Information & Ethics Committee on March 27th, 2018

Thank you.

It's difficult to know how much I can say on the cyber-attacks. Government departments are under constant attack by automated bots and agents all the time. We've also had distributed denial of service attacks. We're constantly looking at ways to engineer our way around those.

We are fortunate that we have GCHQ and the National Cyber Security Centre, which are very capable in anticipating and warning against attacks as well as advising not only government but also business in the U.K. of potential mitigation. Also, if there is a cyber-attack or if something is compromised, they are very capable in advising on how to quickly recover from it so that it doesn't cause any lasting damage.

I'm finding it difficult to be specific. I suspect you might need a closed session with a representative from the National Cyber Security Centre in the U.K. I do know more; I'm just conscious, particularly in a personal capacity, of what is appropriate for me to share.

Thank you.

I think that goes back to the first question of my opening statement: what are you trying to achieve by going digital? Is it purely moving more services online and effectively still operating in a forms world, where it's not paper forms anymore but forms on a computer screen, or is it about looking at how the operating model of government itself can be improved to enable services to be redesigned, really?

If we have better data in government, why do we ask citizens to constantly tell us something that government already knows, such as where we live, how much we're earning, how many children we have, and whether we're married? Why don't we move much more to data-driven services and push services to people, rather than asking people to fill in forms all the time?

I'm aware that the focus seems to have gone at my end....

I think that in an ideal world I would take the time to step back and ask, “How do we want our public services to be working and engaging with citizens in the next five to 10 years?” I would be just taking the time to look at everything that's going on.

I've mentioned that people are going to be wearing more monitoring devices in health and that the Internet of things is going to be in people's homes more and constantly interacting with them. There's going to be a whole series of changes coming. I worry that government will always be behind the curve. If today it's still thinking about moving things onto websites just as the rest of the world is moving to the Internet of things and devices, the whole world will have moved on again just as government manages to catch up with the web.

I think there's an opportunity to look back. We have a very similar problem in the U.K. between central government and local government, and we have multiple tiers of administration. There is an enormous opportunity to take a lot of the complexity out of the internal operations across both local and central government and to potentially put more resources back into front-line services.

My worry is that we talk too much about online services, rather than thinking about digital in terms of how government itself reorganizes and restructures its own operations to remove a lot of the complexity in process, function, and administration in order to simplify and streamline front-line services, whether they're delivered face to face or through a gadget of some kind. By making better use of technology within government itself, potentially there's an upside of enabling more resources to go towards the front-line services that maybe can't be automated.

Yes, of course.

Thank you.

I think there are possibly several layers to that. One is the Estonian type of approach that we have mentioned, whereby citizens can at least see who has had access to or made use of their data. Then there is a bigger question about how much appetite government has to reveal much more financial data about its internal operations. You mentioned the possible threat that if it does so, people might try to effectively game the system and manipulate the market. On the other hand, it might enable us to get better insight into where the public sector is doing a very good job and where other parts of the public sector could follow a particular organization's model because it's been very financially efficient in the way it operates. It might also enable us to see where other parts of the public sector are not functioning so well and could work together to help improve those areas.

Also, in the computer age, there is a potential level of transparency about algorithms and processes. For example, regarding welfare calculations, does government keep those processes entirely within itself, or does it enable third parties to potentially run my financial affairs against a welfare calculation system? There could be big benefits to citizens if they could share their financial details with a financial adviser. If a financial adviser could model my circumstances against government rules and calculations, they might be able to determine whether I could apply for benefits or whether I'm due a tax rebate or something.

There are many levels of transparency. I think it's a good question, because I don't think that I've seen anyone answer the question. How open does this government want to be in the digital age in terms of the type of information it makes available? As well, how open does it make some of its systems to allow for others to potentially come along and help government innovate and improve upon its services?

I agree that humans remain a weak point in many of these systems. I mentioned earlier some of the social engineering we've seen when very sensitive computer systems in the U.K. have been inappropriately accessed. While they do have protective monitoring on those systems that raises alerts when inappropriate access is made, the time delay between the access being made and the human being found, tracked down, and held to account has unfortunately been tragically slow on occasion, and I do mean literally “tragically slow” in at least one case.

The risk appetite comes back into this discussion, along with everything involved in the software engineering. How do we trust the code that a human being has written, all the way through the system to the operator of that system? Given that this can be a weak point, how do we ensure that as little unnecessary data as possible is displayed to users when they look at a screen in the future, instead of enabling them to bring up somebody's entire record on a single screen to look at all at once?

You're right that all those things should be looked at in designing these systems, but ultimately there's always going to be a risk in these systems. Where are you on that risk appetite, in terms of the cost and the mitigation you're prepared to take in different systems?