Zero Trust Security

UK Government Digital Service Co-Founders On Improving Digital Services And Security

Expert Insights interviews Mike Bracken and James Stewart, Partners at Public Digital, and co-founders of the UK Government Digital Service.

Public Digital Interview

In April 2011, the UK Government’s Cabinet Office formed the Government Digital Service (GDS), a new unit tasked with transforming the provision of online public services in the United Kingdom, across government departments. By 2015, GDS had over 500 employees, and has influenced the formation of similar projects globally, including the Canadian Digital Service, The DigitalService4Germany, and 18F, the United States Digital Service. 

Mike Bracken was a co-founder of the Government Digital Service and was the Executive Director of Digital and Chief Data Officer for UK Government until October 2015. He has since worked as a Co-Operative Group board member as Chief Digital Officer, and prior to joining the civil service served as Digital Development Director at Guardian News and Media. 

James Stewart was also a co-founder of GDS, where he led the technology architecture and all of the work done on building technology, leadership, and culture, across departments. He is a non-executive director in the UK Parliament and was also heavily involved in setting up the National Cyber Security Center (NCSC). 

Bracken and Stewart are currently Partners at Public Digital, a global digital technology consultancy firm which operates in thirty countries around the world to help public, private and third sectors to improve digital services and foster digital teams.

At OpenUK’s recent Open Source Software summit, Expert Insights interviewed Bracken and Stewart to discuss Public Digital, the impact of COVID on digital technologies, and how to ensure privacy and security is baked into digital services. This interview has been edited for clarity and length.  

Can you introduce Public Digital, the work you do, and the organization’s objectives?

Bracken: Public Digital is a digital transformation consultancy, we have about fifty people in the UK, and over one hundred in our network around the world today. We’re working in Madagascar, Mauritius, Latin America, Argentina. We work with countries all over the world to help them on digital and public missions. 

We’re called Public Digital because we believe that everything with a public mission, whether it’s in the public, private or third sector, that is at scale, is worthy of working on digitally. 

So, we work on things like helping people safely get back into grounds with the Premier League. We’re working with the NHS to educate its digital executive and to help reorganize itself digitally. We work with the World Bank. We’re currently dealing with the IMF and how it currently funds technology. 

These are big and important missions of scale. And, by and large, we are practitioners. Pretty much all of us have got decades of experience in technology, leadership strategy, product design and all manner of skills in public institutions. That’s why we’re called Public Digital. 

What are the common challenges and roadblocks that you see when implementing these digital services at scale, across the different nationalities and industries that you work with?

Stewart: We work across different countries, nationalities and also sectors. We work primarily with the public sector, but we also do private sector work, third sector, which sees in many places the same challenges.

Most of our clients are organizations that predate the internet. They’ve got a set of established ways of working, of managing their risks, of deciding on their financial investments, which are based on ways of working that were common sixty, seventy plus years ago, rather than modes of collaboration and delivery which have emerged over the last twenty years. 

So, our standard is to help people understand digital services and how to build a direction that is common to the insurgent start-up organizations that increasingly compete directly with the private sector or improve of credibility and ability to deliver for the public sector. 

And that starts with investing in teams in a very different way. Multi-disciplinary teams who are freed up from the legacy governance structures. Not governance free – but freed up from a lot of the restrictions that would have been in place before – and then working together as experts in a disciplinary way. 

Just the act of investing in those kinds of teams can be radical for those organizations and that is where new momentum comes from. 

Mike, in your panel you discussed COVID, and that how in the UK context that there were some lessons to be learned around the rapid development of digital systems. What lessons should we take away from COVID? 

Bracken: Well, there are dozens of things, and I wouldn’t claim to know them all. But I think one is that every country was dealing with COVID, which is relatively consistent as a virus. And every country has a political and economic and cultural context in which it’s trying to resolve this issue, which is not necessarily a like-for-like. But I think it’s easy to see now that the countries with more curiosity, more receptors, more working with other countries, had more strings to their bow in how they dealt with COVID.

COVID didn’t have a single solution, it wasn’t just test and trace this, or using an app. It was a variety of people, leaders, technologies, public health responses, to an emerging public health problem. And I wonder openly whether in the UK – while we were quite reasonably busy with our own stuff – whether we could have learned more from other countries dealing with this in different ways. 

James [Stewart] had a great piece of work to analyze COVID responses around the world, showing some great examples and some really poor examples. And I think it roughly correlates to: did they have a digital team, and were they working in the open? And did they have the infrastructure and setup open to deploy new things?

Stewart: If you look at the examples coming out of Africa, a lot of the places that responded most rapidly and strongly were the ones who had been through previous pandemics. They recognized that they needed to put in place rapid response infrastructure and invest in that, rather than treating it as an on the shelf thing. You have to work on important public infrastructure all the time with the agility to change focus as you’re going. 

So, we have analyzed the quality of websites that governments put out and the clarity of them. And there was a very strong correlation between that and who had invested in digital teams and empowered them to not just work quickly, but to really understand the needs of the services they were building, and the impact of the work they were doing.

If they built those two muscles, they were positioned to change what they were doing very quickly, to communicate clearly, and to really help organize government policy around areas where impact could actually be had. But all of that was based on prior investment, not something that was purely set up in the pandemic.

When you’re advising organizations about these digital services and digital infrastructures, in both the public and private sector, how do you ensure that security and privacy are kept at the forefront of those conversations?

Stewart: The traditional way that we’ve done that is by treating privacy and security as effectively audit compliance functions. You try and get hold of some documentation at the start of a process, but really you only check towards the end of a complication design and deployment process. That multi-disciplinary team approach that we talked about really includes bringing governance, assurance, risk thinking into the team, and equipping teams to make good decisions as they’re going along. 

In the UK, the best example I have seen of these was with Universal Credit. When this was reset in 2014/2015, the risk, fraud, and security thinking was brought right into the heart of the team. If you went into their office, you’d see all of the sorts of things they were worried about up on the wall, to help the team to keep it at the front of their mind. They built a list of things they were trying to avoid and achieve to design into the system resilience to those risks. 

Some fairly common themes come up through lots of open source circles. Shifting left on security (making changes in when, where and how to apply security best practices), and we take that a bit wider, because it’s often purely a technology conversation. But actually, a lot of your fraud and security risks are about the human systems around the technology, not just the tech itself. Bringing that into a multi-disciplinary team lets you think about all of the ways that you can solve these challenges. 

Are you optimistic about the future of open source technology and security today?

Bracken: I feel very optimistic. I remember being an internet researcher in the 80s, and the very basic ideas behind open source were so revolutionary: and it was thought: “this will never happen our lifetime.” And look at what it’s become. So, I am hugely optimistic. 

There seems to be – without going too far with what has happened in my lifetime – some intractable problems I thought I’d never see the end of. Apartheid, or peace in Northern Ireland. I never thought I’d see the end of the IT lobbying industry killing open source at birth. And yet here we are. The rise of cloud, all the things we have discussed today, are incredibly good. But like life, you don’t always get what you wish for, because it brings a whole new set of problems. And it’s really a question of renewal now. 

I’m optimistic about the future because the past has been largely positive. However, I think we need to be quite realistic about some of the challenges facing this movement and open source software generally. It’s about time some of the people who are interested in this stepped into some of those leadership roles in a more muscular way, I think.

The power of collaboration can no longer be latent in some areas such as finance, the top level of politics and some of sectors that we see including defense, health, and energy. So, I am optimistic, but we have got some challenges. 

Stewart: To add to that, in the last couple of weeks we had the UN General Assembly and IMF World Bank annual meetings which included major announcements and investments around digital public infrastructure and digital public goods in which open source plays a huge role, and so coming to that with political capital is really exciting. 

Last year, we really thought about creating the conditions for success with open source, and I think that still feels very salient in thinking about the need for procurement reform, recruitment reform, and some other changes that are needed to make this more bedded, based on our experience in the UK, but also a number of other governments worldwide. And that still rings true; the investment is exciting, but there’s a lot of hard work behind it.  

Thanks to Mike Bracken and James Stewart for this interview. You can find out more about Public Digital here.