Digital identity and cybersecurity in government topped the agenda at the latest Think Digital Partners’ latest London event. Experts from across government and suppliers gathered to discuss the challenges they face, and highlight their own experiences.
“It’s great to see so many expert and insightful speakers in one place,” said Think Digital Partners founder, Matt Stanley. “Getting access to the thoughts of people like GDS CISO Breandan Knowlton and John Keegan, head of digital security at DWP, is not an everyday occurrence, so events like this are very important.
“The day’s agenda is crammed full of brilliant and varied topics across many aspects of government identity and cybersecurity and working with government departments and our supplier partners we are able to highlight the important issues of the day and share some of the excellent work taking place across the public sector.”
Highlights include:
- Government Digital Services (GDS)’ head of UCD, Dr. Helena Trippe, shared the latest developments and update on the One Login programme and government identity initiatives.
- Matthew Cooper, client director, central government at SailPoint, and Tracey Mills, director, cyber at KPMG discussed internal identity security within large government departments, emphasising the importance of protecting perimeters for robust cybersecurity. Mills shared her experience in implementing identity and access management (IAM) strategies, where key challenges included low IAM maturity, lack of senior mandate, and complex organisational structures.
- Erin Nicholson and Jim Gumbley from software consultancy Thoughtworks delved into the pivotal role governance plays when sharing data within and across public sector organisations. They highlighted the use of new technologies like secure multiprocessing and federated learning to enhance privacy while improving data utility.
- Frey Wilson, co-founder and CTO, Cavero Quantum and Simon Moffatt, founder of The Cyber Hut, addressed the impending threat of quantum computers to cryptography, termed Q-Day. Wilson highlighted quantum-safe transition strategies, including various solutions like symmetric and asymmetric key distribution. The conversation underscored the importance of understanding current network cryptography, prioritising data, and planning a gradual transition to maintain productivity and security.
- GDS’ CISO Breandan Knowlton discussed the challenges of securing digital identity ecosystems in cloud environments. He said it was a misconception that cloud providers handle all security, highlighting the shared responsibility model. He stressed the importance of encryption at rest and in transit, real-time threat detection, and continuous monitoring. He noted that compliance alone is insufficient and advocated for ‘secure by design’ practices, integrating security early in the development lifecycle.
- Haydn Brooks, co-founder and CEO of Risk Ledger and John Keegan, deputy director, head of digital security at the Department for Work and Pensions (DWP) dived into supply chain security, emphasising the need for a zero-trust environment and rigorous contractual controls. The conversation highlighted the complexity of managing multiple supply chain tiers, including software, logistical, and corporate chains, and the challenges of visibility into third-party and subcontractor security.
- Jeb Cordery, head of business analysis, Digital Identity Programme at GDS and Paul Sandelands, head of AML/Financial Crime at Experian, weighed in on the future of identity, focusing on the challenges and solutions in identity verification, particularly in the context of inclusivity and fraud prevention. Both highlighted the complexities of verifying identities, especially for vulnerable groups like the elderly and those with limited credit information.
- A panel of experts from the UK and Europe explored the latest trends in decentralised identity and identity wallets. Jonas Ingelstrom, head of identity at iProov highlighted the successful adoption of digital identity in Sweden through the use of personal identification numbers, and Roger Oliviera, co-founder of Ver.iD highlighted efforts in the Netherlands to achieve interoperability between different digital identity programmes through public-private partnerships. The UK was discussed as having an opportunity to become a global leader in digital identity by leveraging lessons from other countries and focusing on regulatory clarity, inclusive implementation, and high-value use cases.
- Another panel discussion focused on the cybersecurity lessons the public sector can learn from its private sector counterparts. The importance of strategic identity management and leveraging third-party solutions was emphasised, with examples from financial services and open banking.
- Mike Crockart from the ScotAccount Digital Identity Service discussed the complexities of implementing a digital identity system, highlighting the challenges of identity debt and fraud risk in the public sector. He also touched on the ethical considerations of biometrics and the importance of public trust. In contrast, Mark Lizar from the Kantara Initiative focused on the cultural and legal aspects of digital identity, advocating for transparency and consent in data handling.
- Agata Samojlowicz, deputy challenge director – Digital Security by Design at Innovate UK gaver her take on the evolving cybersecurity landscape, highlighting the increase in vulnerabilities. She noted that many of these vulnerabilities could be mitigated through advanced technology developed in collaboration with ARM, Cambridge University, Google, and Microsoft. The technology, based on fine-grained memory protection and scalable software compartmentalisation, aims to reduce exploitable flaws. Samojlowicz also called for suppliers to integrate security early in product design, shifting responsibility to the supply chain and allowing users to focus on best practices.
- Finally, the future of cybersecurity was under the spotlight, covering the use of AI, quantitative risk management, and the importance of building security into software development from the start. The discussion highlighted the need to shift security left in the development lifecycle, with security teams being involved earlier in the process rather than being brought in at the end to help avoid compromises and tensions between security and development.
