“When you aggregate data into one massive base, of course it immediately becomes a target for the country’s enemies.”
Richard Dearlove, the former head of MI6, has lambasted the Starmer government’s plans for a national digital identity system, warning it would “immediately become a target for the country’s enemies”. Dearlove, who led MI6 from 1999 to 2004, said emerging quantum technologies could undermine the security systems designed to protect the digital identification system.
“When you aggregate data into one massive base, of course it immediately becomes a target for the country’s enemies,” Dearlove told the right-wing broadcaster GB News. “You therefore must be sure that the citadel is impregnable. However secure you believe the system to be, quantum computing when it arrives could render redundant your defences.”
By “enemies” Dearlove appears to have one particular country in mind: China. According to official UK records, Chinese cyber spies already accessed the UK Electoral Commission’s Microsoft Exchange Server, potentially exposing the personal data of approximately 40 million UK citizens for over a year.
Dearlove’s name may be familiar even to non-UK-based readers. During his time as MI6 chief, he helped furnish then-Prime Minister Tony Blair with the flawed intelligence on Iraq’s WMD capabilities that helped pave the way to the second Gulf War. He also had a hand in the Russiagate scandal, having advised Christopher Steele on the Trump dossier.
In other words, Dearlove is a rather unpleasant piece of work, even by the standards of senior spooks. That said, one would expect him to know a thing or two about systems security.
That didn’t stop him from apparently falling victim to a Russian hack in 2018. In 2022, the former spy chief went public with claims that Russian hackers had hacked his personal emails and published them on a website called Very English Coop [sic] d’Etat. From The Telegraph:
The website claims the emails are proof of a conspiracy between leading Brexiteers including Sir Richard, Gisela Stuart, a former Labour MP, and the historian Robert Tombs.
The site claimed there was a plan to embed a pro-Brexit spy in the UK negotiating team led by Olly Robbins, the UK’s former Brexit negotiator, although this is impossible to confirm.
Asked by GB News whether the Starmer government should change course, Dearlove responded: “Better not to create the target and the temptation in my view.”
“Worse Than… Horizon”
Dearlove is not the only high-profile figure to have warned about the security risks of digital identity. Speaking in a Westminster Hall debate, Conservative MP David Davis said:
“What will happen when this system comes into effect is that the entire population’s entire data will be open to malevolent actors – foreign nations, ransomware criminals, malevolent hackers and even their own personal or political enemies.
“As a result, this will be worse than the Horizon [Post Office] scandal.”
He has a point. In fact, it is a point we made over six months ago, in our post, “Is the UK Creating a Giant Bonanza for Hackers and Nation-State Adversaries With Its ‘One Login’ Digital Governance System?” As we warned in that post, the UK has a horrid record when it comes to protecting citizens’ data and running IT operations in general, suffering the most cyber attacks of any country in Europe:
[If] not properly secured, [digital identity systems] risk creating a perfect bonanza of lucrative data for hackers and nation-state adversaries — of which, let’s face it, the UK has plenty. They could also create key points of vulnerability within the UK government and civil service’s IT systems.
The current state of the UK government’s One Login system, around which the digital ID system will be based, is hardly confidence inspiring.
Where’s the Trust?
The system is still not even compliant with cyber standards for critical services, has lost its certification against the government’s own digital identity system trust framework, and a recent simulated hack revealed that attackers could gain privileged access without detection.
If that isn’t enough to win one’s trust, it was also revealed in 2022 that parts of One Login were being developed in Romania, a nation that ranks sixth on the World Cybercrime Index, on unsecured workstations by contractors without the required security clearance.
One Login is already up and running, however, and has 12 million sign-ups, roughly equivalent to one out of four English citizens. Once fully operational, it will underpin the forthcoming Gov.uk Wallet, which will be used to deliver digital versions of key government documents, such as driving licences, birth certificates and passports as well as private sector credentials.
Yet the system is not remotely secure, warns The Telegraph’s Andrew Orlowski, who has reported extensively on the flaws in the UK’s digital identity infrastructure.
Criticism of Starmer’s digital identity plans, which are obviously not his own, is mounting, even in legacy media.
LBC (the London Broadcasting Company) published an interesting op-ed by Irra Ariella Khi, the CEO of Zamna, an aviation identity company, who advises governments and industry leaders on digital identity. She made a key point about the government’s constant citing of Estonia’s long-established digital governance system as a source of inspiration for its plans:
The UK Government often points to Estonia as the model for digital identity. But Estonia’s entire population (1.6 million) is roughly the size of Croydon. You can’t copy-paste a small national system like that and expect it to work for 67 million people. It’s like taking something designed to run at 100% in Estonia and expecting it to hold up at 4,000% capacity in the UK.
This is especially true when you consider that the UK’s IT infrastructure largely consists of a hotch-potch of poorly designed legacy systems, and that the country has a disastrous track record with IT systems in general.
Even Estonia’s much smaller, better designed, longer established system has suffered its fair share of data breaches. In 2017, thousands of people were shut out from accessing online government services after the discovery of a security flaw. From the BBC:
A problem with the country’s national identity cards was identified earlier this year, affecting 760,000 people.
The flaw could let attackers decrypt private data or impersonate citizens.
Those who have not had their cards updated with new security certificates will no longer be able to use them to access some services from midnight.
Estonia’s digital ID system lets citizens access government and some private services such as medical records, voting and banking.
But security researchers found the encryption used in the ID cards was easily cracked which could, if exploited, let attackers impersonate people.
In Indonesia, enterprising criminals have come up with malware that poses as the country’s digital identity app, reports Biometric Update:
Cybersecurity researchers have discovered a malware app designed to steal financial data, which disguises itself as Indonesia’s national digital identity platform, Identitas Kependudukan Digital (IKD).
The malware app, named Android/BankBot-YNRK, was found circulating online outside of the official Google Play app store, posing as an APK file of the digital ID platform. Once a user installs it, the app will start exploiting Android permissions to gain access to sensitive data, targeting banking and cryptocurrency apps.
According to an investigation from cybersecurity firm Cyfirma, the Trojan operates stealthily by leveraging its permissions to observe what appears on screens, simulate button presses and automatically complete forms as if acting on the user’s behalf. It also transmitted device details, location data and a list of installed applications back to the attackers.
“Overall, Android/BankBot-YNRK exhibits a comprehensive feature set aimed at maintaining long-term access, stealing financial data and executing fraudulent transactions on compromised Android devices,” says Cyfirma.
The Meaning of “Mandatory”
The UK government continues to insist that its digital identity system will be optional, despite all evidence to the contrary, including its own declarations. And it’s getting a helping hand in this deception from “fact-checking” websites. Full Fact explains that the government’s plans for digital ID do not require all UK citizens to hold one — only those who want to work there:
Digital ID would only be mandatory for those who are looking to work in the UK. It would therefore not be mandatory for everyone living in the UK. For example, someone who is retired wouldn’t need a digital ID.
But even that probably wouldn’t apply for long. Many governments with full-fledged digital identity systems, from Estonia to India, started off by assuring citizens that digital identity was totally optional — until it became necessary for just about everything. In India, access issues to the Aadhaar system have locked millions out of their legitimate benefits, even resulting in deaths.
In the UK, it is already mandatory (as of November 18) for business owners to register with Companies House via One Login — a fact that was not mentioned at all in the Full Fact article. That’s an additional six million people who will be corralled into the system — unless, of course, they refuse to or find work-arounds…