IT strategy @ UK.gov

Infosecurity Today, July/August 2006 (Sector, p. 14)

Ian Grant

The UK government needs to improve its ability to deliver effective IT-based systems at reasonable cost. But the proposed solution could change utterly the relationship between the state and the citizen.

In 1963 Prime Minister Harold Wilson gave Britain a vision of a new era forged in the ‘white heat’ of technology. Forty years on, Wilson’s political heir, Tony Blair, seeks to apply that technology to transform the way government interacts with its citizens and with itself.

Never mind the privacy and data sharing issues that lie at the heart of the proposed transformation. In government IT, the chief risk is a shift in direction of the political wind. When newspaper headlines drive policy, expect choppy seas.

The British public sector spends some £14 billion a year on IT projects. This is about 2.5% of the £552 billion total Chancellor Gordon Brown budgeted to spend this financial year. As the government forges ahead with its e-government plans, spending on IT, as a percentage of the national budget, is likely to rise (see sidebar, ‘Lies, damned lies, and accounts’).

In recent years, the government didn’t seem to get much value for money. The litany of IT disasters felt endless: passports, magistrates’ courts, child support, tax credits, car licences, education, farm payments, job centres, the police. Even some systems that seemed to be working, such as those in the Home Office, are “unfit for purpose”, says the new Home Secretary, John Reid. To be fair, perhaps the purpose has changed.

The cost of these failed systems runs into hundreds of millions of pounds; the degradation of services promised but not delivered was embarrassing, and the distress to individuals as a result of the failures has damaged their trust and goodwill towards the government.

In the private sector, the financial director would have drawn the purse-strings and heads would have rolled. The consulting firm Accenture has contracts with the National Health Systems’ National Programme for IT (now called Connecting for Health) worth at least £2 billion. Reporting its latest financial results, Accenture CEO William Green said, “During the quarter, several issues increased the risks and uncertainties associated with the NHS contracts and affected our estimates of the expected contract revenues and costs. Under GAAP, we were required to record this provision to reflect these new circumstances.”

iSoft, the former KPMG consulting arm that is Accenture’s partner for the NHS business, extended the time over which it recognises revenue. As a result profit forecasts fell from £17m-£22m to £3m-£7m. When its share price slid from 400p to 50p in response, it sacked its CEO Tim Whiston.

Such public recognition and punishment of poor performance hasn’t happened in Whitehall, at least not that anyone noticed.

It may prove harder to sweep similar public sector disasters under the table in future because two proposed multi-billion pound systems have hit the headlines and stayed there. These are the NHS’s Connecting for Health programme and the proposed biometric identity card. Government needed to be seen to be reining these in with a firm stand.

Government should know better

It’s not that the government wasn’t aware of problems with large IT projects - on the contrary. And it knows what to do, at least in theory. The Office of Government Commerce, part of the Office of the Deputy Prime Minister (now called the Department of Communities and Local Development) has documented what makes projects go wrong (see table). It uses these benchmarks in the Gateway Review process it uses to assess government IT projects, ideally before contracts are signed.

The problem is, a spokesman said, that departments have to invite the OGC’s Gateway reviewers to run their eyes over the plan. But they don’t have to accept their verdict or follow their recommendations. “Gateway reviews do not have a function to allow/disallow projects to proceed, but simply make recommendations to the SRO (senior responsible officer) that will maximize the project’s chances of success,” the spokesman says. So, there is no head-on-block sanction against failure, nor is there a formal automatic measurement and review process.



The OGC says ‘465 projects and programmes that are recorded as ‘IT-enabled’ have undergone one or more Gateway reviews (these are Central Civil Government only)’. But it was unable to provide details of their capital or running costs.

The OGC’s parent body, the Department for Communities and Local Government, is also responsible for 22 national programmes for local government (see table, ‘Bang for the buck’). Here the relationship with individuals will be mostly more regular and more intimate than with anyone except the taxman.

The department says a study by consultancy Capgemini showed that just six of the projects would bring benefits worth £320m in saved costs, increase revenues by £60m while the improvement in services would be worth £1.3 billion. Better buying could save another £1.1 billion, and e-payments could save about £708m over five years, it claims. But it can’t or won’t say what return on investment that represents.

What of the future? In November 2005 the government published for comment a document called Transformational Government. This sets out a strategic view of how the government can apply information technology firstly to the benefit of citizens, secondly to improve its internal efficiency, and thirdly boost its professionalism in delivering and managing IT projects.

In one of the 124 responses, the Home Office’s John Golding said “Part of the problem with government IS (information systems) projects is the complexity of policy - generally government policies and solutions are vastly more complicated than private sector ones and we tend to pay, train and recruit less well and then we wonder why government is poor at delivery. But complex policy is seen as good and subtle and the rewards for developing it high, while the rewards for developing achievable policy are zero.”

The government later issued an implementation plan that sets out a number of tasks, responsibilities and a timetable. There are two fundamental issues. The first is the secure and unmistakably unique identification of individuals and legal entities such as businesses. The second is agreement of the rules that govern what information government may legitimately collect and share about these uniquely identified individuals.

David Lacey started in infosecurity in the 1980s with firms like Royal Mail and Shell. He helped to develop the BS7799 standard, and is a founder of the infosecurity standards setting body, the Jericho Forum. Lacey says the government faces a difficult balancing act between data privacy and data sharing. “There is no quick solution. The balance underpins the whole concept, and if the people don’t trust it, well...”

The government is taking this very seriously. No fewer than three Cabinet Committees are addressing different aspects. Their respective remits are:

• To coordinate the government’s policy and strategy on identity management in the public and private sectors, and to drive forward the delivery of transformational benefits across government;

• To drive forward the government’s strategy for IT-enabled change in the provision of public services; to review delivery of departments’ programmes for making efficiency savings through e-enablement; and to make recommendations as necessary to the Committee on Public Services and Public Expenditure;

• To develop the government’s strategy on data sharing across the public sector.

“The balance between privacy and data sharing underpins the whole concept”

[Photo caption: Former Royal Mail security chief David Lacey: government faces a difficult balancing act between data privacy and data sharing]

Lies, damned lies, and accounts

There is at least one document that estimates the government’s spending on IT at £14 billion a year. But who knows what this bald figure really means?

In fact, the government may have performed some sleight of hand with the sums. The regulatory impact assessment of Transformational Government says “The public sector spends some £14 billion per annum on major IT systems.”

But the authors say their assessment specifically excludes “the impact of major change programmes already underway in the public sector, such as Connecting for Health; reform of the Criminal Justice System; the Harnessing Technology strategy in Education; the Local e-Gov programme; modernisation of the Defence Information Infrastructure and the Digital Strategy programme. Responsibility for RIAs for these programmes lies with the sponsoring department.”

It is thus unclear whether the £14 billion they refer to includes these other liabilities. It is also unclear whether it includes financial liabilities that may have arisen under the government’s Public Private Partnerships and Private Finance Initiatives. The reason for adopting these programmes was to move the liabilities “off-balance sheet”, in other words, to hide them from the public.

At the February meeting of the Public Accounts Commission, MP Austin Mitchell said to the Auditor General, Sir John Bourn, “You’ve brought to our attention the fact that 97% of health and local government projects are off-balance sheet.”

A Treasury spokesman said “We don’t recognise that figure,” and claimed the government’s total off-balance sheet liability is closer to 53% of the contracted value of the projects. The spokesman declined to say what the total is, but a Treasury document called the PFI Signed Projects List records about 750 projects from 1989 with a total value of £48.4 billion.

At least four of these are specifically IT projects. One is the Crown Prosecution Service’s 10-year contract for Compass, a national case management system; no capital value is given. HM Revenue and Customs ordered managed infrastructure services worth £14.3 million in 1999. When the contract was revised in 2003, the bill leaped to £156.0 million. In 2000 the Home Office spent £24.7 million on IT 2000 (Sirius). The accompanying note reads, “Home Office e-Business and IT project. OFF balance sheet. Believed to be 3rd party financed but no 3rd party rights within contract, as defined for PFI.”

Perhaps the Comprehensive Spending Review due in 2007 will be more enlightening.

Ian Watmore, the government’s former chief information officer, now heads the Prime Minister’s Delivery Unit. He is nominally responsible for making Transformational Government work. But he has to coordinate enough other cooks to make an alphabet soup of acronymed logorrhoeic committees (see table, ‘Alphabet Soup’).

Lacey notes that strategies are “aspirational”; what counts are action and delivery. He notes government’s preference for out-sourcing and thus reducing public visibility of its liabilities. He says, “There is a massive skills gap, particularly in managing out-sourced projects. (The government’s own project management system) Prince 2 is very bureaucratic and does not allocate responsibility to individuals. It is easy to lose that focused accountability among the committees that Prince 2 encourages. Delivering on this strategy will be like driving a bus without the steering column being connected to the wheels.”

Dennis Keeling, chief executive of the Business Application Software Developers’ Association (BASDA), is more sanguine. His members, mostly developers of accounting software, “have been e-filing (documents such as tax returns and year-end payroll reports) using the Government Gateway for six years. I don’t know of a single incident where security was compromised,” he says.

Keeling notes that there are stringent rules against data sharing. “For instance, there are times when we or the government can receive information but not send it on. Sometimes we cannot even say whether or not the data exists.”

He notes that the government has been “very guarded” about its intentions on identity and data sharing. Until his members have seen the government’s proposals, he is unwilling to comment. “However, I am satisfied that we have access to the highest levels should we need to discuss any related issue,” he says.

One of them might be the suitability of the National Insurance number as an individual’s primary identifier and index marker. Lots of governments and institutions have used a number, such as the US’s Social Security number or a credit card number, as the primary means of authenticating the individual to the institution.

It is no longer enough. Boston-based market researcher Aberdeen Group reports that the cumulative losses from identity theft, now suffered by tens of millions of individuals and businesses worldwide, rose 1000-fold from an estimated $221 billion in 2003 to $2 trillion in 2005. A US Federal Trade Commission study found that two-thirds of ID theft cases stemmed from stolen credit card numbers, and a Washington state survey found that one in nine families have been victims of ID theft. Some of them no doubt were affected by the theft of a laptop from a US Veterans’ Affairs staffer. It had the Social Security numbers and birthdates of 26.5 million ex-soldiers and their dependents.

As identity theft has risen, single factor authentication, such as a social security or ID number, has proven too vulnerable. Once stolen or otherwise abused, it is a skeleton key to that person’s entire documented existence.

Given initial problems with the credit card firms’ chip and PIN system, it seems inevitable that reliable authentication will have to integrate at least three factors. These could be a chip, a PIN and one or two biometric measures, and the data will be encrypted on-card and in transit. Moreover readers will also have to test for the subject’s vitality. When the South African pensions department introduced a fingerprint reader to authenticate payments, at least one family used their deceased pensioner’s severed, pickled digit to continue to draw his pension.

As many commentators have said, multifactor authentication will be expensive. But people may resist this less than expected. In the US, several retailers and banks now authenticate grocery payments by reading shoppers’ fingerprints. More and more passports carry biometric data. And as more people suffer the consequences of having their identity stolen, pressure for more secure forms of identity is likely to rise.

Ian Grant is a freelance writer on business issues.

[Photo caption: Tony Blair speaking to NHS representatives at 10 Downing Street. (Sang Tan/AP/WPA rota/PA)]

Bang for the buck

The government is hoping for a 10:1 return on its investment in 22 so-called National Projects that make up the Local e-Gov programme.

For a budgeted capital spend of around £120 million it hopes to improve productivity and efficiency by at least £1.1 billion, says a spokesman for the Department of Communities and Local Government.

“Every prospective project prepared a business case prior to budgetary approval,” he says. He declines to provide details of costs and benefits, but says they were nevertheless collected.

“Whilst we have not attempted to summarize across the projects in terms of cost savings, time saved, etc, the outputs and work from the National Project programme were aligned with the delivery of 73 Priority Service Outcomes for local e-government by March 2006. (See http://www.localegov.gov.uk/images/IEG6%20Final%20Proforma_425.doc)

“Overall, the work of the DCLG’s Local e-Government Programme is forecast by local authorities to deliver £1.1 billion efficiency gains by 2007/08.

“Through the migration process for National Project programme work, 26 local authorities have now taken ownership of key products in order to sustain the modernisation and improvement process into the future.”

The projects are:

National Projects

• Customer Relationship Management (CRM)
• Digital TV (DigiTV)
• e-Benefits
• e-Citizen (Take-up & Marketing)
• e-Fire
• e-Pay
• e-Procurement (NePP)
• e-Trading Standards National (e-TSN)
• Environment and Community Online Residents’ e-Services (ENCORE)
• Framework for Information Sharing in a Multi-Agency Environment (FAME)
• Knowledge Management
• Local Authority Websites (LAWs)
• Local e-Democracy
• Local e-Government Standards Body (e-Standards)
• School Admissions: eAdmissions and Pan London School Admissions
• Planning and Regulatory Services Online (PARSOL)
• Project Nomad (Mobile Technology)
• Reducing Youth Offending Generic National Solution (RYOGENS)
• Smartcards
• Valuebill (Council Tax/Business Rate Valuation)
• Workflow
• Working with Business

Alphabet soup

Below are some of the bodies that have a hand in planning and executing the government’s forthcoming IT strategy.

The players

• Sir David Varney, CEO, HM Revenue & Customs
• Ian Watmore, PM’s Delivery Unit

The cooks

• Prime Minister’s Delivery Unit
• Cabinet Office
• Office of the Deputy Prime Minister (now Department of Communities and Local Government)
• Devolved Administrations (Wales, Scotland, Northern Ireland)
• Chief Information Officer Council
• HM Treasury
• HM Revenue & Customs
• Whitehall Shared Services Forum
• Central Sponsor for Information Assurance

Documentary drivers

• Capability Reviews
• Comprehensive Spending Review 2007
• Kelly Report

Executors

• Service Transformation Board
• Cabinet sub-committee on Electronic Service Delivery, PSX(E)
• Committee on data sharing, Misc 31
• Customer Group Director (Older People - CE of the Pensions Service)
• Customer Group Director (Farmers - Director, Sustainable Farming Strategy)
• Common Infrastructure Board
• Information Assurance Policy Programme Board
• Foreign and Commonwealth Office
• National Hi-Tech Crime Unit (now Serious Organised Crime Agency)
• National Identity Register
• Department for Education and Skills
• e-skills UK
• IT Academy
• Accreditors’ Forum (for infosecurity)
• SFIA Foundation
• National School of Government
• Programme Delivery Director (Heavy-Hitter)
• Governance
• Service Transformation Board
• Pan-Government Shared Services Board
• CIO Council

Advisors

• Chief Technology Officers’ Council
• Common Infrastructure Board

Input providers

• Department of Constitutional Affairs
• National Archives
• Government Social Research Unit
• Departmental Communications and Marketing Units
• Service Design Authority
• Government Communications Group
• Office of Government Commerce

Results delivery channels

• Directgov
• BusinessLink
• Government Gateway
• Government Connect
• Government Secure Intranet
• Knowledge Network
• Geographic Information Panel
• Intellect
• Government IT Profession
• Strategic Supplier Board
• Corporate Development Group (Cabinet Office)
• Improvement and Development Agency

Affected sectors

• Education, Health, Home Office/Criminal Justice, Local Government
• Department of Work & Pensions
• Defence
• HM Revenue & Customs
• Multiple agencies (e.g. Dept of the Environment, Farming and Rural Affairs, Transport)
• Rest of central government organisations
• National Audit Office
• Audit Commission

Key programmes

• Skills Framework for the Information Age
• National Programme for IT (now Connecting for Health)
• National programmes for e-Gov
• Professional Skills for Government
• Common Assessment Framework (suppliers)
• Common Assessment Framework (government)

Source: Transformational Government implementation plan 2006

The common causes of project failure

1. Lack of clear links between the project and the organization’s key strategic priorities, including agreed measures of success.
2. Lack of clear senior management and Ministerial ownership and leadership.
3. Lack of effective engagement with stakeholders.
4. Lack of skills and proven approach to project management and risk management.
5. Too little attention to breaking development and implementation into manageable steps.
6. Evaluation of proposals driven by initial price rather than long-term value for money (especially securing delivery of business benefits).
7. Lack of understanding of, and contact with the supply industry at senior levels in the organisation.
8. Lack of effective project team integration between clients, the supplier team and the supply chain.

Source: Office of Government Commerce