New HMG GSCP - First Look Details
On 30th June 2023, the UK Government published a new and updated data classification policy - the 'Government Security Classifications Policy' [GSCP] - to replace the previous 'Government Security Classifications' scheme [GSCS] (which had in turn replaced the previously very long-standing Government Protective Marking Scheme [GPMS] a decade before*).
* Yes, it's now over a decade since the GSCS was published (December 2012), though it only came into effect on 2nd April 2014, and some orgs didn't adopt it for years after that.
The initial read of the primary document suggested a few foibles in the new policy - I wrote very briefly about them here.
In that post I picked up on the inference that "risk to life" was identified as existing at all three tiers (yes, the new Policy still claims to have three tiers - though as we'll see it's not clear that's still a justifiable claim). As I suspected, that's not necessarily true - but it's not clearly false either.
First, and most important, before I give a bullet point summary - this new GSCP is really complicated. I don't mean it's just complex; all data classification is inherently complex. This is genuinely complicated.
Changing to adopt everything that the GSCP tells you to do is going to be really, really hard for most organisations, and history suggests that this means most folks just won't do it, or worse still, they won't do it well, consistently or accurately.
Bullet point 'Exec Summary'
Not all of the documents are internally consistent, and how you'll position the GSCP in your head (and potentially internally when it's explained to the Seniors) is likely to depend on the document(s) you read most and anchor yourself to.
In addition to the documents there are videos on the web page too...
GSCP is all about Confidentiality; Integrity gets ONE mention (re the use of email & DMARC), and Availability doesn't make the cut at all.
NB: To be fair, GSCS and GPMS were also mostly about Confidentiality, but they both at least recognised Integrity & Availability existed, and expressly called out you needed to do something about them.
In addition, CESG introduced the associated model of BILs (Business Impact Levels) to force folks to think about I & A, and though it surprises a lot of folks, right up until 29th June when it was removed, the GSCS did so also.
BILs didn't actually disappear from UK Classification policy until last Friday - surprising I know, but true...
O-S used to be based solely on a 'need to know' requirement suitably stated for each piece of data; but now it's supposedly meant to be based on Impact and on 'releasability' to the public.
"-SENSITIVE marking should be applied to OFFICIAL information that is not intended for public release and that is of at least some interest to threat actors (internal or external), activists or the media."
Although I say that it's now based on Impact and releasability to the public, other parts of the same guidance say it's still definitely about "need-to-know", so this is confusing.
Given the amount of effort applied to create 'Handling Instruction' descriptors however (see below), which means that a simple O-S for need to know is kind of pointless, I think the suggestion that it's still all about "need-to-know" is weak.
Therefore - It seems to mostly be about impact now...
Although these criteria make it sound like O-S should maybe be in a different tier, it definitely isn't according to Cabinet Office. Instead the same broad and baseline controls should apply to both OFFICIAL and O-S.
This means that (in theory) you could still put your O-S information - which is "likely to be subject to heightened interest and attacks simply by virtue of being O-S*", and would have moderate impacts if compromised - onto Hyperscale Public Clouds, if you're so minded; but it could well breach their acceptable use policies and terms of service, so be very careful if you do that.
Best way to think about this change is to consider 'plain' OFFICIAL as being like old-school PROTECT, with OFFICIAL_Sensitive as mostly old-time RESTRICTED.
Both of them can be protected as per old PROTECT-type assurance - and strangely some of the things you are told to consider at O don't apply to O-S, even though they'd be sensible.
* One commenter asked about SNI (a descriptor applied in civil nuclear for 'Sensitive Nuclear Information'). At present no guidance on that is forthcoming, but IF, as Cabinet Office suggest, having data marked as O-S will be enough to expect focussed attack by threat actors, then O-S SNI must be the same but with bells on?
It might seem a strange thing to say in a Government Policy that you need to comply with a Government's own laws - but we live in strange times, plus there's LOADS of evidence that right now whole sectors of UK Government don't simply fail to properly follow laws and regulations; they openly flout them.
As a result, it's good that the Policy makes clear that laws are to be observed, though disquieting that it then both directs the reader to look for exemptions where it might not need to be applied, and also fails to recognise that there are multiple jurisdictions in the UK (and that those laws might be quite important).
Ignore for the moment that the overarching document ('Government Security Classifications Policy') says that bad things can by exception happen in the OFFICIAL Tier (like a person dying as a result of data release).
If you read the actual Tier descriptions you'll quickly establish that if people work within the description of the OFFICIAL tier (including, for the moment, OFFICIAL-SENSITIVE) that's just not possible.
'Guidance 1.1: Working at OFFICIAL' tells us that OFFICIAL data is now material that "would typically cause limited to no negative consequences for HMG, our partners (including damage to confidence in the confidentiality between HMG and its partners) or to an individual".
This is a pretty low ceiling then...not much headroom for a bad outcome to occur.
OFFICIAL - SENSITIVE lies a little bit above that; "Information that is not intended for public release and that is of at least some interest to threat actors (internal or external), activists or the media." and "A compromise could cause moderate, short-term damage to: HMG, the UK’s international reputation, the UK economy, HMG’s relations with its partners (including international partners) or moderate harm or distress to an individual or group of people."
Taken together, the worst that should happen in an OFFICIAL Tier is that a person gets hurt, or there's some short term reputational damage to Gov. Definitely no risk to life here & nothing to see - now move along.
Conversely, SECRET data (from 'Guidance 1.2 - Working at SECRET') has this description: "A compromise of SECRET information has serious implications. It could: threaten the lives of individuals or groups; and/or seriously damage the UK’s security resilience, international relations, financial security; and/or, impede the UK’s ability to investigate serious and organised crime."
This sounds more like the area in which Police, Law Enforcement and Public Safety organisations operate (and that might concern them 'cos they've all relied expressly on NOT having to run their systems at SECRET).
From the above it looks very much like 'Threat to Life' is above the OFFICIAL Tier AND that it's now SECRET; but not so fast...
SECRET also requires you to consider the capability of attackers, and it does this in two ways:
"Due to the sensitive nature of SECRET information, the threat profile anticipates the need to defend against a higher level of threat actor capability than would be typical at the OFFICIAL level."
What is clear however is that data being very sensitive (but not quite sensitive enough to be T-S) isn't a sufficient basis to make it SECRET.
"The information creator is responsible for assessing the potential impact of a compromise of information and the expected threat profile to determine whether information is SECRET. The serious impact of a compromise of information, combined with the enhanced risks expected from highly capable threat actors, is what defines SECRET classified information." (my emphasis on 'and' BTW)
Now here's the problem that this introduces.
The GSCP is clear that data that could result in serious harm (or death) should never be included in any OFFICIAL Tier (incl. O-S); BUT
To be classified as SECRET the data impact has to cause serious harm AND it needs protection from a capable attacker.
Here's a tricky (but very common) use case to show the issue:
Ex: An individual with a history of violence and threats will be highly likely to kill their ex-partner if their location is disclosed to them (accidentally or otherwise). This person is not however a capable and skilled attacker of IT systems.
So what classification is this data? (Answers on a postcard to Cabinet Office)
It's clearly way too risky for OFFICIAL, but the attacker's not skilled enough to be able to place it in SECRET. We probably need something in between where we can keep this stuff confidential. In fact we could call it that...
This BTW is exactly the problem that Policing have today, and they put this material into Hyperscaler Public Cloud. Under the new HMG Policy this type of data is definitely not OFFICIAL. But nor can it be SECRET.
Bottom line then is that there's quite a lot of data that should - under this policy - definitely NOT be in the OFFICIAL Tier (not even O-S), but because it doesn't need to be protected from capable and motivated attackers it can't be SECRET.
This mirrors a problem that emerged in the old GSCS - when we moved from the hierarchical model under GPMS to a strictly NON-hierarchical model under GSCS.
Most folks didn't realise that under GSCS you couldn't go from OFFICIAL to SECRET, only from OFFICIAL all the way up to T-S if the impacts were REALLY bad; but this time round the policy is a lot clearer and the problem is exposed.
Here's a diagram I did back in 2015 that showed the problem - sad to see its not fixed and arguably even worse now :(
I'll do a new flowchart in the next few days to show just how complicated and gappy the new model is BTW.
No idea why Government this time round is so fixated on reputation TBH, but they repeat stuff about considering risks to HMG reputation quite a lot...
My old bad joke of 'Policy by blog' - to describe how HM Gov has, over the past 6-8 years, adopted the use of unofficial blog entries as an informal way to suggest you should feel free to do things (normally deemed expedient by the incumbent role holder at the time) which its own policies didn't officially LET you do - is no longer valid. Now it's acceptable to quote blogs as a source for a Policy.
As well as linking to the NCSC Cloud Security Guidance, an NCSC Blog promoting use of M365 is actually REFERENCED in this official Government paper. Tricky.
In addition, Microsoft get a free advert by having a hyperlink to their guidance as to how you use their product. Quite bizarre.
I've never seen quite such blatant product placement in a serious and official UK Government Policy paper before.
(NOTE: This still doesn't change the fact that for some Public Bodies processing some types of data - even in the OFFICIAL Tier - it's illegal to use that product).
I doubt that Microsoft mind the name-check to be fair, but other vendors might be less than happy. Given the general trend of published HMG documents encouraging (and even obliging) public sector organisations to use offshored Public Cloud platforms we might all be a bit rightfully concerned.
Within the Classification Policy there are now SIX Descriptors (up from 3), TWO International Prefixes (up from 1), the SAME number of National Caveats + Codewords, AND FIVE Handling Instructions (which are completely new).
Now you might say that's not so very complicated, but I've not finished.
Not all of these Descriptors, International Prefixes, Caveats and Handling Instructions should be - or can be - applied by all of the various Classification Tiers.
I've mapped the main ones in the policy out below, but there will continue I am sure to be a number of industry specific monikers to attach based on your sector.
When I showed them to a colleague earlier today he suggested maybe I should have made it simpler to understand. In time, and if I can, then I will but I'm just reporting the changes today - not trying to explain them.
The key thing is that these can be (and will need to be) combined on documents, and I really doubt that:
a) most of the Classification Scheme marking and management tooling out there will be able to cope with it; or
b) most users will manage without specific training (which hasn't been taken into account in the 12 month adoption target) - and even then they'll make mistakes for sure.
The policy also gives helpful examples, like this one where "a user decided that all additional markings are required":
Some folks say that the world of work has been changed forever by Covid, and that Hybrid and Home working is the new norm. Well HMG seem to agree, because in a really major change of policy you can now work on your SECRET stuff at Home!
I'm in two minds over this TBH, because whilst I recognise the benefits of being able to read briefings on a Serious and Organised Criminal Gang and their efforts to use kids to transfer drugs and weapons via County Lines whilst eating my Cornflakes in my dressing gown and baffies, I'm not sure that's necessarily a wise move...
It is however, now recognised HMG Policy - for those able to convince their employer that they have a List X kitchen (a joke BTW - I know you don't need to get my kitchen 'List X'. It's PASF).
Looking at the guidance and steps you need to take, they're roughly what we used to have to do as CLAS Consultants when we were given RESTRICTED CDs of HMG Policy back in the day. Nothing too excessive - even for SECRET.
It does however say that you must not have any smart devices in earshot - which means 'Alexa how do I apply the new GSCS Marking Instructions to my SECRET UK/US Eyes bid documentation' shouldn't be featuring in their top ten list of requested info any time soon (which is a good thing).
And Finally...
There are some special bits of weirdness in the Policy, but this final one I can't quite fathom out as being serious or not...
'Annex B - What to do in the event of a compromise of OFFICIAL, SECRET, TOP SECRET information' says:
I can imagine the two conversations that would follow such a loss & actions:
1 - Call Centre Operator "Al Shabaab? OK, do you have his address?"; and
2 - Security Controller "You've lost what? What do you mean its OK, you've got a crime reference number? @#$%&! "
Summing Up
These policies are REALLY complex, and like legislation its going to take a long time before we develop the case law needed to understand if they work or not in practice.
My initial feeling was that they've been poorly developed and don't hang together particularly well, and that hasn't changed massively - though I DO (I think) understand what they've tried to achieve.
Over the past months (years actually) I've been dribbled snippets of these planned changes, and some of them were a lot stranger than what we've got today - but I'm still really very surprised by some folks in government (in multiple sectors) that assured me this new policy didn't change much at all.
I don't know what they've been reading, but this really does change quite a lot, and the work needed to pivot to this is significant.
It also needed to be initiated quickly - unlike GSCS which was published 16 months before it went live this policy is live and applicable RIGHT NOW. Expect to see this stuff in bid documents within weeks or days, and if you have a live bid you should be asking how its affected by this new Policy straightaway.
Contracts that are live should all be considered for Change Impacts and we ought to be seeing new SALs coming out in due course - there's only a 12 month transition period this time round, so get a wriggle on.
Regardless, if the GSCS was anything to go by we'll have this or something very like it for the next Ten Years or so. Better get to grips with it soonest.
@Sportingbears - raising money for UK children's charities
1 year - Owen S. I assume you have seen this? https://www.microsoft.com/en-gb/industry/blog/government/2023/07/25/guidance-on-protecting-government-data-using-microsoft-purview/
Senior Leader experienced in delivering change across Policing and Government
1 year - Thanks Owen, see you are still feeling the same pain!
Helping telcos save over 60% of the burden on their #TelecomsSecurityAct journey - the expert guide you need to minimise the pain!
1 year - So a very good overview from someone who knows the relevant law and how it applies here. Two things that stand out for me, the loss of Integrity (are we really saying we no longer care about the unauthorised modification of information) and Availability (what exactly is the point of the network principles https://www.gov.uk/government/publications/network-principles/network-principles) as well as the use of ‘HMG’ - where does the term stop and end (is it crown, civil, ALB or NDPB)? It’s not only complicated, but apparently written by people who have no idea of the complexities of government nor the need for consistent governance structures.
Chief Commercial Officer, Non-Exec Director
1 year - As always, your blog contains some great analysis and thinking. You correctly say “This is genuinely complicated”, and that “history suggests that this means most folks just won't do it, or worse still they won't do it well, consistently or accurately.” What history does tell us, is that some individuals and organisations will use this complexity to interpret or misinterpret the Policy to meet their own ends. Amongst the positive changes, it's quite frankly another missed opportunity to make the complex, simple.