This carelessness with our data is not victimless – it’s criminally irresponsible and someone must carry the can, writes director of the Crisis Research Institute MARK ALMOND
- Read more: Outrage at massive police data breach of people’s personal details
Fifty years ago this week, William McIlveen, an off-duty reservist with the Royal Ulster Constabulary, was assassinated by the IRA at the factory where he worked in the town of Armagh in Northern Ireland.
The 36-year-old Protestant, who was employed as a security guard, was shot twice in the stomach with a high-velocity rifle after going to investigate a car that had pulled onto the factory forecourt.
In those days — at the height of the Troubles — RUC officers were paranoid about security. Some didn’t even tell their friends that they were policemen, and they certainly would not have wanted the location of their day job broadcast if their RUC position was part-time.
But the IRA was well practised at using intelligence networks to identify promising targets by picking up on careless talk in the pub or pumping informants for details.
Decades on, that understandable paranoia among Northern Ireland’s police officers endures and the need for confidentiality is maintained.
That’s why the bungled release this week of the names, ranks and other personal details of more than 10,000 people employed by the Police Service of Northern Ireland (PSNI) is such a catastrophic event
That’s why the bungled release this week of the names, ranks and other personal details of more than 10,000 people employed by the Police Service of Northern Ireland (PSNI) — the RUC’s title since 2001 — including every serving officer, is such a catastrophic event.
It has made things much easier for the men of violence. Some will say that times have changed and officers face nothing like the danger they once did. But the terrorism threat level in Northern Ireland was raised from ‘substantial’ to ‘severe’ as recently as March.
READ MORE: Q&A: What data was accessed? Is my name and address online? Your questions answered after electoral roll cyber attack sees the details of more than 40 million people leaked
The escalation was prompted by an attack on Detective Chief Inspector John Caldwell in Omagh. He was shot a number of times by two gunmen while off-duty, putting footballs in his car after a coaching session with his son’s under- 15 team. He suffered life-changing injuries.
Indeed, while the 1998 Good Friday Agreement largely ended three decades of sectarian violence in Northern Ireland, police officers are still sporadically targeted by splinter groups of mostly Irish nationalist militants. Many officers and ancillary staff prefer to keep their service — and certainly their actual department — secret to reduce the risk of being targeted.
However, after the accidental PSNI data breach — mistakenly divulged in response to a Freedom of Information request — some people may have to move house, especially Catholic officers and civilian staff, who may well live in areas where so-called ‘dissident’ IRA activists are most likely to be active.
Appallingly, the names made public on the internet included the identities of 40 PSNI personnel who work in sensitive departments, including the security service MI5. Unrepentant IRA operatives will be only too happy to get hold of those names and try to put faces and addresses to them.
With a complacency as seemingly casual as their security measures, senior officials in Northern Ireland assure us this life-and-death data was accessible online for only a couple of hours before being deleted. But that gave any interested parties, whether domestic terrorists or foreign spy agencies, plenty of time to download it.
All the great powers, including Britain, have invested massively in defending against code-breaking and data-stealing services.
Information about how a rival’s police forces — including its ‘secret police’ and intelligence services — encode data, store it and transfer it is priceless intelligence for a foreign power trying to penetrate our security.
It is reasonable to assume that the PSNI’s approach to data storage and cyber security is shared by the various law-enforcement agencies across the rest of the UK.
The complacent bureaucratic mindset from Whitehall at the centre of government to Stormont in Northern Ireland needs to be shaken up — and those responsible held to account
Acquiring inside intelligence about how MI5 operate, for example, could be key to opening up access to even more valuable information. Let’s not forget how investigative journalism group Bellingcat exposed the identities of the Russian spies who travelled to Salisbury five years ago to poison the former Russian spy Sergei Skripal.
The Russian spy agency, the GRU, had committed elementary blunders. It gave its agents passports with consecutive numbers, and they had driving licences linked to the same address in Moscow. This meant anyone listing that block of flats as their home address could be picked out as a likely agent.
In the same way, finding other data about officers in Northern Ireland once their names and service branches are known is made much easier. Terrorists able to scan the PSNI data could use other accessible data sources ultimately to locate a target.
The data fiasco came to light a day after the Electoral Commission admitted the electoral roll had been ‘compromised’.
We are reassured that it is unlikely that a criminal gang got hold of around 40 million identities because there is no evidence of mass breaches of bank accounts, for instance. But this hack, widely assumed to be state-sponsored — such as by Russia — does pose a range of security threats.
Britain doesn’t have identity cards, so the Government here has only a vague idea of who lives where at any given moment — except at the point, every ten years, when it conducts the national census. The Electoral Commission, on the other hand, boasts that it keeps its register of voters constantly up to date.
With details of so many names, and domestic as well as email addresses, you can imagine a situation in which the hackers who mounted the cyberattack on the Commission could create all sorts of trouble in the run-up to a General Election.
They could, for example, send out emails or letters saying a polling station has been changed; flood people’s Facebook accounts with ads; or email links to websites promoting a particular political message.
With details of so many names, and domestic as well as email addresses, you can imagine a situation in which the hackers who mounted the cyberattack on the Commission could create all sorts of trouble in the run-up to a General Election
They could also commit postal-vote fraud on an industrial scale by collecting the details of people working abroad at the time of an election, or students registered at their parental home as well as their university address. They could even harvest ballot papers sent in bulk to blocks of flats or student halls.
They could even use contact details to locate individuals, approach them via a ‘chance’ meeting near their home, or by letter or email, and then cultivate them for intelligence purposes.
Even more sinister is the possibility that Moscow could target Brits in Russia if the name and address on a Briton’s visa form matched their address on the electoral register.
Identifying family members at the same address, or other persons of interest, could facilitate an approach to recruit or intimidate someone.
Remember, spies — like terrorists and the Mafia — know how alarming it is to be told: ‘I know where you live.’
So we can easily imagine a state such as Russia, for instance, would love to sift this material for spy-recruitment purposes or to set up disinformation operations.
Don’t forget that the first diversification out of the catering business by Yevgeny Prigozhin, the boss of the Wagner mercenary group, was the establishment of an internet trolling agency in St Petersburg that went on to try to influence the U.S. presidential election in 2016.
When it comes to protecting lives, national security and our democracy, carelessness with data is as dangerous as turning a blind eye to espionage.
Too many politicians and civil servants seem to shrug their shoulders at data breaches. There is a danger that they are coming to treat such events as little more than bad weather — something they can’t do much about, just one of those things.
But this lax approach is criminally irresponsible. The complacent bureaucratic mindset from Whitehall at the centre of government to Stormont in Northern Ireland needs to be shaken up — and those responsible held to account.
Source: Read Full Article