In his first post since becoming the Chief Technology Officer for the Public Services Network, James Duncan outlines the plans for improving the PSN.
People have told me many times that they think the Public Services Network is something that needs to change. I heard this before I took the role of the CTO, and it’s not a message that has been lost on me since.
It’s been difficult to understand what the PSN is, what it does, and what it could do. Partly because it hasn’t been well communicated, but also because it’s been a difficult thing to understand. Is it a network? Is it a group of people? A set of standards? The what has been as complicated as the how.
Simply put, the Public Services Network (PSN) is the government’s high-performance network.
In an attempt to more clearly explain the PSN, we’ve migrated the PSN website to GOV.UK. With the change comes a focus on simple, clear writing that anybody can understand. More important, however, is a strong focus on the user need.
Our users, predominantly, are the ±380 local authorities that rely on the PSN to conduct their business. We can’t forget about the central government departments that also use our network, but in the past it seems that we’ve focused on them at the expense of the many city, district and county councils that make up the majority of our customer base.
The original vision for the PSN didn’t just call for these organisations either. It had a mission - one that we think is valuable and viable - of ensuring everybody who regularly uses public sector data can communicate. This includes schools, doctors’ surgeries, pharmacies, emergency services, hospitals and charities large and small.
In some ways, the timing of the PSN team moving to the Government Digital Service was difficult. The new Government Security Classification system was introduced the very next day, and the PSN makes for a very good example of a product designed to operate in the old protective marking system. Fortunately, this gives us an opportunity to change things for the better, and to move forward from what has happened in the past.
Two networks become one
Firstly, we need to look at the two aspects of the PSN.
The PSN has been two networks, one suitable for what was once called IL2 traffic, and another suitable for data at IL3. However, now both only carry OFFICIAL traffic. This has left us with the question of what the user need is for the Protected network, as what we really need is one Public Services Network.
There are currently some ±580 connections to the PSN; of these, comparatively few are connections to the Protected network. The incongruence between OFFICIAL and the stratification of the PSN network means that we need to do something to simplify it. We need the PSN to become a single network, where information can travel seamlessly from one end to the other. We have been talking - and will continue to talk - to suppliers, customers and stakeholders about how best to achieve this.
Accreditation and compliance
When it comes to accreditation and compliance, the PSN has been challenging for users. At its heart, the main activity of the current Compliance Team is to assure that the network is “trusted”, and to work with Local Authorities and other users to make sure they are meeting the requirements of the code of connection.
As David Mead blogged a little while ago, we are implementing three approaches to assurance: Connection, Service and Connectivity.
The compliance regime currently in place for customers wishing to obtain a Connection to the PSN is fraught with problems. It is costly, both for those attempting to comply with the requirements and for the PSN team to assure. It is time-consuming and complex and, most important of all, there are circumstances where we may not be as aware of the status of security as we should be. We are evaluating alternate certification schemes, such as Cyber Essentials, that simplify the criteria and reduce the burden for customers, while ensuring a known baseline standard for cyber security has been reached.
Previously, for suppliers, a Pan-Government Accreditor (PGA) would accredit services against the requirements for the Impact Levels. This created an unwieldy bottleneck that has actively added cost to supplier services, and slowed down the rate at which new services are made available on the network. We are changing the over-the-top Service assurance to be more in line with G-Cloud and the Cloud Service Security Principles.
For Connectivity we are maintaining the same scrutiny we always have. Suppliers wishing to provide network capability to customers have to ensure their offering is accredited to the CESG Assured Service (Telecoms) standard - known as CAS(T).
Connecting via the internet
Finally, we need to acknowledge the fact that the majority of customers wishing to connect to the PSN already have internet connections, the fact that more and more government services are being moved online, and that our current connection options do not take advantage of, or enable, this. We need to embrace the internet as a transit method for data that is, under certain constraints, suitable for OFFICIAL. To that end, we’re creating an option for connectivity that allows customers to connect using suitable encryption, via the internet.
This will broaden the accessible market for suppliers and increase the number of consumers on the network.
We hope these changes, as well as many other, smaller changes we are making in how we deal with and think about our stakeholders and customers, will improve the PSN. We want PSN to continue to deliver opportunities for data sharing across the public sector.