
Gov.uk One Login yet to meet government cyber security standards for critical public services


The Government Digital Service (GDS) has yet to achieve conformance with key national cyber security standards for its Gov.uk One Login digital identity system, nearly three years since security concerns were first raised.

The One Login team is still working to fully meet National Cyber Security Centre (NCSC) guidelines. Computer Weekly has learned that the team only complies with 21 of the 39 outcomes detailed in the NCSC Cyber Assessment Framework (CAF) – an improvement on the five outcomes it successfully adopted a year ago.

CAF is designed for “making critical national services resilient to [cyber] attack”, according to the government. It was developed by the NCSC to provide a “comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible”. CAF is part of GovAssure, a cyber resilience review process run by the Government Security Group (GSG), which was launched in April 2023.

One Login is intended to become the primary way for citizens to access online public services. In 2022, the business case for One Login, which was used to justify over £330m of spending on the project, said the system was “underpinned” by CAF – a claim that must be called into question if only five measures were in place as recently as 2024.

Recently assessed

CAF comprises 39 “contributing outcomes”, each with a number of lower-level “indicators of good practice” (IGPs). Systems are rated on a binary basis, whereby failing to meet one IGP results in not meeting the overall outcome, even if all other related IGPs have been met.

One Login was recently assessed as part of a GovAssure review, which found that in the space of a year, the GDS digital identity team had moved from meeting only five of the 39 CAF outcomes to 21.

GDS says CAF assessors noted One Login’s “understanding of cyber security” and that plans are in place to achieve the “exceedingly high standards” of CAF conformance by the end of the year.

However, One Login has been live since June 2022, and with more than three million users, it is precisely the type of critical system for which the “very robust levels of cyber security and resilience” required by the NCSC in establishing CAF should apply.

Furthermore, the Government Cyber Security Standard mandates that all digital services should comply with Secure by Design (SBD) Principles. Computer Weekly has learned that the GDS digital identity team is also yet to fully implement SBD, although GDS says the system “meets these principles”.

GDS was due to go live with SBD by January this year, but has delayed its full implementation until at least October.

This led to the Ministry of Defence asking questions of the One Login team about SBD conformance as part of plans to store a digital version of its Armed Forces Veterans Card in the Gov.uk digital wallet.

GDS says formal accreditation against the Secure by Design framework does not yet apply to One Login and that while such accreditation cannot currently be formally secured, it is “inaccurate to report” that GDS or One Login does not meet Secure by Design Principles.

Historic problems

However, the concerns over One Login’s overall conformance with NCSC and GSG guidelines come soon after the disclosure of historic security problems in One Login.

Computer Weekly revealed earlier this month that One Login had received warnings about “serious data protection failings” and “significant shortcomings” in cyber security from the Cabinet Office and the National Cyber Security Centre – including a recommendation in November 2022 that the live system should be suspended.

Following these warnings – and earlier issues flagged by a security professional who has since turned whistleblower in an attempt to raise the concerns more widely – a team led by GDS chief information security officer (CISO) Breandan Knowlton conducted an internal risk audit in October 2023 to assess the severity of the issues.

GDS has now responded to these claims with a detailed breakdown of how the problems identified in 2022 and 2023 have been addressed (see table below), but questions remain over why the service was allowed to go live with known security risks.

A government spokesperson said: “The concerns captured are outdated and summarise an initial view from when the technology was in its infancy in 2023. We have worked to address all these concerns as evidenced by a number of external independent assessments. Any suggestion otherwise is unfounded.

“Gov.uk One Login follows the highest security standards for government and private sector services – including dedicated 24/7 eyes-on monitoring and incident response. As the public rightly expects, protecting the security of government services and the data and privacy of users to keep pace with the changing cyber threat landscape is paramount.”

Peer Tim Clement-Jones, the Liberal Democrat spokesman for the digital economy in the House of Lords, has submitted a series of Parliamentary questions to the Department for Science, Innovation and Technology asking for details of the security surrounding One Login. He expressed further concerns about the current cyber security conformance of the system.

“Given that One Login is intended to be the key way of accessing public services online, this is deeply concerning. Are we about to see another Verify fiasco? Ministers need to take a direct grip of this,” he said.

CISO review

Computer Weekly has seen details of the GDS CISO’s 2023 review findings, which listed a series of risks and rated each of them from “low” to “extremely high”. We asked GDS to provide an update on each of the risks based on their status today, which is detailed in the table below.

Anecdotal evidence from sources close to consultancy 6point6, which was brought in to support the One Login team for security assurance, paints a picture of a team that previously had insufficient security knowledge, weak controls and few standards.

GDS’s claims of progress in resolving One Login’s security problems suggest the situation has improved and that issues are being addressed – but questions remain about how and why One Login was initially allowed to go live with known issues and lacking conformance with key government standards expected of all critical online public services.

The whistleblower – who Computer Weekly has agreed not to name, but who has many years of cyber security experience and worked in a senior information security management role at GDS – said it is “not possible” to confirm whether any historic or current security problems have been resolved without independent verification of GDS’s response.

“The unverified claim to have achieved 21 out of 39 contributing outcomes in CAF cannot be believed and the true score will only be known if operationally independent assurance is allowed full access to the One Login programme,” he said.