Ministry of Defence risks security blunder with new IT system
By Ian Dunt
The Ministry of Defence (MoD) has left the door open to further security breaches through a haphazard and flawed implementation of its new IT system.
In a highly critical assessment by the public accounts committee (PAC), MPs described efforts to establish the new system as “highly inadequate”.
Committee chairman Edward Leigh said the £7 billion project was “badly planned in important respects”.
“No proper pilot for this highly complex programme was carried out and entirely inadequate research led to a major miscalculation of the condition of the Department’s buildings in which the new system would be installed.”
The damning report follows several breaches of data security at the MoD, and experts are increasingly concerned a further breach could lead to attacks on service personnel, possibly by Islamic fundamentalist groups.
Just two months ago, for instance, a portable hard disk with data on 1.7 million recruits and potential recruits was lost.
“There is risk for massive data breaches – not just to the organisation of the MoD but of that filtering down to members of the armed forces,” Simon Earl, technical director of IT Security Experts, told politics.co.uk.
“Take for instance the leaked BNP membership list on the internet – that’s the risk.”
An independent review of its data handling was held in early 2008 and the MoD is in the process of implementing the recommendations.
The new system would replace hundreds of existing computer systems with a single new one, called the Defence Information Infrastructure (DII).
The DII was supposed to prevent any further security breaches but the report notes “it took over two years longer than planned to get a version of DII that could handle secret material”.
MPs severely criticised the outsourcing of the project to a consortium called ATLAS, which they said was unable to meet the MoD’s requirements.
The system was supposed to replace the MoD’s old email, internet access and security systems. By June 2008, fewer than half of the new systems that had been promised for two years earlier had been completed.
The delay has forced the MoD to continue using the old systems, which are now completely out of date and running a risk of failure – opening the door to further security breaches.
“The ATLAS consortium implementing the project – led by EDS, a company whose track record of delivering government IT projects has not been exemplary – underestimated the complexity of the software it had agreed to create,” Mr Leigh said.
“For over two years, it was unable to deliver a system that could safely handle secret material.”
The cost of the project has increased by £182 million due to the delays.
Further delays were caused by a serious miscalculation about the state of the buildings the system was to be installed in.
Whereas 62,800 terminals should have been installed by the end of July 2007, only 45,600 were in place at the end of September 2008.
“On the basis of totally inadequate research, the DII programme made a major miscalculation about the condition of the buildings into which the new system would be installed, with serious consequences for the delivery of the programme to time,” the report said.
Of the users who did have an opportunity to use the system, 40 per cent said they were unsatisfied with it.
Both opposition parties have seized on the report as evidence of the government’s continued failure when it comes to IT projects and a “cavalier” attitude to data security.
Nick Harvey, Liberal Democrat defence spokesman, said: “When the government’s terrible record on major IT projects is brought together with the MoD’s catalogue of failure on procurement, it is no surprise that we see this perfect storm of incompetence.”
Dr Liam Fox, shadow defence minister, said: “This report tells a story of Labour’s incompetence, mismanagement, and complacency. It is yet another IT disaster story for a government which has consistently shown a cavalier attitude to personal information.”
Last week, a freedom of information request revealed a failure across government departments to reform data security arrangements, despite losing 30 million personal files in two years.