by blog' mechanism employed by GDS and NCSC over the past 7-8 years ('OFFICIAL data can go into Public Cloud'), it's perhaps not surprising that we now need a GSCS v.2.

So the new schema is a good thing, yes?

Well, not exactly; it's more of a combined missed opportunity and total screw-up.

V.2 has taken a badly understood and variably applied schema and combined it with some of the principles of GPMS (i.e. v.2 thinks about Impact first, whereas GSCS v.1 considered 'Who is going to attack me?' first).

The result is a Dr. Frankenstein's monster of policy - which creates outcomes that are (to say the least) pretty surprising.

The mechanics of GSCS v.1

Here is a flow chart of every step you needed to follow in the GSCS v.1 model:


(This probably won't present well on a LinkedIn page, so if you want a copy of this and what follows as a PDF or in hi-res format then DM me; or I will try to upload it somewhere it can be reached and link to it.)

Now I know that a lot of folks are probably saying 'We didn't do anything like that in our organisation!', but this is what the POLICY actually says, and if you applied the GSCS v.1 rules line by line this is what you would have been doing when classifying any piece of data.

Even in this not tremendously clear diagram, you'll see that right at the start you branch off to either the Blue line of questions (OFFICIAL) or the Orange line (SECRET).

Both can go upwards to TOP SECRET, but Blue has no path to get to Orange after that early question breakpoint.

If, however, you get to the end of the SECRET (Orange) line and haven't identified a big impact of compromise, then it can revert to OFFICIAL (Blue).

Easy peasy, but virtually never applied because "90% of stuff is OFFICIAL", plus "Cloud"...

The mechanics of GSCS v.2

Hold on to your hats - or better still find somewhere quiet, grab a coffee, sit down, and work this through...

To make this simple I haven't added the multiple layers of handling requirements, descriptors, caveats or code-words to this version - I've got a version that does all of that too, but it's a hard read (and an even harder explanation):

Flow chart for GSCS v.2 (HMG Policy since 30th June 2023)

First things you might notice:

  1. This is very much more hierarchical once again - plus the new scheme requires you to consider 5 different types of impact (which will be spookily familiar to anyone with knowledge of the old BIL tables)
  2. The Cabinet Office assertion that OFFICIAL does not have 'two tiers' is broadly correct: it actually has THREE
  3. Data marked at OFFICIAL is now REALLY low value data - stuff that mostly you wouldn't bother about
  4. Data in the new OFFICIAL SENSITIVE tier - and it IS a clear tier now - has a surprisingly low ceiling. The worst that can happen in O-S now is minor injury, harm or moderate distress; or a low to moderate impact on HMG which is of a short duration.
  5. Not everything that is too serious an impact to be in O-S can move to SECRET: because SECRET retains the 'Capable Attacker' requirement for physical harm, personal injury data in many cases under GSCS v.2 cannot be SECRET.
  6. The threshold between some SECRET and TOP SECRET classification impacts is time - a short/medium-term impact will be SECRET, whilst the same impact over the long term will be TOP SECRET. This means data can be 'bargained down' quite easily by IAOs - not a great outcome...
  7. A lot of stuff will either find its way to TOP SECRET, or worse still doesn't have a clear or obvious classification at all - it's literally 'Hors Catégorie', which the cyclists amongst you will be familiar with.

Why I say OFFICIAL now has 3 Tiers:

Cabinet Office were very clear under GSCS v.1 that OFFICIAL was ONE tier, and that OFFICIAL SENSITIVE was not a classification, but simply referred to a 'Need to Know' requirement.

As a policy that made sense, but virtually no-one used O-S like that.

This misuse meant that under GSCS v.1 there were de facto TWO tiers in OFFICIAL - 'O' and 'O-S'.

For GSCS v.2 the body text again asserts that OFFICIAL is a single tier, but by using impact AND by changing the controls applied at each of the OFFICIAL markings, this assertion is quickly exposed as the nonsense I suspect even the authors of the policy really know it to be.

OFFICIAL now has three distinct variants as follows:

  1. "OFFICIAL For Public Release" - data which is OFFICIAL and is either already in the public domain or listed for release. This does NOT require any security controls to be applied. NB: Think old GPMS Not Protectively Marked (NPM).
  2. OFFICIAL - the familiar baseline, but now limited only to data which has "Limited to no negative consequences for HMG, their partners, or to an individual" - that's a very low ceiling which most data currently in OFFICIAL under GSCS v.1 will far exceed. NB: Think old GPMS 'PROTECT'.
  3. OFFICIAL SENSITIVE - for many organisations the new baseline classification, I think; data here can have a higher impact than the new OFFICIAL, but it's still a surprisingly low ceiling overall. For example: "Causes no more than moderate short-term damage to the effectiveness or reputation of organisations". NB: Think bottom end GPMS "RESTRICTED".

If you disagree with me that the above sounds like three distinct tiers in OFFICIAL then let me know - but to me, whether it was planned or not, Cabinet Office have pretty much reverted to old GPMS for these bottom tiers in everything but the naming conventions.

HOWEVER - there's no old GPMS CONFIDENTIAL equivalent, and as we'll see in a second that's a big (HUGE) issue.

Something else worth noting is that personnel vetting for any of the OFFICIAL tiers is now only BPSS. A lot of orgs apply way higher vetting than that, and it's causing a lot of pain across Government and their supply chains, so this should (if anyone pays attention) be a positive thing.

Running some GSCS v.2 Use Cases

I'm not sure if Cabinet Office (and the plethora of representatives from across HMG who helped to formulate the policy) ran any use cases against the new scheme, but I invite you to do so yourself and see what results you get.

Try these scenarios; you can also add your own, and I invite you to share any you develop in the comments if you wish to do so:

  • A) A victim of domestic violence is living in a place of safety as a result of threats made by their partner, and it is considered likely or possible that if their whereabouts are disclosed they could be seriously assaulted or killed. What's the classification of any information that identifies where they're living? If they have a child does this change the result?

NB: Do NOT consider the partner to be a capable cyber attacker - just an average person with bounded capabilities

  • B) Information relating to the adoption of a young person is published on a website that shows their birth name, their birth parents' names, their adoptive parents' names, any new name given to the adopted child, the unique reference number of the adoption, and the general location (area) in which they may live.

This reflects the data incident reported recently for National Records of Scotland.

  • C) Same as 'B' above, but this time consider the case where the child has been placed in care by the court as a result of childhood abuse or neglect by their birth parents, and where the child is still a minor.


  • D) The names of Police Officers and staff, their ranks, and the roles/departments of the police service they work within, where there is a genuine risk of physical attack on or murder of those officers/staff and/or their families by a terrorist organisation.

For 'D' above consider both the threat to the individual (use case D(i)); and the impact on the effectiveness of the organisation and its crime fighting/public safety purpose as a result of the information disclosure (use case D(ii)).

Use case D obviously reflects the PSNI data breach in the press presently, and you should of course remember that the disclosure of Officer and Staff information did NOT require an attack by a capable attacker; it was disclosed in an FOI response as a result of poor internal data governance/operator error - so you probably shouldn't factor a 'capable attacker' into your determinations.


  • E) Any other scenario you might think of from your area of knowledge or business (esp. if it's one you want to share on the comments thread)


Having run through those Use Cases, consider just how useful it would be if we had a tier like the old GPMS CONFIDENTIAL... It's the only tier actually missing from the GSCS v.2 schema now, and perversely it's also the tier that would be most valuable for organisations that otherwise ought to be shifting most of their data into SECRET or above under this schema.


Summing up what this might mean

A lot of organisations are probably still resource constrained for the Summer Holidays, and won't have looked at this in anger. Others might have quickly scanned it, seen the familiar designations and put it in a drawer - if you did, I recommend you get it out again and look closer.

The biggest danger of this new policy is the familiarity of the classification terms used - this will likely lead to gross underestimation of exactly how radically different and far reaching the new schema is.

OFFICIAL doesn't now mean what folks have become accustomed to over the past decade; it's not even clear that data can be limited to a single vertical tier hop -

<Spoiler alert for anyone who hasn't run the scenarios yet>

Some data previously classifiable at OFFICIAL is going to head towards TOP SECRET, jumping straight past SECRET, under the schema as it's constructed today.

Any change to the GSCS schema after a decade of the old one was bound to require some consideration of its impact on contracts (and in particular on SALs where they exist) - but this new schema will require such significant changes that the cost will be hard to fathom.

The benefits will be hard to identify and to realise.

The mandated observance of the new scheme for all contracts LET after 30th June is hard to understand and will be brutally hard and expensive for HMG orgs to apply. I haven't seen any withdrawals of ITTs recently, so I suspect no-one is following that mandate in the policy as yet, which might give short-term bid team relief, but might also mean that there could be complex PCR 2015 implications for competitions downstream if bidders are sufficiently switched on to use that to their advantage.

It is wholly foreseeable that a lot of the IT solutions & Cloud in use across HMG today will not be suitable IF the data is properly classified under this new scheme - and there's the real problem:

The pressure on HMG security people to underclassify data under the new scheme, just to avoid massive business process and IT change, is going to be intense. Most of them won't be able to withstand that pressure, so underclassification is guaranteed to be the norm; for this reason GSCS v.2 is broken.

And finally - GSCS v.2 is 100% clear that this time out, THIS schema must be applied to the whole of the public sector, and that the multiple variable regimes across different sectors which were introduced last time must not be used.

This is one of the few things in the new GSCS that I can get fully behind - forget technology differences, it's the differing interpretations of classification and the controls applied around them that really impact and block data sharing more than anything else.

Some sectors require additional controls to be applied that are based on statute or Policy (such as specific vetting in Policing; physical security requirements like PASF, List N, etc.; and data handling regimes to meet legal requirements), but in truth ALL of those can be achieved inside the flexibility of the new schema.

I doubt if they will be, however, because to do so those same sectors would need to recognise that data they have spent recent years actively underclassifying in order to pursue public cloud (and/or less expensive solutions) is now going to be SECRET or above.

To avoid that, and to keep using the cheap commodity products these sectors extensively use and/or want to use, I strongly suspect we'll see Police, Nuclear, Health, and various other sub-regimes of GSCS appear in due course.

For what it's worth, I think that security sophistry will rob us of just about the only benefit this new GSCS v.2 could offer us - uniformity of data classification across Government, and a true opportunity for cross-party level-field data sharing.



And that's it for this time out - I welcome comments and your own findings from running use cases through the schema.

If you need a printable / shareable PDF of the flow charts (and, if you are masochistic enough, one including the descriptors etc.) then please send me a DM, or email if you have the address.

Owen S.


It's been a couple of weeks and whilst I've had a few messages, no-one has posted their own answers to my scenarios here (which is OK - who wants to be first after all?) So it's down to me: but let me first explain that I've had half a dozen folks who I've known for c.20 years in HMG Security Circles look at this & give me their assessments.

Point 1 - We weren't all consistent with one another (which is an issue - a good schema should give consistent results regardless of who does the assessment).

Point 2 - Sometimes folks downgraded the answer because the actual schema answer was just unacceptable (or as some put it 'daft'). To address that I'm going to use an HC answer - the 'Hors Catégorie' I referred to above - if the answer would just be unpalatable in the real world. Mind you - HC is a big issue: if you need to use it, then it shows the schema is truly broken. Then later I might apply caveats too ;)

And note - I'm not saying what the data was under GSCS V1.0 - I'm trying to work out what it should be under this new GSCS version...
