Sunday, November 13, 2005

`Bond'ing with best practices

The Hindu R.K. Raghavan

MI6, the UK's famed external intelligence agency, the counterpart of our Research and Analysis Wing (RAW), recently decided to launch a Web site. The move, and its implications, merit close study.

WHEN a government computer system is hacked, it often makes much more news than the attack against a purely private network. The public outrage that accompanies such an incident is natural, because compromise of what a government seeks to protect in public interest has huge implications for national security.

The task of protecting the systems owned by a military formation or an intelligence agency is the sacred responsibility of cyber security managers employed by these outfits. Exacting security standards are required, and these should necessarily draw from global best practices. Again, how well government IT managers do their job will depend on the criteria set for their recruitment and their own levels of motivation after coming into public service.

These are twin issues that receive just modest attention in governments' personnel policy schemes, mainly because of the tyranny of rules that govern public appointments. Conservative policy makers in government will, therefore, not depend on individual employees but would prefer a low-key approach that avoids risks involved in too much of transparency in dealings with the public. They would opt for keeping facts away from the public domain rather than share information.

Considering this environment in which governments and bureaucrats function in several countries, it may surprise many of us that MI6, the UK's famed external intelligence agency, the counterpart of our Research and Analysis Wing (RAW), recently decided to launch a Web
site of its own.

Many of us in India would consider it sacrilege if ever our Intelligence Bureau (IB), that takes care of domestic intelligence, or the RAW acts to follow the UK example. What is most remarkable is that MI6, which is officially known as the Secret Intelligence Service (SIS), hopes that the Web site will facilitate better understanding of the organisation to those who are aspiring to join it. There are references to air-conditioned offices, recreational facilities and good transport connections, as also a "family atmosphere", all of which are meant to encourage men and women from a wide spectrum of society to seek MI6 employment. The Web site makes a specific appeal to IT experts to come into the organisation.

Although none can apply for a job online, there are some who believe that the Web site will be an invitation to Al Qaeda supporters to infiltrate the MI6. Nothing can be more preposterous. The point is any recruitment to a sensitive organisation does not take place without a field verification and running the name of a prospective employee against available databases of suspects who should be kept out of employment in a country's vital public agencies.

Interestingly, the UK's domestic intelligence department, the Security Service (MI5), has been having a Web site for quite some time, and more pertinently, most of its recruitment is from among the pool that had applied through the Web site. It is, therefore, ironical that MI6's latest move has generated somewhat of a controversy. Possibly this is the outcome of the currently delicate internal security situation arising out of the July 7 explosions in London.

What is germane to the debate whether security organisations should have a Web site at all is how much of sensitive information will that carry. By this count, the MI6 Web site should disappoint those trying to pry into its top secret operations, whose compromise would be disastrous to national interests and could also wreck relations with friendly countries. For security reasons, the Web site is non-interactive. A visitor can only browse and not download any material. It carries information that is non-sensitive but is at the same time useful to the community. It will seek to dispel the many myths that have come to be associated with the agency's functioning and will clarify its role vis-à-vis other government departments. It will also explain how the organisation's accountability is sought to be enforced. Intelligence agencies the worldover tend to go overboard and are also susceptible to unethical executive pressures, two factors that enhance the need to lay down an accountability mechanism.

The MI6 decision brings to focus the whole question of how much computerisation do intelligence agencies need, and how far are they willing to take the risks involved in bringing sensitive information on to electronic records. With the growing expansion of the charter of
such agencies, especially in the context of 9/11 and subsequent terrorist attacks that have revealed a bewildering nexus between outfits across continents, the volume of information that intelligence managers should hold has been mind-boggling. Also, it is not enough that data are collected and stored, but they should also be easily exchanged between agencies without the danger of interception by terrorist groups. This is a gargantuan task that requires not only extremely secure networks but also data handlers who are totally trustworthy. Any dilution of the levels at which information is processed could spell doom. This is why senior managers in intelligence outfits need to be computer-savvy even at entry. I am not very sure that all intelligence chiefs are conscious of this. Till a few years ago, it did not matter whether intelligence sleuths were computer-literate or not.

The scene has changed dramatically, as would
the MI6 decision to go in for a Web site indicate. I would, therefore, strongly commend to the IB, RAW and similar sensitive bodies to emulate what major IT firms in the country enforce in terms of data security at their major centres. If such best practices are borrowed, there is very little for intelligence agencies to fear while going in for total computerisation. If any intelligence organisation is disinclined to opt for a totally electronic work procedure on the grounds of possible leakage, it will be a gross failure to take advantage of the benefits of modern technology. This is especially because we have reached a stage where cyber forensics has made such strides that an intruder is easier to identify now than in an earlier era where paper ruled the roost. A paperless office should be the dream of many in government who are entrusted with priceless data.

(The writer is a former CBI Director who is currently Advisor (Security) to TCS Ltd.)


Post a Comment

<< Home