The Government Digital Service (GDS) was warned by the Cabinet Office and the National Cyber Security Centre (NCSC) that its One Login digital identity system had “serious data protection failings” and “significant shortcomings” in information security that could increase the risk of data breaches and identity theft.
Problems were subsequently confirmed by an internal investigation led by GDS’s chief information security officer. But when, soon after, an MP wrote to the Cabinet Office to enquire about potential issues around the information security of One Login, GDS did not mention any of the warnings in its response.
According to claims by a whistleblower, many of the security problems that were reported have yet to be resolved.
One Login is the government’s flagship system for securely accessing online public services and underpins the Gov.uk digital wallet and the digital driving licence launched by technology secretary Peter Kyle in January this year as part of his new government digital strategy.
The whistleblower – who Computer Weekly has agreed not to name, but who has many years of cyber security experience and worked in a senior information security management role at GDS – first warned GDS leaders of serious cyber security problems with One Login in July 2022.
He says his warnings were not heeded, forcing him 18 months later to write to his MP to highlight the issues, citing the Public Interest Disclosure Act 1998, which protects civil servants who blow the whistle on situations they believe to be in the public interest. He was subsequently informed by GDS that he would face disciplinary action.
As a result of his initial warnings, then GDS chief executive Tom Read found out that development work on One Login had been offshored to Romania, without his knowledge or approval and without first seeking advice from the NCSC.
The whistleblower claims that some of the security failings he identified have still not been addressed and as a result, the information security of the three million users of One Login remains at risk.
He cites over two-and-a-half years of reluctance from the GDS digital identity team to fully address his concerns.
A spokesperson for the Department for Science, Innovation, and Technology, of which GDS is a part, said: “We are fully compliant with UK data protection and privacy laws – including UK GDPR and the Data Protection Act 2018 – adhere to National Cyber Security Centre advice and operate a three lines of defence process. This ensures data is protected, fraud is deterred and detected, and threats are monitored and responded to.”
Serious security problems
In July 2022, the month after One Login went live, the whistleblower advised GDS senior leaders of a number of serious cyber security problems in the system – as was his responsibility in the job he was performing at that time.
His concerns included:
- The digital identity team had insufficient security and assurance personnel to provide effective cyber security governance and management;
- No risk or threat assessment for One Login had been conducted;
- There were no records to show that security obligations and requirements had been identified;
- No information security management system had been put in place;
- Insufficient security monitoring, including areas of concern such as indicators of compromise and the number of people with privileged access to the live production system.
The whistleblower also reported that system administration was being performed through non-compliant devices with a risk of transmitting security vulnerabilities, such as malware or phishing attacks, that could compromise the live system.
The NCSC recommends that system administration for key government services should be conducted from a dedicated device used only for that purpose, known as a privileged access workstation (PAW), or, alternatively, only from “browse down” devices, where the security level of the device is always at least that of the system being managed. The whistleblower warned that the lack of PAWs and the use of browse-up administration (managing the live system from a device of lower security level) were significant risks.
As part of his proposals to address these issues, the whistleblower further claimed that the business case for One Login, which was used to approve over £330m of spending on the project, included misleading statements about the security approach taken for the system and that cyber security risks were not adequately assessed.
He recommended to GDS leaders that the National Audit Office (NAO) or the Infrastructure and Projects Authority (IPA) – the final arbiters of information assurance in the civil service – should be informed. His suggestion was rejected.
According to civil service guidelines, every IT system should have three levels of information assurance – first, by the team developing the system; second, through independent assurance from civil service experts outside the team; and third, from the NAO or IPA.
Helpful observations
In an email to GDS leaders in August 2022, director of digital identity Natalie Jones – the senior responsible owner for One Login – admitted that the whistleblower’s report about information assurance issues on One Login contained “a number of helpful observations and recommendations” and also acknowledged the need for the three levels of structured assurance.
However, in reply to Jones’ email, then GDS chief executive Tom Read questioned the role of the GDS information assurance (IA) team that provided the second-level independent review function, saying that “the days of having a separate ‘judging, assessing and blocking’ IA team should be long gone, and integrated engineering/security (dev/sec/ops) has been best practice for some years”.
Fourteen months later, following the appointment in October 2023 of a new chief information security officer (CISO) at GDS, the internal IA team was disbanded and moved into a new Information Security team.
Another aspect of the whistleblower’s July 2022 advice to GDS leaders raised questions over the use of offshore software development for One Login, provided as part of a contract with Deloitte.
In the same email from Read, the CEO said he was “uncomfortable that this is how I find out we’ve decided to offshore dev work. I would expect this to come to me for advice or a decision, along with advice from NCSC”.
Data protection failings
In November 2022, GDS was told by the Cabinet Office data protection officer (DPO) that One Login had “serious data protection failings” and that the live service should be suspended pending resolution.
In a report to Jones, the DPO made 11 recommendations to address the risks he identified with the One Login service at that time.
He said the initial draft of the mandatory data protection impact assessment (DPIA) for One Login “failed to adequately identify and provide mitigations for key risks before the live service and app were launched. These risks include the lawful basis relied on for biometric data, the legal prohibition of automated processing – and in particular the prohibition on automated processing based on special category data, such as biometric data, without explicit consent – and the failure to disclose the processing of special category data”.
The DPO also questioned whether the One Login team had sufficient discussions with the Information Commissioner’s Office (ICO) over the risks identified.
“These risks remained high post the mitigation measures identified in the DPIA, and this should therefore have triggered the legal obligation to conduct a statutory prior engagement with the Information Commissioner before the service went live. While I understand that there has been some engagement with the ICO, this would not be sufficient to discharge this obligation,” he said, in his report to Jones.
At the time, about 300,000 user accounts had been created in One Login – today there are more than three million. According to the whistleblower, GDS paid for an external lawyer to make a counterargument that the service was compliant in order to prevent its suspension.
A mandatory DPIA has still not been published, despite the system being live for more than three years.
Severe shortcomings
In September 2023, the NCSC wrote to Jones, saying that One Login had “severe shortcomings” in its cyber security, identifying “top-level risks” including “bulk personal data breach” and “risk of impersonation leading to mass fraud”. The NCSC concluded that “the current design and operating procedures of the system leave significant risks”.
The following month, the whistleblower wrote to the then GDS chief operating officer (COO) to further highlight his concerns, stating that the security issues he had identified the previous year had not been resolved.
He provided the COO with further data that showed over half a million vulnerabilities relating to security and resiliency within the live One Login service, of which over 10,000 were considered “critical” and over 7,000 as “high”. The bulk of the vulnerabilities – over 475,000 – were classed as “medium”.
He raised additional issues around information assurance. Assurance for One Login was done by an external consultancy, 6point6 – now a subsidiary of Accenture – which he said represented a conflict of interest because the company is also one of the main suppliers for developing One Login. Furthermore, he said the 6point6 team was refusing to share critical information with GDS’s second-line assurance function.
To this day, the whistleblower claims that the only risk assessments for One Login have been conducted by 6point6, and no independent risk assessment has been completed, which goes against civil service guidance.
High level of risk
Subsequently, in November 2023, the newly appointed CISO, Breandan Knowlton, wrote to Read and Jones confirming One Login was “indeed carrying a high level of risk”. He listed a series of concerns, which included:
- Security clearance of personnel. According to previous claims by the whistleblower, staff without sufficient security clearance had accessed the live production environment – containing data and code – over 6,000 times in a single month, including Deloitte employees based in Romania, which he described as “indicative of an unstable and poorly secured service”. He further claimed that 39% of production administrators did not have the appropriate “security check” (SC) level of security clearance, despite being responsible for handling “millions of citizens’ sensitive personal data”.
- Software engineering teams based abroad – described by Knowlton as “irregular” for a government service, acknowledging that even the “quite small” number of offshore developers “still represents a risk”.
- Direct production system access – with Knowlton saying the number of people accessing the live system was “troubling”, and indicated “a failure of automated sociotechnical security controls and tooling”.
- Alerting – acknowledging that “automated tooling can identify a firehose of potential vulnerabilities” which Knowlton believed the digital identity team had “a handle on”, but adding that “the current risk is likely to remain high”.
- Security culture – with Knowlton saying that “security is currently taken seriously,” but adding that “the extreme delivery pressure may be putting pressure on the programme to overreport current security readiness”.
Knowlton reported that “remediation plans [are] in place to address security and technical debt,” but concluded that, “If upon review by the DI [digital identity] team the majority of these concerns are evidenced and remain unaddressed, the security posture of the DI service could be deemed to fall outside of acceptable GDS and DI thresholds”.
Frustrated by inaction
In January 2024, frustrated by what he saw as inaction from GDS, the whistleblower wrote to his MP, James Sunderland, about his security concerns, citing whistleblower protection laws, and his MP wrote to Cabinet Office minister John Glen requesting a response.
On 5 February 2024, GDS initiated disciplinary action against the whistleblower.
On 8 February, Jones wrote to minister Glen in response to the allegations raised by the whistleblower in his letter to his MP. She included background information about the whistleblower and his recent history in GDS.
“This civil servant made very similar claims internally in 2023, which were thoroughly investigated and actioned at the time. His restated assertions do not appear to reflect the additional security measures implemented by One Login during the intervening period, as part of the programme’s commitment to continuous improvement,” Jones wrote.
“The wider issues associated with the employee who has raised the issue sharing sensitive information externally are being investigated through the Civil Service’s personnel and security channels.”
Her responses to the claims over security concerns said that “cyber security, resilience and information assurance have been amongst the programme’s highest priorities since its inception”. She explained the programme’s “robust approach” to security and rebutted the specific points that had been raised.
Jones’ responses to Glen on the specific points raised by Sunderland were:
Sunderland: How many individuals without national security vetting to SC had privileged access to the live service within the production environment, enabling them to make changes or access data at will?
Jones: “Over the last six months, we have strengthened One Login’s processes for onboarding new recruits and for granting access to the production environment (ie. to the live system’s code and critical software tooling). All One Login staff, irrespective of nationality, are required to undergo a minimum of [the government’s] Baseline Personnel Security Standard (BPSS) or equivalent checks before starting work. No ‘unchecked’ foreign nationals have been, or are, employed on the programme.
“Roles that need production access require Security Check (SC) vetting. An audit in December 2023 identified 172 people with production access; we are continually seeking to reduce this cohort to its smallest viable size while still maintaining the resilience of the system. Named individuals may also be granted limited access, on a case-by-case basis and if approved by a senior civil servant, if they hold BPSS and are undergoing the SC process. 22 people are currently in this category, but it is important to note that their work must be approved by an SC-cleared member of the team before it becomes part of the One Login technical solution.
“A wide range of controls are in place, even for SC-cleared personnel. For instance, code changes are subject to automated testing and two-person checks. Databases containing account details are encrypted. Access to sensitive data stores is restricted and protected by automatic monitoring, with any alerts sent to both the One Login security team and the Cabinet Office’s cyber monitoring function.”
Sunderland: How many security vulnerabilities have been detected in the live service by manual and automated security assessments, including those needing further investigation?
Jones: “The One Login team continually tests and checks the system to minimise vulnerabilities… All identified vulnerabilities are investigated, prioritised and remediated. As part of this approach, in August 2023 the programme assessed One Login against 32 security and operational best practice guidelines, ranging from high-level principles to granular standards in areas such as governance, cyber security, monitoring and resilience. This exercise identified a range of findings that were repeated across multiple production accounts, leading to an artificially large number of potential vulnerabilities (which was the source of some of the employee’s original concerns). Once the duplicates had been removed, however, they were classified as eight critical, 34 high, 25 medium and 21 low findings. Of the eight highest priority conclusions, one was a false positive, two have been fully addressed and the remaining five are currently being remediated. All of the remaining findings are also being triaged and addressed.”
Sunderland: The number of occasions per month when systems underpinning the live service were directly accessed by staff and contractors?
Jones: “It is necessary and important for named staff to be able to access One Login’s live system, to ensure its smooth and robust operation. This is controlled, logged and monitored, with automated alerting in the event of unauthorised, out of hours and/or unusually frequent access. In January 2024, individuals accessed the production environment a total of 6,222 times. This is consistent with expected levels for a system of One Login’s complexity. Any unapproved access to the system would be fully investigated. The One Login security team regularly carries out threat modelling and red teaming exercises to map out how a ‘bad actor’, whether internal or external, could try to infiltrate or attack the system. The findings are then used to strengthen further the system’s design and protections, including so that the impact of any compromise would be limited and ineffective.”
According to the whistleblower, the number of times cited for the production environment being accessed was unusually high. By comparison, he quotes figures for another GDS service, Gov.uk Notify, which processes one billion messages per year: in an average month, he says, Notify sees full-privilege interactive access just 10 to 12 times.
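The kind of alerting described in the reply above (out-of-hours, unusually frequent and insufficiently cleared production access) and the monthly access count the two sides compare, as an added illustration that is not GDS’s own tooling; the log format, user names, clearance values and thresholds are constructed assumptions:

```python
"""Flag privileged production access that a defender would want alerted on:
out-of-hours sessions, one account accessing unusually often, and access by
staff without SC clearance. Added example; format and thresholds are assumed."""
from collections import Counter
from datetime import datetime

# Constructed sample log (assumed format): timestamp, user, clearance, target
SAMPLE_LOG = """\
2024-01-08T09:12:03Z alice SC prod-db
2024-01-08T10:45:11Z bob SC prod-k8s
2024-01-08T02:31:40Z carol BPSS prod-db
2024-01-09T14:03:27Z alice SC prod-k8s
2024-01-09T14:05:02Z alice SC prod-k8s
2024-01-09T14:06:48Z alice SC prod-k8s
2024-01-09T14:07:10Z alice SC prod-db
2024-01-10T22:15:00Z bob SC prod-db
2024-01-11T11:00:00Z dave BPSS prod-k8s
"""


def parse_access_log(text):
    """Parse one access record per line into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, clearance, target = line.split()
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "clearance": clearance, "target": target,
        })
    return records


def find_alerts(records, work_hours=(8, 18), max_per_day=3):
    """Return the three alert classes: out-of-hours events, users lacking SC
    clearance, and users exceeding max_per_day accesses on any one day."""
    out_of_hours = [r for r in records
                    if not work_hours[0] <= r["time"].hour < work_hours[1]]
    # Production roles require SC vetting; anything else is an exception to review
    uncleared = sorted({r["user"] for r in records if r["clearance"] != "SC"})
    per_day = Counter((r["user"], r["time"].date()) for r in records)
    frequent = sorted({u for (u, _), n in per_day.items() if n > max_per_day})
    return {"out_of_hours": out_of_hours, "uncleared": uncleared,
            "frequent": frequent}


def monthly_totals(records):
    """Count production accesses per calendar month (the figure GDS reported)."""
    return Counter(r["time"].strftime("%Y-%m") for r in records)


if __name__ == "__main__":
    recs = parse_access_log(SAMPLE_LOG)
    print(monthly_totals(recs))
    for kind, hits in find_alerts(recs).items():
        print(kind, hits)
```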
Sunderland: From a cyber security perspective, what was the IPA made aware of in their review, when and by who?
Jones: “We have a very constructive relationship with the IPA which, in keeping with One Login’s status as a government major project, has undertaken three independent reviews of the programme. The most recent was in November 2023. We shared with the IPA all of the extensive documentation it requested, and the review team held candid interviews with personnel from across the programme – including One Login’s senior team and the head of security – and in other government departments. The IPA’s report made a number of recommendations, which we are currently reviewing, but commended the programme on its openness, delivery progress and the growing maturity of its live operations.”
Jones drafted a response to Sunderland that further summarised some elements of the information she provided to Glen. In neither letter did Jones mention the earlier warnings from the Cabinet Office DPO, the NCSC, or the GDS CISO.
Following guidance
GDS maintains that it follows civil service and NCSC guidance on security and data protection. The One Login programme employs a team of security experts, with additional scrutiny and assurance provided by GDS’s CISO, the Cabinet Office’s central cyber teams and the NCSC.
A Threat Intelligence and Counter Fraud team in GDS aims to ensure product features are counter-fraud by design and proactively monitored to investigate and intercept fraudulent activity.
GDS is assured against industry best practice guidance and says it regularly engages with the Information Commissioner’s Office, as well as conducting regular risk assessments and security testing.
GDS follows the GovAssure process and says it completed a Cyber Assessment Framework security exercise in 2024, with continued work and collaboration with NCSC on future mitigations.
Problems not addressed
However, the whistleblower claims that the GDS digital identity team is the exception in having nobody from GDS’s internal security team to advise on information assurance – he says every other GDS service follows this principle.
He says GDS has “removed independent assurance of cyber security” from One Login, despite civil service rules mandating that such assurance should be provided from outside the development team.
He claims that GDS has suppressed the NCSC’s warnings and that there is no evidence that all the security problems he identified have been fully addressed.
Computer Weekly asked GDS if all the One Login security and information assurance issues that were raised – along with the DPO and NCSC concerns – as well as the risks subsequently confirmed by the GDS CISO, have been fully addressed and resolved, but GDS did not provide a response to that specific question.
We also asked what risks remain to the data protection and information security of the three million-plus users of One Login, but GDS did not answer that specific question either.