July/August 2006 issue

IT strategy @ UK.gov
Ian Grant

The UK government needs to improve its ability to deliver effective IT-based systems at reasonable cost. But the proposed solution could change utterly the relationship between the state and the citizen.

In 1963 Prime Minister Harold Wilson gave Britain a vision of a new era forged in the ‘white heat’ of technology. Forty years on, Wilson’s political heir, Tony Blair, seeks to apply that technology to transform the way government interacts with its citizens and with itself.

Never mind the privacy and data sharing issues that lie at the heart of the proposed transformation. In government IT, the chief risk is a shift in direction of the political wind. When newspaper headline drive policy, expect choppy seas.

The British public sector spends some £14 billion a year on IT projects. This is about 2.5% of the £552 billion total Chancellor Gordon Brown budgeted to spend this financial year. As the government forges ahead with its e-government plans, spending on IT, as a percentage of the national budget, is likely to rise (see sidebar, ‘Lies, damned lies, and accounts’).

In recent years, the government didn’t seem to get much value for money. The litany of IT disasters felt endless: passports, magistrates’ courts, child support, tax credits, car licences, education, farm payments, job centres, the police. Even some systems that seemed to be working, such as those in the Home Office, are “unfit for purpose”, says the new Home Secretary, John Reid. To be fair, perhaps the purpose has changed.

The cost of these failed systems runs into hundreds of millions of pounds; the degradation of services promised but not delivered was embarrassing, and the distress to individuals as a result of the failures has damaged their trust and goodwill towards the government.

In the private sector, the financial director would have drawn the purse-strings and heads would have rolled. The consulting firm Accenture has contracts with the National Health Systems’ National Programme for IT (now called Connecting for Health) worth at least £2 billion. Reporting its latest financial results, Accenture CEO William Green said, “During the quarter, several issues increased the risks and uncertainties associated with the NHS contracts and affected our estimates of the expected contract
revenues and costs. Under GAAP, we were required to record this provision to reflect these new circumstances.”

iSoft, the former KPMG consulting arm that is Accenture’s partner for the NHS business, extended the time over which it recognises revenue. As a result profit forecasts fell from £17m-£22m to £3m-£7m. When its share price slid from 400p to 50p in response, it sacked its CEO Tim Whiston.

Such public recognition and punishment of poor performance hasn’t happened in Whitehall, at least not that anyone noticed.

It may prove harder to sweep similar public sector disasters under the table in future because two proposed multi-billion pound systems have hit the headlines and stayed there. These are the NHS’s Connecting for Health programme and the proposed biometric identity card. Government needed to been seen to be reining these with a firm stand.

Government should know better
It’s not that the government wasn’t aware of problems with large IT projects-on the contrary. And it knows what to do, at least in theory. The Office of Government Commerce, part of the Office of the Deputy Prime Minister (now called the Department of Communities and Local Development) has documented what makes projects go wrong (see table). It uses these benchmarks in the Gateway Review process it uses to assess government IT projects, ideally before contracts are signed.

The problem is, a spokesman said, that departments have to invite the OGC’s Gateway reviewers to run their eyes over the plan. But they don’t have to accept their verdict or follow their recommendations. “Gateway reviews do not have a function to allow/disallow projects to proceed, but simply make recommendations to the SRO (senior responsible officer) that will maximize the project’s chances of success,” the spokesman says. So, there is no head-on-block sanction against failure, nor is there a formal automatic measurement and review process.

The OGC says ‘465 projects and programmes that are recorded as ‘IT-enabled’ have undergone one or more Gateway reviews (these are Central Civil Government only)’. But it was unable to provide details of their capital or running costs.

The OGC’s parent body, the Department for Communities and Local Government, is also responsible for 22 national programmes for local government (see table, ‘Bang for the buck’). Here the relationship with individuals will be mostly more regular and more intimate than with anyone except the taxman.

The department says a study by consultancy Capgemini showed that just six of the projects would bring benefits worth £320m in saved costs, increase revenues by £60m while the improvement in services would be worth £1.3 billion. Better buying could save another £1.1 billion, and e-payments could save about £708m over five years, it claims. But it can’t or won’t say what return on investment that represents.

What of the future? In November 2005 the government published for comment a document called Transformational Government. This sets out a strategic view of how the government can apply information technology firstly to the benefit of citizens, secondly to improve its internal efficiency, and thirdly boost its professionalism in delivering and managing IT projects.

In one of the 124 responses, the Home Office’s John Golding said “Part of the problem with government IS (information systems) projects is the complexity of policy-generally government policies and solutions are vastly more complicated than private sector ones and we tend to pay, train and recruit less well and then we wonder why government is poor at delivery. But complex policy is seen as good and subtle and the rewards for developing it high, while the rewards for developing achievable policy are zero.”

The government later issued an implementation plan that sets out a number of tasks, responsibilities and a timetable. There are two fundamental issues. The first is the secure and unmistakably unique identification of individuals and legal entities such as businesses. The second is agreement of the rules that govern what information government may legitimately collect and share about these uniquely identified individuals.

David Lacey started in infosecurity in the 1980s with firms like Royal Mail and Shell. He helped to develop the BS7799 standard, and is a founder of the infosecurity standards setting body, the Jericho Forum. Lacey says the government faces a difficult balancing act between data privacy and data sharing. “There is no quick solution. The balance underpins the whole concept, and if the people don’t trust it, well...”

The government is taking this very seriously. No fewer than three Cabinet Committees are addressing different aspects. Their respective remits are:

• To coordinate the government’s policy and strategy on identity management in the public and private sectors, and to drive forward the delivery of transformational benefits across government;
• To drive forward the government’s strategy for IT-enabled change in the provision of public services; to review delivery of departments’ programmes for making efficiency savings through e-enablement; and to make recommendations as necessary to the Committee on Public Services and Public Expenditure;
• To develop the government’s strategy on data sharing across the public sector.
Ian Watmore, the government’s former chief information officer, now heads the Prime Minister’s Delivery Unit. He is nominally responsible for making Transformational Government work. But he has to coordinate enough other cooks to make an alphabet soup of acronymed logorrhoeic committees (see table, ‘Alphabet Soup’).

Lacey notes that strategies are “aspirational”; what counts are action and delivery. He notes government’s preference for out-sourcing and thus reducing public visibility of its liabilities. He says, “There is a massive skills gap, particularly in managing out-sourced projects. (The government’s own project management system) Prince 2 is very bureaucratic and does not allocate responsibility to individuals. It is easy to lose that focused accountability among the committees that Prince 2 encourages. Delivering on this strategy will be like driving a bus without the steering column being connected to the wheels.”

Dennis Keeling, chief executive of the Business Application Software Developers’ Association (BASDA), is more sanguine. His members, mostly developers of accounting software, “have been e-filing (documents such as tax returns and year-end payroll reports) using the Government Gateway for six years. I don’t know of a single incident where security was compromised,” he says.

Keeling notes that there are stringent rules against data sharing. “For instance, there are times when we or the government can receive information but not send it on. Sometimes we cannot even say whether or not the data exists.”
He notes that the government has been “very guarded” about its intentions on identity and data sharing. Until his members have seen the government’s proposals, he is unwilling to comment. “However, I am satisfied that we have access to the highest levels should we need to discuss any related issue,” he says.

One of them might be the suitability of the National Insurance number as an individual’s primary identifier and index marker. Lots of government and institutions have used a number, such as the US’s Social Security number or a credit card number, as the primary means of authenticating the individual to the institution.

It is no longer enough. Boston-based market researcher Aberdeen Group reports that the cumulative losses from identity theft, now suffered by tens of millions of individuals and businesses worldwide, rose 1000-fold from an estimated $221 billion in 2003 to $2 trillion in 2005. A US Federal Trade Commission study found that two-thirds of ID theft cases stemmed from stolen credit card numbers, and Washington state survey found that one in nine families have been victims of ID theft. Some of them no doubt were affected by the theft of a laptop from a US Veterans’ Affairs staffer. It had the Social Security numbers and birthdates of 26.5 million ex-soldiers and their dependents.

As identity theft has risen, single factor authentication, such as a social security or ID number, has proven too vulnerable. Once stolen or otherwise abused, it is a skeleton key to that person’s entire documented existence.

Given initial problems with the credit card firms’ chip and PIN system, it seems inevitable that reliable authentication will have to integrate at least three factors. These could be a chip, a PIN and one or two biometric measures, and the data will be encrypted on-card and in transit. Moreover readers will also have to test for the subject’s vitality. When the South African pensions department introduced a fingerprint reader to authenticate payments, at least one family used their deceased pensioner’s severed, pickled digit to continue to draw his pension.

As many commentators have said, multifactor authentication will be expensive. But people may resist this less than expected. In the US, several retailers and banks now authenticate grocery payments by reading shoppers’ fingerprints. More and more passports carry biometric data. And as more people suffer the consequences of having their identity stolen, pressure for more secure forms of identity is likely to rise. •

About the author
Ian Grant is a freelance writer on business issues.

Back to features index