Tag Archives: Cabinet Office

A proposed Bill and charter that could change the face of Whitehall IT and save billions

By Tony Collins

A government-commissioned review yesterday backed a Bill that could, if enacted and applied to Whitehall generally, prevent billions of pounds being lost on wasteful projects.

The Public Authority Accountability Bill – known informally as the Hillsborough Law – would establish an offence of intentionally or recklessly misleading the public, media or court proceedings.

It would also impose a legal requirement on public authorities to act with candour, transparency and frankness when things go wrong.

Although the Bill was a reaction, in part, to the cover up by public authorities of their failings in the light of Hillsborough, it could, if enacted, deter public authorities from covering up failings generally – including on major IT programmes.

For decades public authorities have had the freedom – unrestricted by any legislation – to cover up failures and issue misleading statements to the public, Parliament and the media.

In the IT sphere, early problems with the Universal Credit IT programme were kept secret and misleadingly positive statements issued. The National Audit Office later criticised a “good news” culture on the Universal Credit programme.

And still the DWP is fighting to block the disclosure of five project assessment reviews that were carried out on the Universal Credit IT programme between 2012 and 2015.

It could be argued that billions of pounds lost on the NPfIT – the National Programme for IT in the NHS – would have been avoided if the Department of Health had been open and candid at the start of the programme about the programme’s impractically ambitious aims, timescales and budgets.

The Department for Business, Energy and Industrial Strategy is currently keeping secret its progress reports on the £111bn smart meters rollout – which independent experts have said is a failing programme.  The department routinely issues positive statements to the media on the robust state of the programme.

The Public Authority Accountability Bill was drafted by lawyers who had been involved with representing bereaved Hillsborough families. It is aimed mainly at government inquiries, court proceedings and investigations into lapses of public services.

But it would also enshrine into law a duty on public authorities, public servants, officials and others to act within their powers with “transparency, candour and frankness”.

Lawyers who drafted the Bill refer on their website to “institutional defensiveness and a culture of denial” when things go wrong. They say,

“In 2017 we expect public authorities and individuals acting as public servants to be truthful and act with candour. Unfortunately, repeated examples have shown us that this is not generally the case.

“Instead of acting in the public interest by telling the truth, public authorities have tended to according to narrow organisational and individual motives by trying to cover up faults and deny responsibility …”

Backing for the Bill came yesterday from a 117-page report on the Hillsborough disaster by Bishop James Jones. The government commissioned him to produce a report on the experiences of the Hillsborough families so that their “perspective is not lost”.

Jones’ impressive report refers to institutions that “closed ranks, refused to disclose information, used public money to defend its interests and acted in a way that was both intimidating and oppressive”.

His report refers to public bodies in general when it points to a “cultural condition” and “mindset” that features an “instinctive prioritisation of the reputation of an organisation over the citizen’s right to expect people to be held to account for their actions”. This, says the report, “represents a barrier to real accountability”.

It adds,

“As a cultural condition, this mindset is not automatically changed, still less dislodged, by changes in policies or processes. What is needed is a change in attitude, culture, heart and mind.”

The report urges leaders of “all public bodies” to make a commitment to cultural change by publicly signing a new charter.

The charter commits public bodies to:

  •  Place the public interest above its own reputation.
  • Approach forms of scrutiny with candour, in an open, honest and transparent way, making full disclosure of relevant documents, material and facts.
  • Learn from the findings of external scrutiny and from past mistakes.
  • Avoid seeking to defend the indefensible or to dismiss or disparage those who may have suffered where the organisation has fallen short.
  • When falling short, apologise straightforwardly and genuinely.
  • Not knowingly mislead the public or the media.

The report says that institutional defensiveness and a culture of denial are “endemic amongst public institutions as has been demonstrated not only by the Hillsborough cover up but countless other examples.”

Stuart Hamilton, son of Roy Hamilton who died at Hillsborough, is quoted in the report as saying,

“Police, officials and civil servants should have a duty of revealing the full facts and not merely selecting some truths to reveal but not others. Not lying or not misleading is simply not good enough. Without this, future disasters cannot be averted and appropriate policies and procedures cannot be developed to protect society.

“Such selective revealing of information also results in the delay of justice to the point where it cannot be served”.

He added,

“I believe that without a change not only in the law but also in the mindset of the public authorities (which a law can encourage) then very little exists to stop the post-event actions happening again.”

IT-enabled projects

Whitehall departments and the Infrastructure and Projects Authority publish their own narratives on the progress on major IT-enabled projects and programmes such as Universal Credit and smart meters.

But their source reports aren’t published.

Early disclosure of failings could have prevented hundreds of millions of pounds being lost on the FireControl project, the BBC’s Digital Media Initiative, the Home Office Raytheon e-borders and C-Nomis national offender management information projects and the Rural Payments Agency’s CAP delivery programme (which, alone, contributed to EU penalties of about £600m).

Comment:

Yesterday’s beautifully-crafted report into the Hillsborough disaster – entitled “The patronising disposition of unaccountable power” – is published on the Gov.uk website.

It has nothing to do with IT-enabled projects and programmes. But, in an unintentional way, it sums up a public sector culture that has afflicted nearly every Whitehall IT-based project failure in the last 25 years.

A culture of denial is not merely prevalent today; it is pervasive. All Whitehall departments keep quiet about reports on their failings. It is “normal” for departments to issue misleadingly positive statements to the media about progress on their programmes.

The statements are not lies. They deploy facts selectively, in a way that covers up failings. That’s the Whitehall culture. That’s what departments are expected to do.

According to Bishop Jones’ Hillsborough report, one senior policeman told bereaved families that he was not obliged to reveal the contents of his reports. He could bury them in his garden if he wished.

It’s the same with government departments. There is no legal duty to keep programme reports, still less any requirement to publish them.

If Bishop Jones’ charter is signed by leaders of public authorities including government departments, and Andy Burnham’s Bill becomes law,  the requirement for candour and transparency could mean that IT programme progress reports are made available routinely.

If this happened – a big if – senior public officials would have to think twice before risking billions of pounds on a scheme that held out the prospect of being fun to work on but which they knew had little chance of success within the proposed timescales, scope and budget.

It’s largely because of in-built secrecy that the impossibly impractical NPfIT was allowed to get underway. Billions of pounds was wasted.

Some may say that the last thing ministers and their permanent secretaries will want is the public, media and MPs being able to scrutinise what is really happening on, say, a new customs IT project to handle imports and exports after Brexit.

But the anger over the poor behaviour of public authorities after Hillsborough means that the Bill has an outside chance of eventually becoming law. Meanwhile public sector leaders could seriously consider signing Jones’ charter.

John Stuart Mill wrote in 1859 (On Liberty and The Subjection of Women) that the “only stimulus which can keep the ability of the [public] body itself up to a high standard is liability to the watchful criticism of equal ability outside the body”.

Is Gauke being told the whole truth on Universal Credit’s rollout problems?

By Tony Collins

“It is working,” said Work and Pensions secretary David Gauke in Manchester yesterday. He was referring to a plan to accelerate the rollout of Universal Credit from this month.

“I can confirm that the rollout will continue, and to the planned timetable,” he added.

But are civil servants giving Gauke – and each other – full and unexpurgated briefings on the state of the Universal Credit programme?

Last year, in a high-level DWP document that government lawyers asked a judge not to release for publication, a DWP director referred to

“a lack of candour and honesty throughout the [Universal Credit] programme.”

Senior civil servants were not passing bad news on the state of the Universal Credit IT programme even to each other.

The DWP document was dated several years after Iain Duncan Smith, the original force behind the introduction of Universal Credit, found his internal DWP briefings on the state of the UC programme so inadequate – a “good news” culture prevailed – that he brought in his own external advisers – what he called his “red team”.

In 2013 the National Audit Office, in a report on Universal Credit, said a “good news” mentality within the DWP prevented problems being discussed.

If problems could not be discussed they could not be addressed.

Last year the Institute for Government, in a report on Universal Credit, said IT employees at the DWP’s Warrington offices burst into tears with relief when at last permitted – by external advisers –  to talk openly about problems on the programme.

The Work and Pensions Committee has questioned why DWP ministers told MPs all was going well with the programme when it was well behind schedule and beset with problems.

The Public Accounts Committee called the DWP “evasive and selective” when it came to passing on information about the state of the Universal Credit programme.

Is there any reason to believe that the “fortress mentality” that the NAO referred to in its report on Universal Credit in 2013 is no longer present?

When David Gauke announced yesterday that he is continuing the rollout of Universal Credit, was he basing his decision on the full facts – or a “good news” version of it as told to him by the DWP?

Comment

David Gauke will have been given the “new minister” treatment when he joined the DWP on 11 June 2017.

“The first thing you’ve got to overcome when you walk through the door is that everybody is being almost far too nice to you,” said one of Gauke’s predecessors, Iain Duncan Smith. He was speaking in 2016 after leaving the DWP.

IDS was much criticised for assuring Parliament all was well with the Universal Credit IT programme when it wasn’t. But maybe he was right to point out that, when he joined the DWP, he found that the “biggest cultural barrier” was getting civil servants to be honest about difficulties.

“The Civil Service, legitimately, see it as their role to deliver on politicians’ policy demands and this can sometimes make them resistant to the idea that they should inform you early of problems,” said IDS.

It was IDS who told BBC’s Radio 4 Today programme in December 2013, that Universal Credit was on track.

“It’s on budget. It’s on budget. Some 6.5million people will be on the system by the end of 2017.”

In fact, fewer than 700,000 people are claiming Universal Credit, according to the latest DWP statistics.

DWP’s 30 years of a “good news” culture

In the past 30 years, it has been almost unknown for the DWP’s mandarins to concede that they have had serious problems with any of their major IT-based projects and programmes.

Perhaps it’s understandable, then, that Gauke apparently refuses to listen to critics and continues with the accelerated rollout of Universal Credit.

Would he have any idea that the Citizens Advice Bureau, in a carefully-researched report this year, said that some claimants are on the DWP’s “live service” (managed by large IT suppliers) which is “rarely updated” while other claimants are on a separate “full service” – what the CAB calls a “test and learn” system – which is still being designed?

Would Gauke know of the specific concerns of the all-party Work and Pensions Committee which wrote to the DWP earlier this year about Universal Credit decision makers being “overly reliant on information from [HMRC’s] Real-time information” even when there is “compelling evidence” that this data is  incorrect?

Would Gauke have any reason to believe those who refer to regular computer breakdowns and inaccurate and inconsistent data?

In the DWP’s own document that it did not want published, the DWP director said that, internally, “people stopped sharing comments which could be interpreted as criticism of the Programme, even when those comments would be useful as part of something like an MPA [Major Projects Authority] review.”

Many staff believed the official line was ‘everything is fine’. Nobody wanted to be seen to contradict it.

All this suggests that the DWP will carry on much as before, regardless of external criticism.  Individual ministers are accountable but they move on. Their jobs are temporary. It’s the permanent civil service that really matters when it comes to the implementation of Universal Credit.

But mandarins are neither elected nor effectively accountable.

NHS IT programme?

There may be some comparisons between Universal Credit and the NHS IT programme, the £10bn NPfIT.

A plethora of independent organisations and individuals expressed concerns about the NPfIT but minister after minister dismissed criticisms and continued the rollout. The NPfIT was dismantled many years later, in 2011. Billions was wasted.

Based on their civil service briefings, NPfIT ministers had no reason to believe the programme’s critics.

Universal Credit has more support than the NPfIT and the IT is generally welcomed, not shunned. But the Universal Credit rollout is clearly not in a position yet to be speeded up.

Whether Gauke will recognise this before his time is up at the DWP is another matter.

Like IDS, Stephen Crabb and Damian Green – all secretaries of state during the rollout of Universal Credit – Gauke will move on and his successor will get the “new minister” treatment.

And the cycle of ministerial “good news” briefings will continue.

Perhaps the DWP’s senior civil servants believe they’re protecting their secretaries of state.

As the civil servant Bernard Woolley said in “Yes Minister”

“If people don’t know what you’re doing, they don’t know what you’re doing wrong.”

Thank you to David Orr, an ardent campaigner for open government, who alerted me to Universal Credit developments that form part of this article.

HMRC appoints Microsoft executive as head of IT

By Tony Collins

Government Computing reports that HMRC has appointed a new chief digital and information officer, Jacky Wright, who is currently Microsoft’s corporate vice-president, Core Platform Engineering.

Theresa May ratified Wright’s appointment. Candidates were considered from across the civil service and the public and private sectors, and internationally.

The chief executive of HMRC Jon Thompson said,

“Jacky is a seasoned commercial leader with ‘best in class’ credentials, globally. Balancing strong operating experience with a record of driving innovation… Her influence as a technology leader and as a champion for the role of women and BAME [black, Asian, minority ethnic] in industry, is a major win for this organisation.”

Wright will take up her appointment from 16 October. She said,

“I am passionate about the impact innovation can have in truly transforming services for people and businesses in a positive way and want to continue the great work being done within HMRC and across the Civil Service at this time. I am proud to represent women and BAME in technology and will continue to promote the vital role of diversity within our industry and more broadly.”

One of HMRC’s biggest IT challenges in the coming months and years will be to detach itself from the £10bn “Aspire” outsourcing deal in which Capgemini and Fujitsu are the main suppliers.

Aspire is being broken up. HMRC says the contract is already “dead” but the department will rely on Capgemini as a strategic supplier until June 2020 and most probably beyond. HMRC has spent at least £720m a year on Aspire since 2008, including 2015/16.

Comment:

After spending years trying to distance itself from major IT suppliers, HMRC has appointed a top Microsoft executive as its new head of IT.

That said, Wright is an excellent appointment. She’s widely recognized for her contributions to the technology industry and for championing diversity. She has been in Britain’s Powerlist 100 of Most Influential People, the Top 100 BAME Leaders in Business, and Savoy Magazine’s Top Women list.

The challenge for Wright will be to use her influence and skills in a civil service that, at the top level, may not fully appreciate her. Will she feel sufficiently valued and stay?

Francis Maude – the former IT reformer and Cabinet Office minister – said in a Speaker’s Lecture this week that the civil service values policy experts more than operational and technical leaders.

“Policy nearly always trumps operational and technical skills for the leadership roles,” said Lord Maude.

“It feels like a class divide: there are the white-collar policy mandarins, and the blue-collar technicians who do operations, finance, procurement, IT and digital, project management, HR, and so on.

“All the attempts to create genuine parity of esteem have failed. This has to change in the future. Many government failures could have been prevented if operational and technical teams had the same access to Ministers as do policy officials.”

In working for HMRC,  Wright may need to acclimatise to a civil service culture that could, at times, strike her as frustrating, closed and irrational.  HMRC’s former IT chiefs include Steve Lamey, Phil Pavitt and Mark Dearnley.

Will an innovations specialist of Wright’s calibre last at HMRC? If she does, it could imply that HMRC is defying the civil service culture and is valuing a top international IT professional.

If she doesn’t last, it could imply that she has been hired as a Formula One driver and then given a Prius to race.

The Prius is an impressive piece of machinery. But it’ll never go particularly fast, however expertly it’s driven.

Microsoft’s Jacky Wright named as HMRC’s new CDIO

 

Whitehall renews facade of openness on major IT projects

By Tony Collins

Headlines yesterday on the state of major government IT projects were mixed.

Government Computing said,

“IPA: Whitehall major projects show ‘slow and steady’ delivery improvement”

Computer Weekly said,

“Government IT projects improving – but several still in doubt”

The Register said,

“One-quarter of UK.gov IT projects at high risk of failure – Digital borders, digital tax and raft of MoJ projects singled out”

The headlines were prompted by the Infrastructure and Projects Authority’s annual report which was published yesterday.

The report listed the RAG – red/amber/green – status of each of 143 major projects in the government’s  £455bn major projects portfolio. Thirty-nine of these are ICT projects, worth a total of £18.6bn.

Publication of the projects’ red/amber/green status – called the “Delivery Confidence Assessment” – seemed a sign that the government was being open over the state of its major IT and other projects.

A reversal of decades of secrecy over the progress or otherwise of major IT projects and programmes?

In a foreword to the Infrastructure and Projects Authority’s report, two ministers referred twice to the government’s commitment to openness and accountability.

MP Caroline Nokes, Cabinet Office minister, and MP Andrew Jones, a Treasury minister, said in their joint foreword,

“The government is also committed to transparency, and to being responsive and accountable to the public we serve.

“Accordingly, we have collected and published this data consistently over the past five years, enabling us to track the progress of projects on the GMPP [Government Major Projects Portfolio] over time.

“We will continue to be responsive and accountable to the public.”

But the report says nothing about the current state of major IT projects. The delivery confidence assessments are dated September 2016. They are 10 months out of date.

This is because senior civil servants – some of whom may be the “dinosaurs” that former minister Francis Maude referred to last month – have refused to allow politicians to publish the red/amber/green status of major projects (including the Universal Credit programme and the smart meters rollout) unless the information, when published, is at least six months old.

[Perhaps one reason is to give departmental and agency press officers an opportunity to respond to journalists’ questions by saying that the red, red/amber or amber status of a particular major project is out of date.]

Amber – but why?

An amber rating means that “successful delivery appears feasible but significant issues already exist” though any problems “appear resolvable”.

In September 2016 the Universal Credit programme was at amber but we don’t know why. Neither the IPA nor the Department for Work and Pensions mention any of the “issues”.

The £11bn smart meters rollout is also at amber and again we don’t know why. Neither the IPA nor the Department for Business, Energy and Industrial Strategy mention any of the “issues”. Permanent secretaries are allowed to keep under wraps the IPA’s reasons for the red/amber/green assessments.

Even FOI requests for basic project information have been refused.  Computer Weekly said,

“Costs for the Verify programme were also withheld from the IPA report, again citing exemptions under FOI.”

Comment

The senior civil servants who, in practice, set the rules for what the Infrastructure and Projects Authority can and cannot publish on major government projects and programmes are likely to be the “dinosaurs” that former Cabinet Office minister Francis Maude referred to last month.

Maude said that Whitehall reforms require that new ministers “face down the obstruction and prevarication from the self-interested dinosaur tendency in the mandarinate.”

Clearly that hasn’t happened yet.

The real information about Universal Credit’s progress and problems will come not from the Infrastructure and Projects Authority – or the Department for Work and Pensions – but from local authorities, housing associations, landlord organisations, charities and consumer groups such as the Citizens Advice Bureau (which has called for Universal Credit to be halted), the local press, the National Audit Office and Parliamentary committees such as the Public Accounts Committee and Work and Pensions Committee.

On the smart meter rollout, the real information will come not from the Infrastructure and Projects Authority – or the Department for Business, Energy and Industrial Strategy – but from business journalist Paul Lewis, consumer advocate Martin Lewis, business organisations such as the Institute of Directors, experts such as Nick Hunn, the Energy and Climate Change Committee and even energy companies such as EDF.

Much of this “real” information will almost certainly be denied by Whitehall press officers. They’ll be briefed by senior officials to give business journalists only selected “good news” facts on a project’s progress and costs.

All of this means that the Infrastructure and Projects Authority may have good advice for departments and agencies on how to avoid project failures – and its tact and deference will be welcomed by permanent secretaries – but it’s likely the IPA will be all but useless in providing early warnings to Parliament and the public of incipient project disasters.

Ministers and some senior civil servants talk regularly about the government’s commitment to openness and accountability. When will it start applying to major government IT projects?

 

UK.gov watchdog didn’t red flag any IT projects. And that alone should be a red flag to everyone

Aftermath of the cyber attack – will ministers learn the wrong lessons?

By Tony Collins

At least 16 NHS trusts out of 47 that were hit by the ransomware attack continue to face problems, according to BBC research.

And, as some patients continued to have their cancer treatments postponed, Tory, Labour and Lib Dem politicians told of their plans to spend more money on NHS IT.

But will any new money promised by government focus on basic weaknesses – such as the lack of interoperability and the structural complexities that made the health service vulnerable to cyber attack?

Last year when the health secretary Jeremy Hunt announced £4bn for NHS IT, his focus was on new technologies such as smartphone apps to order repeat prescriptions rather than any urgent need to upgrade MRI, CT and other medical devices that rely on Windows XP.

Similarly the government-commissioned Wachter review “Making IT Work: Harnessing the Power of Health Information Technology to Improve Care in England” made no mention of Windows XP or any operating system – perhaps because ministers were much more likely to welcome a review of NHS IT that focused on innovation and new technologies.

Cancer treatments postponed

The Government’s position is that the NHS was not specifically targeted in the cyber attack and that the Tories are putting £2bn into cyber security over the next year.

Theresa May said yesterday,

“It was clear warnings were given to hospital trusts but this is not something that was focused on attacking the NHS. 150 countries are affected. Europol says there are 200,000 victims across the world. Cyber security is an issue we need to address.

“That’s why the government, when we came into government in 2010, put money into cyber security. It’s why we are putting £2bn into cyber security over the coming year.”

Similarly Jeremy Hunt, health secretary, told the BBC that the attack affected international sites that have “some of the most modern IT systems”.

But the BBC’s World at One gave an example of how the NHS’s IT problems were affecting the lives of patients.

It cited the case of Claire Hobday whose radiography appointment for breast cancer at Lincoln County Hospital was cancelled on Friday (12 May 2017) and she still doesn’t know when she’ll receive treatment. Hobday said,

“I turned up by hospital transport for my second radiotherapy session, and I, along with many other patients – at least 20 other people were waiting – and they said the computers weren’t working.

“I do have to say the staff were very good and very quickly let us all know that they were having trouble with the computers. They didn’t want to misinform us, so they were going to come and talk to us all individually and hoped they would be able to rectify it.

“Within half an hour or so they came out and said, ‘We’re really sorry but it’s not going to get sorted. We’ll send you all home and give you a call on Sunday’ which didn’t happen.

“But they did ring me this morning (15 May 2017) to say it’s not happening today and if transport turns up please don’t get in it, and it’s very unlikely it will happen tomorrow.

“It is just a bit upsetting that other authorities have managed to sort it but Lincolnshire don’t seem to have been able to do that.”

United Lincolnshire Hospitals Trust told World at One it will be back in touch with patients once the IT system is restored.

Roy Grimshaw was in the middle of an MRI scan – after dye was injected into his blood stream –  when the scan was stopped and he was asked to go back into the waiting room in his gown, with tubes attached to him, while staff investigated a computer problem. After half an hour he was told the NHS couldn’t continue the scan.

Budgets “not an issue”?

GP practices continue to be affected. Keiran Sharrock, GP and medical director of Lincolnshire local medical committee, said yesterday (15 May 2017) that systems were switched off in “many” practices.

“We still have no access to medical records of our patients. We are asking patients to only contact the surgery if they have an urgent or emergency problem that needs dealing with today. We have had to cancel routine follow-up appointments for chronic illnesses or long-term conditions.”

Martha Kearney – BBC World at One presenter –  asked Sharrock about NHS Digital’s claim that trusts were sent details of a security patch that would have protected against the latest ransomware attack.

“I don’t think in general practice we received that information or warning. It would have been useful to have had it,” replied Sharrock.

Kearney – What about claims that budget is an aspect of this?

Sharrock: “Within general practice that doesn’t seem to be the reason this happened. Most general practices have people who can work on their IT and if we’d been given the patch and told it needed to be installed, most practices would have done that straight away.”

GCHQ

World at One also spoke to Ciaran Martin, Director General for Government and Industry Cyber Security.  He is a member of the GCHQ board and its senior information risk owner.  He used to be Constitution Director at the Cabinet Office and was lead negotiator for the Prime Minister in the run-up to the Edinburgh Agreement in 2012 on a referendum on independence for Scotland.

Kearney: Did your organisation issue any warnings to the health service?

Martin: “We issue warnings and advice on how to upgrade defences constantly. It’s generally public on our website and it’s made very widely available for all organisations. We are a national organisation protecting all critical sectors and indeed individuals and smaller organisations as well.”

Huge sums spent on paying ransoms?

Kearney asked Martin, “How much money are you able to estimate is being spent on ransoms as a result of these cyber attacks?” She added,

“I did hear one astonishing claim that in the first quarter of 2016 more money was spent in the USA on responding to ransomware than [was involved] in armed robberies for the whole of that year?”

Martin: “First let me make clear that we don’t condone the payment of ransoms and we strongly advise bodies not to pay and indeed in this case the Department of Health and the NHS have been very clear that affected bodies are not to pay ransoms. Across the globe there is, sadly, a market in ransomware. It is often the private sector in shapes and sizes that is targeted.”

Martha Kearney said the UK may be a target because it has a reputation for being willing to pay ransoms.

Martin, “We are no more or less a target for ransomware than anywhere else. It’s a global business; and it is a business. It is all about return on investment for the attacker.

“What’s important about that is that it’s all about upgrading defences because you can make the return on investment lower by making it harder to get in.”

If an attacker gets in the aim must be to make it harder to get anything useful, in which case the “margin on investment goes down”. He added,

“That’s absolutely vital to addressing this problem.”

Are governments at fault?

Martin,

“Vulnerabilities will always exist in software. Regardless of who finds the underlying software defect, it’s incumbent on the entire cyber security ecosystem – individual users, enterprises, governments or whoever – to work together to mitigate the harm.”

He added that there are “all sorts of vulnerabilities out there” including with open source software.

Windows XP

Computer Weekly reports – convincingly – that the government did not cancel an IT support contract for XP.

Officials decided to end a volume pricing deal with Microsoft which left NHS organisations to continue with XP support if they chose to do so. This was clearly communicated to affected departments.

Government technology specialists, reports Computer Weekly, did not want a volume pricing deal with Microsoft to be a “comfort blanket” for organisations that – for their own local reasons – were avoiding an upgrade from XP.

Computer Weekly also reported that civil servants at the Government Digital Service expressed concerns about the lack of technical standards in the NHS to the then health minister George Freeman.

Freeman was a Department of Health minister until July 2016. In their meeting with Freeman, GDS officials emphasised the need for a central body to set technical standards across the NHS, with the authority to ensure trusts and other organisations followed best practice, and with the transparency to highlight those who chose not to.

A source told Computer Weekly that Jeremy Hunt was also briefed on the security risks that a lack of IT standards would create in a heavily-federated NHS but it was not considered a priority at that top political level.

“Hunt never grasped the problem,” said the source.

There are doubts, though, that Hunt could have forced trusts to implement national IT security standards even if he’d wanted to. NHS trusts are largely autonomous and GDS has no authority to mandate technical standards. It can only advise.

How our trust avoided being hit

A comment by an NHS IT lead on Digital Health’s website gives an insight into how his trust avoided being hit by the latest cyber attack.  He said his trust had a “focus on perimeter security” and then worked back to the desktop.

“This is then followed up by lots of IG security pop ups and finally upgrading (painfully) windows XP to windows 7…” He added,

“NHS Digital have to take a lead on this and enforce standards for us locally to be able to use.”

He also suggests that NHS Digital sign a Microsoft Enrollment for Windows Azure [EWA] agreement as it is costly arranging such a deal locally.

“NHS Digital must for me, step in and provide another MS EWA as I am sure the disruption and political fall-out will cost more. Introduce an NHS MS EWA, introduce standards for software suppliers to comply with latest OS and then use CQC to rate organisations that do not upgrade.”

Another comment on the Digital Health website says that even those organisations that could afford the deployment costs of moving from XP to Windows 7 were left with the “professional” version, which “Microsoft has mercilessly withdrawn core management features from (e.g. group policy features)”.

The comment said,

“There are a lot of mercenary enterprises taking advantage of the NHS’s inability to mandate and coordinate the required policies on suppliers which would at least give the under-funded and under-appreciated IT functions the ability to provide the service they so desperately want to.”

A third comment said that security and configuration management in the NHS is “pretty poor”. He added, “I don’t know why some hospitals continue to invest in home-brew email systems when there is a national solution ready and paid for.

“In this recent attack most of the organisations hit seem to use local email systems.”

He also criticised NHS organisations that:

  • Do not properly segment their networks
  • Allow workstations to openly and freely connect to each other in a trusted zone
  • Do not have a proper patch / update management regime
  • Do not firewall legacy systems
  • Don’t have basic ACLs [access control lists]

Three lessons?

  • Give GDS the ability to mandate no matter how many Sir Humphreys would be upset at every challenge to their authority. Government would work better if consensus and complacency at the top of the civil service were regarded as vices, while constructive, effective and forceful criticism was regarded as a virtue.
  • Give the NHS money to spend on the basic essentials rather than nice-to-haves such as a paperless NHS, trust-wide wi-fi, smartphone apps, telehealth and new websites. The essentials include interoperability – so that, at the least, all trusts can send test results and other medical information electronically to GPs –  and the upgrading of medical devices that rely on old operating systems.
  • Plan for making the NHS less dependent on monolithic Microsoft support charges.

On the first day of the attacks, Microsoft released an updated patch for older Windows systems “given the potential impact to customers and their businesses”.

Patches are available for: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, and Windows 8 x64.

Reuters reported last night that the share prices of cyber security companies “surged as investors bet on governments and corporations spending to upgrade their defences”.

Network company Cisco Systems also closed up (2.3%), perhaps because of a belief that it would benefit from more network spending driven by security needs.

Security company Avast said the countries worst affected by WannaCry – also known as WannaCrypt – were Russia, Taiwan, Ukraine and India.

Comment

In a small room on the periphery of an IT conference on board a cruise ship, nearly all of the senior security people talked openly about how their board directors had paid ransoms to release their systems after denial of service attacks.

Some of the companies – most of them household names – had paid ransoms more than once.

Until then, I’d thought that some software suppliers tended to exaggerate IT security threats to help market their solutions and services.

But I was surprised at the high percentage of large companies in that small room that had paid ransoms. I no longer doubted that the threats – and the damage – were real and pervasive.

The discussions were not “off-the-record” but I didn’t report their comments at the time because that would doubtless have had job, and possibly even career, ramifications if I had quoted the security specialists by name.

Clearly ransomware is, as the GCHQ expert Ciaran Martin put it, a global business but, as ransoms are paid secretly – there’s not a whisper in corporate annual accounts – the threat has not been taken seriously enough in some parts of the NHS.

The government’s main defence is that the NHS was not targeted specifically and that many private organisations were also affected.

But the NHS has responsibility for lives.

There may be a silver lining if a new government focuses NHS IT priorities on the basics – particularly the structural defects that make the health service an easy target for attackers.

What the NHS doesn’t need is a new set of politicians and senior civil servants who can’t help massaging their egos and trying to immortalise their legacy by announcing a patchwork of technological marvels that are fun to work on, and spend money on, but which gloss over the fact that much of the NHS is, with some notable exceptions, technologically backward.

Microsoft stockpiled patches – The Register

UK government, NHS and Windows XP support – what really happened – Computer Weekly

NHS letter on patches to counter cyber attack

Multiple sites hit by ransomware attack – Digital Health (31 comments)

Lessons from the WannaCrypt – Wannacry – cyber attack according to Microsoft

 

MPs suggest Cabinet Office is losing its grip on departments – but does it care?

By Tony Collins

The Register has an excellent piece by Kat Hall on how the Cabinet Office is losing its grip on Government departments.

Citing the annual report of the all-party Public Accounts Committee, Hall says there are issues where “departments repeatedly don’t do what they have been told or asked to do by the centre”.

An analysis by The Register found that

“government departments are winning significantly more exemptions to splash the cash on expensive IT projects since the departure of former Cabinet Office minister Francis “Mad Frankie” Maude last year”.

Chair of the Public Accounts Committee Meg Hillier said: “After my second year as Chair I am increasingly concerned about the long-term accountability of senior civil servants.

“The game of musical chairs starts as one Permanent Secretary moves on and they all change jobs in the system. And few are in post long enough to have a vested interest in the long-term aims of their department or a project.

“And there is the age-old tension between a department and central Whitehall through the Cabinet Office.”

Universal Credit and HMRC’s plans to overhaul its Aspire IT contract – the biggest in Europe – were outlined as being two areas of concern. As was the Home Office’s Emergency Services Network.

“The Home Office seemed to downplay the risks to the contract and its being caught unawares by the contractor does not reassure us that the Department is on top of the contract or this project. This could cost the taxpayer dear,” it said.

Comment:

It’s hard to argue with a comment on Hall’s piece by @JagPatel3 who suggests that some in Whitehall are as preoccupied with spin as with the efficient delivery of public services.

“… Government is preoccupied with presentation, manipulation of words and the dark art of spinning – instead of working on its programme of reform to deliver public services efficiently, to satisfy the wants, needs and expectations of the electorate.

“The political imperative of needing to put a positive slant on everything the Government does or will do, irrespective of whether it is true or not, is the reason why spin has become the centrepiece of this Government’s communications strategy.

“And because Government has got a monopoly on inside information (enabling it to maintain extremely tight control), it uses spin to divert attention away from the key issues that really matter to citizens …

“the eagerness with which senior Civil Servants have complied with their political masters’ desire to see policy announcements framed around presentation and spin, at the expense of substance, would explain why their skills set has been narrowed down to this single, dark art.”

The commentator also says that the “intense focus of attention on presentation alone has resulted in a massive gap opening up between the leadership and lower ranks of the Civil Service, who have to deal with the reality of delivering public services on the ground, on a day-to-day basis, which has in itself, led to alienation and disaffection”.

A good summary. Many ordinary civil servants are doing the hard work of delivering public services while a few of their masters are preoccupied with keeping what they do secret and justifying or defending all else that is published in National Audit Office reports, other third-party reports or leaked emails.

It’s hardly surprising the Cabinet Office is losing control of departments. Since Maude’s departure it doesn’t want control. It has become clear that it wants, in a hassle-free way, to continue with Sir Humphrey’s non-integrated approach to government.

The Cabinet Office is just another Whitehall department. Why would it want to be an “enforcer”?

Some officials “smuggle their often half-baked proposals past ministers” says Cabinet Office adviser who quits

By Tony Collins

Jerry Fishenden has resigned from the Cabinet Office’s Privacy and Consumer Advisory Group after nearly six years. First he was its chairman and more recently co-chairman.

The Privacy and Consumer Advisory Group comprises privacy and security experts who give the government independent analysis and guidance on personal data and privacy initiatives by departments, agencies and other public sector bodies. This includes GOV.UK Verify.

The group’s advice has had the citizens’ interests in mind. But the group might have been seen by some Whitehall officials as having an open and frank “outsiders” culture.

Francis Maude, then Cabinet Office minister, helped to set up the group but he left in 2015 and none of his replacements has had a comparable willingness to challenge the civil service culture.

Maude welcomed the help of outsiders in trying to change the civil service.  He tried to bring down the costs of Government IT and sought to stop unnecessary or failing projects and programmes. He also wanted to end the “oligopoly” of a handful of large IT suppliers. But Maude’s initiatives have had little continuing support among some Whitehall officials.

Fishenden said in a blog post this week that Maude had wanted the Privacy and Consumer Advisory Group to be a “critical friend” – a canary that could detect and help fix policy and technology issues before they were too far down the policy / Bill process.

“The idea was to try to avoid a repeat of previous fiascos, such as the Identity Card Act, where Whitehall generalists found themselves notably out of their depth on complex technical issues and left Ministers to pick up the pieces.”

He added that “since Francis Maude’s departure, there has been only one meeting” with subsequent Cabinet Office ministers.

“Without such backing, those officials who find the group’s expert reviews and analyses “challenging” have found it easier to ignore, attempting instead to smuggle their often half-baked proposals past Ministers without the benefit of the group’s independent assistance…

“Let’s just hope that after the election the value of the group will be rediscovered and government will breathe life back into the canary. Doing so would help realise Francis Maude’s original purpose – and bring significant benefits to us all, whether inside or outside of government.”

Comment

One of the Privacy and Consumer Group’s strengths has been its independent view of Government IT-related initiatives  – which is probably the main reason it has been marginalised.

Fishenden’s departure is further confirmation that since Maude’s departure, the Cabinet Office – apart from the Government Digital Service – has settled back into the decades-old Whitehall culture of tinkering with the system while opposing radical change.

While Whitehall’s culture remains unreformable, central government will continue to lose the best IT people from the private sector. Some of these include the former Government Digital Service executive director Mike Bracken, Stephen Foreshew-Cain, who took over from Bracken, Janet Hughes, programme director of Verify,  Andy Beale, GDS’s chief technology officer, Paul Maltby, GDS’s director of data and former Whitehall chief information officers Joe Harley, Steve Lamey, Andy Nelson and Mark Dearnley.

The unfortunate thing is that a few powerful career civil servants, including some permanent secretaries, will be delighted to lose such outsiders.

Jerry Fishenden is simply the latest casualty of a civil service tradition that puts the needs of the department before those of the citizen.

It’s a culture that hasn’t changed for decades.

The canary that ceased to be – Jerry Fishenden’s blog on his departure

Privacy and Consumer Advisory Group

Whitehall to auto-extend outsourcing deals using Brexit as excuse?

By Tony Collins

Type of government procurement spend 2014-2015. ICT is the top item.
Source: National Audit Office

Under a headline “UK outsourcing deals extended because of Brexit workload”, the Financial Times has reported that “hundreds of government contracts with the private sector that were due to expire are to be automatically extended because civil servants are too busy with Brexit to focus on new and better-value tenders”.

The FT says the decision to roll over the contracts could prove expensive for taxpayers because it limits competition and undermines government efforts to improve procurement.

A “procurement adviser to the government” whom the FT doesn’t name, said more than 250 contracts were either close to expiring or had already expired in 2016-17. The adviser told the FT,

“Brexit has pushed them down the list of priorities so there are lots of extensions and re-extensions of existing deals.”

The adviser added that this was the only way civil servants could prioritise the huge increase in Brexit-related work since the referendum.

Extensions

The FT provides no evidence of automatic contract extensions or the claim that deals will be extended because of the civil service’s Brexit workload.

There is evidence, however, that Whitehall officials tend to extend contracts beyond their original expiry date.

In a report published this year on the Cabinet Office’s Crown Commercial Service, the National Audit Office identified 22 framework contracts that were due to expire in 2016-17. Half of them (eleven) were extended beyond their original expiry date.

[The Crown Commercial Service was set up in 2014 to improve state procurement.]

The NAO also found that Whitehall departments – and the Crown Commercial Service – have been awarding contracts using expired framework deals, even though this contravenes public contracting regulations.

In 2015-16, 21 of the 39 frameworks that were due to expire were extended without competition or market testing, according to the NAO.

One example of an extended contract is a deal between Capita and the Department for Work and Pensions which started in 2010. Capita provides eligibility assessments for the personal independent payment allowance, which supports people with long-term ill health or disability.

The five-year deal was extended by two years until July 2019.

Capita has also won a three-year extension to a contract with the Pensions Regulator and the BBC has extended a deal with Capita that was signed originally in 2002 to June 2022 – a total of at least 20 years.

Open competition?

The NAO has found that extending ICT contracts may not always be good for taxpayers. In the later years of their government contracts, suppliers tend to make higher margins (though not always).

There are also suggestions that civil servants will sometimes sign contract extensions when the performance of the supplier does not meet expected standards.

On ICT, the Cabinet Office asks central departments to complete a return every six months for each business process outsourcing and facilities management contract above £20m with strategic suppliers.

The survey asks whether the contract is being delivered on time, to scope, to budget, to the appropriate standards, and whether there have been any disputes.

In one study of government contracts with ICT suppliers, the NAO found that, of 259 returns from departments, 42 highlighted problems that included,

  • failure to achieve milestones
  • dissatisfaction with quality of outputs
  • errors and other issues with delivery
  • poor customer engagement and end user dissatisfaction and
  • failure to meet key performance indicators.

Comment

For taxpayers there is some good news.

A break-up of “Aspire”, the biggest IT outsourcing long-term deal of all, between HMRC and Capgemini (and to a lesser extent Fujitsu) – worth about £9bn – is going ahead this June. An HMRC spokesman says,

“HMRC is on track to complete the phased exit from Aspire, as planned, by June 2017.”

And according to Government Computing, Defra’s IT outsourcing contracts with IBM and Capgemini under a £1.6bn contract called “Unity” are due to expire in 2018 and there are no signs the deals will be extended.

But the Department for Work and Pensions’ huge IT outsourcing contracts with the same major suppliers are renewed routinely and not always with open competition. The DWP says on its website,

“DWP contracts are awarded by competition between potential suppliers, unless there are compelling reasons why competition cannot be used.”

The DWP doesn’t define “compelling”. Nor is it clear whether its auditors look at whether the DWP has put up a compelling case for not putting a large IT contract out to open competition.

In 2014 the Public Accounts Committee, after investigating major suppliers to government, concluded,

“Government is clearly failing to manage performance across the board, and to achieve the best for citizens out of the contracts into which they have entered.

“Government needs a far more professional and skilled approach to managing contracts and contractors, and contractors need to demonstrate the high standards of ethics expected in the conduct of public business, and be more transparent about their performance and costs”.

Breaking up is hard to do

The break up of the huge Aspire IT outsourcing contract at HMRC is an exception, not the rule. The NAO has found that civil servants regard their major incumbent suppliers as safe and less risky than hiring a smaller company (that’s not steeped in Whitehall’s culture).

The NAO has also found that in some cases officials don’t know whether their suppliers are performing well or not. On many ICT contracts there is “open book” accounting, but not all departments have the staff or expertise to check regularly on whether their suppliers’ profits are excessive.

If Whitehall, with exceptions, is continuing to roll over contracts whether it’s legal to do so or not, what incentive exists to stick to the rules?

Brexit?

The FT story suggests Brexit is the reason hundreds of contracts are to be extended automatically. There’s probably truth in the automatic extension of some contracts – but it’s unlikely to be because of Brexit.

It’s unlikely that the civil servants involved in Brexit will be the same ones who are handling ICT contract extensions. That said, Brexit will inevitably put a higher workload on lawyers working for government.

If contracts are being extended automatically, it’s probably because that’s the way it has always been, at least within living memory.

While Sir Humphrey and his senior officials remain only nominally accountable to Parliament for how they spend taxpayers’ money, the easiest option of renewing or extending existing contracts will usually be seen as the best option.

It can be justified with “compelling” arguments such as a need to make an urgent decision in difficult circumstances, or the absence of alternative suppliers who have the necessary skills or the financial strength to accept the risks of failure.

Will anything change?

Until departments have to publish contemporaneously their intentions to award contracts without open competition or there is effective accountability within the civil service for major decisions, little is likely to change.

It hasn’t happened yet and there’s no reason to believe it will.  Many politicians including prime ministers have tried to reform the civil service and they haven’t ruffled a single carpet in the corridors of Whitehall.

As Antony Jay, co-writer of Yes Minister,  said in January 2013,

“The central anomaly is that civil servants have years of experience, jobs for life, and a budget of hundreds of billions of pounds, while ministers have, usually, little or no experience of the job and could be kicked out tomorrow.

“After researching and writing 44 episodes and a play, I find government much easier to understand by looking at ministers as public relations consultants to the real government – which is, of course, the Civil Service.”

In short, Brexit is likely to be officialdom’s up-to-date excuse for carrying on much as before.

Thank you to @TimMorton2 for alerting me to the FT article.

Large suppliers still dominate government IT

By Tony Collins

In 2012, the then Cabinet Office minister Francis Maude lamented the high costs of government IT and spoke of an “oligopoly” of large suppliers. He suggested things would change.

“… contracts were consistently awarded to a limited number of very large suppliers on long-term exclusive contracts.

“As a result there was inadequate competition and an abdication of control. The concept of having one supplier, aggregated supply, increased project risk and removed competitive tension.

“The Government repeatedly found itself paying large amounts for systems that were delivered late, over budget and which often did not fully meet the original policy requirement.  If indeed, they were delivered at all. There are plenty of well-documented disasters – such as DH’s now terminated National programme for IT.

“Ultimately, the last Government lost control of IT – it outsourced not only delivery, but its entire strategy and ability to shape the future of our public services.

“At the same time smaller, more innovative and efficient suppliers were finding themselves locked out of the supply of services to Government because of what was described by Parliament as a powerful “oligopoly” of large suppliers.

“Procurements took so long only the big companies could absorb the cost – which they naturally passed on to us.

“All in all, we had an approach that was bad for users, bad for the taxpayer and bad for growth.”

Public sector IT spending was up to £20bn a year, he said, adding that “public sector productivity was actually declining”.  He outlined how things were changing.

What has happened since?

A report published today by the National Audit Office, “Digital Transformation in Government”, raises a question of how much has changed.

Efforts to boost the SME share of government IT business “have had some impact”, says the National Audit Office, but it adds that “most government procurement with digital and technology suppliers continues to be with large organisations”.

“In 2015-16, 94% of such spending was with large enterprises, a fall of less than one percentage point since 2012-13.”

Today’s NAO report is mainly about the Cabinet Office’s Government Digital Service – GDS. It points out GDS’s strengths and weaknesses but in general does not give any advice on the sensitive point of whether it should have more or less influence on government IT.

On digital transformation, it says that the work of the NAO shows that attempts to transform government have had mixed success.

“Many public services appear increasingly unsustainable. Those responsible for major programmes have continued to exhibit over-optimism and make slow progress towards their objectives.”

It adds,

“Digital transformation has a mixed track record across government. It has not yet provided a level of change that will allow government to further reduce costs while still meeting people’s needs.

“GDS has also struggled to demonstrate the value of its own flagship initiatives such as Verify, or to set out clear priorities between departmental and cross-government objectives.

“GDS’s renewed approach aims to address many of these concerns as it expands and develops into a more established part of government. But there continues to be a risk that GDS is trying to cover too broad a remit with unclear accountabilities.

“To achieve value for money and support transformation across government, GDS needs to be clear about its role and strike a balance between robust assurance and a more consultative approach.”

Comment

The National Audit Office report is strong on facts and quality of research but avoids the big question of how GDS can bring about change when the top brass in departments prefer autonomy to what they see as GDS’s interference.

GDS’s existence goes to the heart of how the civil service runs. It is one part of the civil service trying to bring about change in other parts of the civil service.

And the evidence so far is that the civil service doesn’t like change.

The NAO report disappoints because it doesn’t address how government IT is to change if departments are to continue to run empires unchallenged by GDS or the heads of the civil service. Sir Humphrey is still king.

GDS scrutinises departmental IT spending – spending applications are reviewed by a team of eight people within GDS’s Standards Assurance team – but, much to Sir Humphrey’s delight, GDS’s influence seems to be waning.

When Jack Straw was Justice secretary, he told MPs in 2007 that when he abandoned projects there was a fuss at first and soon nobody noticed the project did not exist.

“There is always the option to abandon things. I did that in the Foreign Office with much complaint that the world might end.

“What happened was that we saved a lot of money and no one ever noticed the fact that that scheme did not exist…it is very frustrating that so many people, including the private sector, are taken in by snake oil salesmen from IT contractor who are not necessarily very competent and make a lot of money out of these things. I am pretty intolerant of this.”

How much has changed? Outsiders including Jack Straw and Francis Maude, together with insiders such as Chris Chant, have pointed to the need for major changes in the way departments manage huge IT budgets, and there have been some improvements: HMRC is breaking up its monolithic “Aspire” contract, citizens may notice that it is now possible to renew passports and driving licences online, and GDS has had an impact in making departments think hard about whether they really need to spend the amounts they do on major IT contracts.

But major change in the costs of government IT seems not just a long way off but unattainable while the dominance of Sir Humphrey remains unchallenged.

Digital Transformation in Government – NAO report

Crazy – millions of citizens offered two competing government identity systems

 

From HMRC’s website on Gov.UK … Which should you choose to confirm your identity?
HMRC and other government departments are offering millions of citizens the choice of two “competing” identity systems – the Cabinet Office’s GOV.UK Verify, or HMRC’s Government Gateway.
There’s no guidance offered on which to choose; and no explanation for the absence of joined-up thinking.

By Tony Collins

When Whitehall departments do their own thing, the public rarely notices the duplicated time, effort and cost, at least when it comes to IT.  Now the “silo” approach has spilled out into the public arena.

The Government Digital Service – part of the Cabinet Office – developed GOV.UK Verify to enable people to confirm their identity when they want to use government services online.

At the same time, HMRC continued to work on a separate identity system: Government Gateway.

The cost of the two developments isn’t known.

HMRC prefers its own development work on Government Gateway because it enables companies as well as individuals to identify themselves. Verify is designed for individual use.

But instead of adapting one or the other to serve individuals and companies, or using Government Gateway for companies only, central departments are offering both  – with no guidance on which system citizens should choose; and there’s no explanation for the absence of a joined-up approach to IT.

The BBC’s technology correspondent Rory Cellan-Jones says of the two separate identity systems that GDS and HMRC are engaged in a “bitter turf war”.

Comment

Today I went online to renew a driving licence and was shepherded by DVLA to use the Government Gateway identity system. A few weeks ago I had already successfully registered with GOV.UK Verify.

Government Gateway didn’t work properly, for me at least, although I had all the correct documents.

When I registered to use a different government service a few weeks ago I had no choice but to use GOV.UK Verify to confirm my identity. Verify was thorough, seamless and worked perfectly. Impressive. It left the impression of a system that had been well thought out, with the citizen in mind.

Putting aside the fact that Government Gateway did not work for me, it seemed dated, much less thorough than Verify, and left an impression of transience – that it was a temporary “make-do” system. For instance, the help screens were not tailored to the particular question being asked. Not impressive.

For me, GOV.UK Verify is the identity system of choice. It could surely be adapted to confirm the identities of companies – unless HMRC would rather continue to do its own thing.

It’s ludicrous that central government is spending billions on IT annually without a joined-up approach. Ministers keep promising it. Officials at conferences keep promising it. Whitehall press releases promise it.

A few weeks ago departments were offering only Government Gateway or GOV.UK Verify. Now many of them are offering both.

That’s progress?

Disturbing

A wider point of Whitehall’s dual IT approach to identity verification is that it’s the tip of the iceberg (apologies for the cliché but it’s apt).

With their ICT budgets, collectively, of billions of pounds a year, central departments are, in the main, doing their own thing.

A politician with the clout of Francis Maude may be needed to bang the heads of permanent secretaries together. But even if Maude’s replacement Ben Gummer had that clout – and he doesn’t – permanent secretaries and departmental boards would complain that the Cabinet Office was interfering.

Complaints along these lines would be made, perhaps, in off-the-record briefings to friendly journalists and to the National Audit Office in departmental responses to NAO surveys of senior officials, with the result that the Cabinet Office would end up backing away from trying to enforce a joined up IT approach.

That a genuine joined-up approach to government IT has been talked about for decades and hasn’t happened is largely because, outside of determining the size of budgets, it is the permanent secretaries and their senior officials who hold power in Whitehall, not transient politicians.

And bureaucracies always want to keep their departmental empires as intact as possible.

The current two top Whitehall officials, Cabinet Secretary Sir Jeremy Heywood and John Manzoni, chief executive of the civil service, are consensus-seeking people, not at all confrontational. Probably their lack of a controversial edge is one of the main reasons they were chosen for their jobs.

All of which means there’s no chance of permanent secretary heads being banged together in an effort to cut costs and help bring about joined up government IT.

In 2012, Francis Maude, then Cabinet Office minister, said, in a speech to the FT Innovate Conference,

“In the last decade our IT costs have gone up – while our services remained patchy. According to some estimates, we spend more on IT per capita than any other government.”

Is government ICT spending much less today? Perhaps HMRC’s Government Gateway officials would let us know.

**

Some Twitter comments