HMRC annual report triggers cyber red alert

by

Outdated tech at HMRC is highlighted in its annual accounts as potentially leading to calamitous failure. Bill Mew thinks that if HMRC was an aircraft, we’d all be advised to return to our seats and assume the brace position now.

25th Oct 2023

All organisations have a risk appetite. It defines their attitude to risk: how much of it they are willing to tolerate and, conversely, how much they are willing to spend (on, say, a cybersecurity budget) to mitigate it.

Risk analysis involves looking at possible risk scenarios and for each one considering the following main factors: probability, vulnerability and impact. In aircraft maintenance terms, this might be the probability of severe turbulence, how vulnerable the aircraft would be to this and what the consequence would be if it could not cope. These factors are typically each classified as high, medium or low, or red, amber or green.

Investigative journalists from The Independent recently spotted that HMRC’s annual accounts include a set of red flashing lights, where it states that its outdated tech could lead to a “major IT failure or security breach” that could “harm our business operations permanently”.

Legacy hardware

HMRC is not alone in relying on ageing legacy hardware. Many banks and other government departments also do so. There is always a trade-off between the cost and risk of sticking with systems that work well enough, but are getting progressively out of date and hard to maintain, and the cost and risk of replacing them.

Unfortunately, the longer you put off replacement, the more temporary fixes and additions you need to make to the legacy systems over time to enable them to adapt to changing requirements. Each time you take such a shortcut, rather than implementing a new system optimised for the current use case, you add what is called technical debt. This describes the cumulative cost of poorly designed software and of the compromises made over time, as well as the increased difficulty of maintaining such a system as layer after layer of shortcuts is added. Technical debt not only increases the cost of maintaining a patchwork of fixes to an array of increasingly poorly architected applications, it also reduces productivity and customer experience, and inhibits an organisation’s ability to innovate.

The perils of cybersecurity debt

Neglecting or delaying modernisation is also the main cause of cybersecurity debt, which arises from the accumulation of poor cyber hygiene practices. While new technologies have patches issued regularly to counter newly discovered vulnerabilities, as systems age these patches are issued less frequently, and eventually the systems reach end-of-life and are no longer supported at all. In addition, while widely used software packages are supported for longer and have a larger pool of skilled practitioners, bespoke systems are not only unsupported but are understood by a small and shrinking pool of technicians. Even when using packaged software, the more it is configured for a particularly unique use case, or has changes and additions bolted on, the less applicable any vendor patches are anyway. Finally, complexity is the enemy of security: the more quick fixes are bolted on, and the more connections are made to link applications together, the more points of failure or vulnerability exist.

Successive governments have now neglected and delayed modernisation programs at a number of major government departments, including HMRC, for decades. It is like choosing to maintain a fleet of ageing airliners, long after their original replacement date. Even with the best maintenance (and some would argue that cost-cutting has had an impact here too) the airframes have a limited life span. 

Serious skills shortage

The accumulated technical and security debt is compounded by a skills crisis. Not only is there a massive shortage of cybersecurity skills in the public sector, but the programming skills for some of the oldest systems are in very short supply these days, and there is also a continual skills drain with the most sought-after skills being lost to the private sector.

And at the leadership end things are not a lot better. An emphasis on diversity over competence has meant that few public-sector chief information officers (CIOs) actually have any coding skills. It is argued that CIOs won’t ever need to do any coding themselves and much of the coding in the future will be done by artificial intelligence (AI) anyway. 

The problem is that if their direct reports suggest technical changes, these CIOs, while still on the hook if things go wrong, will lack the technical understanding to judge whether what is being proposed is the best course of action and will be unable to counter with alternative suggestions. It is like having cockpit crew who are known to be able to control things while the autopilot is engaged, but lack the skills to cope if or when you hit severe turbulence.

Missing out

Joined-up government that links taxation with benefits or healthcare with elderly care and that provides a step change in citizen services would be possible with modern systems, but not with what we have. And all the latest innovations in everything from AI to cybersecurity are happening in the cloud, not on legacy platforms. We are missing out.

Often underappreciated are both the risks of doing nothing and the potential benefits of full reform.

  • Minimising risk: Government departments typically follow a rigid process using risk management accreditation document sets (RMADS) with desktop exercises and penetration testing that can focus too much on known risks rather than far more effective, fully immersive simulation exercises that really put teams to the test.
  • Maximising benefit: Policies that mandate greater levels of citizen self-service, without back-end transformation, fail to deliver service improvements while often opening up vulnerabilities. Full digital transformation, by contrast, has the potential to harness the latest tools to integrate services, while also harnessing advances in AI to improve service delivery and employing the latest cybersecurity tech to reduce risk.

Obviously, there is considerable cost and risk in replacing legacy systems. Banks have described the challenge of replacing their mainframe-based, core banking systems as akin to changing the engines on an airliner when in flight – and TSB stands as an example of how things can go very badly wrong, even when you have the very best contractors involved.

Nobody is suggesting that replacing HMRC’s ageing systems would be easy, but the cost and risk of not doing so are rising all the time. So what do we know from HMRC’s annual report and other sources?

  • Probability: The probability of a “major IT failure or security breach” is now seen as significant enough by HMRC itself to be mentioned in its annual report (red).
  • Vulnerability: The Customs Handling of Import and Export Freight (CHIEF) system is not connected directly to the internet, but many other HMRC systems are. The accumulated technical and security debt is becoming critical. And state-backed hacking groups wanting to cause havoc would see HMRC as a primary target. They are also highly skilled and very well resourced (red).
  • Impact: HMRC itself acknowledges that any breach could “harm [its own] business operations permanently”. The potential impact of such an incident on the government, the economy and the country as a whole would be catastrophic (red).

Given that there are three red lights flashing on the dashboard, the maintenance record is sketchy at best and the airframe is archaic, we just need to hope that the pilot on flight HMRC is more capable than his peers. Maybe time for us all to return to our seats, put our seatbelts on and possibly even assume the brace position.

Replies (16)

By richard thomas
25th Oct 2023 18:41

Where is Hugo when you need him?

Thanks (3)
Replying to richard thomas:
By Nick Graves
26th Oct 2023 12:06

Took me a moment to get that! Those were the days...

If HMRC were an aircraft it would have been grounded and de-certified a long time ago.

They take aviation safety seriously.

Thanks (0)
By Nick.Ferriter
26th Oct 2023 09:36

May I also add: lol, lmao

Thanks (0)
By johnjenkins
26th Oct 2023 09:46

You don't need Hugo you got me.
Wow who would have thought that HMRC is heading for Calamitous failure. Perhaps HMRC should read the posts on here to get an idea of how bad they are. I suppose that they thought MTD would solve all their problems and if they had not made it mandatory and worked with us that might well have been the case.
Even if they had continued with "agent strategy" things might not be as bad.
There is only one answer for HMRC and that is to allow us to take over the admin and let them investigate and collect. (yes I know I keep harping about it).
So Hugo what's your take on it?

Thanks (9)
By Mr J Andrews
26th Oct 2023 09:57

Brace position with James Harra in the cockpit? They would probably have overlooked packing the oxygen masks and life jackets.

Thanks (4)
Replying to Mr J Andrews:
By Tornado
26th Oct 2023 11:12

"brace position with James Harra in the cockpit"

Is he actually in the cockpit?

What is really required is a complete overhaul of the Tax System (preferably to massively reduce its complexity) and adapt/create systems that are designed for the job.

Having said that, this would probably throw millions of Civil Servants out of their jobs which no Government would do, so whilst the whizz-kids are always looking at new ways to do things quicker and easier, the collateral damage needs to be seriously considered otherwise the problems will be significantly more than just a crashed aircraft.

Thanks (3)
Replying to Tornado:
By johnjenkins
26th Oct 2023 12:19

He's certainly in a pit of cocks.

Thanks (4)
Replying to Mr J Andrews:
By Nebs
30th Oct 2023 09:57

Mr J Andrews wrote:

Brace position with James Harra in the cockpit? They would probably have overlooked packing the oxygen masks and life jackets.

Based on the MTD model, if Harra is in the cockpit then the passengers would be flying the plane.
Thanks (0)
Replying to Nebs:
By Tornado
30th Oct 2023 12:59

Based on the MTD model, if Harra is in the cockpit then the passengers would be flying the plane.

Yes very good, but also remembering that the passengers have no formal training or qualifications for flying the plane either.

Thanks (1)
By trecar
26th Oct 2023 10:44

Can't honestly say I am surprised. HMRC senior management take their orders from politicians who only ever have a short term horizon. Politicians as an entity tend to be sucked into election focused policies rather than sound management ones. This is displayed almost daily in failed government projects. The latest example being HS2. MTD fits into that mould, especially as it needs to communicate with so many other systems that have similar legacy problems.

Thanks (7)
By kevinringer
26th Oct 2023 12:28

HMRC's old software might be a security risk, but the new software is not fit for purpose. Therefore HMRC is replacing one risk (security), with another risk (the software doesn't do the job that is required of it). Compare the ASA with the old agent account, or the new VAT registration service with the old. Not only does the new software lack the functionality of the old, it isn't integrated with what it should be, for example 30/60-day CGT. HMRC think MTD ITSA will solve these problems, but MTD is the reason we have the ASA problems, and won't do anything to fix HMRC's tax administration.

Thanks (8)
By coops456
26th Oct 2023 13:11

"An emphasis on diversity over competence has meant that few public-sector chief information officers (CIOs) actually have any coding skills."

I disagree. The emphasis in all sectors has always been on ambition over competence. People always get promoted away from the coal-face stuff they are really good at, whether that is teaching or coding.

Thanks (2)
Replying to coops456:
By emanresu
28th Oct 2023 17:25

coops456 wrote:

"An emphasis on diversity over competence has meant that few public-sector chief information officers (CIOs) actually have any coding skills."

I disagree. The emphasis in all sectors has always been on ambition over competence. People always get promoted away from the coal-face stuff they are really good at, whether that is teaching or coding.

Yes and no. The activity of "coding" is one of many skills required to get working systems within both cost and timescale. I'd put "coding" as being only a minor risk contributor. Agreeing a specification, understanding the specification, being able to split up the specification into functions (preferably functions that can be used more than once), extracting the range of inputs and outputs that these functions must handle, and agreeing test criteria are all riskier activities.

As for patching - almost inevitable in an institution such as HMRC - Good designers should take patching into account in their design and analysis process. You don't end up with a working skyscraper by just piling bungalows one on top of the other.

And why didn't this all blow up in 2015? Twenty-plus official releases of HMRC's own SA software, each one more and more panic-driven than the last - inevitably ending in a complete crash and burn.

It is not as if the SA computation is complicated.

[Fourth time lucky? Why does AW keep trashing then reposting my posts? Apart from the obvious!]

Thanks (1)
By indomitable
26th Oct 2023 15:56

When will this country get a grip of anything!! Our politicians constantly let us down!!

But don't worry you still have to contribute a large proportion of your earnings to the treasury so that it can throw it away on god knows what!!

Thanks (2)
By flightdeck
26th Oct 2023 17:12

For once I do not blame the government. Fat layers of management run these departments and it is they who are responsible and accountable for what goes on. Harra has slopey shoulders, saying the government under-estimated MTD (the one that is currently 5x OVER budget and still not done). No Jim, it is entirely your fault - you have the CEO badge so it's your fault.

Thanks (2)
By Nebs
30th Oct 2023 10:00

They should privatise HMRC. Things would get done, more money in the government coffers, and tax evaders would not be able to sleep at night through worry.

Thanks (0)