HMRC annual report triggers cyber red alert

All organisations have a risk appetite. It is what defines their attitude to risk, the amount that they are willing to tolerate it and the amount conversely that they are willing to spend (in say cybersecurity budget) to mitigate it.

Risk analysis involves looking at possible risk scenarios and for each one considering the following main factors: probability, vulnerability and impact. In aircraft maintenance terms, this might be the probability of severe turbulence, how vulnerable the aircraft would be to this and what the consequence would be if it could not cope. These factors are typically each classified as high, medium or low, or red, amber or green.

Investigative journalists from The Independent recently spotted that HMRC’s annual accounts include a set of red flashing lights, where it states that its outdated tech could lead to a “major IT failure or security breach” that could “harm our business operations permanently”.

Legacy hardware

HMRC is not alone in relying on ageing legacy hardware. Many banks and other government departments also do so. There is always a trade-off between the cost and risk of sticking with systems that work well enough, but are getting progressively out of date and hard to maintain, and the cost and risk of replacing them.

Unfortunately the longer that you put off replacement, the more temporary fixes and additions you then need to make to the legacy systems over time to enable them to adapt to changing requirements. Each time you take such a shortcut, rather than implementing a new system that would be optimised to the current use case, you are adding what is called technical debt. This describes the cumulative cost of poorly designed software and compromises that are made over time, as well as the increased difficulty of maintaining such a system as layer after layer of such shortcuts are added. Technical debt not only increases with the cost of maintaining a patchwork of fixes to an array of increasingly poorly architectured applications, but it also causes reduced productivity and customer experience, and inhibits an organisation’s ability to innovate

The perils of cybersecurity debt

Neglecting or delaying modernisation is also the main cause of cybersecurity debt. This arises from the accumulation of poor cyber hygiene practices. While new technologies have patches issued regularly to counter newly discovered vulnerabilities, as systems age these patches are issued less frequently and eventually systems become end-of-life and are no longer supported at all. In addition, while widely used software packages are supported for longer and have a larger pool of skilled practitioners, bespoke systems are not only unsupported, but are understood by a small and shrinking pool of technicians. And even when using packaged software, the more that these are configured to particularly unique use cases or have changes or additions bolted on, the less applicable any patches are anyway. In addition, complexity is the enemy of security. The more quick fixes are bolted on or connections are made to link applications together, the more points of failure or vulnerability exist. 

Successive governments have now neglected and delayed modernisation programs at a number of major government departments, including HMRC, for decades. It is like choosing to maintain a fleet of ageing airliners, long after their original replacement date. Even with the best maintenance (and some would argue that cost-cutting has had an impact here too) the airframes have a limited life span. 

Serious skills shortage

The accumulated technical and security debt is compounded by a skills crisis. Not only is there a massive shortage of cybersecurity skills in the public sector, but the programming skills for some of the oldest systems are in very short supply these days, and there is also a continual skills drain with the most sought-after skills being lost to the private sector.

And at the leadership end things are not a lot better. An emphasis on diversity over competence has meant that few public-sector chief information officers (CIOs) actually have any coding skills. It is argued that CIOs won’t ever need to do any coding themselves and much of the coding in the future will be done by artificial intelligence (AI) anyway. 

The problem is that if their direct reports suggest technical changes, these CIOs, while still on the hook if things go wrong, will lack the technical understanding to judge whether what is being proposed is the best course of action and unable to counter with alternative suggestions. It is like having cockpit crew who are known to be able to control things while the autopilot is engaged, but lack the skills to cope if or when you hit severe turbulence.

Missing out

Joined-up government that links taxation with benefits or healthcare with elderly care and that provides a step change in citizen services would be possible with modern systems, but not with what we have. And all the latest innovations in everything from AI to cybersecurity are happening in the cloud, not on legacy platforms. We are missing out.

Often underappreciated are both the risks of doing nothing and the potential benefits of full reform.

• Minimising risk: Government departments typically follow a rigid process using risk management accreditation document sets (RMADS) with desktop exercises and penetration testing that can focus too much on known risks rather than far more effective, fully immersive simulation exercises that really put teams to the test.
• Maximising benefit: Policies that mandate greater levels of citizen self-service, without back-end transformation, fail to deliver service improvements while often opening up vulnerabilities. Whereas full digital transformation has the potential to harness the latest tools to integrate services, while also harnessing advances in AI to improve service delivery and employing the latest cybersecurity tech to reduce risk.

Obviously, there is considerable cost and risk in replacing legacy systems. Banks have described the challenge of replacing their mainframe-based, core banking systems as akin to changing the engines on an airliner when in flight – and TSB stands as an example of how things can go very badly wrong, even when you have the very best contractors involved.

Nobody is suggesting that replacing HMRC’s ageing systems would be easy, but the cost and risk of not doing so are rising all the time. So what do we know from HMRC’s annual report and other sources?

• Probability: The probability of a “major IT failure or security breach” is now seen as significant enough by HMRC itself to be mentioned in its annual report (red).
• Vulnerability: The Customs Handling of Import and Export Freight (CHIEF) system is not connected directly to the internet, but many other HMRC systems are. The accumulated technical and security debt is becoming critical. And state-backed hacking groups wanting to cause havoc would see HMRC as a primary target. They are also highly skilled and very well resourced(red).
• Impact: HMRC itself acknowledges that any breach could “harm [its own] business operations permanently”. The potential impact of such an incident on the government, the economy and the country as a whole would be catastrophic(red).

Given that there are three red lights flashing on the dashboard, the maintenance record is sketchy at best and the airframe is archaic, we just need to hope that the pilot on flight HMRC is more capable than his peers. Maybe time for us all to return to our seats, put our seatbelts on and possibly even assume the brace position.