The Braverman Breach - Episode 8
WHEN IS A SECURITY BREACH NOT A SECURITY BREACH?
WHEN IT'S A BRAVERMAN BREACH.
Podcast episode here: The Braverman Breach, https://richardsonsrubicon.com/the-braverman-breach/
According to a Byline Times article by Iain Overton, using personal channels for communication is a common occurrence among cabinet ministers.
Indeed, from my own personal experience working with cabinet offices, outsourced arm's-length bodies and tech firms, in that curious mismatch of organisations the use of personal emails, WhatsApp and other messaging services is more common than you may think among certain strata. It's strictly against the rules, but it seems the higher up the food chain you go, the more people seem to get away with it. In tandem, the more senior the person doing this, the higher the risk becomes, as I'll explain later.
But first, let's look at the Braverman security breach.
According to the Guardian article by Pippa Crerar, Peter Walker and Aubrey Allegretti, Braverman was sacked by the prime minister because she sent an official document from her personal email to a fellow MP, in a serious breach of ministerial rules.
Definitions - let's look at these:
Security Incident: A security event that compromises the integrity, confidentiality, or availability of an information asset.
Data Breach: An incident that results in the confirmed disclosure — not just potential exposure — of data to an unauthorised party.
And then there’s
Security Clearance - the level of security clearance given to an individual after appropriate vetting.
So here’s the thing, I cannot personally confirm whether Ministers have been vetted and to what level. It is often said they are security cleared so I’ll touch on that in a moment.
Baseline Personnel Security Standard (BPSS) (not vetting):
Very basic stuff, your identity is verified and they have a look at your financial status.
The most common is Security Clearance (SC):
This is the most common type of vetting process. It is transferable between Government departments and covers a wide range of jobs. It is valid for 5 years for Government contractors and 10 years for permanent employees who require substantial access to secret and occasionally top secret assets and information.
Developed Vetting (DV):
This level of security clearance provides substantial unsupervised access to top secret assets or for people working in the intelligence or security agencies. This stringent security check is much more specialised and tends to be job related. In interview, it is said they already know everything about you. They ask you questions to see if you tell the truth.
Interestingly, whether you pass vetting can be dependent on a number of factors. You could have a criminal record and still pass.
For example, Alexander Boris de Pfeffel Johnson accepted a fixed penalty notice for partygate. That FPN meant the police thought they had a good case and if it went to trial then Johnson could have got a criminal record. Johnson made a decision, for whatever reason, avoidance of a trial for example, to pay the notice. It means he doesn't have a criminal record, along with his wife and Sunak, but even if he did I seriously doubt he would have been barred from any necessary access to information given the nature of the offence. Politically, however, a criminal record would have seen him out of office, and rightfully so.
Back to Sue Ellen.
The Government's legal team argued at the time that it was not unlawful for ministers to choose how they communicate, and that the use of private devices was common in modern workplaces.
I felt this misrepresented the situation slightly. While it is true, or at least can be, that personal devices are used, the schemes they operate under normally have inherent security. So, for example, in an organisation I worked for, we allowed people to use personal devices. They were supplied with a dedicated VPN, and our services only accepted connections via the secure VPN gateway, which uses encryption certificates. The devices had managed MAC access, which acts like a key, so only authorised devices could attempt to connect to the services. We used Microsoft Azure to maintain the security of data in those suites.
There was no need to go to external services like Google (as a private user) as all employees could access the data they were allowed to access from wherever they were on any of their allowed devices.
For third parties to view any data, we set up a file sharing system that allowed authorised access only, encrypted the data and time limited the availability. Documents that were intended to be shared had to be classified correctly and, if they weren't intended for a particular recipient, there was a release process where they could potentially be reclassified or have sensitive elements redacted. All of this was demanded by the Government, which is interesting considering how lax they seem to be in the Braverman case.
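The sharing controls described above (authorised recipients only, correct classification, a release review, time-limited availability), sketched as an added example that is not code from the organisation or from this post. The recipient register, signing key and token format are assumptions, and encryption of the file itself is left out.

```python
import hashlib
import hmac
import time

# Classification tiers as named on this page, lowest to highest.
LEVELS = {"OFFICIAL": 1, "SECRET": 2, "TOP SECRET": 3}
# Hypothetical recipient register (constructed): address -> highest tier allowed.
AUTHORISED = {"partner@supplier.example": "OFFICIAL",
              "analyst@agency.example": "SECRET"}
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def _sign(doc_id, recipient, expires):
    msg = f"{doc_id}|{recipient}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def release(doc, recipient, ttl_seconds, now=None):
    """Return (token, reason); token is None when the release is refused."""
    now = int(time.time()) if now is None else int(now)
    recipient = recipient.lower()
    marking = doc.get("classification")
    if marking not in LEVELS:
        return None, "document has no valid classification"
    cleared = AUTHORISED.get(recipient)
    if cleared is None:
        return None, "recipient is not on the authorised register"
    if LEVELS[cleared] < LEVELS[marking]:
        return None, "needs release review: reclassify or redact first"
    expires = now + ttl_seconds
    sig = _sign(doc["id"], recipient, expires)
    return f"{doc['id']}|{recipient}|{expires}|{sig}", "released"


def verify(token, presenting_recipient, now=None):
    """Accept a share token only if it is untampered, unexpired and
    presented by the recipient it was issued to."""
    now = int(time.time()) if now is None else int(now)
    try:
        doc_id, recipient, expires, sig = token.split("|")
        expires = int(expires)
    except ValueError:
        return False
    expected = _sign(doc_id, recipient, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return recipient == presenting_recipient.lower() and now < expires
```

A personal mailbox never appears on the register, so a document sent that way has no valid path through `release`, and a forwarded link fails `verify` for anyone other than the bound recipient.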
In the Braverman case, there seems to be a cloud of reporting with various facts scattered to the four winds making discussion confusing at best and in some cases making the security breach seem less important than it is.
I could be wrong but I've not seen evidence to the contrary that the person (Hayes in this case) COULD have been allowed to see the document according to their security clearance after vetting. Equally, he may not have been authorised by Security Clearance or may have not passed vetting so this may be a security issue in itself! More information is needed in this regard for me to confirm either way as I don't know his clearance level or vetting status.
However, as reported by Emily Ferguson of Inews:
The Cabinet Secretary, Simon Case, was informed that a member of the public had raised concerns about receiving an email from Suella Braverman in which the then home secretary – meaning to send the message to someone else – shared details of a change to the Government’s immigration policy.
Mr Case told the PM (Truss) that Ms Braverman had committed two breaches of the ministerial code: one for sharing sensitive information outside the Government, another for doing so with a personal email address.
So the method by which the document was transported is in question. And we have an unintended recipient.
This security breach is of the type called data leakage.
Data leakage is the unauthorised transmission of data from within an organisation to an external destination or recipient. The term can be used to describe data that is transferred electronically or physically. Data leakage threats usually occur via the web and email, but can also occur via mobile data storage devices such as optical media, USB keys, and laptops. In this case, a "private" email address was used.
Once data is outside of a secure environment, that's bad news; given it was already described as "sensitive", that's doubly bad news. It is not clear what category the information was: Top Secret, Secret or Official, for example. Lazily labelling it as sensitive makes the severity of the security breach hard to confirm or put into proper context in the media.
OFFICIAL The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.
SECRET Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.
TOP SECRET HMG’s most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic well-being of the country or friendly nations.
Considering this was about the Government's plans for immigration control and our borders, I would consider SECRET to be the most appropriate security classification based on what we know about that subject and the criminal gangs involved in human trafficking.
The risk is that the email can be accidentally forwarded on and reach an unintended recipient who can cause all sorts of damage, further sharing the information.
Considering this was about the Government's plans for immigration control and our borders, I would have sacked her myself.
The Dangers of Downplaying
However, there continues to be an element of downplaying this, obviously for political reasons, but it belies the seriousness of the issue and highlights the weak culture of security within the Government. This weak security culture is perhaps the highest risk of all.
In another example of slightly different takes:
An article in The Times by Charles Hymas and Tony Diver states Ms Braverman resigned last week after admitting a “technical infringement” of the rules by sending a government document to Sir John Hayes, a senior Tory MP, via her private email account.
The article then talks about security clearance which is obviously a concern if someone has committed a security breach. It doesn’t seem to mention the unintended recipient.
I just wanted to clear that up as Braverman would have had and probably still does have the requisite security clearance for her role. Hayes? Who knows. The conversation should really stick to the breach and the circumstances, and it's interesting and disappointing at the same time that she called it a technical infringement. It's a security breach.
The downplaying of the security incident by the Home Secretary is a very poor example for the rest of the people in government, and in her department that trades in security.
So let's look at those.
According to the Guardian article by Pippa Crerar, Peter Walker and Aubrey Allegretti, “Braverman, was sacked by the prime minister because she sent an official document from her personal email to a fellow MP, in a serious breach of ministerial rules.” Again, where is the unintended recipient mentioned? Obviously the journalists weren't provided with this information.
“The draft written statement on migration was deemed highly sensitive because it related to immigration rules, which potentially have major implications for market-sensitive growth forecasts from the Office for Budget Responsibility, and, being money related, it's alleged Hunt applied pressure to Truss to let Braverman go.” Again, I refer you to the SECRET classification.
Further down in the article, the security breach was met with raised eyebrows from some of Braverman’s backers. Steve Baker, who co-led her leadership campaign and is now a Northern Ireland minister, said the use of a personal email had only been “technically” a breach of rules, and that such liaison with other MPs on policy was “perfectly normal”.
This is the Northern Ireland Minister downplaying a security breach.
While what they said is probably true, it doesn't make it right. But as I mentioned in my opening statement, it's far more common than anyone would dare think.
What shocks me more is the lack of proper process to deal with it.
https://twitter.com/Peston/status/1585321222874742784
Peston quotes a letter John McDonnell wrote on 26th Oct to the House of Commons public admin and constitutional affairs committee chair William Wragg, asking him, "What agreed processes are there available to the Cabinet Secretary for dealing with breaches of security by ministers?".
By John McDonnell asking the question, either the processes don't exist or they are not publicised. Neither is optimal.
The Cabinet Office's own Government Security Classifications document from May 2018 states: “Everyone who works with government has a duty to respect the confidentiality and integrity of any HMG information and data that they access, and is personally accountable for safeguarding assets in line with this policy.”
Extracts:
Principle Two: EVERYONE who works with government (including staff, contractors and service providers) has a duty of confidentiality and a responsibility to safeguard any HMG information or data that they access, irrespective of whether it is marked or not, and must be provided with appropriate training.
6. Accidental or deliberate compromise, loss or misuse of HMG information may lead to damage and can constitute a criminal offence. Individuals are personally responsible for protecting any HMG information or other assets in their care, and must be provided with guidance about security requirements and how legislation relates to their role, including the potential sanctions (criminal or disciplinary) that may result from inappropriate behaviours.
7. Organisations must have a breach management system in place to aid the detection and reporting of inappropriate behaviours, enable disciplinary procedures to be enforced and assist with any criminal proceedings.
To top it all:
When Cabinet Office minister Jeremy Quin was asked, during the Urgent Question raised by Labour when Braverman fled, whether they would then investigate Ms Braverman, he replied:
“Events in the last administration would not properly be part of the remit of a new independent adviser. That was a matter that was dealt with by the previous administration. We have a new administration and the home secretary has been appointed to her post.”
An attempt to draw a line under the security breach.
So to summarise, from what we are led to believe, there was a security breach of SECRET information. We also know there are no immediately identifiable processes to deal with it. Seemingly, similar breaches are commonplace and on the whole, it is unclear how much of our national security is at risk. Given what we understand about Russian money and links, I'd imagine the risk is critical. THEREFORE the Government OF THE DAY needs to get to grips with internal security as a priority and the opposition should latch onto this hard to effect a positive outcome.
I would also seek to understand if there is a pattern of behaviour, as this increases the level and impact of risk by several factors and may be used to review whether the reappointment to the role was appropriate, given the Home Secretary's role is synonymous with National Security.
“I say we take off and nuke the entire site from orbit. It’s the only way to be sure.”
There's been a lot of noise about this in the media. I'd like to thank everyone who listened to the podcast and read these notes.
There has been a development which underlines that this does seem to be a pattern of behaviour. All of the events listed here regardless of the security classification are, in fact, security incidents. She should not be sending any official, secret or top secret documents to her Gmail account. It's an obvious breach of security no matter which way it's spun:
“I say we take off and nuke the entire site from orbit. It’s the only way to be sure.”