The Government Digital Service (GDS) has yet to achieve conformance with key national cyber security standards for its Gov.uk One Login digital identity system, nearly three years since security concerns were first raised.
The One Login team is still working to fully meet National Cyber Security Centre (NCSC) guidelines. Computer Weekly has learned that the team only complies with 21 of the 39 outcomes detailed in the NCSC Cyber Assessment Framework (CAF) – an improvement on the five outcomes it successfully followed a year ago.
CAF is designed for “making critical national services resilient to [cyber] attack”, according to the government. It was developed by the NCSC to provide a “comprehensive approach to assessing the extent to which cyber risks to essential functions are being managed by the organisation responsible”. CAF is part of GovAssure, a cyber resilience review process run by the Government Security Group (GSG), which was launched in April 2023.
One Login is intended to become the primary way for citizens to access online public services. In 2022, the business case for One Login, which was used to justify more than £330m of spending on the project, said the system was “underpinned” by CAF – a claim that is hard to reconcile with only five of the 39 CAF outcomes having been met as recently as 2024.
Recently assessed
CAF comprises 39 “contributing outcomes”, each broken down into a number of lower-level “indicators of good practice” (IGPs). Each outcome is scored on a pass/fail basis: if a single IGP is not met, the outcome as a whole is rated as not met, however many of its other IGPs have been satisfied. A tally of 21 out of 39 therefore means that 18 outcomes still have at least one unmet IGP, not that those 18 outcomes are entirely unaddressed.
One Login was recently assessed as part of a GovAssure review, which found that in the space of a year, the GDS digital identity team had moved from meeting only five of the 39 CAF outcomes to 21.
GDS says CAF assessors noted One Login’s “understanding of cyber security” and that plans are in place to achieve the “exceedingly high standards” of CAF conformance by the end of the year.
Nonetheless, One Login has been live since June 2022 and now has more than three million users, making it precisely the sort of critical system to which the “very robust levels of cyber security and resilience” the NCSC set out when it established CAF should apply.
Furthermore, the Government Cyber Security Standard mandates that all digital services should comply with Secure by Design (SBD) Principles. Computer Weekly has learned that the GDS digital identity team is also yet to fully implement SBD, although GDS says the system “meets these principles”.
GDS was due to go live with SBD by January this year, but has delayed its full implementation until at least October.
This led to the Ministry of Defence asking questions of the One Login team about SBD conformance as part of plans to store an electronic version of its Armed Forces Veterans Card in the Gov.uk digital wallet.
GDS says formal accreditation against the Secure by Design framework does not yet apply to One Login and that while such accreditation cannot currently be formally secured, it is “inaccurate to report” that GDS or One Login does not meet Secure by Design Principles.
Historic problems
However, the concerns over One Login’s overall conformance with NCSC and GSG guidelines come soon after the disclosure of historic security problems in One Login.
Computer Weekly revealed earlier this month that One Login had received warnings about “serious data protection failings” and “significant shortcomings” in cyber security from the Cabinet Office and the NCSC – including a recommendation in November 2022 that the live system should be suspended.
Following those warnings – and earlier issues flagged by a security expert who has since turned whistleblower in an attempt to raise the concerns more widely – a team led by GDS chief information security officer (CISO) Breandan Knowlton conducted an internal risk audit in October 2023 to assess the severity of the issues.
GDS has now responded to those claims with a detailed breakdown of how the problems identified in 2022 and 2023 have been addressed (see table below), but questions remain over why the service was allowed to go live with known security risks.
A government spokesperson said: “The concerns captured are outdated and summarise an initial view from when the technology was in its infancy in 2023. We have worked to address all these concerns as evidenced by multiple external independent assessments. Any suggestion otherwise is unfounded.
“Gov.uk One Login follows the highest security standards for government and private sector services – including dedicated 24/7 eyes-on monitoring and incident response. As the public rightly expects, protecting the security of government services and the data and privacy of users to keep pace with the changing cyber threat landscape is paramount.”
Peer Tim Clement-Jones, the Liberal Democrat spokesman for the digital economy in the House of Lords, has submitted a series of Parliamentary questions to the Department for Science, Innovation and Technology asking for details of the security surrounding One Login. He expressed further concerns about the current cyber security conformance of the system.
“Given that One Login is intended to be the key way of accessing public services online, this is deeply concerning. Are we about to see another Verify fiasco? Ministers need to take a direct grip of this,” he said.
CISO review
Computer Weekly has seen details of the GDS CISO’s 2023 review findings, which listed a series of risks and rated each of them from “low” to “extremely high”. We asked GDS to provide an update on each of the risks based on their status today, which is detailed in the table below.
Anecdotal evidence from sources close to consultancy 6point6, which was brought in to support the One Login team for security assurance, paints a picture of a team that previously had insufficient security knowledge, weak controls and few standards.
GDS’s account of the progress made in resolving One Login’s security problems suggests the situation has improved and that the issues are being addressed. Questions remain, however, about how and why One Login was originally allowed to go live with known issues and without conformance to the key government standards expected of all critical online public services.
The whistleblower – who Computer Weekly has agreed not to name, but who has many years of cyber security experience and worked in a senior information security management role at GDS – said it is “not possible” to confirm whether any historic or current security problems have been resolved without independent verification of GDS’s response.
“The unverified claim to have achieved 21 out of 39 contributing outcomes in CAF cannot be believed and the true score will only be known if operationally independent assurance is allowed full access to the One Login programme,” he said.