By David Nordell
If the British news media are anything to go by, Britain seems to have become the country you least want to live in if you’re concerned about the privacy of your personal information, or indeed the security of highly classified government documents.
First, Her Majesty’s Government managed to lose two unencrypted CD-ROMs containing 25 million personal data records; then, a senior civil servant left top-security documents on his commuter train with intelligence assessments about Iraq and al-Qa’eda. A few days later, a civil service colleague left behind on another train sensitive documents about terror financing. Laptops with highly sensitive yet unencrypted data have been stolen from army and defence ministry officials and from a senior member of the ruling Labour party. Only a few weeks ago, it was reported that a consultancy working for the Home Office had lost a memory stick with details of 84,000 prisoners in England and Wales, as well as 30,000 repeat criminal offenders listed on the national police records database. And, most recently, a hard disk containing details of 5,000 prison officers went missing in July, although Justice Secretary Jack Straw, the minister responsible, was apparently only informed about the leak at the beginning of September. But not without reason, the British public took the cynical view that it was government that was prone to security cock-ups, while the private sector could be relied upon to be more careful.
No longer. According to a BBC report, a data archiving firm managed to accidentally sell one of its old computers, holding millions of sensitive customer records for three leading banks: Royal Bank of Scotland, its subsidiary National Westminster Bank, and American Express, on eBay. According to the report, the personal data included customers’ mobile phone numbers, mothers’ maiden names (which are often used to authenticate identities for on-line or telephone transactions) and even scanned signatures. This wasn’t even the first time a financial institution has inadvertently leaked sensitive customer data: the Nationwide Building Society, a leading mortgage bank, was fined nearly 1 million pounds by the regulator last year after a laptop holding customer data was stolen from an employee’s home.
All of this is extremely embarrassing, of course, and makes data security managers throughout the British civil service, and now the financial sector, look like idiots. But that’s the least of it. This kind of amateurishness presents a major risk for terror finance, and indeed terrorist activity. Financial crime, especially fraud directed against financial institutions and their retail customers, has become one of the leading sources of financial resources for terrorism, not only in Britain but also elsewhere; and at least in Britain, much of the fight against terror finance is now focussed on the various kinds of financial fraud. Similarly, all the risks of financial fraud are multiplied greatly if customers’ identities can be stolen easily. If the computer sold on eBay had ended up in the hands of a terrorist cell, instead of a responsible IT professional who immediately informed the authorities, the data on it would have enabled the members to defraud thousands of innocent people, probably to a total of millions of pounds -- and considering that the most recent terror outrages in the UK didn’t cost more than a few thousand pounds each, that sum can buy a lot of terrorist activity. Alternatively, if transferred to the jihadi training camps in Pakistan through the usual mix of ’charitable donations’ and fake income remittances through the money transfer networks, that money would also be able to buy a lot of training for aspiring suicide bombers.
In a way, the loss of prison officers’ personal data is even more worrying. It’s only recently been properly understood, thanks in part to a major project conducted under NATO auspices, that the prisons holding convicted terrorists, or suspects awaiting trial, are part of the front line in the counter-terrorism battle: simply put, they’re a pressure cooker in which the more experienced terrorists can recruit, radicalise and train new members, some of them perhaps not even Muslim, for the jihad. In the Israeli military prisons where Palestinian security prisoners used to be held, for example, regular searches of the prisoners’ cells and tents would routinely turn up everything from improvised weapons to instruction manuals on improvised explosives and resistance to interrogation. Prison officers, who are in any case poorly paid and enjoy less public respect than the police, are responsible not only for keeping order and preventing escapes and riots, but for gathering intelligence within the prison walls, including using informers, and for segregating both dangerous and vulnerable inmates. If the details of 5,000 British prison officers end up in the wrong hands, they will be an ideal weapon for terrorist groups to weaken the prison system, whether by bribing or blackmailing, or even murdering, prison officers. A well-planned jailbreak resulting in the loss of major terrorists, or the murder of a key prison governor, would at the very least be a blow to morale and to the government’s credibility as defender of the population.
No doubt, there are more equally embarrassing and potentially dangerous data leaks that haven’t yet been reported by the media, and there are others yet to happen. But there are two important lessons to be drawn from what is already visible. The first and more obvious one is that the British government needs to take data security far more seriously. At a day-to-day level, it isn’t rocket science. The government must task the Security Service and other agencies with developing practical data security standards and procedures that can be applied readily across every area of sensitive personal data, from bank accounts to medical records; and it should give teeth to existing official bodies, such as the Information Commissioner, to carry out security audits and punish offenders. The concept of ’critical national infrastructure’ has existed for many years already; and when I took part three years ago in a ground-breaking European workshop on economic terrorism, it was already clear that banks, securities exchanges and clearing systems, including their data systems, were as much part of this critical infrastructure as water supplies or power generation. Yet masses of personal data, much of which can be exploited not only for ’ordinary’ crime but also for attacks against the fabric of society, remain neglected.
The other lesson, I believe, is that the model we have been using of ’terrorist finance’ needs to be re-examined and modified. The truth is that terrorist finance is a relatively easy concept to understand, because it’s clear that terrorist activity needs a whole infrastructure of propaganda, recruitment, training, safe houses, travel, legal support, and so on, all of which requires money to keep it going. But terrorist finance is also a concept that is convenient for governments and international bodies, because flows of money can usually be tracked, because laws and regulations can be introduced easily (even if they’re much less easy to police effectively), and because the burden of compliance can be placed on the shoulders of financial institutions. The reality that is perhaps beginning to be illustrated by the failures of information security in Britain is that information may be at least as important an asset to potential terrorists as money, and that at least as much attention needs to be paid to keeping it out of terrorists’ hands. In fact, there is already a new model, of ’terrorist resourcing,’ which has been conceived by a Canadian government counter-terrorism analyst, and which takes account of the entire logistical supply chain, so to speak, that terrorists need in order to function. It’s about time that the counter-terrorism community begins to develop this model rather than looking at money alone.