External security tests on the government's flagship digital identity system, GOV.UK One Login, have found serious vulnerabilities in the live service, Computer Weekly has learned.

A “red teaming” exercise conducted in March by IT security consultancy Cyberis discovered that privileged access to One Login can be compromised without detection by security monitoring tools.

According to Cyberis, red teaming tests the resilience of systems by simulating the tactics, techniques and procedures of cyber attackers to show how well an organisation can detect and respond to an incident.

Computer Weekly has been asked by the Department for Science, Innovation and Technology (DSIT) … problem.

Compromising the highest levels of access to a system risks exposing personal data and software code to any cyber attackers able to exploit the vulnerability.

A government spokesperson said: “Delivering best practice, we routinely conduct red teaming exercises to test security infrastructure. Where ise

The existence of a serious current vulnerability will raise further concerns over the security of One Login, which is intended to be the way that citizens prove their identity and log in to most online government services.

There are already six million users of the system, and it is used to access more than 50 online services.

Last month, Computer Weekly revealed that GDS was warned by the Cabinet Office in November 2022 and the National Cyber Security Centre (NCSC) in September 2023 that One Login had “serious data protection failings” and “significant shortcomings” in information security that would increase the risk of data breaches and identity theft.

GDS said the concerns were “outdated” and arose “when the technology was in its infancy in 2023”, despite One Login being used at that time to support live services. “We have worked to address all these concerns, as evidenced by multiple external independent assessments.”

A whistleblower first raised security concerns about One Login with GDS as long ago as July 2022, warning of a risk of transmitting security vulnerabilities, such as malware or phishing attacks, that could compromise the live system.

The NCSC recommends that system administration for key government services should be conducted from a dedicated device used only for that purpose, known as a privileged access workstation (PAW), or alternatively using only “browse-down” devices, where the security level of the device is always the same as or greater than that of the system being managed. The whistleblower warned that a lack of PAWs and the use of browse-up administration were significant risks.

Computer Weekly subsequently revealed that the One Login team has yet to fully meet NCSC guidelines – the system only complies with 21 of the 39 outcomes detailed in the NCSC Cyber Assessment Framework (CAF) – an improvement on the five outcomes it successfully followed a year ago.

The One Login development team has also yet to fully implement the government's Secure by Design practices, although GDS said the system “meets these principles”.

Earlier this week, we further revealed that One Login has lost its certification under the government's own trust framework for digital identity systems, after a key technology supplier allowed its certificate to lapse and, as a result, One Login was removed from the official accreditation scheme.

In a meeting with private sector digital identity providers this week (Wednesday 14 May), DSIT Secretary of State Peter Kyle explained how One Login will underpin the forthcoming GOV.UK Wallet, which will be used to deliver digital versions of key government documents, such as driving licences.

Kyle talked about the “rapid journey” he hopes the government will take in delivering digital identity services for citizens, and stressed the importance of ensuring that the systems are “delivered safely [and] securely”.

The government spokesperson added: “GOV.UK One Login follows the highest security standards for government and private sector services – including dedicated 24/7 eyes-on monitoring and incident … the public rightly expects, protecting the security of government services and the data and privacy of users to keep pace with the changing cyber threat landscape is paramount.”

Questions are also being asked in Parliament about the security of One Login. In recent weeks, Liberal Democrat peer and digital spokesman Tim Clement-Jones and Conservative peer Simone Finn have separately submitted parliamentary questions to DSIT asking … system.

Finn asked whether the government has “quantified the likelihood and potential impact of insider threats, unauthorised privileged access, and production environment compromise with One Login”.

In response, DSIT minister for the future digital economy and online safety, peer Maggie Jones, said: “The GOV.UK One Login team collaborates closely with the NCSC to assess and mitigate risks associated with insider threats, unauthorised privileged access, and production environment compromise, aligning with the Cyber Assessment Framework outlined in the Government Cyber Security Strategy 2022-2030.

“While assessments of insider threats have been made, copies of these assessments will not be placed in the Library of the House, as they are part of ongoing … and internal governance processes.”

Clement-Jones asked: “What steps [the government is] taking to address security issues in the One Login digital identification system?”

Jones replied: “One Login follows the highest security standards for government and private sector services. … users to keep pace with the changing cyber threat landscape is paramount.

“Security best practice is followed with a number of layered security controls, which include: security clearances for staff, with ‘Security Check’ clearance for all developers with production access; identity and access management controls that block staff from viewing or altering personal information; … around builds and deployments; logging and monitoring of access to environments that contain personally identifiable information; … for access.”

Speaking to Computer Weekly about the security concerns, Clement-Jones said: “How is the government's flagship digital identity system failing to meet standards … form an essential part of our immigration controls?”
