Governments across the world have realized that to get out of lockdowns while also avoiding a “second peak” from COVID-19, testing and contact tracing are critical. Like other European nations, the UK has decided that a smartphone app will be an important part of its contact tracing program. Although details are hard to come by, we know that it will use Bluetooth to inform individuals if they have been in close contact for a certain period of time with someone who has tested positive for COVID-19. There will also be a reciprocal function for people to automatically alert people they have been in contact with that they have subsequently tested positive. Beyond these details, we have had little visibility on the technology underpinning the app, other than that NHSX has decided against working with Apple and Google on the project.
Creating an app such as this under normal circumstances would be difficult. Doing it in such a short period of time, where its functionality, stability and accuracy are literally a matter of life and death, is an astonishing challenge. Add to this mix very legitimate privacy concerns and you have probably one of the highest-pressure digital projects ever undertaken by the UK government.
Having worked with the Home Office for several years on delivering a range of technical infrastructure projects, I can tell you that the UK has never been in a better position to successfully build and scale this app. A lot of time and money has been spent on increasing the government’s DevOps and cloud capacity and the platforms and personnel needed to ensure complex projects can be undertaken effectively.
While we don’t yet know which platforms will underpin the contact tracing app, there’s a strong chance that Kubernetes is playing a big part. One of the main objectives at launch is reliability, so that the app doesn’t crash when hundreds of thousands of people download it. Applications very often become unresponsive because of insufficient computing resources; Kubernetes can automatically scale applications up and down, ensuring the app can withstand moments of intense use.
Another very important aspect of the contact tracing app is security. We are yet to see what sort of information we will be asked to provide, but regardless of that, the government needs to ensure that our data is protected from the bad actors out there. If Kubernetes is to be used, it is crucial that the security setup is thought through right from the beginning. I would put a lot of emphasis on keeping tabs on role-based access controls (RBAC), applying least privilege, granting short-lived, time-based access, and separating concerns where possible. The goal here is that every person working on the app has only the limited privileges they need to do the necessary work. In this scenario, if a cyberattack occurs, the attacker will only be able to access a very limited part of the estate, keeping the majority of the application intact.
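One way to keep tabs on the RBAC points above, as an added example (not code from NHSX or from this article): a small audit that flags wildcard grants, access to secrets, `cluster-admin` bindings, and bindings that lack or have outlived an expiry date. Kubernetes RBAC bindings have no built-in expiry, so the `example.org/expires` annotation is a hypothetical team convention, and the manifests and names are constructed samples.

```python
import json
from datetime import datetime, timezone

EXPIRY_KEY = "example.org/expires"  # hypothetical convention, not a Kubernetes feature

# Constructed sample manifests, in the JSON shape of `kubectl get ... -o json` items.
SAMPLE = json.loads("""
[
 {"kind": "Role", "metadata": {"name": "api-deployer", "namespace": "tracing"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
             "verbs": ["get", "list", "patch"]}]},
 {"kind": "Role", "metadata": {"name": "dev-all", "namespace": "tracing"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
  "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "alice-deploy", "namespace": "tracing",
   "annotations": {"example.org/expires": "2020-05-01T00:00:00+00:00"}},
  "roleRef": {"kind": "Role", "name": "api-deployer"},
  "subjects": [{"kind": "User", "name": "alice"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "bob-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "User", "name": "bob"}]}
]
""")

def audit(manifests, now):
    """Return sorted (object, finding) pairs for grants that break least privilege."""
    findings = set()
    for m in manifests:
        obj = f'{m["kind"]}/{m["metadata"]["name"]}'
        for rule in m.get("rules", []):  # Role and ClusterRole objects
            for field in ("apiGroups", "resources", "verbs"):
                if "*" in rule.get(field, []):
                    findings.add((obj, f"wildcard in {field}"))
            if "secrets" in rule.get("resources", []):
                findings.add((obj, "grants access to secrets"))
        if m["kind"].endswith("Binding"):  # RoleBinding and ClusterRoleBinding
            if m["roleRef"]["name"] == "cluster-admin":
                findings.add((obj, "binds cluster-admin"))
            expires = m["metadata"].get("annotations", {}).get(EXPIRY_KEY)
            if expires is None:
                findings.add((obj, "no expiry annotation"))
            elif datetime.fromisoformat(expires) <= now:
                findings.add((obj, "expired binding still present"))
    return sorted(findings)

if __name__ == "__main__":
    for obj, finding in audit(SAMPLE, datetime(2020, 5, 10, tzinfo=timezone.utc)):
        print(f"{obj}: {finding}")
```

The narrowly scoped `api-deployer` role produces no findings, while the binding to it is reported only once its annotated expiry date has passed.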
NHSX has confirmed it will make more information available on the app’s technical specifications including its source code ahead of its launch in mid-May. At this point, the tech industry should know more about how it was built and determine how subsequent iterations could be improved. In any case, for governments that are further behind in developing their own contact tracing technology, there is a clear advantage of using Kubernetes to underpin the construction of an app at this scale.