Monday, 22 May 2017

Cyber threat highlights why public sector must work with private firms - my Catholic Universe column

Fifteen years ago I was working for a local authority in the north of England. I managed that council’s Council Tax and Business Rates department and at the time our computer system was on the verge of becoming obsolete.

It transpired that prior to my arrival at the council our then suppliers had contacted the authority to give them contractual notice that at a certain date they would no longer be supporting the software and that either they could continue using it without support and, more importantly, without updates following legislative changes, or they could buy a new and in all likelihood far more expensive system.

To all intents and purposes upon my arrival the council had been sitting on this information for a number of months and I had no choice but to recommend that we go to the market to buy new software as a matter of urgency.

We soon discovered that there were three or four suppliers of this type of system in the market and that, for a district council, the packages were inordinately expensive running over a few years into hundreds of thousands of pounds. Nevertheless with changes to legislation on their way we had to have one.

After a short procurement period we chose our supplier and awaited our new system.

During the period of time between ordering our system and the go live date a strange thing happened to me. A representative of the computer supplier said to me one day “we really like the way you operate, why don’t you come and work for us?” With an attractive package on offer I found it very difficult to say “no”, so I didn’t.

After working my notice period a few months later I started work at the IT suppliers. I worked in the ‘services’ department and within a very short period of time I was told that my role was twofold. I had to help our customers, the councils that we worked with, to get their computer systems up and running. My second task was to sell “services”.

You might ask what “services” are, I certainly did, and the answer was very, very simple. Anything that wasn’t in the contract that the council had signed.

Local authorities, I was told, commonly would sign what they thought were comprehensive agreements when in actual fact everything that they received was very clearly stipulated in the legal contract.

I was a little shocked at this at first. Was this profiteering? Was this why, as I kept being told, the private sector should have no place in public services?

I asked a senior manager who made what must have been an oft-repeated argument to me: ‘Our customers get everything, everything their contract stipulates. It is not the responsibility of this company to handhold local councils nor is it our problem that as a whole they are tremendously awful at contract management.’ Of course that last quote isn’t a direct one but it is very much along the lines of what was said.

And, of course, that Executive was absolutely right. There are some things public bodies are outstandingly good at; looking after sick and vulnerable people, teaching our children, processing benefits to name but a few; but there are others where they, not to put too fine a point on it, are inept.

After having some experience in the field I wouldn’t trust many public bodies with negotiating a contract, or managing a project, or running an IT system.

Simply put too many public sector administrators do all of those things in addition to their day jobs and there are people out there, most in the private sector, who can carry out those roles more effectively and efficiently in the long run saving taxpayer money.

The reason I raise all of this is the news last week of cyber attacks on the National Health Service.

Last week, around 48 NHS organisations found that they had lost access to their computer systems as a result of them becoming infected by a piece of software known as ‘ransomware’.

Using flaws in systems criminals are effectively able to take over computers, encrypting the information stored on them. These cyber attackers will only release the data when a usually fairly modest ransom has been paid using an all but untraceable, but very real, online currency known as Bitcoin.

The effects on the National Health Service were significant. Some General Practices were unable to access patient records, automated fridges for dispensing blood shut themselves down and in one incident an MRI scanner stopped working with an anaesthetised child inside it.

The attack on the NHS was by no means isolated; it was reported to have affected companies including Nissan and Renault as well as German train operator Deutsche Bahn and global logistics giant FedEx. In total 99 countries were reported to be affected.

But the attack had probably its most notable, if not potentially most severe, impact on parts of our health service. We are still not absolutely clear whether patient records were put at risk or not.

It transpired that the attack had been made on computers running the long obsolete computer operating system Windows XP. You won’t have seen this operating system on a home computer in many years but still, on a relatively large scale and despite warnings from government, some NHS organisations continue to use it.

There are a plethora of reasons why this may be the case. It could be that some applications still in widespread use don’t work well with later versions of the operating system; it could be that existing and often expensive hardware and medical equipment doesn’t support newer software; it could be because IT support is inadequate; and patently it might be that trusts have prioritised resources in other directions.

But whatever the reason patients have been jeopardised as a result of IT failings.

It is impossible for any government to mitigate all risk. No one can say with certainty that they could have prevented last week's cyber attacks.

Similarly it’s impossible for any government to be immune to criminality and events which take place outside of their control; look no further than the mooted ban on laptops and tablet devices on transatlantic flights which we are told, given terrorist advances in explosives, is an inevitability.

But we must keep sight of the fact that whether it’s the procurement of a computer system or cyber and terror attacks any government would be remiss in assuming that there is no benefit in working closely with, even delegating authority to, the private sector.


Yes, private companies are there to make a profit but they are our friends and our co-workers.

Sometimes they are better placed to have the skills that our public services rely on.  
