In his first post since becoming the Chief Technology Officer for the Public Services Network, James Duncan outlines the plans for improving the PSN.
People have told me many times that they think the Public Services Network is something that needs to change. I heard this before I took the role of the CTO, and it’s not a message that has been lost on me since.
It’s been difficult to understand what the PSN is, what it does, and what it could do. Partly because it hasn’t been well communicated, but also because it’s been a difficult thing to understand. Is it a network? Is it a group of people? A set of standards? The what has been as complicated as the how.
Simply put, the Public Services Network (PSN) is the government’s high-performance network.
User need
In an attempt to explain the PSN more clearly, we’ve migrated the PSN website to GOV.UK. With the change comes a focus on simple, clear writing that anybody can understand. More important, however, is a strong focus on the user need.
Our users, predominantly, are the ±380 local authorities that rely on the PSN to conduct their business. We can’t forget about the central government departments that also use our network, but in the past it seems that we’ve focused on them at the expense of the many city, district and county councils that make up the majority of our customer base.
The original vision for the PSN didn’t just call for these organisations either. It had a mission - one that we think is valuable and viable - of ensuring everybody who regularly uses public sector data can communicate. This includes schools, doctors’ surgeries, pharmacies, emergency services, hospitals and charities large and small.
In some ways, the timing of the PSN team moving to the Government Digital Service was difficult. The new Government Security Classification system was introduced the very next day, and the PSN makes for a very good example of a product designed to operate in the old protective marking system. Fortunately, this gives us an opportunity to change things for the better, and to move forward from what has happened in the past.
Two networks become one
Firstly, we need to look at the two aspects of the PSN.
The PSN has been two networks, one suitable for what was once called IL2 traffic, and another suitable for data at IL3. However, now both only carry OFFICIAL traffic. This has left us with the question of what the user need is for the Protected network, as what we really need is one Public Services Network.
There are currently some ±580 connections to the PSN; of these, comparatively few are connections to the Protected network. The incongruence between OFFICIAL and the stratification of the PSN network means that we need to do something to simplify it. We need the PSN to become a single network, where information can travel seamlessly from one end to the other. We have been talking - and will continue to talk - to suppliers, customers and stakeholders about how best to achieve this.
Accreditation and compliance
When it comes to accreditation and compliance, the PSN has been challenging for users. At its heart, the main activity of the current Compliance Team is to assure that the network is “trusted”, and to work with Local Authorities and other users to make sure they are meeting the requirements of the code of connection.
As David Mead blogged a little while ago, we are implementing three approaches to assurance: Connection, Service and Connectivity.
The compliance regime currently in place for customers wishing to obtain a Connection to the PSN is fraught with problems. It is costly to implement, both for those attempting to comply with the requirements and for the PSN team to assure. It is time-consuming and complex and, most important of all, there are circumstances where we may not be as aware of the status of security as we should be. We are evaluating alternative certification schemes, such as Cyber Essentials, that simplify the criteria and reduce the burden for customers, while ensuring a known baseline standard for cyber security has been reached.
Previously, for suppliers, a Pan-Government Accreditor (PGA) would accredit services against the requirements for the Impact Levels. This created an unwieldy bottleneck that has actively added cost to supplier services, and slowed down the rate at which new services are made available on the network. We are changing the over-the-top Service assurance to be more in line with G-Cloud and the Cloud Service Security Principles.
For Connectivity we are maintaining the same scrutiny we always have. Suppliers wishing to provide network capability to customers have to ensure their offering is accredited to the CESG Assured Service (Telecoms) standard - known as CAS(T).
Connecting via the internet
Finally, we need to acknowledge that the majority of customers wishing to connect to the PSN already have internet connections, that more and more government services are being moved online, and that our current connection options neither take advantage of this nor enable it. We need to embrace the internet as a transit method for data that is, under certain constraints, suitable for OFFICIAL. To that end, we’re creating an option for connectivity that allows customers to connect using suitable encryption, via the internet.
This will broaden the accessible market for suppliers and increase the number of consumers on the network.
We hope these changes, as well as many other, smaller changes we are making in how we deal with and think about our stakeholders and customers, will improve the PSN. We want PSN to continue to deliver opportunities for data sharing across the public sector.
10 comments
Comment by Paul Hackett posted on
To me PSN should "do what it says on the tin" - and I think many have lost sight of the original vision. The PSN’s true value lies in its ability to deliver transformational frontline services. A common network and shared services - with the appropriate security levels - could allow local authorities, government departments, police, health and voluntary organisations to work more collaboratively. It could facilitate, for example, freeing-up beds, and help better continuity of care in the community. A school nurse accessing health systems from the school; the midwife accessing from a Council Children's centre. Where has the ambition gone? I suspect that not engaging with the service has left PSN implementation in ICT's hands and all too often it's just replace what we had almost like for like.
Comment by James Duncan posted on
Dear Paul,
Thank you for your feedback.
I think the ambition is still there. True, the original vision became a little clouded but the changes we're working on will deliver a network that brings together a far broader community. And that will help connect those people who can really make a difference at the frontline.
Comment by Phil Davies posted on
Whilst the PSN has experienced some teething issues, the move towards giving each Government Department Senior Information Risk Owner the ability to consider risk and select mitigation actions more independently has been largely positive. This is why I was surprised to see a move away from the current system.
SIROs who have taken ownership of the security options available to them have widely chosen to implement the two existing PSN connectivity services, and invested heavily in building them. To dismantle the second ‘Protected’ service now will not only have costly implications, but discredits the informed choices made by those decision makers.
Whilst fully in support of your crusade to strengthen public sector defences, I am cautious of removing the market’s ability to decide its own fate. With a largely successful system in place, I can’t help but think – if it’s not broken, don’t try and fix it.
Comment by James Duncan posted on
Dear Phil,
Thank you for your comment.
While we agree that the PSN has catered for central government fairly well in the past, we have to recognise that the users of the PSN extend far beyond the confines of Whitehall. What we're trying to do is give a wider range of users a wider range of options in terms of how they connect, collaborate and share information and services with each other.
With respect to the Protected service, what we're doing isn't "dismantling" the service; we're simply recognising that the information security landscape has changed. SIROs and other users now have more freedom to make informed choices about how to handle their information, and giving them the freedom to choose whether to use the Protected service or not is just one of the positive consequences of that.
Comment by J Knowles posted on
How about reducing the existing red tape? Our PSN provider, Vodafone, has just refused to submit a PSN application for a domain name to be listed because "The word document needs to be signed properly, scanned, and the scanned copy needs to be sent to us". The form IS signed in a signature font by an IT Head. It's bad enough to be forced to submit two forms instead of the one required under GCF; forcing the use of pen and paper in 2015 is adding insult to injury.
Comment by Simon Russell posted on
For us working in small District Councils, PSN has been nothing but a nightmare. Although the ICT departments recognise the good security principles behind it, the heavy-handed approach has left us at odds with our executive, colleagues and suppliers. We have been left to force through any changes without any real assistance even on a technical level. The refusal of PSN staff to even give guidance on if a new system will meet PSN standards has left us cancelling projects or refusing to even look at them until clear guidance is given. It's time that whoever is running PSN engages in a meaningful way with those of us trying to implement the standard.
Comment by James Duncan posted on
Thanks for the feedback Simon.
We understand your concerns about the previous regime but we're pleased to say we've come a long way since those days. We’ve simplified and streamlined the organisational structure of the PSN team to make sure it’s more responsive to the needs of the PSN community, and we're working closely and collaboratively with customers to help them renew compliance. It's certainly reducing the number of rejected submissions and escalations, and the community feel they’re more involved than they have been. We think you'll have a very different experience when you renew.
Comment by James Duncan posted on
Dear John,
Thank you for your comments.
We agree that the current process for getting domain names on the PSN is unnecessarily bureaucratic, and - like all the other interactions with the PSN team - GDS will streamline it and make it digital by default. So far we have focussed our efforts on the highest-volume transactions first, where the user need is greatest, and the transaction cost is highest. We'll get to these lower-cost, less frequent transactions as soon as we can.
Comment by Andrew Philp posted on
Can you please give us an update on your investigations as to what you will be doing with the two connectivity options for the PSN now that they both carry OFFICIAL traffic?
Comment by Raphaelle Heaf posted on
The two connectivity options for PSN are PSN Protected and PSN Assured. PSN Protected is a network-layer encrypted overlay that runs over PSN Assured.
We've recently blogged about the new principles, which you can read about here https://governmenttechnology.blog.gov.uk/2015/07/20/network-principles-for-government
We have asked the suppliers of PSN Protected connectivity to jointly develop and agree a proposal that brings together the two networks, and allows traffic to move freely between them. These suppliers are best placed to do this as they understand the implications of changes on their own networks. The suppliers have agreed some high level principles and are now working through the detail.