HMRC ‘hyperscale’ cloud strategy sparks security concerns
With IR35 now threatening to disrupt the way that the private sector employs IT contractors, Bill Mew looks at the checkered history of HMRC’s own tech strategy.
In September 2020, HMRC recruited Daljit Rehal from Centrica as its chief digital and information officer (CDIO). Rehal is responsible for a budget of just over £1bn – which includes an operational budget of £725m and a further £300m for IT strategic changes.
Currently, in the midst of the five-year Securing Our Technical Future programme, HMRC is seeking to move services and data away from three Fujitsu-run datacentres and into the cloud.
The Fujitsu contract was due to expire in June 2022 but has recently been extended by three years. 2025 is now the department’s deadline for moving 600 services either into a public cloud environment or on to private cloud and hosted infrastructure owned by Crown Hosting Data Centres.
On the public cloud front, HMRC has recently signed a £40m-plus deal with Amazon Web Services (AWS). Details are scarce, other than that the tech giant is to deliver ‘hyperscale’ compute cloud service provision.
However, this is not a sudden realisation by HMRC or the UK government of cloud computing’s potential benefits. There has been a long and checkered path to get where we are today.
A decade ago, the public accounts committee described government reliance on a few major IT suppliers as an “oligopoly” in its report “A recipe for rip-offs: time for a new approach”. It was more accurately a recipe for IT failure.
A small group of large tech firms bid for large government contracts. They were routinely beaten down on price, leaving them with no option other than either cutting corners or making excessive charges for the inevitable subsequent changes to the specifications.
Under the coalition government, cabinet office minister Francis Maude promised to move away from the inflexible oligopoly and their inefficient delivery models to embrace “smaller, more innovative suppliers.” Cloud was seen as an enabler for moving away from “a limited number of very large suppliers on long-term, exclusive contracts.”
It was also seen as a way to foster an innovative ecosystem of local tech SMEs and deliver on the government’s procurement commitment to spend a third of its budget with smaller, local British suppliers.
Evolution of small UK cloud firms
The Government Digital Service (GDS) was created to guide and indeed police IT procurement, and it initially adopted a ‘Cloud First’ mantra. This saw the evolution of a number of small UK cloud firms like UKCloud, based in Farnborough, and Datacentred, based in Salford – and backed by seed funding from the local council.
Both firms won contracts with HMRC and other government departments that were reticent about trusting public data to public cloud environments. This changed when Microsoft and AWS opened cloud datacentres in the UK.
The GDS mantra, under chief technology officer Liam Maxwell, evolved to deem their public cloud services as “appropriate for the vast majority of government information and services”.
Local tech firms fall out of favour
It led to a sudden swing away from the UK cloud firms to the global giants. Concerns were raised at the time that AWS was using "lowball" prices to undercut the UK firms and secure contracts which could then spiral in price.
There were also allegations of a “revolving door” between Whitehall and AWS, with senior civil servants, including Maxwell, taking lucrative jobs with the cloud giant within months of overseeing government cloud contracts.
HMRC ended its contracts with both UKCloud and Datacentred to switch to AWS. And while UKCloud saw its revenues decline, it retained a number of other government contracts.
Datacentred was less fortunate. Overly reliant on HMRC, it was forced out of business. Critics accused HMRC of bad faith in the way that it dealt with the Salford firm and lost the local council its investment. It also came under fire for favouring a global mega-corp that paid little in taxes in the UK over a UK business.
Amazon has always maintained that it “pays all applicable taxes, due on its profits” and that its services provide the government with cost savings.
Cloud giants offer US snooping opportunity
Privacy campaigners and UK cloud firms also complain that the government is not only paying lip service to its commitment to direct a third of procurement to UK SMEs, but is also turning a blind eye to breaches of GDPR and unchecked US snooping.
The sensitive government data stored with US cloud giants includes not only our financial and tax records, but also medical records, criminal records and a lot more besides. Initial concerns that such data would not be safe on public clouds were dismissed by Maxwell and others.
However, recent rulings in the EU courts that overturned both Safe Harbor and Privacy Shield have exposed the fact that all data sets held by US cloud firms, even in their UK datacentres, are subject to potential surveillance by US security agencies.
Some go on to suggest that GCHQ and the Snoopers’ Charter mean that the UK security agencies are no better. However, as the law stands, snooping by our own spies may be allowed, but snooping by foreign ones is most definitely not.
A particular irony is that to comply with the Schrems II ruling on GDPR and Privacy Shield, HMRC and other government departments now need to consider moving their business away from hyperscalers like AWS. A local firm like Datacentred would be the ideal alternative if HMRC hadn’t previously put them out of business.
UK derogation to overlook Schrems II ruling
However, with the flexibility afforded by Brexit, the UK government is expected to provide itself with some kind of derogation that would allow it to overlook the ruling. It would then be free to continue storing and processing our most sensitive data with AWS and other public cloud giants. The NSA’s access to such data is unlikely, therefore, to be curtailed.
In the early years, notable successes such as DVLA’s move to do away with the tax disc and integrate driving licence, insurance and MOT data online were held up as ‘exemplars’. The UK was even recognised by the UN as the number one e-government in the world.
It has since slipped down the rankings as digital progress has stalled. The uncertainty of Brexit was cited by departments that postponed their move away from legacy systems and signed extensions with the old IT oligopoly – as HMRC did when it extended its contract with Fujitsu for three more years.
Now that we have actually left the EU, there is no longer any uncertainty; instead, there is an urgent need to transform our IT systems to serve the post-Brexit reality. Setting aside whether we have swapped one oligopoly of large IT services firms for another oligopoly of cloud firms, and whether our data is being adequately protected, one question remains: ‘Is there a coherent digital strategy here?’
Many are currently struggling with the transition to the new digital tax system or with the extension of IR35 to the private sector. Given the example that HMRC has set with its own IT systems, you may well understand why it wants you to "do as we say, not as we do".
Founder and CEO of CrisisTeam.co.uk (SiliconANGLE global Startup of the Week – May 2019), an elite team of experts in incident response, cyber law, reputation management and social influence that help clients minimize the impact of cyber incidents. Previous cloud strategist at UKCloud (the...