Surviving the post Heartbleed Cyber Security Skills Crunch

IT users and suppliers, particularly those in financial services and its suppliers are about to be hit by an IT Skills shortfall akin to that during the run up to Y2K: for similar reasons. A surge in demand for skills in short supply is hitting an industry which has not recruited sufficient trainees for over a decade.  

Why you need to act now

The Heartbleed fiasco, with the requirement for an audit and update effort akin to that of Y2K, together with advice to end-users that mixes the unrealistic, incomprehensible and misleading with opportunities for further malpractice, has brought forward a skills crisis that was building steadily. As with Y2K, it is unclear how serious the problem really is, but few have the skills to work out whether they are at risk. As with Y2K, some of the plethora of tools available add to the confusion by, for example, flagging as unsafe sites that do not use or need OpenSSL.

Meanwhile the rising tide of on-line fraud and abuse, facilitated by leaks from insecure transaction processing systems and by increasingly sophisticated phishing attacks linking phone, mail, text, e-mail and physical contact (e.g. courier fraud ), threatens to overwhelm those with neither the in-house skills to understand what is happening nor the skills and resources to respond effectively. The problems are about to be compounded by ill-considered regulatory intervention, e.g. data breach notification, and (of course) the post-Snowden fall-out. 

There is a serious and growing shortage of those with the skills to help organisations follow good practice in self protection and take effective action when they or their customers come under attack or disaster strikes.

Even before the Heartbleed incident there were estimates that the vacancies to be filled will more than double this year. Supply is not keeping pace. Demand for those with two years or more of relevant experience is estimated to be four times the trainee intake last year, let alone the year before. Those who do not act now to train their own will have difficulty in retaining existing staff, let alone recruiting, as the salaries on offer to those with two or more years experience rise sharply.

Those who recruit graduate trainees also know that they will have to compete harder for the best, diversify the sources they use and ensure they have employment policies that enable them to retain more of those they train.

Your three pronged strategy to turn problem into opportunity

1)    Retain and retrain those you already have in post in the face of offers from consultancies, audit practices and law firms bidding for experienced staff as well as from your peers and your competitors.

Seeking to recruit experienced security staff (often of uncertain quality) on the open market at a time of skills shortage can actually be counterproductive, especially if it also takes longer for outsiders to understand the business than for existing staff, including users, to acquire the skills needed. But effective retention and retraining programmes require organising and supervising rapid, modular skills acquisition, while using trusted contractors to handle those tasks which can be outsourced. Training and apprenticeship contracts, with repayment of costs in the event of departure within two years, are legally enforceable (Strathclyde v. Neal was the test case), but remember that these cut both ways: the training and work experience must be delivered.

An obvious "solution" is therefore to offer apprenticeship contracts to those you wish to retain or redeploy, to fill the gaps in their knowledge, as well as to new recruits, and then volunteer to help review and test the skills frameworks for the apprenticeship programmes being piloted via e-Skills as part of the Government Cyber Security Skills Strategy. These are based on bringing together the relevant sections of the main industry skills frameworks (SFIA, IISP, CESG etc.). The published result can be found in the City and Guilds handbooks for their Level 3 and Level 4 diplomas. The City and Guilds handbook covering technical knowledge for the Level 4 diploma maps these onto relevant materials and examinations, including Cisco, CompTIA, Linux, Microsoft, Oracle and VMware qualifications.

I have agreed to help e-Skills identify employers, particularly from the financial services sector to review the new frameworks against their own needs, suggest any necessary extensions and help pilot the result. Early feedback has been very positive although I expect suggestions for extensions and new material to better cover compliance with the identity, authorisation, access control and reporting standards particular to financial services, from the Payment Card Industry standards, through those for fraud detection, money laundering, asset recovery and co-operation with law enforcement, including internationally, to meet the requirements of the Bank of England, the Financial Conduct Authority and regulators and law enforcement agencies around the world. 

I would like to hear (copy to e-Skills) from employers in the financial services industry willing to work with their peers and their suppliers to help ensure that the frameworks do indeed meet their needs, particularly from those wanting to use participation in the pilots to help recruit and retain their existing staff and their 2014 recruitment intake. I still have some places available at a couple of round tables next Monday (28th April) on the eve of Infosec to identify those interested in working together and expect to organise more.

That leads me to the second strategic prong.

2)    Try before you buy, using active participation in careers, work experience and internship programmes to pre-select better prepared and motivated trainees from school, college and university and position your organisation as an employer of choice, assessing potential employees outside an artificial interview situation and letting them see what life will be like working for you.

Those who complain about the quality of recruits, but do nothing to help improve their attitudes and abilities and better inform their study and career choices, have only themselves to blame for the quality of those available for them to select. Those who engage locally, not just nationally, providing mentoring, work experience and internship opportunities, also acquire the opportunity to choose from the best without having to pay upper quartile salaries. Those willing to offer flexible working conditions for mature entrants and returners can also expect well above average retention rates for those they retrain.

There is a wealth of programmes to help educate potential recruits and make advance contact with the brightest and best - from the Computer Clubs for Girls (I have blogged before on why women are better suited to information security than men) that reach over 150,000 girls from over 4,500 schools, through careers materials such as the Secure Futures section of the e-Skills "BigAmbition" careers website and the Behind the Screen for the curriculum and mentoring programmes such as Cyber Champions and the STEM Ambassadors programme, to the Cyber Academy internship programme, which publicises opportunities of 3 - 12 months for undergraduates taking IT-related degrees or postgraduates on specialist Masters courses with employers providing meaningful work, mentoring and a fair rate.

The competitions in the annual Cyber Security Challenge are used by a growing number of well known employers to attract and assess entrants of all ages and backgrounds, outside a formal interview situation, for a variety of security related careers. Support for the local and national heats of the competition(s) of your choice is an inexpensive and enjoyable way of also publicising the opportunities you offer to participants.

I have blogged before on the final prong, beginning with how to get support from the board.

3)    Use awareness programmes for all staff and those in your supply chains to build strength in depth as an organisation which protects its staff, its customers and the families of both: The attitudes of your staff towards protecting their own information, as well as that of the organisation and its customers are essential to building trust and competitive advantage, in a world of increasing consumer cynicism. Being seen to be serious about educating your staff and their families in how to protect themselves, as well as the organisation, has a major impact on attitudes and loyalty. Working with those in your supply and distribution chains is also essential to reduce the risks to you and your customers if their systems are compromised.

So where do you go for assistance to turn your skills strategy into an action plan?

"Cyber Security Skills: a guide for business", produced in support of the recent BIS publication "Cyber Security Skills: business perspectives and next steps", lists the main initiatives recognised by Government or in receipt of public funding. I am in the process of trying to summarise it into a short web-based action guide, structured around the above three-pronged strategy, and would be happy to hear from potential reviewers before I put my first draft up as a blog entry in the near future.

Can BT claim a rates reduction for an "unbundled" exchange that has no other users?

Further to my blog calling for readers to input to the Treasury Consultation on Business Rates, I have been asked "what is meant by unbundled?". The example sent to me is Shurdington, which geography buffs will realise should be in the heart of one of the UK's high tech business areas - the "commuter belt" for GCHQ.

It is a very good question. I would be delighted to hear from a reader who knows the answer. If BT has been able to get rates reductions for such exchanges then I would simply say "congratulations on a hand well played". I would also say "shame on you" to those who have not clubbed together to get comparable deals for alternative suppliers. I have no sympathy at all for those who give the excuse of "commercial confidentiality".

Treasury Consultation on Business Rates: speak now or shut up

The Treasury Consultation on the Administration of Business Rates gives a long overdue opportunity for those who believe that innovative broadband suppliers are unfairly treated.

I have blogged regularly on the way in which the business rates system penalises the competitors to BT and how this has come about: a tone list based on fictional costs and hypothetical revenues deterring investment in local alternative infrastructures, while BT's rates bill was coming down.

It was only today that I learned of the impact of SI 2008/2333, which reduces BT's rates bill every time a line is unbundled. This is indeed odd, given the revenue that Openreach derives from unbundled lines. Moreover no impact assessment was produced because "no impact on the private or voluntary sectors is foreseen". This is odder still, given that the SI was drafted (within DCLG), signed by the Minister (one can imagine what he was told, albeit an FoI request is said to have failed to find any record of this) and approved by Parliament while the Vtesse Case was winding its way through the courts. So much for joined-up Government.

However, enough of the past.

This consultation is an opportunity not only to expose current inequities and iniquities but to suggest ways forward that will help pull through investment in alternative networks and end discrimination against the "hot standby" routings that are essential for a society that is critically dependent on robust and resilient communications.

Remember the rules:

Read the Examination Paper
Answer the Questions Set

and release your answers, together with the reasons for them, to the press at the same time as you submit them to HM Treasury.

This is a very political consultation. Those who keep silent will get stitched up. Those who make a good case for constructive change may well get what they ask for - especially if it leads to increased investment (and thus taxable revenues) at no net cost to the Treasury.

Has Heartbleed done more than Snowden to dent consumer confidence in the online world?

If Mumsnet, which takes the privacy of its users very seriously, has been compromised by Heartbleed, who is safe? Until I read that Mumsnet had been affected, I was planning to say that the incident shows the strength, as well as the weakness, of the open source software that runs the Internet. If the Wikipedia article on Heartbleed is correct, the weakness may have been two years old but it was found, publicised and the source identified rather faster than with comparable proprietary software. However, the source of the weakness, a lack of bounds checking, took me back to the days when I like to think I was competent.

Part of the acceptance testing of any new system when I worked at STC Microwave and Line in the late 1960s was the "peer review". Thus, when I thought my first system was ready for customer testing, I had to put up £5 (£70 in today's money). Any member of the department could then put up 10/- (£7 in today's money) to wreck my system, using any possible means of sabotage - short of actually bribing the operators of our new IBM 360/40. To add insult to injury, failure also meant buying a round for the entire department. The chief programmer warned me that he would lead the assault by finding a weakness in my bounds checking. He failed. The systems analyst for whom I usually worked and the senior programmer in the bay next to me said they were not going to try because they had given their ideas on the short cuts I might have taken to the chief programmer. I drank free that evening with my apprentice "masterpiece" intact.

When I see reports of systems being hacked because of lack of bounds checking and/or buffer overflow I groan at how much and how little the world has moved on. Of course bounds checking is a pain in the butt and it is lovely to have tools to help check that you have done the job, but this is not just a technical gripe.
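As an added illustration of the kind of bounds check the post is talking about (this is example code written for this page, not code from the post, from OpenSSL or from any real protocol; the three-byte record layout is a constructed one): the sender declares a payload length, and the receiver must refuse to copy more bytes than it actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout (an assumption for this example, not any real
 * protocol): 1 byte type, 2 byte big-endian payload length, then payload. */
#define REC_TYPE_ECHO 0x01
#define REC_HDR_LEN   3

/* Copy the payload of an echo record into out.
 * Returns the number of payload bytes copied, or -1 if the record is malformed.
 * The check that matters: the length the sender *declares* must fit within the
 * bytes we *actually received*. Trusting the declared length alone would let
 * the copy read beyond the record into whatever memory happens to sit next to
 * it, which is the class of defect the post is groaning about. */
int echo_record(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL)
        return -1;
    if (rec_len < REC_HDR_LEN)              /* header incomplete */
        return -1;
    if (rec[0] != REC_TYPE_ECHO)            /* not a record we echo */
        return -1;

    size_t declared = ((size_t)rec[1] << 8) | rec[2];

    if (declared > rec_len - REC_HDR_LEN)   /* the bounds check */
        return -1;
    if (declared > out_cap)                 /* output buffer too small */
        return -1;

    memcpy(out, rec + REC_HDR_LEN, declared);
    return (int)declared;
}

/* A well-formed record: declares 5 bytes and carries 5 bytes. */
int demo_well_formed(void)
{
    static const uint8_t rec[] = { REC_TYPE_ECHO, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    return echo_record(rec, sizeof rec, out, sizeof out);   /* returns 5 */
}

/* A malformed record: declares 65535 bytes but only 2 arrived. */
int demo_over_declared(void)
{
    static const uint8_t rec[] = { REC_TYPE_ECHO, 0xFF, 0xFF, 'h', 'i' };
    uint8_t out[64];
    return echo_record(rec, sizeof rec, out, sizeof out);   /* returns -1 */
}

/* A truncated record: the length field itself never fully arrived. */
int demo_truncated_header(void)
{
    static const uint8_t rec[] = { REC_TYPE_ECHO, 0x00 };
    uint8_t out[64];
    return echo_record(rec, sizeof rec, out, sizeof out);   /* returns -1 */
}

int main(void)
{
    printf("well-formed record:   %d\n", demo_well_formed());
    printf("over-declared record: %d\n", demo_over_declared());
    printf("truncated header:     %d\n", demo_truncated_header());
    return 0;
}
```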

Mumsnet runs forums where privacy, security and anonymity really matter, including for those at risk from violent partners and honour killings. If they have been compromised, who is safe?

The recommendations made as a result of the publicity for Heartbleed do not help rebuild confidence: initially "change your password", then "change your password, but do not do so until any infected systems you use have been updated to remove the vulnerability."

Much better and clearer is the advice on the Get Safe On-line website.

Looking at the wider issues of confidence, if Government is serious about wanting more of us to transact with it on-line, then it needs to give far more support to Get Safe On-line as the UK's "first stop shop" for guidance when incidents like this occur. In particular it should fund GSOL to serve as the "public face" of the new UK CERT when incidents like this occur. There is a link on the CERT website, but where is the routine for e-mailing the technical correspondents of the media with a link to the relevant advice on the GSOL website, with guidance on what to do, as a result of the latest CERT alert?


A Confucian perspective on UK Broadband, Spectrum and Cyber Security

I very much enjoyed the discussion at the Nominet "UK Internet Policy Forum" on 2nd April on "The Open Internet and the Digital Economy". The debates were insightful, balanced and nuanced, leading me to new insights on some of the issues, but the "user voice" - whether business or consumer - was not well represented. One of those helping organize policy studies for the Labour Party was there. We found ourselves in agreement on several issues where the Internet community wishes to "educate" its users (alias the majority of voters of left, centre and right) into accepting current business models instead of listening to what they want. Hopefully, we can work together to organise cross-party studies, bringing together users (including business users) as well as suppliers, to address some of the priorities as seen by voters, using the Digital Policy Alliance and its memorandums of understanding with PICTFOR and the EIF.

Another of my opposite numbers, from the days when I was an ASTMS representative on the TUC policy study at the same time as working on a study for Sir Keith Joseph, during the run up to the 1979 General Election, asked the panel what they would like to see in the party manifestos. I later used the opportunity to ask a number of those in the audience what they would like to see. On Friday I received the following from one who has spent years looking at UK and European markets through the eyes of a major Asian technology supplier. I will use the name "David Lee" and reproduce his comments below, without comment:

==========================

Intro and "teach-in" for newbies!

There are 3 key considerations which help to explain Internet and Digital Issues

1 TRANSMISSION - how to get data from one point to another...
2 CAPACITY -  in big volumes
3 PROTECTION - securely, vital as digital data is still easy to copy and to hack

The problems we have stem from the fact that we are trying to run motorway traffic levels over roads, most of which were not designed to cope with big volumes.  The disease of hackers/hacker State(s) is ever present...

If you get stuck, just think Transmission, Capacity, Protection!  This will cure most ills.

Issue 1 - Broadband

1 TRANSMISSION - We need better infrastructure (copper = old).  Fibre is best but dearest.  Radio needs masts and cannot do "big" due to the laws of physics
2 CAPACITY - Copper = small, radio = small/med, Fibre = big!
3 PROTECTION - We have to protect networks and devices or e-commerce dies and CNI threatened

Possible Policy Ideas

•    ABOLISH wayleave taxes to encourage rural fibre "self builds" (we must not alienate rural voters and they are typically anti-mast). By taxing we are giving a "leg up" to all our competitors and this matters!  We also increase congestion - businesses have to move to urban areas to get Broadband, so we upset our own core vote!
•    OFCOM to be mandated to set out the key elements needed to "self build" to help non-specialists ("Let 1000 fibres bloom!" - Lord Carter). 
•    Devise a "free licence" for villages (though they already don't really need one due to general authorizations, we are expecting non specialists to know too much!)
•    Where there is no mobile coverage, allow the villages FREE ACCESS to the spectrum currently licenced to the mobile operators... If after 30 years they have not connected villages then they are responsible for inefficient utilization of a scarce national resource - and planning to coordinate with them is perfectly possible - plus mobile termination on the village's mast could go into a fund for free calls for OAPs (who often vote for us). 
•    Ofcom must be mandated to encourage such developments and simplify interconnection issues - we are heading for free calls anyway and regulators need to keep up or they become part of the problem!
•    Mandate information to be provided on connection types when looking at Broadband speeds - as current stats hide the true problem that there is not enough fibre.

Issue 2 - Spectrum

1 TRANSMISSION - Spectrum is congested so we are having to use ever higher frequencies.  Higher frequencies need more masts because higher frequencies means shorter ranges... but voters want fewer masts not more!!!
2 CAPACITY - Higher frequencies however offer more capacity (tech reasons)
3 PROTECTION - CNI needs its own network - MNO piggybacking is simply placing the whole of the economy at risk.  This is NOT current policy.  Radio, including particularly Wi-Fi, is horribly vulnerable, as are devices.  Networks are normally protected.  The Internet of Things ("IoT")  means that there is about to be a MASSIVE increase in cheap sensors - and it is already happening

Possible Policy Ideas

The future for transmission will be fibre deep into the networks with high frequency radio tails able to carry much data short distances. The division between fixed and mobile networks is bad for everybody and prevents economies of scope and scale and the growth of the Internet backbone which we should be encouraging to create future prosperity. With Machine to machine ("M2M") and device ubiquity, commercial devices may piggyback other devices to complete calls in urban areas not need the same kind of network topology that we have today. 
•    Abolish spectrum pricing - it's taxing the deployment of the very networks we want to see deployed.  Economic efficiency arguments are flawed too.  The emergency services and RNLI need spectrum - but who pays for this society gain? Voters. The emergency services still need a hard shoulder of spectrum just like the Motorway does and current Home Office Policy relies on sharing Mobile networks not designed to cope at military grade resilience plus creates a single point of network failure - a shared mast in a known location... very very bad for CNI and SCADA type services. Maybe 7-8 years out things will change - and this is likely... but NOT in the lifetime of the next Government. Why then is this Home Office Policy?
•    RNLI to be recognised as a special spectrum case - popular measure with voters. Today we charge a charity for spectrum... how can that align with our value system? Political danger here if ignored
•    Allocate spectrum via an independent expert panel NOT OFCOM OR GOVERNMENT, who assess ALL costs and benefits to society in all cases.  One economist, one banker, one politician, one blue light representative, one scientist, one business person... etc (idea needs refining). 
•    MANDATE full national (meaning FULL rural) coverage for mobile networks, especially if in future that may carry CNI services.  If they objected we'd know they were not serious about carrying CNI traffic on their networks.

Issue 3 - Cyber and data Security

1 TRANSMISSION - The fuzzy pink cloud does not exist - it's a bank of very hackable routers in some physical location, not an ethereal dreamland we all imagine and frequently draw to explain it!
2 CAPACITY - Big data analytics means more big brother accusations...
3 PROTECTION - CNI needs its own network.  Data centres, especially offshore, need UK data protection safeguards, cyber security should be a mandatory requirement - along with deliberate network attack stress testing for UK plc

Possible Policy Ideas

Data and Cyber are two sides of the same coin.  We need better protection on devices, in networks at data centres and controls on how the data is used, by whom or when - remember the next Snowden could be here in UK...  If we do not do more and confidence is undermined in e-commerce, e-government, and Internet services including application data snooping, this is a surefire route to disaster.
•    Actively support the EU Data Protection regulation - problem is International in scale and this means we cannot in isolation protect our borders and lift up a drawbridge
•    Mandate devices (e.g. handsets) be shipped with basic security pre loaded. Already done by one company in the Nordics but not UK policy
•    All mobile makers to publish UKCCIS informed advice for Child protection on their websites and to promote it in communications to their sales affiliates
•    UK to DOUBLE its offensive Cyber capability and stress test our own data centres... as well as offshore ones where our driving license, NHS, tax and other records are already held - possible election danger area if no plan in place
•    UK to actively promote bilaterals to build on Seoul Cybersec conference - especially  with India - this improves Internet governance
•    All business to conduct at least one "stress test" per year and all business to be given CESG 10 point plan to protect themselves in an e-format to spread the word
•    Update "cookies" legislation - no-one makes an informed choice on the safeguards now in place, though the intentions were honorable at the time. Champion this in Europe

======================

I would be most interested in readers' comments. So too would "David". He is well aware that Western Internet and Communications "interest groups" share neither the perspectives nor the business models of those for whom he has been accustomed to work: our "long" term is their "short" term.

Ofcom launches consultation on UK Business Broadband Market: your opportunity to make your views known

The very title "Business Connectivity Market Review" of the consultation announced by Ofcom today is measured, and the wording and questions are in convoluted "regulator speak", but this is the opportunity to make your views known. It is, perhaps more importantly, the opportunity for you to work with your peers, your suppliers, your customers, your chamber of commerce and your trade association to make your collective views known and help blow apart the current morass of misinformation as to what is happening in UK business telecommunications, not just broadband, markets - both demand and supply.

Of course you should answer the questions asked, with all the evidence you can yourself give, but you should use the opportunity to answer the questions that are not asked and to copy your answers, together with a succinct summary, to your Local Councillor, Member of Parliament and Local Newspaper at the same time.

Welcome though this review is, you should not allow it to be used as an excuse to postpone debate on the need for action to open up the UK Business Broadband market until after the date for final submissions, 27th May, i.e. after the Local Government and European Elections and after decisions on the next tranche of BDUK funding. You and your peers should use this review as the starting gun for a stampede to trample underfoot those who stand in the way of giving your business, your local business park and your local business community the connectivity needed to survive, let alone thrive, in the on-line world.

A Digital Strategy for Britain: let market forces replace crapband with a world class mesh.

The original definition of broadband was the bandwidth necessary to deliver broadcast quality video to the home by 2002. It was redefined to mean "always on internet" when the Labour Government introduced "Local Loop Unbundling" to protect the US bondholders of NTL and Telewest from taking a haircut - because their fibre roll-out had fallen so far behind that of BT. Lord Carter said that was one of his finest achievements. As a lobbyist it was. But it nearly bankrupted BT, destroying its business strategy and leaving it massively overstretched, so that only now, with over a £billion of state aid, is it approaching where it had planned to be in 2002.

Meanwhile the rest of the world has moved on.

Last Monday the Digital Policy Alliance organised a Parliamentary Briefing in co-operation with the European Internet Foundation and Digital Business First (who I thank for use of the cartoon above) on the theme of Mobile and Broadband: what your Constituents would like to know.

That meeting was notable for the juxtaposition of alternative realities and visions of the future. The contrast between the EIF Vision of the future, "The Digital World in 2030", and the current UK position as seen by Digital Business First in their report "Britain's enduring Broadband Deficit: A divided nation - time for an effective plan" could not be more marked. I was also reminded of my personal reaction to a previous exercise on "The Digital World in 2025".

Amidst claims from Ofcom, DCMS and Cabinet Office that the UK is powering ahead into a world of Digital by Default, one of my regular contributors drew my attention to the press release for last year's Oxford Internet Institute survey "More than half of the British people who use the Internet do so without enthusiasm". Perhaps they share the views of a speaker at a security event yesterday who said that the only certain prediction is that within five years something will cause the US-centric Internet to go down for three or four days and you should not be caught out when it does. I suspect that sooner or later the sheep will begin jumping the walls and try more seriously to escape the world of ubiquitous on-line surveillance and cyberfraud into a world of off-line, tax free barter. I am delighted to note that Microsoft has recognised the danger and announced a fundamental change of policy in the light of the reaction to publicity for its monitoring of e-mails.

Since 1977, when I left ICL to join the Wellcome Foundation as a corporate planner, I have always looked at technology from the perspective of the victims, alias users. At Wellcome I had to try to get reliable service from suppliers, including telcos, around the world, including those seeking to sell us supposedly seamless global services. Then as Technology Assessment Services Manager at the National Computing Centre I had responsibility for "End User" computing, including the Microsystems Centre and the attempts to provide realistic guidance to SMEs,

Why are the British so unenthusiastic about the Internet while they are among its biggest users?

But more interestingly:

Why are IT suppliers, including Telcos and ISPs, so reluctant to listen to their customers?

The answer may be found in industry reactions to the current Which? campaign on broadband speeds. The suppliers appear united in the view that those who complain are ignorant muppets who do not understand, appreciate or properly use the services they have been sold. There appears to be little or no attempt to measure what they actually receive - at the end of a supply chain of websites and servers, transmission lines, routers, PCs, operating systems, browsers, security and applications software.

Is the poor user experience because they are on cheap, unbundled and overloaded crapband, circuits that are delivering well below the claimed performance? Is it because they are on elderly and slow PCs with limited storage? Or is it because they have listened to all the security advice and keep their operating systems, browsers and filters bang up to date, so that these spend their time arguing with the surveillance bloatware that is inserted whenever the user visits an advertising funded website?

Meanwhile the pace of market change is beginning to accelerate. Amazon is invading the video streaming market. Google is invading the Cloud. BT wifi has invaded the mobile markets. Huawei is about to show the West how a 4G Mesh can transform a community. And so on.

But is it growth or churn?

Are the major players (from Amazon, Apple and BT, through Google, Microsoft and Netflix to Sky, Virgin and Vodafone) competing for static (or even falling) household spend on a mix of communications and content (including fixed line, mobile and entertainment subscriptions and pay as you go)? Is their "growth" merely a transfer of advertising spend from traditional media? Will the off-shore download market survive the imposition of VAT in the budget? 

And what about the needs of UK business for seamless connectivity if they are to remain globally competitive?

Nations whose Digital Policy is other than "pull your regulatory finger out and allow the markets to drive" appear set to be left behind when we are taken unawares by new players who have taken a cool look at what paying customers actually want, instead of asking investors to fund more of the same. I have regularly blogged on the need to allow market forces to compensate for regulatory failure - with officials focussing their efforts on actual abuse, including anti-competitive behaviour, particularly that against smaller players, new entrants and innovators. This is now urgent. If we do not act soon we will remain, as we have become, a latter day Cannery Row, surfing the cybercrud. It is no accident that the UK, which spends more on-line than the rest of Europe, has the lowest indigenous market share and biggest problems with abuse over off-shore services.

The good news is that, in the wake of the crumbling of confidence in US-based operations, we are seeing players like Google, HP and IBM moving data centres as well as development staff to the UK. In looking at forward policy we need to build on that opportunity and ensure that our on-line balance of trade in services becomes as healthy as that in off-line services.

That means a more constructive and "nuanced" set of policies than is currently under debate, so that the UK becomes the global location of choice for trusted on-line services. That cannot happen unless we have reliable, secure and resilient broadband that is fit for purpose, serving locations where those who could be based anywhere in the world would like to live.

Hence opening the way to allow market forces to expedite the replacement of copper "crapband" by ubiquitous, high speed, world class, continuously evolving mesh infrastructures has to be at the heart of the forward digital policy of whoever hopes to win the next general election. If it is at the heart of both Conservative and Labour policies (just as Telecoms Liberalisation was built into both Conservative and Labour policies during the run-up to the 1979 election), then perhaps we can give investors the confidence to bring the necessary implementation forward.

On Monday I am due to stand down as Chairman of the Conservative Technology Forum, although I hope to continue as Vice Chairman in charge of policy studies. I will be making this point in my report and hope to have it included in my terms of reference going forward. Obviously we will be going for "thought leadership", but leadership is of little value if others do not follow. And if they are fleeter of foot ...

My blog describing Bletchley as where "Women won the War" has, not surprisingly, come in for some flak, including over the numbers. The "roll of honour" lists only those, slightly under 10,000, known to have worked on crypto and sigint, including the outstations. It does not include those running the site, including the provision of security. It does not include the Americans: several hundred from the US Navy running the UK end of the massive twinning operation that continues to this day.

Of the 9,500 listed, just under 7,000 were women.

Many of the entries are cryptic, to say the least, but they show clearly that the women were not just running the Bombes, Colossi and decoding machines, doing what they were told.

They ran many of the key analytical functions, using techniques that have never been declassified because they remain at the heart of what GCHQ and NSA does today. These include several "big data" techniques which Google and others are said to have patented over the past decade or so, not knowing they were already over 50 years old.

The women also provided many of the main crypto breakthroughs.

The big difference between the women and the men was that the former (like the Americans who also served at Bletchley) never felt the need for public recognition.

All that we know about Bletchley comes from a small group of men. I will not compare them to Edward Snowden because they sought and obtained clearance for what they wrote. But you get my drift.

Hence my comment that Information Security is an unsuitable job for a man, and my strong support for plans to organise trips for schoolgirls to visit the Museum of Computing at Bletchley (not just the theme park with its comfortable and patronising male mythology) and start preparing for the jobs of the future: securing a society that will be critically dependent on the security and resilience of complex systems and networks. Jobs too important to be left to men.

Google shows the NSA how to make surveillance socially acceptable - with a £30 TV Dongle

| 2 Comments | No TrackBacks

Do read the press cover on the launch of the new Google Chromecast TV dongle. In my blog entry on the breaking of the "Social Contract" that underpins public acceptance of the way the Internet works, I mentioned the reaction at a CTF meeting when we learned that smart TV licences require you to give permission to transmit data on your viewing habits to anywhere in the world. The gathering pace of the convergence of the worlds of the TV, mobile phone, personal computer and Internet, often with no off-switch to protect against 24 by 7 surveillance, is now truly transformative.

The volumes of data which threaten to seriously overload our current telecommunications infrastructure and clog wifi capacity put debates over broadband policy, net neutrality, privacy and surveillance into a different context. I have not had time to blog over the past week because I have been trying to draft possible terms of reference for studies to look at the political consequences. The hardest has been that for the study on how to balance privacy, security, consumer choice and a seamless Internet with the aspirations of suppliers to have contractual control over data on their customers' usage (for commercial purposes) without making that data available to law enforcement to take action when they fail to protect their customers from criminal abuse.

The members of the "Reform Government Surveillance Group" have taken the collection of data on our on-line behaviour to extremes beyond the wildest dreams of state surveillance operations, and most consumers appear happy to agree, in return for cheap access to on-line content. That has many consequences, and their public statements need to be compared with their contractual practices.

To illustrate the direction in which they are leading debate, I would like to juxtapose the Microsoft claim that it is entitled to examine Hotmail traffic to find a leak with what happened when a former Deutsche Telekom security manager undertook similar activities over their networks, also to identify a leak. He went to jail [see footnote].

If the "difference" is "merely" that between US law and German law (including the EU Data Protection and Telecoms Regulations) then the Balkanisation of the Internet is only a matter of time, unless and until the members of the Reform Government Surveillance Group help lead the way towards a new global Internet social contract. The current "contract" reflects the hopes and fears of a generation of software engineers whose political views (we good, them bad) were formed during the Vietnam war and the side they took during the protests against that war. But Google and its peers have since taken the technologies of big data and surveillance (pioneered by Bletchley and Fort Meade) to a nature and scale that dwarfs the operations of GCHQ and the NSA.

I happen to be content to use Google and Microsoft products and services, despite their monitoring operations. But I would have far more trust in those services if they provided better and faster access to law enforcement to help protect myself and my family from those who have gained access to their data, whether legally or not, in order to impersonate, defraud or otherwise abuse us. My (qualified) trust in the political and commercial impartiality (more or less) of UK law enforcement working in partnership with industry to protect me does not, however, extend to that of the United States (more "democratically accountable" and therefore more leak-prone and politicised) or other (Roman Law) members of the European Union, let alone other parts of the world.

I would like to think that, provided others share that view, there is an opportunity for the UK to take a lead in rebuilding trust in the on-line world. But, if so, the reconciliation of that approach with a globally seamless Internet, not just technology-assisted arbitrage across regulatory boundaries, will depend on the stance taken by the members of the Reform Government Surveillance Group. I would particularly like to see them collectively fund and publish serious research into the attitudes of consumers towards security, privacy and choice and how their business models reflect the priorities of their customers, not just their employees and shareholders.

Why should they do this?

If they do not, their current share prices have reached their zenith and will more than halve over the next five years, whether or not the UK is capable of taking the necessary lead, because "the times they are a-changing".

FOOTNOTE 29th March: Microsoft has changed policy in the wake of the reaction to publicity for this case.

The internationalisation of the Internet begins today: ISOC notice on ICANN sessions on transition and accountability

| 2 Comments | No TrackBacks
Last week the US government formally announced that it was giving up control of the addressing system of the Internet. Yesterday I received the e-mail below from the Chief Executive of the Internet Society. I take this opportunity to remind you why you should join ISOC if you are serious about wishing to influence the future of the Internet:

=======

Dear Colleagues,

Last week the National Telecommunications and Information Administration (NTIA) of the U.S. Department of Commerce announced that it has asked ICANN to convene global stakeholders to develop a plan for transitioning the current role played by NTIA in coordination of shared Internet resources through the Internet Assigned Numbers Authority (IANA).

In many ways, the U.S. Government has been preparing for--and the Internet community has been working towards--this moment since 1998, when ICANN was established and was awarded the first IANA contract. The US Government has played an important role in guaranteeing the security and stability of the Internet, and we believe the criteria set out by the NTIA for the transition plan provide an important framework for the work ahead:

+ Support and enhance the multistakeholder model;

+ Maintain the security, stability, and resiliency of the Internet DNS;

+ Meet the needs and expectations of the global customers and partners of the IANA services; and,

+ Maintain the openness of the Internet.

The Internet Society was recognized as one of the key Internet organizations by the NTIA statement. The Internet Society has consistently advocated for the US Government to complete the transition of its stewardship role to the global multistakeholder community. We have previously submitted comments to the NTIA, and recently joined with the leaders of other Internet organizations in the Montevideo statement calling for the globalization of the IANA functions.

The global Internet community now has an opportunity to further strengthen the multistakeholder model. We can ensure the continued evolution of the IANA functions and security of the Internet. And, we can establish a framework that is accountable, transparent, bottom-up, and sustainable over time.

We have much work ahead of us. It is critical to the future of the global Internet, and important to get it right. The Internet Society is looking forward to working with ICANN and all other stakeholders, and to supporting our community's engagement in open and inclusive processes. We are committed to an Internet that remains managed by distributed collaboration. This collaboration has been key to its dynamic and resilient growth as a platform for innovation, communication, and economic development.

On Monday, 24 March 2014, ICANN has scheduled two sessions entitled "IANA Accountability Transition" and  "ICANN Accountability".  Both sessions will be audio streamed in a number of languages.

We have set up a dedicated email list for the Internet Society community, and invite you to subscribe.

We will look forward to your input and ideas, and will be working to actively engage you as developments and discussions progress.

Kathy Brown

Have you sold your on-line soul for a mess of pottage?

| No Comments | No TrackBacks
See my next blog entry. It is not just smart TVs that require you to agree to global surveillance by your technology or service provider and those to whom they decide to provide information. Do you care? What are you going to do about it? I am currently grappling with drafting the terms of reference for a Conservative Technology Forum exercise to look at the consequences and find a way forward based on mixing consumer choice and democratic accountability.

The Broadband Blue Tape Gambit: guest blog from Hamish Glenlivet

| No Comments | No TrackBacks
Hamish Glenlivet (looking at the broadband scene through the bottom of a glass while waiting for a snail-mail attachment to download) drafted a response to tell me that my blog entry forecasting the breaking of the broadband logjam was far too optimistic because of the blue tape, not just red tape, that binds that logjam together.
 
I am always happy to accept material for guest blogs, whether the authors wish to be attributed or, as in this case, pseudonymous. In the latter case I will not disclose their identity unless requested by a court or a Select Committee sitting in private session (unlike one former Computer Weekly journalist, I will not risk going to jail, or to Strasbourg, for my sources). This is, however, a moderated blog and I might change my mind if faced by a well-argued submission to the Press Complaints Commission, although I would much prefer to give a right of reply.

Back to the material from Hamish, which I have edited slightly for clarity (and added a few links) while trying not to change the sense.

====================================

He defines "Blue tape" as "the structural spaghetti that large corporates use to tie-up the Public Sector, Regulators & SMEs". 

"With weak regulation, these corporates end up dominating their chosen market.  BT, the BBC as well as Sky and Virgin Media are expert practitioners and the laissez-faire attitude of the current government is similar to that shown by many of the Western Governments to the bully Putin over the Ukraine: "Live and let live - and all will be well."  [his thoughts, not mine].
 
"The real issue is lack of vision and of strong and fair regulation.
 
So long as Ed Richards stays in post (and where else is there for him to go?), then we will continue with a telecommunications industry where BT, the BBC and the other, large corporates keep their place through Blue Tape and cash flow manipulation: forcing SME suppliers onto skewed contracts and 60 or 90 day payment terms - just as the big supermarkets do to their suppliers.
 
The underlying problem has been created by the Financial Services industry who reward companies that "roll-up" a sector through acquisitions.  This knocks-out the Medium-sized businesses you find in balanced markets (like Germany) and creates the "too big to fail" mentality.
 
It will take more than the incumbent coalition government or any fuzzy-thinking from the Labour manifesto (the LabourList Blue Tape blog entry reads well but links to 90 pages: the "recommendations" from which could probably be stated in 90 words) to change this imbalance.  But, if we do not address it, we will continue to have successive governments locked in the headmaster's office, unable to manage the bullies and gangs that have taken over the classrooms and playgrounds.
 
We obviously don't want a war in the Ukraine - or between the government and the private sector - but we do need a more proactive and visionary regulator for the telecoms and media sectors that will do the right things to create truly competitive, fair markets that are not dominated by playground bullies.  I hope that, within the next five years, we have a government that not only stands up to Putin, but also stands up for its own position against the large vested interests that tie up their customers and suppliers in what the Labour Party calls Blue Tape".

======================================
 
I note that Hamish has no more love for the Labour Party or its Telecommunications Apostle than he has faith in the current Government to do better. His comments, however, reminded me of the material I received for a guest blog on regulatory reform that was sent to me by his equally robust cousin, "Jardine Glenlivet", another Scots ex-patriate. Jardine helped create and enforce regulatory frameworks for some of the critical infrastructures serving the high tech, high growth industries of the Pacific Rim:
 
======================================

"The Need to Reduce and Simplify Regulation: The dangers of "Comfort in Complexity". 
 
•    Government must take a stand on reducing the flood of regulation in almost all sectors, both in terms of the number of regulations and, most importantly, in the way they are presented.
 
•    There is an accelerating trend towards more regulatory verbiage causing business, from main boards to SMEs to spend more time on compliance than on running the business, let alone identifying and managing the most serious and important risks they face.
 
•    Flooding business with compliance verbiage increases the risk that operational managers may miss something important or critical in the detail. THICKER MANUALS INCREASE RISK, NOT REDUCE IT.
 
•    Tough rules and laws may be required, but short sharp checklists should replace most of the prose and will help all concerned watch out for what is critical.
 
•    All those proposing new regulations should be seen to make a cost/benefit analysis, to determine whether the change meets the objectives intended at less cost than that which it seeks to replace.
 
•    Academics, consultants and lawyers who charge by the word or hour have no place in drafting. Those responsible must practise the art of précis so that regulations are short and sharp. They must learn to KISS: keep it short and simple. They must also aim for quality not quantity. 
 
•    Regulatory material should be better laid out with less wasted space on each page and no large logos. The Department of Education recently made a good start when they cut health and safety guidelines for schools from 150 to 8 pages. 8 pages will be read. 150 pages will sit on the shelf.
 
•    Any regulation intended to be read by main board directors or the proprietors of small firms should be no more than 2,000 words. Some comparisons may help focus the mind:

a. The Ten Commandments - 336 words
b. American Declaration of Independence -1,344 words
c. EU Regulation on Exportation of Duck Eggs - 28,911 words

==============================

Jardine's comments were as crisp as the 500 to 2,000 word regulations that he helps draft and enforce in other parts of the world.

That raises the question of how we might achieve "The Glenlivet simplification" in the UK and across the EU - short of getting it included in the UKIP manifesto.
 
I suggest beginning with an attempt to get all-party support for a Ten Minute Rule Bill which states that only the first 2,000 words of any Statutory Regulation or any Public Sector  Terms & Conditions or Contract should apply to organisations with under 10 (or 20) employees or the 25% of contracts supposedly to be awarded to SMEs.

Everything else should default to common law and legal precedent.

Those who think such radical simplification impossible should recall the exercise to produce the original VAT return (one side of A4 because everything else is on file), the DVLA vehicle tax renewal system (simple because everything save for the payment should be on file, with only updates needed) and the Scottish (as opposed to English) rural payments system.

P.S. Such simplification could/should also be applied to complex public sector IT-related procurements, specifying the use of organisations like CEDR instead of contractual gobbledygook. The first really complex contract negotiation with which I was professionally involved at a senior level ended up with an exchange of letters between the Finance Directors of buyer and supplier, totalling barely 1,000 words, which voided the standard contractual terms of both organisations.

Neither had faith that their legal advisors could agree a form of words that reflected their concerns and those of the teams of engineers who had been looking at how to achieve the agreed objectives, given changing markets and technologies. They decided it would be much simpler to rely on a simple statement of the high level objectives and constraints (on both sides), common law, an arbitration clause and a break clause for use if the objectives changed.

Barely six months later the break clause was used. Changed business needs enabled a much simpler solution before either side had committed resources beyond starting to recruit and train the implementation teams - by far the longest task on the critical path! [whose neglect is still the second most common cause of major systems failure].   

Agile is not enough, neither is "systems integration" - we need a new approach to Digital Government

| No Comments | No TrackBacks
John Alexander and I have been exchanging e-mails over my analysis of the tensions between Cabinet Office and the "Silos of State" over the way forward for the delivery of public services, including how much of the problem is technology and how much is a matter of arguments over technology being used as proxies for disputes over power. Instead of accepting comments from him to some of the relevant blog entries I have asked John to summarise his argument in a guest blog:

================================= 
The Universal Credit programme is a microcosm of the situation in Digital Government in the UK today, in that there is an unresolved dispute as to which of two, very different, approaches should be deployed. These approaches are agile development, advocated by the Government Digital Service and systems integration, advocated by the oligopoly of global suppliers. To make matters worse neither of these approaches delivers a solution that maximises the potential of the Web.

However, there is a third approach that does maximise the potential of Web.

[Figure: "Agile is not enough"]

The current situation and rationale for change are as follows. Today, the UK Government is heavily dependent on application software, the value-adding component of digitisation, for the day to day running of public services, as shown in the bottom-left of the figure below. These applications are now old, expensive to support and hard to extract further value from, witness Connecting for Health and Universal Credit.
 
If we look at it from the citizen's perspective then we are passive recipients. These applications were designed before the Web, and although there are examples of self-service being bolted on to some of these systems, e.g. tax self-assessment and booking healthcare appointments, they were designed for the supplying organisations, e.g. HMRC or a hospital, rather than the citizen.
 
Compare this with eBay and facebook. Their applications have been designed around the individual as an active participant within a virtual community, trading and social networking respectively.
 
With ubiquitous Web access it is now time to create virtual community applications for public services based around the citizen, e.g. replace the myriad of General Practice, pharmacy and hospital applications with a healthcare application designed around the patient. This democratises public services, makes them more effective for service providers and reduces IT costs by over 90%.

Neither of the current approaches to Digital Government bridges the fundamental design discontinuity illustrated above. As a result, today's approaches can never be as effective, efficient or democratic as the new design.
 
It is essential to start again with new application software to release and enhance the massive value currently trapped in the legacy applications.
 
Unfortunately, the participants in the agile development versus systems integration battle are too caught up in the fray to look for alternatives.
 
Let's celebrate the 25th anniversary of the Web by using it more effectively to deliver more efficient and more democratic public services.

=================================
I am happy to accept comments which I will forward to him if they are not in the form of open postings.


What is the difference between John Wicks (expenses database) and Edward Snowden?

| No Comments | No TrackBacks
I have just been asked the difference between John Wicks (the former anti-terrorism team leader who leaked the MPs expenses database to the Daily Telegraph)   and Edward Snowden (who leaked the NSA/GCHQ surveillance processes to the Guardian) - apart from twenty years and active military service.

My answer was "hmmmmm".

Are we moving towards an on-line democracy where everything is potentially knowable to everyone, or towards "the dictatorship of the sysadmins", with the masters of big data (such as Google) providing rather more comprehensive (and privatised) surveillance and censorship operations for the J Edgar Hoovers and Francis Walsinghams of today?

In that context we need to take a cool look at the developing roles of BDUK and Ofcom and their crablike progress towards the creation of a Fabian (alias Orwellian) world of "co-ordination", planning and regulation in which they work together to protect national "champions" (like BT and the BBC)  against both global players (like Liberty, Sky and Vodafone) and local enterprise (Commercial, Community or Municipal).

The politics of broadband, broadcasting, censorship, competition, net neutrality, surveillance and subsidy have under-currents that may well be taking us in directions that are very different to the public claims of the various players. Those who believe in freedom of choice, competition and open government may well have an even harder road ahead than they think.  
The long overdue debate on policy towards the all-pervasive surveillance of our on-line activities is finally under way. On Monday morning the Shadow Home Secretary moved on from the "trust us" policy of the last Government with regard to state surveillance. On Monday evening a Conservative Technology Forum round table identified a clear way forward with regard to improving the governance of the surveillance done by the state and law enforcement, but not with regard to the more frightening situation regarding the private sector and consumer devices. It heard that the terms and conditions of widely sold smart (i.e. Internet-enabled) TVs include permission for data on your viewing habits to be transmitted to anywhere in the world. It was told of the break-up of a couple after a friend warned them of the default tracking settings on their iPhones (they took a look and it became apparent that one of them was spending rather a lot of time at a particular location when they said they were ....). 

Forget the NSA and GCHQ. This is getting personal and serious. Big Brother is all around us.

Then on Tuesday morning the Deputy Prime Minister announced an Obama-like review to be led by the Director General of the Royal United Services Institute.

This juxtaposition of events is not coincidence.

The Internet Engineering Task Force (the engineers who agree the technology processes that enable the Internet) are meeting this week, in London. They are accompanied by their collective conscience, the Internet Society. On Tuesday evening both met with politicians from the three main parties in Westminster to rehearse the arguments currently under way.
[The video and audio recordings on the meeting are now on-line]

What emerged, including over drinks in the Marriott afterwards, was more profound than I expected. The way in which the Internet operates is based on an implied social contract between 1,400 engineers (and their employers) and 2 billion users. That "contract" has not kept pace with the evolution of the Internet. It is now broken. It is up to "who?" to fix it before the consequences cause business and regulatory models to unravel - as users withdraw their consent to be treated as commodities to be bought, sold and told what to do, with no effective voice or choice. 
 
The Orwellian Society is with us. The screen we carry (our Smartphone), let alone the one in the corner (the Smart TV or Laptop/PC, now with its built-in video camera and microphone) is spying on us for whoever will pay (or can hack into the systems of the supplier or ISP). A little bit of legislative tidying and some transparency for the existing governance procedures of GCHQ will probably do wonders for rebuilding faith in the procedures followed by the security services and law enforcement as they seek to help protect us. It is, however, quite another matter to retrofit effective governance to all those private sector suppliers who claim the right to monitor what we are doing, and where, over the devices or apps we have acquired from them.

In the meantime those who care about their security and privacy have to set about protecting themselves.

Press cover for the recent Mobile Threat Report from Webroot, with its bland advice on how to handle very real threats, comes on top of yet another Guardian scare story on the evils of GCHQ, implying that the supposed pederasts of Cheltenham are a greater threat than the insecurity of information passed to Guardian journalists, whether via Edward Snowden or others. [I should add that I recently attended a meeting on intelligence-led security at which we heard of the scale, nature and success of well-targeted hacking attacks on the media and their lack of preparedness for handling the consequences.]

Meanwhile the Drum story on the damage to Last Minute.com illustrates the impact when a search engine censors traffic using the excuse that descriptive terms used by rivals to its subsidiaries are also used by nasty people. This links to the point made, towards the end of the recent UK Internet Forum, that we should look at the need for effective governance (and effective redress) for internet blocking services that are applied in the UK but based in the United States.

Meanwhile guidance on good practice with regard to protecting corporate systems in a post-Snowden world with a "bring your own device" culture nearly always omits the identification and registration of the trusted computing components (TPMs and the like) built into most modern distributed devices, from phones to printers, let alone tablets, PCs and self-encrypting drives.

Is it because this approach enables dramatically improved security at greatly reduced cost, thus wrecking the business models of much of the security snake-oil industry?

Or is it because the spread of "encryption by default" greatly weakens the content scanning and surveillance operations that support advertising-funded business models, not "just" those that support the state security services?

"Both" was my conclusion after the recent Real Time Club Debate. My blog entry on the recent sale of NHS data contains a reprise of my opening arguments. I would not, however, dare incur the wrath of colleagues by reprising the off-the-record arguments that followed, other than to say that, given the wealth of security technologies that are not being promoted or deployed, the conspiracy theorists have a very good case.

There appears to be a similar "conspiracy" to avoid covering the protection techniques that can be used by individuals to protect themselves, such as those covered in my recent guest blog from John Walker, ranging from simpler to more complex "solutions".

Instead we have impractical and/or meaningless advice. How does the average user identify whether a website or app is trustworthy - as opposed to one which pays fees/royalties to their ISP, Search Engine or their major customers?

I do not believe we can wait for the next generation of Internet-savvy youngsters to fix the contract that their parents' generation has broken. We cannot (and should not even try to) "educate" them to respect the hypocrisies we have adopted.

So what are YOU going to do about it?

I joined ISOC back in 1995, during the run-up to the Atlanta Olympics, the first major event to have the Internet at its heart. I was persuaded that sooner or later it would develop into the governance body that would be needed. I have been disheartened many times over the years, but the very fact that it was an ISOC event last night that triggered this blog gives me heart that at last .....

Those I talked with from leadership team do indeed recognise that we need far more than introverted national debates about the regulation of our own state surveillance services, important thought those are. I therefore recommend you join as soon as their relaunch gets under and help with what will not be an easy task.

In the mean time I also recommend you help the political party of your choice to understand what is at stake and why they need to act. The Conservative Technology Forum meeting last Monday identified a balanced and well-informed group of volunteers to not only lead its study but also to review the recommendations for sustainability as technology structures and business models continue to evolve. I hope that it will prove practical to co-ordinate that work with similar teams looking at the issues in other parties, probably via the all-party Digital Policy Alliance, using its memorandums of understand with PICTFOR in the UK and European Internet Foundation in Brussels.

Remember the motto of this column: the silent majority gets what it deserves - ignored. Please do not be silent.
Is the great broadband logjam about to break? If so, who will be swept away?

The weekend press cover for the impact of broadband on house prices came just days after DCMS updated its website on the various funding programmes and the Public Accounts Committee said that BT should be given no new money until it has better accounted for what it has already received. Meanwhile Ian Grant has drawn attention to a Broadway Partners event on innovative funding models, timed to help Local Authorities and Community groups who are scrambling to meet March 31st deadlines for bids for public money before it reverts to Brussels.

Why is momentum gathering?

Probably because estimates of the impact of broadband on property prices have risen from "up to 5%" to "up to 20%", thus rubbishing previous claims that there is no real business case for fibre to the premises.

The case for leapfrogging BT's deficit funding model for fibre to the cabinet was neatly summarised by a Ventura speaker last year. The Rightmove Broadband Checker and the way in which those agitating for better broadband are beginning to make the necessary information available to their communities indicate we may be on the cusp of change: with market forces riding to the rescue of regulatory failure. It will probably not be long before a commercial consortium sets about fine tuning the correlation of property valuations and broadband speeds in order to target their pitch for selling fibre to premises on those who will benefit most.

The death of the South Yorkshire Digital Region, arguably killed off by BT's spoiling tactics including the promotion of Plusnet as "Good honest broadband from Yorkshire", should not be used to make the case that a Council is safer with BT. The fibre to the cabinet model now appears likely to be leapfrogged, in short order. Its competition is no longer just Virgin Media. Newbuild players like Hyperoptic (who appear about to acquire code powers) will increasingly offer bulk deals for fibre to the premises to property developers and housing associations. Meanwhile Gigaclear, having so often been screwed over on recent rural broadband projects (while winning those which go to open procurement), appears to be exploiting its link-up with Fluidata to offer equally attractive deals to the business parks and commercial centres who are being left out of the current FTTC rollout as BT seeks to preserve its leased line business. In that context I note that the enablement of the exchanges serving Wapping and Whitehall has slipped by at least three months (to March 2014) and the exchange serving Smithfield is now "under evaluation".

But BT has not been idle. It is now a serious contestant in the fight to provide backhaul for the urban wifi networks that already carry over 80% of mobile data traffic. Thus it recently won the Glasgow contract to provide services for the Commonwealth Games akin to those which O2 provided to Westminster and Kensington and Chelsea in time for the Royal Wedding and the Olympics. I am told that the same consultancy (not one of the big names but the kind of SME that HMG say it wishes to encourage) advised both Westminster and Glasgow and is currently helping others get value for money, from whoever makes the best bid to meet their needs: one size of package does not appear to fit all for either supplier or buyer.

In that context, there are repeated allegations that BT is using its BDUK contracts to cross-subsidise "commercial" fibre to the premises, as in Dolphinholme. That may be unfair because it supposedly had to lay the fibre anyway to service a new 4G mobile mast. If that is correct it, in turn, raises questions about where and why state aid is really needed, given the way that markets are changing.

Meanwhile, it should be a no-brainer for the government to enable and encourage landlords, property owners and tenants to club together to cover the cost of providing "fibre to the flat" and "fibre to the workshop" where this is less than it adds to the value of homes or business premises. It risks handing thousands of votes in marginal constituencies to the opposition if it fails to do so. And that is before considering the electoral (as well as moral) value of facilitating the provision of "real broadband" to those in social housing at risk of social exclusion (see "How Rural is Shoreditch").

I remind readers that this blog is called "When IT Meets Politics" for a reason.

In US pork barrel politics it is common for candidates to use broadband plans to win the support of those concerned about jobs and property values in their constituency. We may be about to see the first local government elections in the UK where the broadband vote becomes a serious factor.

Those at risk, when the logjam finally breaks, include politicians and regulators as well as those caught defending obsolete business models and technologies rather than finding niches and/or surfboards (large or small) which will survive or ride the waves of change.

How rural is Shoreditch, our supposed technopolis?

There is currently a rush to bid for broadband funds which evaporate on March 31st, with events being organised to help Communities and Councils get better value for their contributions to investment in infrastructure. Meanwhile "to those that have shall be given and from those that have not ..."

Last year J. Small posted a comment on my blog "How Rural is Smithfield". She has just sent me a copy of a letter she has sent to her MP, which I reproduce below.

The answer to her first question, "Why are DCMS officials forwarding correspondence to BT to respond to?", may be quite simple. The e-mail addresses used for the departmental official and for the Minister's parliamentary office appear to have been out of date. The e-mails may well not, therefore, have found their way into the normal routine for handling departmental correspondence. Even if they had, the department would almost certainly wish to contact BT to check the facts or provide comment before drafting a reply for the Minister to send. Given the controversies over broadband I would expect the department/minister to receive hundreds of e-mails per day. DCMS has fewer staff competent to respond on such issues than Ofcom, let alone BT. I would therefore be surprised if BT were not able to respond more quickly.

More interesting are the reasons for the inability of DCMS to take more effective action against apparent anti-competitive behaviour. Ministers cannot give orders to Ofcom about how to do its job and Ofcom has decided on a rather less robust interpretation of its powers than its predecessor, Oftel. I have blogged before on the differences between Ofcom's statutory duties as they appear on its website and as they appear in the Communications Act 2003: particularly the omission of factors to which the Act says Ofcom should "have regard", from promoting competition and investment to considering the different interests of different ethnic and geographic communities.

I would draw particular attention to Section 5 of the Act: "In performing their duty under this section of furthering the interests of consumers, OFCOM must have regard, in particular, to the interest of those consumers in respect of choice, price, quality of service and value for money." Those differences, which complemented the policy of the previous government to preserve the BT local loop monopoly until Virgin Media was in a position to compete, help explain much of what has happened since.

Meanwhile Ofcom's inability to hold BT to account with regard to the charges it makes to its resellers is illustrated in the small print of relevant NAO reports; I recommend that you read pages 6 and 7 of Volume 2 of that on the Impact of Investment on Consumer Bills. The problems were not only predictable but predicted. They were the reason that previous Conservative Government regulatory policy focused on price and behaviour, not fictional calculations of return on capital.

I ask you to bear this preamble in mind when you read the letter J. Small copied to me and some of the activists of INCA:

=======================================
Queries to an MP, Friday 28 February 2014

I am a resident in a shared-ownership development built in 2003 and owned by a very large housing association. Like thousands (maybe tens of thousands) of residents up and down the UK, we have "Exchange Only" (EO) lines, not eligible for delivery of superfast broadband via the new fibre infrastructure.

We find ourselves locked down to old ADSL technology, condemned to the wrong side of the digital divide. And ironically, our development is in "Silicon Roundabout", the UK's answer to Silicon Valley! I can't imagine there are whole tracts of premises without superfast fibre access over there, can you? Closer to home, what sticks in the craw: if I could afford to move to live/work in Cornwall, I would be able to get access via fibre. While I applaud efforts to ensure rural areas are as well-connected as urban ones, I do not see why whole swathes of urban areas should be condemned to become digital ghettos. This is utterly outrageous in my opinion.

Over the last two years we have petitioned the housing association, BT and BT OpenReach, plus our local authorities to no avail. In my own experience, the housing association abdicates responsibility, BT sends me to OpenReach, OpenReach asks me to sign an online form expressing interest.

As I said, this isn't an isolated issue. Sadly, I see others up and down the country trying to highlight this issue by various means, also to no avail. There is a Direct Gov petition. I hear now that the London Assembly is planning to investigate. There are so many discussion postings about this that I'm cross-eyed. Unbelievably, I see distressing postings from folks in brand new developments with EO lines - when there should be a moratorium, right? So yes, I see a lot of blah-blah but no real Plan of Action.

Most recently our Residents Association contacted Simon Towler, Head of Spectrum, Broadband & International ICT, Department for Culture Media and Sports AND Ed Vaizey, UK Minister for Culture, Communications and Creative Industries but neither replied. Instead Andrew Campling -- BT's General Manager, London -- got in touch to arrange a meeting, which in the end was also attended by another residents' association rep as well.

Post-meeting notes report Mr. Campling explained the usual:
-- BT are prioritising fibre connectivity into commercial premises, and due to a government grant into rural areas;
-- BT therefore charges residents/businesses to re-route EO lines into street cabinets;
-- BT prices up the re-routing work, using a hidden and proprietary formula, which ensures BT's commercial return over a number of years;
-- residents/businesses pay the entire bill.

Mr. Campling was also unwilling to help identify EO lines in our area - perhaps to prevent too many people working together?

A number of questions have arisen out of this process, which need addressing. This is the list sent to our local MP:

1) Why is BT replying to queries addressed to the Government?

2) Why exactly are EO lines unable to have fibre provision when they are directly wired into a fibre-enabled exchange?

3) What provision is being made by government to ensure that EO lines are dealt with? What happened to FTTP and FTTH? If trials could happen, the technology clearly exists AND there is no legal or other blockage, so why is there not a nation-wide roll-out?

4) How many properties are on EO just within your constituency? Andrew Campling refused to provide it to us, citing "commercial confidentiality". However I know for a fact this is a matter of public record.

5) Why should residents/owners pay the cost of re-routing EO lines to street cabinets? Why is the assumption that we should bear the brunt of bad decisions made by developers together with BT (OpenReach?) -- up and down the country over the last decades and continuing even today -- to avoid installing street cabinets when the development was built? Why should residents now pay for BT's commercial success? Why should developers/original property owners dodge responsibility?

6) Why does BT have a monopoly as the only commercial entity permitted to draw up a quote for re-routing our EO lines into a street cabinet? As a monopoly, why are they permitted to cite "commercial confidentiality" as the reason they cannot reveal their costings?

7) Finally, why should BT Openreach be permitted to not install a street cabinet in or just outside the exchange and re-route our lines into it? That would seem to be a simple and cost-effective solution not just for our development but for all citizens up and down the country who find themselves in this predicament.
=========================================

I too would love to know the answers to the other six questions, particularly those regarding "commercial confidentiality", both with regard to information which is (or should be, unless the Council has lost its copies of the planning permissions) a matter of public record (albeit hard work for anyone other than BT to assemble) and with regard to the costs and prices of a regulated monopoly (as is Openreach, albeit not the rest of BT).

Meanwhile I have suggested that the residents of Housing Associations should band together to ask their landlords to go out to tender, Korean style, for 21st century communications services for their tenants. Hyperoptic, for example, would undoubtedly be among the alternative suppliers interested in supporting such an exercise. This clip on YouTube shows the CEO of Ventura explaining why. I also draw attention to the low cost (only £25 for community activists) event being organised by Broadway Partners on how councils and communities can get better value for their money: and not just when matched with BDUK funding.

I suspect we are about to see current broadband roll-out plans overtaken by a perfect storm, as market forces compensate for regulatory failure in the wake of an economic crisis triggered by events in the Ukraine and the consequent sharp rises in energy and food prices. That will probably be the subject for my next blog.


How relevant and practical are awareness programmes designed for a PC world to the mobile world?

John Walker of SBLTD has given me permission to reproduce the following e-mail that he sent to me this morning in response to my recent blog on the fight back against the surveillance society. It would appear that most of us are either unaware that "everyone is watching us", or think that the odds that anyone is actually watching "them" are so low that it does not matter.

====================================
'Recently, a friend of mine got hacked, costing him some hard-earned cash, a lot of time talking to his bank, and the frustration of knowing he had been had. Post a little Q&A, it was established that that day he had utilised the services of an insecure public Access Point [AP], which was, it would seem, the commencement of his troubles, when he logged into his PayPal and Bank accounts with complete disregard for his logical security.
 
The first thought that entered my head was 'just how silly can you be', as my friend should have known better - but should he? Confronted with the offer of free WiFi, do we assert that every member of the public is fully savvy on the subject of logical security, and the associated exposure they face when throwing caution to the wind?
 
The fact of the matter is, in my opinion, the missing element with the topic of, shall we call it, Cyber Security is that there is no real Security Education and Awareness Programme in place to protect the public from others, and themselves. Granted this will cost money - but let us not forget, in the absence of doing something, this is exposing individual users, the SME, and the economy to losses which are now reaching significant proportions.

Getting back on to the topic of my friend's issues, after a little bit of education, and a few configuration tweaks, we bolstered up his local security with complex passwords, the use of Symantec VIP Services, and the employment of a piece of software to create VPN Tunnelling - all of which was easy stuff to implement. Thus now hopefully, enriched with a little education and awareness, and the implementation of a few easy to use tools, my pal will be fine, and all was well with the world - or was it? Until....
 
Today, I am traveling down to London on the train, and sitting offset to the left in front of me, I observed a user unbeknown to me fire up their laptop, share the entire contents of their big screen with me, and then, as if not to add to my concern, log directly into the mobile public AP without a care in their world - yes, Security Education and Awareness for the Public should be considered a High Priority if we are ever to dent the successful growth of Cyber Criminality.'
 
=======================================

Where does John's advice to his friend appear on any of the current mainstream "security awareness programmes"? Who do you trust to give similar advice to your local silver surfers club and, more importantly, help install the necessary software for them and check that it is working?

What price net neutrality in a non-competitive broadband market

The recent agreement between Netflix and Comcast in the United States illustrates what lies behind the current minuet involving BT, Sky, Virgin, Vodafone, EE and O2 as they negotiate cross-licensing deals over content and access packages, turning what might otherwise be an open and competitive market into a clone of that in the United States.

The time has come for a thorough review of the role of Ofcom as a competition regulator if we really do want open, competitive access to the on-line world, and of the role of BDUK if we want that access to be socially and geographically inclusive.

Shock, Horror, Tomorrow came Yesterday: entire NHS Hospital Episodes database already sold to insurance company

The story that a medical insurance company has already done an exercise to "refine" its premiums by collating the NHS Hospital Episodes Database with Mosaic helps put the current debate over access to medical records into perspective. It also adds "bite" to my reprise on the "Bled Report" yesterday, particularly with regard to the sale of data collected as part of the delivery of a public service.

However, the more interesting question is why the NHS has not done such an exercise itself to help "refine", alias plan, provision - particularly for those in most need because they are uninsurable. Had it done so, it should surely have made the results publicly available to help local authorities with their planning, as well as insurance companies.

At this point I should, however, add that I personally would have much more faith in the security of an exercise done by a pharmaceutical or insurance company in co-operation with Experian, than one done by the NHS or any academic researcher.

The former understand the importance and value of confidentiality and have the budgets to go with it. The latter tend to think that their project is more important than all that security flummery, which they cannot afford (time or money) anyway.

I would be most surprised if this exercise was done in such a way as to compromise patient identity and confidentiality, but there is little doubt that had it not been done by an organisation which takes information security and anonymity very seriously when doing such exercises, like Experian, it could have been.
