Parliament's Intelligence and Security Committee has published their 2003-2004 annual report (.pdf)
This report is the fig leaf of what passes for Parliamentary oversight of the secret intellingence agencies in the UK, and only gives brief details about their activities and expenditures. Even these are censored in the report. Other democratic countries manage to provide the tax paying public with much more detail and insight, without compromising their national security.
Nevertheless, the report mentions things which will be of some interest to students of Government technology project cock ups.
If there is one thing that the UK Government is worse at than Information Technology Projects, it is probably large office complex projects. The new GCHQ "Doughnut building" is all very well, and a much needed replacement for the sub standard pre-fab accommodation which GCHQ has squatted in for so many years.
The report highlights the various scandals involving the lack of financial control and managerial leadership at GCHQ e.g. the auditors refused to sign off the accounts for 3 years in a row!, GCHQ can only find and account for 92% of the equipment assets which we have paid for, by means of the accounting trick of ignoring anything under £10,000 value etc. - 8% of what must be billions of pounds worth of assets is a lot of public money which has been lost through incompetence or possible corruption.
It is no great surprise that the new Doughnut building is simply too small to hold all the GCHQ staff. The occupancy is alleged to be 115% , so the 1950's vintage pre-fabs remain in use, despite the fact that the site has been sold off to private sector developers, who will soon be within their rights to bulldoze these or else to milk the Government for massive financial compensation.
The Secret Service MI5 seems to have been concentrating too much on terrorism and has taken its focus off Russian and Chinese espionage.
The Secret Intelligence Service MI6 apparently managed to underspend its allocated budget, supposedly due the situation in Iraq and various unnamed project delays They too seem to have withdrawn from intelligence activities in certain parts of the world - at a guess Latin America, although they claim to have been the only agency with some spare capacity to devote to some anti-Organised Crime activities, presumably drug smuggling (although obviously with no success in Afghanistan).
The report has this curious comment:
"135. We believe that this situation mainly derives from the history of cuts in the 1990s as part of the post-Cold War budget realignment, which put the Agencies on the defensive. When international terrorism began to spread in the mid 1990s, the Agencies felt that they could not ask for additional resources, not least because they were already being accused of inventing new tasks for themselves."
Surely this is an argument for much more openness on the part of these Agencies, to demonstrate their actual worth to the taxpayer ?
The Government does not seem to have properly reviewed the Critical National Infrastructure since 2002, this remains a concern for the Committee i.e. there has been no progress since their similar comments last year:
"We were also informed that the JIC had not assessed the threat to the CNI from electronic attack since 2002. Capabilities to attack the CNI exist, and, while both NISCC and CESG sought to reassure us that they were reducing the vulnerability of the CNI to technical attack, we were not convinced.
We recommend that the threat to the UK?s Critical National Infrastructure and vulnerability to electronic and other attacks should be examined by the JIC and considered by Ministers."
There also needs to be actual real money and resources spent on things as fundamental as an audit of what exactly constitutes the UK's Critical National Infrastructure - most of it is under the control of private sector companies, not the Government.
Increasingly these private sector companies are not the handful of former state monopoly companies with which the civil service has been used to dealing with so cosily over the years, but are based overseas e.g. an attack on the Home Location Register computer of a mobile phone company in mainland Europe could easily compromise part of the UK's Mobile Phone Network.
" SCOPE
116. SCOPE is a complex programme aimed at fundamentally changing the way the intelligence community interacts. It will be underpinned by a secure web-enabled information system, designed to work up to and including ***, linking the main producers and consumers of intelligence and providing a central intelligence repository and database drawing from and supplying ten departments and Agencies. The SCOPE programme will build on the current messaging system, the UK Intelligence Messaging Network (UKIMN), as well as delivering additional functionality, such as shared databases and the ability of the intelligence community to work across organisational boundaries.
117. The Cabinet Office, through the JIC Chairman, centrally manages the SCOPE programme, with a mix of programme staff from departments, the Agencies and the private sector. We reported last year that SCOPE would be introduced in phases, with full roll-out commencing in 2005. The aim is that the modular and phased approach will deliver significant benefit even before the most ambitious elements of the programme have been introduced. However, we concluded that:
?Now that the SCOPE programme has both agreed requirements and sufficient
funding, it needs to start delivering working systems that improve interdepartmental and Agency communications.?
118. This year we were told that, as part of this Early Delivery Programme, a new secure network within HM Customs and Excise was introduced and successfully connected to the UKIMN. Additionally, a prototype system, carrying the most highly classified material, was successfully demonstrated and work was carried out on the UKIMN to improve its reliability, usability and security.
119. Current work is focused on a project, known as Limited Operational Capability (LOC), which will deliver new types and formats of intelligence material in a web-based system between two organisations. The competition is currently being run for SCOPE systems integration, with four suppliers selected to bid for the contract.
120. A number of important lessons have been learnt from these early elements of the programme, all of which are standard management principles:
- a. partners must own the programme completely and accountability for delivery must be clear;
b. there must be adequate resources for the programme in terms of both project
management and business change;
c. all plans must be produced well in advance of the implementation date and
must be fully integrated; and
d. engagement with the Agencies, especially the security accreditors, must take
place early on.
It seems astonishing to have to re-iterate and re-learn "standard management principles" ? Presumably because these are not being applied in practice.
"121. Despite the success that the SCOPE programme has had in the past year in delivering working systems and in securing greater departmental engagement in the programme, the Committee remains concerned that the following points have not yet been fully addressed by the SCOPE team and the customer departments:
- a. Not all the security issues have been resolved, including some that could limit the programme.
b. Departments, particularly the MoD, and the Agencies are having difficulty
funding and developing effective systems to integrate SCOPE with their internal IT systems to the extent they wish.
c. The implications of the business change processes have not been identified, nor has training been developed to maximise the benefits SCOPE can bring to the intelligence community.
d. There is uncertainty about the cost of the programme and therefore it is not clear if sufficient funds to complete it will be available.
122. Despite the progress made on the SCOPE programme to date, the Committee believes that these points need to be addressed as a matter of some urgency if the ambitious SCOPE programme is to be a success."
So, is SCOPE Another Government IT Project Disaster In Progress ?
The arguements about levels of secrecy, departmental budgets, who pays for Common Good infrastructure etc., have all been explored in the past with previous secret Government IT systems, and are particularly relevant to other current Government IT projects such as the accelerated implementation of the national Police intelligence sharing systems e.g. IMPACT and PLX.
Whether the lessons learned will be applied to these other systems, is, given the track record of those involved e.g. the Home Office, unlikely. A contibitutory factor to this could be the fact that any civil service managers who have gained IT project experience on one of these secret Government IT projects , will have been promoted and moved away from having direct input to the next generation of these systems i.e. the current civil servants will be re-inventing the wheel all over again.