It’s 30 years or more since government first developed IT systems in-house, 20 years since outsourcing became a major trend and 7 years since we should have been 100% online, or digital by default as we now say. Sure we’ve come a long way in each of those periods but, honestly, we haven’t come nearly far enough. #Unacceptable IT is pervasive.
Real progress has been blocked by many things including an absence of capability in both departments and their suppliers, by a strong resistance to change, by the perverse incentives of contracts that mean it’s cheaper to pay service credits than to fix the problem and by an unwillingness to embrace the potential of newer and smaller players to offer status quo-busting ideas.
CIOs across government, including me in various roles at the centre of government, have been guilty for too long of taking the easy path. We have done the #unacceptable and thought we were doing a great job. We have:
- Signed contracts with single suppliers that have led to both poor service and high costs, because that is the way government did things
- Failed to let in innovative suppliers because of the constraints of those large contracts, because new suppliers, we figured, brought risk and uncertainty
- Designed and delivered solutions that look, in today’s world, ridiculously expensive and over-engineered because we thought that was the right thing to do
- Allowed our users to suffer with IT that is a decade – or more – behind what they are using at home because the security considerations for government are different from, and stricter than, those for everyone else
Those decisions and the paths that they led us to take are no longer valid. There are better ways to deliver government IT than we have so far seen done.
Over the last 18 months, working on G-Cloud as well as the immediate forerunner of the Government Digital Service, I’ve seen the real signs of change:
- The biggest change is that some in the public sector are no longer willing to put up with the poor service and delivery that they’ve experienced; they are actively looking for new ways of working
- IT delivery people, Mike Bracken leading the charge, talk about being customer centric and recognise that there isn’t any other way of delivering
- Big departments openly talk about wanting to get away from the traditional model of big, cumbersome IT and are serious
- I hear CIOs talk about not wanting to see promises continually broken and I know that they mean it.
Underpinning this desire for change is the recent switch to almost total transparency – things that were never published before are now routinely published, even before someone asks for them via FoI. Data is being made available by the Open Data initiative. Public Services are being opened up too. If the data is going to be made available anyway, what does “security” mean in the government context? This change in approach is forcing departments to confront what they really need to keep secure – and far from prying eyes - and what they don’t. That, in turn, allows new services to be delivered off-the-shelf and on a pay as you go basis via the G-Cloud framework.
There is still plenty more to do and, if I look back on the last dozen years and honestly reflect on those I’ve worked with and interacted with, this is still a pretty difficult list of stuff to do and some of those people just don’t have the capability to do it. They will have to look hard at themselves and decide how they are going to resolve that because it will turn out to be the toughest thing that they have done in their career so far.
The difficult stuff comes now:
Managing Multiple Suppliers
- Departments are no longer going to have an easy ride as they seek to extend an existing contract or renew what they have now (a large single supplier monopoly over their IT). They’re going to be pushed to break up contracts into smaller pieces, contract with or involve more SMEs and reuse what is already in place elsewhere. There is no better place to start than by getting something you already have, or something that you need to have, from the G-Cloud framework. CIOs will need to increase the capability of their teams – and their own capability too – otherwise they will find that they are no longer playing a part in this new approach. Some CIOs and some teams will not be able to make that transition.
Apples With Apples
- For years, obtaining data about what government pays for IT and, worse, what it gets for that money has been mission impossible. With transparency, increasing use of frameworks and smaller contracts, it will be easier than it has ever been to compare like for like costs across departments. CIOs will want to get ahead of that curve now and find out what their IT is truly costing them so that they can compare what new market offers really provide and whether it is worth making an early switch – and the pressure to make that switch before the end of the contract is only likely to increase as the true size of cost reductions becomes evident.
Digital By Default
- The need to design services around the customer will become pervasive – whether that customer is a citizen in front of a web browser at home or one of our own staff working in an office. The shift to “digital by default” (rather than “digital as well”) is fundamental and will cause a wholesale upheaval in organisations across government. People who thought they were in charge of delivering transactions probably won’t be, people who are on the inside of government might find themselves moved to the outside and entirely new product offers will come about as a result.
Looking Back, Looking Forward
- IT in government has certainly come a long way, it just hasn’t come far enough. It remains #unacceptable. The trends of the last couple of years – transparency, open data, open services, SMEs – aren’t going away; if anything, they will grow stronger and bed in deeper.
What needs to happen next:
- CIOs across government need to recognise what has changed and stop hiding behind the comfort blanket of what has always been done before. That blanket is on fire.
- Big suppliers should see the smoke from that comfort blanket and recognise that the world of government IT has changed. They can no longer rely on delivering poor service for big money and get away with it. The customer approach is changing and they will need to change too, or be consumed by the flames.
- SMEs should embrace the opportunity they now have and bring their capabilities – speed, flexibility and low prices – to the government market. For the first time, government is ready.

I’ve read with interest a number of the responses here but I’m going to throw my 2p into the mix. I’m in the security trade so I prefer to post anonymously.
The G-Cloud is a blessing and a curse but most people are completely missing the security mountain that needs to be climbed. At Business Impact Level 2 (very broadly local government and low level central government) it’s easy to secure it and a no brainer to put in the cloud. Security at this level is achievable for “low” cost, minimal overhead and with sensible controls. At BIL 3 (which covers the majority of central government and everything else MoJ, Police, MoD including existing carrier networks like the GSi and RLi) it’s a nightmare.
Putting all your eggs in one cloud basket opens up a huge risk to central government at BIL3. Some low level HMRC data goes walkies? Major issue but not a massive one. Someone compromises your cloud and all the criminal, police, HMRC and school records stored there get pinched? You have a potentially very serious problem on your hands. Aggregation (as it’s called) is a problem government has struggled with for years and still shies away from. For those who don’t know what this is allow me to draw an analogy. You have a single £5 note and you put it in your wallet for safekeeping. This is regarded as enough security to make sure someone doesn’t take off with your £5. Now instead of one, you have a bundle of 10,000 £5 notes. Do you think that your wallet is still secure enough? What about a bundle of 10,000,000 £5 notes? Is a wallet still good enough? What I’m trying to illustrate here is that while it’s still at its core just a £5 note, when you collect a lot of them together all of a sudden the problems and issues with securing them change massively. Securing government data is exactly the same. You still think that a cloud that holds your HMRC records, criminal records, family records, police records, local government records, NI records, MOD data and so on doesn’t need more security than you do with each system being separate both physically and logically? You don’t think that the nasty people (whoever they are but they ARE out there) will not put a HUGE amount of additional resources into attacking and compromising the system that holds everything than they would into 20 separate systems?
The bottom line here is that going cloud for so much is a MASSIVE leap of faith and will require everyone accepting more risk. That everyone includes everyone reading this by the way because a lot of that data is going to be about you. Irrespective of what anyone thinks of CESG and their guidance (and some of it can be ridiculously over the top) it IS based on 60+ years of experience and can’t be totally dismissed just for convenience and the latest fad (but it should definitely be challenged and stretched but that is NOT the same as just forgetting about it).
Even that isn’t the whole story of course as there’s things like over-marking documents (BIL3 instead of 2 or less), unrealistic risks, lack of expertise, vendor and outsourcer gouging and profiteering and probably a lot more that all contribute to this but unless you grasp and address the fundamental risk issues the rest just isn’t all that relevant. The question will always basically boil down to “Is the risk of all that data falling into criminal/foreign government hands low enough to justify the cost saving?” It’s an answer I don’t think anyone really knows yet but it’s scaring me that it’s so easily disregarded and the lack of understanding (or acknowledgement) for those in authority.
All of that security stuff said, I’m all for a massive shakeup of how government IT is done – there’s a LOT of very poor, shady and downright criminal things that go on that need to be stopped. None of this should stop this shake-up happening but let’s not forget there are other impacts and worries.
Incidentally, paper based risks are NOT the same. Not by a LONG LONG way. There is a physical limit to the amount of data you can steal on paper. There is, theoretically, no limit to what you lose digitally.
Chris – wish you the very best of luck in retirement. Denise has some big shoes to fill…
David – I see from your latest blog post that you’re frustrated at a lack of response to your comments here. I expect they’re a bit busy right now, but here’s my tuppence worth:
- Digital by default doesn’t mean digital only.
- HMG are certainly not ignoring those who have never used the web. As I understand it (and correct me if I’m wrong) the principle is to build the service as fundamentally digital, and build any offline conduits (in plain speak this could be the post office, family members, carers, etc.) on top of this.
- Your figure of 10m is actually out of date – according to the figures for 2011Q4, there were an estimated 8.2m adults who say they have never used the internet (this has probably fallen to about 8m now, based on a quick play with the data). Although it is still a large number of people, things are changing incredibly quickly – it was double the number five years ago.
- Gcloud doesn’t mean that all government/citizen data and all government applications move to the cloud – it’s not all or nothing.
- There is no such thing as a perfectly secure system, but is it easier to steal data left on a CD/memory stick/laptop, or from a secure, remote data centre?
- With respect, your comparison with timeshare doesn’t make any sense. With timeshare, you pay for a specific place for a specific period of time, even if you don’t use it. That sounds like old school Big IT contracts to me, not flexible contracts.
- Where appropriate, the servers will either be in the UK or Ireland (perhaps elsewhere within the EU, but most probably Ireland). Where it’s not appropriate, the servers will be in the UK. They won’t be beyond British jurisdiction unless the content does not need to be protected (and a large amount of government data does not need such protection).
- “Where’s the agility? Where’s the affordability?” How about this article? Or this one? HMRC just ended the exclusivity agreement with Capgemini (they were going to have to wait until 2017 before). There are still lots of contracts that will have to be honoured, and there is still a massive problem with capability as Chris rightly highlights. It’s not going to happen overnight, but things are getting better.
PublicService.co.uk
26 January 2012
Matthew D’Arcy
Digital – the channel of choice for public services:
Guardian
3 February 2012
Penny Mount
Universal credit to be first service ‘digital by default’:
Tom Szekeres (above):
With respect, I’m not talking about holiday flats in Spain, I’m talking about the timesharing services offered in the old days by the likes of Comshare and GEISCO.
Tom Szekeres (above)
That may solve the location problem. But not the USA PATRIOT Act problem, which applies to any US company and its subsidiaries wherever they are. Even if they’re storing data in the UK, the US have a right to see it.
Confirmed yesterday by Sergey Brin in the Guardian:
From what you say it follows that this would apply wherever and in whatever format the data was stored. So surely this is not G-Cloud specific and beyond the scope of anything that can be expected to be addressed as part of G-Cloud.
“Anonymous (no Moss, not that one…)” is an awfully long name. Do you mind if I call you Al?
Al, may I recommend the paper written by Mayer Brown (MB), The USA Patriot Act and the Privacy of Data Stored in the Cloud?
MB want to allay those European concerns and they particularly want to dispel the notion that we should avoid US-based cloud computing suppliers. This they do first by telling their readers that the Patriot Act doesn’t just apply to US companies but also to non-US companies that operate in the US. Don’t just avoid IBM and CSC, say, avoid Fujitsu, too, because they operate in the US.
Then they frighten the horses some more. It’s not just the Patriot Act we Europeans should worry about, there are other laws the FBI can appeal to in order to obtain data and injunct the supplier against telling the data subject.
The European Commission Directive protecting our data doesn’t work, MB tell us, but the Commission is working on a new one and in a few years that may or may not prove to be more effective.
So HMG run the risk of losing control of our data if it is stored in another jurisdiction and/or if the cloud computing supplier is a US company and/or if it is a non-US company with business in the US and/or if Anonymous has cut off access to the relevant servers.
It’s not looking good, is it, Al.
To be told that cloud computing is in no worse a position than other forms of storage, as you do, is not a positive argument in its favour. Chris Chant is specifically trying to prove that it has unique merits. Keeping control of our data isn’t one of them.
OECD
January 2011
Reducing Systemic Cybersecurity Risk, p.9:
ENISA (European Network and Information Security Agency)
January 2011
Security & Resilience in Governmental Clouds – Making an informed decision, p.8
Tom Szekeres (above):
The Telegraph article you link to reports some discounts extracted from leviathan contractors. The quid pro quo will be to lock Whitehall into contracts with them, the opposite of what Chris Chant rightly wants. The discounts are relatively small and, to a cynic at least, unlikely to materialise. There is some political advantage to Francis Maude but not enough.
The Guardian article you link to reports a notional £100 million cap on IT contracts with exemptions. If he can’t plead exemption, Sir Humphrey will simply split his £150 million contract into two £75 million contracts and carry on as before. The article also casts doubt on SMEs and agile development methodologies.
So to repeat, where’s the agility and where’s the affordability? You haven’t answered the questions.
Tom Szekeres (above)
This is a version of the non-existent “assisted digital” initiative.
It needs to be thought through. HMG owes that to its parishioners. Including the 8/9/10 million who have never used the web. They are users, too. And a user-centric system needs to cater for them.
That won’t be achieved by carers. Not in the main. Carers are busy people and don’t have time to be web instructors. They do not necessarily understand all the ins and outs of universal credit and, even if they do, it is not fair to make them take the responsibility of helping one of the great unwebbed to make his or her claims.
It’s not considerate to suggest (airily, as you do) that carers can or should provide adequate digital assistance. It is thoughtless, I believe, and a bit offensive.
Ditto post office workers. Go into a post office. Any post office. Who there has the time and the space and the knowledge and the responsibility to assist HMG’s ill-thought out, not to say unthought out, plans for digital by default. Exclusion by default, more like. And post offices, like libraries, are keeping shorter hours these days, when they’re not actually shutting down.
Family members? Some families, yes. Many families, no. You and HMG will have to do better than that. Digital assistance is an obvious requirement, and has been for years. Despite that, there is no coherent plan. The claim that digital by default is user-centric is a false prospectus.
It is provider-centric. The providers are fascinated by technology and want lots of opportunity to play. The users can go hang. That’s what it looks like.
Your blog post makes for interesting reading, and I think the title certainly summarises public opinion of Government IT. As a Software Developer who has experience of working on Government projects I would like to start by saying that there are two statements with which I agree strongly, “absence of capability” and “resistance to change”.
The absence of capability is particularly unfortunate, it prevents Government bodies from making informed decisions when selecting suppliers, performing sign-off, and testing systems. Worst of all, major issues are not fully understood and sometimes ignored altogether, whilst minor issues can be blown out of all proportion and even result in delayed delivery.
There are some aspects of your blog post that seem at best unthinking and at worst overly presumptuous. I would argue it is not only newer and smaller players that can “offer status quo-busting ideas”. Equally I don’t believe “contracts with single suppliers” must lead to “both poor service and high costs”. Indeed high costs are just as likely to be incurred when employing several suppliers unless the suppliers are able to work in a highly cohesive and integrated way.
You state that Government bodies have “allowed users to suffer with IT that is a decade – or more – behind” due to security reasons. I don’t believe security is the reason for this. There are other bodies for which security is equally important but have not felt the need to hold back their IT infrastructure. Looking at digital banking services I see no signs that security considerations are preventing the banks from providing up-to-date and even innovative services. Perhaps this is because banks have in-house knowledge and development, that is to say they do not suffer from “absence of capability” and “resistance to change”.
It’s good to hear that “big departments openly talk about wanting to get away from the traditional model of big, cumbersome IT”. This isn’t something I have yet experienced, but I am hoping to see a greater acceptance of agile approaches and a broader minded approach to solutions especially the use of cheaper but just as reliable and robust open-source solutions. Unfortunately feedback from a recent bid showed the bid was heavily marked down for inclusion of open-source solutions. This flies in the face of the Government ICT Strategy.
The idea of pushing to “break up contracts into smaller pieces” seems well intentioned. When breaking things up it is essential that the responsibilities for different aspects of a system are clearly defined. But is it practical or even possible? Software cannot be entirely designed upfront and thus breaking a system into sub-projects may be difficult at the very least. Even if this is achieved software design, and even architecture, must be constantly reassessed. What happens when one supplier wants to refactor something for the better but it requires work by another supplier, who absorbs the cost of the refactoring? In these situations stagnation sounds inevitable.
I want to take a quick moment to respond to David Moss. Moss appears to have confused digital by default with the concept of a website. Chant clearly states that the “need to design services around the customer will become pervasive – whether that customer is a citizen in front of a web browser at home or one of our own staff working in an office”. One of our staff, presumably being a real person talking to someone face-to-face, over the phone, or entering information from paper-based forms.
Digital by default sounds like a sensible strategy. I am not suggesting that everything should be digital, but rather it should be the default position. There are occasions when paper-based is the more appropriate solution. For storage of large amounts of data that requires substantial processing, digital simply makes sense. There is a fear here as well though. It is often assumed that simply because the processing power exists, it should be entertained. Processes, rules, regulations, can all too quickly become too unwieldy for individuals to understand. The legislation itself and simplification of the legislation is equally as important as the systems that are used to enforce it.
Security of data is clearly an important concern for Government bodies. But I’m unsure what question Moss is really posing. Will G-Cloud ensure 100% security? Of course not, it would be unreasonable to think that it could. Does this make G-Cloud a “strategic mistake, securitywise”? There is no reason why G-Cloud security should be any worse than existing Government systems. There is no such thing as a 100% secure system, paper systems are equally susceptible, hire the wrong individual, leave classified paperwork on a train…
I am interested in the physical location of data centres. Surely they would have to be located somewhere that falls within the jurisdiction of the British Government. And I am intrigued if what Moss says is correct, that there has been no answer to this question. Perhaps this has already been addressed in other rules and regulations for Government systems. Whatever the case, clarification is necessary.
As someone who works in the DWP – and has to put up with the shoddy IT that feels like it was frozen in 1995, shocking lack of supplier customer service and browbeaten staff who often just cannot be bothered reporting problems because they’ll take 2 years to fix… I can only say YES.
Chris, I agree with David’s comment about the existence of dinosaurs (still) in Whitehall – though IMO it’s slowly getting better.
On a more positive note:
- Yes, you have found a better way. Without question.
- “Digital by Default” and “Customer Centric” can co-exist; if digital also includes other self-service channels such as SMS, phone self-service, TV Red Button and so on. It’s exactly what we do at htkhorizon.com, across the public sector and other big organisations like O2.
- “No capex” doesn’t need to mean insecure. htkhorizon.com is a cloud software product, on our own private cloud, on a pay-as-you-go monthly charging model. We’re running to ISO27001 and BS25999, we have a team of SC cleared staff and we can’t wait to get IL2/3 accreditation (we designed our private cloud for this purpose, with a very good CLAS consultant).
- Our customers own their own data, and it’s hosted on UK soil.
- As for affordability, a local authority or police force could take our service (today) for two-way digital contact with the public using email, SMS, web, social media, voice automation etc for £200 per month plus 4p per text. Not £20,000 per month, £200.
- And yes, we’re on G-Cloud. And we’re a UK SME.
How much more affordability and flexibility do we need?
It’s just an example, but I felt it worth raising because frankly the time for ranting about dinosaurs is over. It’s now time to learn the new rules and play a different game.
I know a funny, erm, tragic story along these lines.
A couple of years ago I was commissioned by an agency to build a system to a govt spec. It was all about saving money online by allowing certain types of govt. organisations to take a very detailed ‘quiz’ about their spending and then analysing the results to show them where to save. Phase 2 was going to do some matchmaking between them to increase savings by pooling their spending.
The phase 1 budget was (I think) around £75k. Not a big system… compact, phased and well-specified. We finished on time and on budget using Open Source software. I rather liked the product.
Having tested and staged, we informed the client that we were ready for their final acceptance testing and imminent delivery. We never got a reply.
Silently and without fuss the bill was paid and we never heard from anyone in that dept ever again. Afaik the code was never delivered. Were they made redundant? Did they all die of swine flu? Was the commissioning office in Brigadoon? We can but imagine.
As a professional software developer I am glad they paid but it saddens me to put effort into something worthwhile and see it go to waste.
As a taxpayer I’m appalled that £75k was thrown away like that.
I couldn’t agree more: #Unacceptable IT is pervasive, and it is endemic in its acceptance for a number of reasons.
There seems no sense in some of the decisions being made, and it is quite understandable for those in charge to be dumbfounded by technical arguments. No, really it is. It is the same mentality that sees Ministers being given portfolios that they have little idea or expertise in. But then, that is why they rely on advisers. There is also the fact that (tongue-in-cheek) there seems to be a tendency to be advised to accept solutions that seem to require lots of additional help, over-runs etc. I’d love to see a list to compare with, of major projects that have come in UNDER budget, and with accolades. Let’s look at the positive side for a change.
As an SME IT Services supplier with public sector clients, I fail to see how the interests of small suppliers will be protected. Despite all the hot air from Govt. Lot to sort out still even if the Government’s intentions are right.
Not much use also is it to be told that we cannot bid or retender a contract as it’s going to be procured through G Cloud, is it? Basically excludes us as an SME.
And as for good procurement practices becoming the norm – am a bit sceptical about that – we have seen a couple of tenders coming out recently with unfair timescales. For example get ITT on the Monday with bid in by Thursday or Friday. Are we just being used by the client as a “token” SME bidder or is it just sloppy procurement practice?
Dear Mr Chant
Few would disagree with your analysis of the current problems with a lot of UK government IT. The search is on for a better way. The question is, have you found a better way?
The better way you propose is digital by default and customer-centric. But the two don’t mix. 10 million of your customers have never used the web. To concentrate on digital by default is to ignore 10 million of your customers and – I say this more hesitantly than it sounds – you are fooling yourself if you think otherwise. Is digital by default, for 10 million people, the very opposite of customer-centric? Your answer to that? So far, a phrase – “assisted digital”. An empty phrase.
The media is knee-deep in cyber (in)security stories. Every time you re-announce your plans there’s always just been another one of these stories. Apart from Anonymous taking down the Home Office website for Easter, the latest serious insecurity story is the update on RSA themselves being hacked by the Chinese. If RSA can’t operate securely, how can Whitehall? They can’t. Is G-Cloud a strategic mistake, securitywise? Your answer to that? So far, silence.
Judging by Mr Scaife’s “no-brainer” post, the Cloud means no capital expenditure. Which means Whitehall would be using Amazon’s servers. Or Google’s or whoever’s. And where will these servers be? Wherever Amazon or Google or Microsoft or whoever put them. Which could be anywhere. Which could be beyond British jurisdiction. And access could anyway be subject to Anonymous’s permission. Will Whitehall literally lose control of its applications and its data? Our data, rather. Your answer to that? So far, silence.
Last time the world used timesharing – the 1970s – costs went through the roof. Why wouldn’t the same happen this time? Your answer to that? So far, silence.
What we do get from you is assertions about the agility and affordability of cloud computing. But no examples. How about taking a big government contract, an existing one, as a worked example, and telling us in detail how we can avoid the saga-length contracts and the King Midas costs while at the same time delivering customised services instantly? (“Instantly” is probably going a bit far but a lot of your sales talk sounds as though that’s what you’re offering.) Without a worked example, it’s all just talk.
At least that’s the danger. It was great the first time. 20 October 2011. And it’s great listening to you every few weeks telling the dinosaurs to show themselves out of Whitehall. But meantime the dinosaurs are still in situ, still signing contracts, sagas just like the old contracts, they’re still denominated in years and in billions of pounds and the counterparties are still the same old suppliers. Where’s the agility? Where’s the affordability? Your answer to that? So far, silence.
I shan’t ask you to defend your claim that Whitehall is now “open”. There’s quite enough else there for you to get your leopard’s teeth into.
Yours sincerely
David Moss
As a member of the public sector staff I applaud the open and honest look back at the mistakes that have been made.
The key is a cultural change in the way public sector organisations see IT. IT is the foundation of the business (I do 80%+ of my work on a computer) and it should work towards enabling staff to do their work professionally and efficiently.
As Chris has stated the change is coming internally and I would like to add one more point to Chris’ argument, that being that the digital natives, the students studying in our universities today, have *never* been without the internet, are not averse to sharing data across the web and cannot understand how the world worked without the web. Government will have to deal with these people as adults, business leaders, political leaders and critics soon enough.
As to the ’10m people don’t use the internet’ jibe – digital by default is, as I understand it, not about replacing all other communications with digital channels, but about enriching the mix of channels the government has to offer. Concurrently, initiatives like http://raceonline2012.org/ are helping people understand the web and how it can help them in their everyday lives.
Cheers,
Alex