Public sector cyber break-ins: Our money, our lives, our right to know

Opinion At the start of September, Transport for London was hit by a major cyber attack. TfL is the public body that moves many of London's human bodies to and from work and play in the capital, and as the attack didn't hit power, signaling, or communications systems, most of the effects went unnoticed by commuters. The organization downplayed the damage done to back office ticketing, billing, and other systems. Everything was in hand.

Not for long. TfL quickly rowed back on claims that no customer data had been exposed as evidence appeared to the contrary. Customers complained that various ticketing discount schemes and group privileges for students and retirees weren't accessible, and TfL made vague promises to perhaps compensate for this some time in the future if receipts were kept. The official line was, however, that things were basically fine.

Recent reports say otherwise, claiming that the scope of the problem is much wider and the situation more serious than previously understood. A vintage friend of The Register confirmed that he couldn't get his old age travel permit, while TfL's Oyster contactless ticketing system was putting erroneous entries on passenger accounts that could not easily be fixed.

The police have arrested a British teenager and aren't thought to be looking for anyone else, so it's most likely not a criminal gang cyber extortion job. But otherwise we don't know what happened or how, what needs to be fixed or when it will be, nor what implications there are for further vulnerabilities. TfL could be a lot more open – indeed, it could hardly be less so.

This is not unique to TfL. If you've read The Register for more than a week, you'll know how it goes. Nobody likes to broadcast bad news, and from the British Library to public health services to government organizations, the initial instinct to manage the information about a breach seems stronger than the instinct to manage the systems in the first place. Commercial entities have the same instincts, but can be quite the poster children for regulatory disgorgement. Public sector outfits have the institutional instinct to clam up and ride things out, which their political overseers understand all too well.

This is exactly wrong. There is a case to be made to exact more disclosure from companies that get hit by cybercrime, but also the argument that their responsibilities are limited to themselves, and their customers can leave or lawyer up depending on levels of horror and hurt. Public sector outfits not only have much broader responsibilities to citizens, not customers, but consume state resources that directly affect all our lives. A million spent rebuilding an IT system blown apart by bit burglars is a million not spent keeping people safe, healthy, and free.

In short, cybersecurity in the public sector is a critical matter to society. It should be treated as such. It is not. Unlike transport infrastructure, environment, food and health, it is not regulated. If an aircraft crashes or a novel infection breaks out, certain bodies have a legal duty to investigate and report.

Imagine if TfL or the British Library knew that the day after a breach, an independent expert team would be clambering through the smoking wreckage, and that in reasonable time there would be a full public report on what happened, why, and how to avoid it.

The benefits would be uncountable. Both public and private sectors would learn what mistakes not to make and, far more importantly, become highly motivated not to make them. Clamming up is not an option when the walrus of candor is going through your server logs. That decision to look the other way when a system limps past end-of-life or omit an audit on who exactly sees what data suddenly feels like the bad move it so obviously is. Not to mention training and managing teams properly, which in cybersecurity as much as in aviation is so often the limiting factor ahead of technology.

It's not an easy move to contemplate. As with freedom of information legislation, institutional resistance will be high and the political cost potentially higher. The actual cost, in these days of chronic under-funding of basic state functions, will look daunting. It's not as if refusing to spend on cybersecurity isn't one of the big problems to begin with.

Then there's regulatory capture, where the industry and its watchdogs get too close to each other and too far away from those they serve. Ask Boeing and the FAA why hundreds of people died in the 737 Max. That's not an argument against regulatory oversight, just one for doing it properly.

We need an accident investigator for cybersecurity, one with the power to keep senior execs awake at nights, one to whom nobody can say no. One that looks for reasons, not blame.

In the long term, it will save money and lives, make everything easier for everyone with responsibility to keep the wolves in the forest. In the medium term, it will shake up expectations and practices across the sector. And in the short term, it will be exceedingly entertaining. We own the public sector. We set the rules. Let's make it happen. ®