Recent announcements on the ICT Infrastructure programme for the Scottish Government and press coverage have drawn my attention to the Public Sector Network programme. Having read around the topic, I have become increasingly concerned that this programme is seriously flawed.
In summary, the PSN programme is a programme for creating a single public sector network for all UK public sector organisations including Universities. It is a programme that appears to be driven by the need to save money and a recognition that the existing arrangements are often outdated and inefficient. However, the proposed solution is very complex and potentially costly despite being argued publicly as a mechanism for saving costs and introducing a level playing field for commercial suppliers.
But you can’t really explain this all in one paragraph, so here’s a more extended attempt to explain what this is all about, starting with a look at the background and the surprisingly ambiguous definition of what the programme really is.
In early 2007, the CTO Council articulated a vision for a Public Sector Network described as a network of networks delivering the effect of a single network for the public sector. In July 2008, the Public Sector Network (PSN) programme was established by the UK Government, principally coordinated by the Cabinet Office. (PSN-OM p.10-11)
But what is it?
Below is a selection of definitions or visions of what the Public Sector Network is. These are mostly from programme documents and should give a flavour of how confusing this whole thing is.
- A single, integrated infrastructure, delivered by multiple selected service providers
- A ‘private network of networks’ for the public sector, addressing the various special security, resilience, service and availability needs of public sector organisations
- Global, including overseas posts and other international UK public bodies
- A secure version of the Internet for the UK Public Sector
The PSN vision is one of creating the effect of a single network across the public sector, to be delivered through multiple service providers in order to ensure ongoing value and innovation. In some respects, this is similar to the Internet model, whereby “service consumers” experience flexibility and inter-working without much concern for underlying inter-network “plumbing”. However, the vision is also one of a “private network of networks” for the public sector, addressing the various special security, resilience, service and availability needs of public sector organisations. (PSN-OM, p.10)
The Public Sector Network (PSN) will change the approach to the acquisition of Information and Communications Technology by the UK Public Sector, allowing public sector customers and select partners to harness changing technology to better support their delivery of service and the transformational government agenda. This will be achieved through a commonality of standards, a customer-centric operational model and a flexible approach. (PSN-PM, p. 1)
PSN is not a physical entity.
- an industry standard
- an enabler for network interoperability benefits
- an enabler to deliver procurement effort benefits
- a process that provides a commonality
PSN offers a vision of ICT services from many suppliers being shared across the Public Sector and delivered over a common network infrastructure, itself provided by several network operators. (PSN-Comp, p.7)
The PSN is a supply-side “network of networks”, making network-oriented services utility-like for the public sector. Hence, it is essentially an inter-working and standards framework for the suppliers of network-oriented services to the public sector, governing both interconnection of supplier services and the relevant key service characteristics/attributes that ensure inter-working and end-to-end service assurance across supplier portfolios. (PSN-GCN, p. 7)
These definitions tend to raise more questions than they answer:
- Is the PSN a separate physical network that duplicates the Internet but is intended just for the public sector?
- When the PSN documentation talks about open standards does this mean that this is technically just using Internet standards or is it actually a network running under a protocol unique to the UK public sector?
- Why can’t the public sector just use the Internet?
- If this is separate from the Internet does this mean that staff in the public sector won’t be able to access the Internet?
- What will this cost and how can it possibly save the government money?
Let’s try and tackle some of these.
So is the Public Sector Network a physical entity?
A breakout session of a joint Scottish Government, Socitm and Cabinet Office PSN workshop held in Edinburgh in January 2011 was clearly told that the Public Sector Network “is not a physical entity”. But the extensive documentation around PSN includes a description of the Government Conveyancing Network (GCN) - a part of PSN that “will be used to interconnect supplier data networks and other services in terms of network transport” (PSN-GCN, p. 8).
Similarly, the Operating Model document describes the PSN vision as “one of a ‘private network of networks’ for the public sector, addressing the various special security, resilience, service and availability needs of public sector organisations” (PSN-OM, p.10). If the PSN is not a physical entity then how can it possibly address issues of resilience and availability that are not ‘virtual’ concerns?
Looking at the various specification documents available on the Cabinet Office web site it is clear that the specifications include physical requirements like network timing and the implementation of domain name resolution across the network.
Ultimately the only way to make sense of all the documents and the conversations is to look at the terminology.
The truth, as far as I can tell, is that the PSN is the specification and not the network itself. Just like a car manual is not a car, the PSN is not a physical network but it does define the standards required to supply a physical network that is essential for it to run. To put this simply, whenever a document talks about the Public Sector Network you should probably insert the word “Specification” at the end. So, the phrase “The Public Sector Network is not a physical entity” should be read, “The Public Sector Network Specification is not a physical entity”, but parts of the actual network will be!
This is a very unfortunate and ambiguous choice of terminology.
What is the Public Sector Network Specification and what is the network it specifies?
So, the Public Sector Network (PSN) is the specification of a network that will deliver network services to users in a consistent manner throughout the country and even beyond the UK. These services will be physically delivered by private sector suppliers who have won contracts to deliver these services and who have met the compliance requirements set by government.
Third party private sector suppliers are providing something akin to an Internet connection, except it isn’t connecting directly to the Internet: it is connecting to a special public sector private network with what it terms, “segregated access” to the Internet (PSN-OM, p.21). This, the theory goes, allows the public sector to maintain a security separation from the Internet with communications running on networks which are provisioned to deliver higher resilience and availability standards than the Internet can provide.
So the idea is that the private sector will supply separate parts of this one single network and they will work together by virtue of adhering to the PSN specification. Hence, the PSN is not a physical network owned by the public sector: it is a network that meets a specification and runs over networking hardware supplied to government by the private sector on a service contract.
So, why can’t the public sector use the Internet like everyone else?
This is a very good question. Indeed I would argue that this is ultimately the question that every government minister and civil servant should be asking repeatedly.
The proposed reasons why the public sector needs its own network appear to fall into the following headings:
- For consistency across the public sector
- For efficiency
- For reliability and capacity
- For security
Let’s take these one at a time.
Consistent networking across the public sector
The truth is that, to the present day, the public sector is a mish-mash of networks developed independently and often intended to be kept separate from each other. The need to bring these networks together to allow for sharing of information and intercommunication is hard to deny.
But given a choice, does it make sense to standardise on the networking standard of the world or create a unique one for the UK public sector?
Efficiency of delivery, procurement and maintenance
Maintaining the current range of networking services across government is undoubtedly more costly than it needs to be. It makes sense to standardise the platform so that procurement is less costly.
But what is the least costly option, servicing a network that is unique to the UK public sector or servicing a network like every other private sector business in the world?
Reliability and capacity
Enabling the public sector to share a common network that can balance the varying peaks and troughs of demand across services is a good way of dealing with capacity needs where individual and separate networks would be constrained by their individual capacities. Setting standards for the delivery of these networks can help to ensure that the networks are reliable.
But this concept of shared networking is the basis of the Internet. If capacity and reliability requirements genuinely demand more control, there is no reason why the public sector couldn’t have a dedicated physical network running on the standards of the Internet. In effect this is the model of the UK Joint Academic Network (JANET) used for many years by Universities and Colleges throughout the UK.
A secure network
Clearly the public sector deals with information of a private nature some of which concerns the security of the nation. So, do we need a separate network or unique networking standards in order to deliver the levels of security required?
It turns out that this question is answered by the specification of the PSN itself. It says quite clearly that it is possible to deliver all the security levels required over an “untrusted” network like the Internet.
Coupled with encryption technologies the authentication of individual devices will enable the sharing of information across the same PSN infrastructure from IL0 to IL4. (PSN-OM page 20)
(“IL0” (Impact Level 0) refers to “untrusted infrastructure” for example, the Internet. In other words, the PSN can operate over the Internet. So the special security needs of the public sector do not appear to mandate a PSN.)
The truth here is that much of the public sector has taken a “walled garden” approach to security. The idea is that you create a safe network within which public sector users can operate without worries of outside intrusion. Just like some secured government building, the security checks are made at the exits and entrances so that everyone inside feels safe to walk around with freedom and security. Unfortunately this isn’t really very secure at all. As soon as someone gets into the building they can access anything and everything.
So what do banks and security-conscious companies do? They may provide a private network for employees but ultimately they make sure that data and systems that need to be secure are individually secured to the level commensurate with the data risks.
If the public sector took the same approach they could also operate on the standard Internet like everyone else does.
So why are we doing this?
It is very hard to see any real justification for the Public Sector Network programme in its current form. So, how has it come into existence and why is it going ahead?
I can’t claim to know why the PSN programme happened but I can make some guesses:
- In the absence of technical guidance it is quite possible that the public sector decision makers didn’t realise that they might be able to make use of existing technologies to replace all the complex networking systems that are currently in use. From that standpoint the idea of setting up a programme to design a whole new public sector network specification may have made complete sense.
- Security always has a high profile and leads the public sector to demand the highest possible security standards in some things whilst completely failing to address the obvious issues like the unencrypted laptops, CDs and memory sticks that keep hitting the news. The security provisions in some parts of the public sector are so awkward that they practically force staff to ignore them in order to get their work done. Faced with pressures to be secure, it is not surprising that non-technical decision makers probably ruled out the Internet as a viable option, even though they then produced a specification that allows the Internet to be used!
- The need to cut costs has resulted in a massive focus on centralised purchasing and procurement as an apparently obvious way of gaining ‘economies of scale’. This principle is much more widely applied than it is understood. Consequently it isn’t surprising that government decision makers might feel that it would be better value for money to procure a government-specific system for the whole of the country than to let individual regions procure an internationally standard system locally. In reality the latter is almost certainly more cost effective than the former and a lot easier to organise as well.