
HMRC ‘hyperscale’ cloud strategy sparks security concerns

With IR35 now threatening to disrupt the way that the private sector employs IT contractors, Bill Mew looks at the checkered history of HMRC’s own tech strategy.

8th Apr 2021
CEO and founder Crisis Team
Columnist

In September 2020, HMRC recruited Daljit Rehal from Centrica as its chief digital and information officer (CDIO). Rehal is responsible for a budget of just over £1bn – which includes an operational budget of £725m and a further £300m for IT strategic changes. 

Currently, in the midst of the five-year Securing Our Technical Future programme, HMRC is seeking to move services and data away from three Fujitsu-run datacentres and into the cloud. 

The Fujitsu contract was due to expire in June 2022 but has recently been extended by three years. 2025 is now the department’s deadline for moving 600 services either into a public cloud environment or on to private cloud and hosted infrastructure owned by Crown Hosting Data Centres.

On the public cloud front, HMRC has recently signed a £40m-plus deal with Amazon Web Services (AWS). Details are scarce, other than that the tech giant is to deliver ‘hyperscale’ compute cloud service provision.

However, this is not a sudden realisation by HMRC or the UK government of cloud computing’s potential benefits. There has been a long and checkered path to get where we are today.

Cloud love-in

A decade ago, the public accounts committee described government reliance on a few major IT suppliers as an “oligopoly” in its report “A recipe for rip-offs: time for a new approach”. It was more accurately a recipe for IT failure. 

A small group of large tech firms bid for large government contracts. They were routinely beaten down on price, leaving them with no option other than either cutting corners or making excessive charges for the inevitable subsequent changes to the specifications.

Under the coalition government, cabinet office minister Francis Maude promised to move away from the inflexible oligopoly and their inefficient delivery models to embrace “smaller, more innovative suppliers.” Cloud was seen as an enabler for moving away from “a limited number of very large suppliers on long-term, exclusive contracts.” 

It was also seen as a way to foster an innovative ecosystem of local tech SMEs and deliver on the government’s procurement commitment to spend a third of its budget with smaller, local British suppliers.

Evolution of small UK cloud firms

The Government Digital Service (GDS) was created to guide and indeed police IT procurement, and it initially adopted a ‘Cloud First’ mantra. This saw the evolution of a number of small UK cloud firms like UKCloud, based in Farnborough, and Datacentred, based in Salford and backed by seed funding from the local council. 

Both firms won contracts with HMRC and other government departments that were reticent about trusting public data to public cloud environments. This changed when Microsoft and AWS opened cloud datacentres in the UK. 

The GDS mantra, under chief technology officer Liam Maxwell, evolved to deem these public cloud services “appropriate for the vast majority of government information and services”.

Local tech firms fall out of favour

It led to a sudden swing away from the UK cloud firms to the global giants. Concerns were raised at the time that AWS was using "lowball" prices to undercut the UK firms and secure contracts which could then spiral in price. 

There were also allegations of a “revolving door” between Whitehall and AWS, with senior civil servants, including Maxwell, taking lucrative jobs with the cloud giant within months of overseeing government cloud contracts.

HMRC ended its contracts with both UKCloud and Datacentred to switch to AWS. And while UKCloud saw its revenues decline, it retained a number of other government contracts. 

Datacentred was less fortunate. Overly reliant on HMRC, it was forced out of business. Critics accused HMRC of bad faith in the way that it dealt with the Salford firm, which lost the local council its investment. It also came under fire for favouring a global mega-corp that paid little in taxes in the UK over a UK business.

Amazon has always maintained that it “pays all applicable taxes, due on its profits” and that its services provide the government with cost savings.

Cloud giants offer US snooping opportunity

Privacy campaigners and UK cloud firms also complain that the government is not only paying lip service to its commitment to direct a third of procurement to UK SMEs, but is also turning a blind eye to breaches of GDPR and unchecked US snooping.

The sensitive government data stored with US cloud giants includes not only our financial and tax records, but also medical records, criminal records and a lot more besides. Initial concerns that such data would not be safe on public clouds were dismissed by Maxwell and others. 

However, recent rulings in the EU courts that overturned both Safe Harbor and Privacy Shield have exposed the fact that all data sets held by US cloud firms, even in their UK datacentres, are subject to potential surveillance by US security agencies.

Some go on to suggest that GCHQ and the Snoopers’ Charter mean that the UK security agencies are no better. However, as the law stands, snooping by our own spies may be allowed, but snooping by foreign ones is most definitely not.

A particular irony is that to comply with the Schrems II ruling on GDPR and Privacy Shield, HMRC and other government departments now need to consider moving their business away from hyperscalers like AWS. A local firm like Datacentred would be the ideal alternative if HMRC hadn’t previously put it out of business.

UK derogation to overlook Schrems II ruling

However, with the flexibility afforded by Brexit, the UK government is expected to provide itself with some kind of derogation that would allow it to overlook the ruling. It would then be free to continue storing and processing our most sensitive data with AWS and other public cloud giants. The NSA’s access to such data is unlikely, therefore, to be curtailed.

In the early years, notable successes such as DVLA’s move to do away with the tax disc and integrate driving licence, insurance and MOT data online were held up as ‘exemplars’. The UK was even recognised by the UN as the number one e-government in the world. 

It has since slipped down the rankings as digital progress has stalled. The uncertainty of Brexit was cited by departments that postponed their move away from legacy systems and signed extensions with the old IT oligopoly, as HMRC did when it extended its contract with Fujitsu for three more years.

Now that we have actually left the EU, there is no longer any uncertainty and instead there is an urgent need to transform our IT systems to serve the post-Brexit reality. Whether or not we have swapped one oligopoly of large IT services firms for another oligopoly of cloud firms, and whether or not our data is being adequately protected, one question remains: ‘Is there a coherent digital strategy here?’

Many are currently struggling with the transition to the new digital tax system or with the extension of IR35 to the private sector. Given the example that HMRC has set with its own IT systems, you may well understand why it wants you to "do as we say, not as we do".

Replies (3)


By Nick Graves
08th Apr 2021 11:24

Never let reality & logic get in the way of crony-corporatism.

Still, at least the Technocrats will get even greater back-door access to everyone's personal data and can make undesirables UNPERSONS with greater ease.

Thanks (2)
By moneymanager
08th Apr 2021 12:52

I wouldn't be the first to note that all the "triple initial" regulatory and investigatory bodies of US government are thoroughly occupied by a non-US beneficial policy. I won't venture here any opinion as to where their loyalty resides.

At a practical level, ‘Is there a coherent digital strategy here?’ It seems a perfect prelude for overarching global state surveillance and the perfect personal mechanism to deliver that, a "vaccine passport".

Thanks (1)
By flightdeck
08th Apr 2021 16:39

But the government has a fine record of on-time, on-budget fully functioning IT systems. No they don't - they have the opposite.

They will spend millions upon millions giving this to an outsource shop (with a few British faces to make it SEEM British) and 90% of that cash will go overseas. This outfit will look professional but they are first and foremost money sharks - change control and kerching etc. The civil service is not skilled enough to manage these contracts, much less understand and manage the tech (and that's how they get their clients by the danglies).

Thanks (2)