The House Of Commons Science and Technology Select Committee Enquiry into Digital Skills has so far focused on education, whether in schools or colleges or for the digitally excluded. It has yet to address the gulf between the skills (often technology or vendor specific) specified by employers when recruiting staff and the generic qualifications specified by public sector agencies when deciding what to fund.

Thus the English Trailblazer apprentice programme requires adherence to the Skills Funding Agency Qualifications Guide which effectively prevents (page 6, para 19) use of the vendor, professional, trade association or other "commercial" qualifications and associated materials commonly required by recruiters. This policy dates back to Ofqual decisions in 2012 which led to a collapse in FE/HE use of the materials available (often at no charge) from, for example, the Cisco Academy (which had previously underpinned most UK training in network skills) or the vendor neutral courses available from global trade associations like CompTIA. The situation with regard to IBM, Microsoft and Oracle appears similar but the problem also appears to apply to the courses and qualifications developed by the trading and certification arms of all UK trade associations and professional bodies - not just those linked to IT and Digital.

The reasons for the policy result from abuses that are more common to other industries, such as the motor industry. If your car is serviced by a local garage instead of a main dealer, the walls of the office may be plastered with certificates showing that the mechanics are competent to use this or that piece of computer-controlled diagnostic equipment. Even the certificates issued on behalf of reputable trade associations or professional bodies may be from money making subsidiaries over whose fees and processes their members have no vote. Meanwhile vendor specific certifications can be an integral part of policies designed to lock independents into the dealer networks of the motor manufacturers and squeeze out motor factors.  

But it is not as though the processes which Ofqual and the SFA are seeking to impose on the new trailblazer apprenticeships will curb the abuses of which most employers, students, practitioners and professionals complain - poor quality for the time, not just money, invested. There appears to be a wish by Ofqual and BIS to mandate "open access", with the quality control of those running courses limited to sampling their certification processes after the event - as opposed to actively encouraging the inspection of the learning materials and equipment used and the CVs of the trainers.

The latter approach was used for Gordon Brown's Millennium Bugbusters programme - arguably the most successful large scale IT training programme the UK has ever run. It not only helped ensure a trouble free Y2K, it transformed the UK supply of competent microcomputer technicians and maintenance staff. Many of those running IT education and training programmes for the Department for Education and Employment failed to meet the "industry strength quality control" criteria demanded by Treasury as a condition of the Bugbusters funding. Unfortunately the new Department for Education and Skills, created in 2001, then reverted to previous procurement practice, despite what had been revealed during the fiasco of the Individual Learning Accounts.

That may have been 15 years ago but the lessons are still, unfortunately, apposite - hence the importance of Julian David's comments in his excellent recent article on the need to get the right leadership and processes in place for the new Institute for Apprenticeships.

The limited and skewed response to the consultation on the Apprentice Grant and Levy proposals (most inputs were from medium to large organisations in public sector, health and services, few from engineering, manufacturing, construction or small firms) may help explain what is now happening.

We appear set for a fragmentation of standards: those for "Internet of Things security by design standards for mobile widgetmakers" differently organised to those for "non-mobile widgetmakers".

Meanwhile funding rules, intended to prevent double funding,  require recalculation of costs according to which material is used if students are allowed a choice of vendor supplied certifications to demonstrate generic competence.

Perhaps worse, the proposals focus on the completion of two year apprenticeships at a time when many IT employers are moving towards using eight week intensive, hands-on, blended and experiential learning "boot camps", to cover that which was traditionally spread over a year or two. The rest of the period covered by any "apprenticeship contract" commonly covers structured, but also productive (and often fee earning) work experience, interspersed with higher level modules, to ensure a return on the up front investment before the trainee is free to leave without incurring a penalty/transfer fee.

We need to find ways forward that better meet the needs and practicalities of the Internet age if the grant and levy process is not to rapidly fall into disrepute.

At a meeting of the Digital Policy Alliance 21st Century Skills Group last week (to review progress with the plans for Local Skills Partnerships), representatives from FE and the IT industry agreed to work together to put flesh on the analysis I summarized in my own submission to the Select Committee (based on discussions at previous meetings). More importantly they agreed to invite others to join them to find constructive ways forward. The key points from relevant discussion (summarised in the meeting report due to be mounted on 9th February after the deadline for comments by those at the meeting) are as follows:


The issues that need to be addressed in order to provide an effective and accountable framework for closing the resultant gap between FE/HE education and Vendor/Technology training were identified as:

a.    Identify, publish and maintain (the rate of change is accelerating) lists of employer recognized vendor, professional and trade association content and certifications.  

b.    Ensure FE/HE access to subject matter experts who can support delivery.

c.    Establish and maintain frameworks for positioning employer recognized training & certification within the qualification (QCF) constructs

d.    Processes for validating that trained students can apply the skills learned to meet employer needs

e.    Geographic (Skills Funding Agency and other) restrictions on use of employer recognized  training & certification.

The suggested means of addressing the issues is to ask CEdMA (The Computer Education Management Association is the global professional body for technology trainers) to bring those running trade, professional and vendor certifications alongside those in FE/HE to:

a.    Suggest processes for working together to align product, technology, trade and professional certifications with current qualification / frameworks (QCF).

b.    Make recommendations to address SFA regional (England, Scotland, Wales and Northern Ireland) inconsistencies and restrictions regarding the use of vendor training/certifications.

c.    Engage Vendors and propose a framework of engagement and support covering:
i.    Access to training materials for non commercial use for no charge.
ii.   Discounted access to certification.
iii.  Access to online facilities.
iv.  Support for FE/HE trainers.
v.   Terms and content access processes to enable FE/HE to offer local short courses
vi.  The alignment of vendor training & certification with Government/Industry needs.

The reason for suggesting CEdMA was that its UK and European membership straddles those running IT training operations for vendors, trade association and professional bodies and those contracting them to help with in-house training operations.

Other professional bodies (such as BCS), might not be seen as so neutral because of the revenues they derive from their own training and accreditation operations (e.g. what used to be known as ISEB) - already decimated by current policy and now at growing risk. Meanwhile the Sector Skills Partnerships would not find it easy to take a robust line with those on whose funding their programmes depend.       

If you would like to participate in carrying this exercise forward, and implementing the results, please contact the Digital Policy Alliance or one of its partners in this exercise (there is a growing list in the Skills Partnership progress report on the website).

It is important to not "just criticize" the policies of the Skills Funding Agency and Ofqual but to understand why they have come to be as they are - and help agree ways forward that meet not only the needs of IT employers but of all those facing a world in which the practitioner skills in demand can change faster than any professional body or funding agency can reasonably be expected to agree new specifications.

We also have to stop confusing practitioner skills with professional and academic disciplines, which change slowly, if at all.

The most important gap is therefore that between education and training.     

Who is winning the Broadband war? BT, Sky, Virgin or the Altnets

BT claims to have achieved a 71% share of new broadband customers in the most recent quarter. But Thinkbroadband reports the number as 177,000 of which only 130,000 were new to BT. The difference appears to include many of the 120,000 upgrades. Meanwhile the number of BT's new TV customers is 97,000, excluding upgrades. So it seems that not all the new customers are taking up the TV services, however cheap the offer.

Meanwhile, Sky is said to have added 144,000 new customers in the same quarter.

The loser is TalkTalk, said to be down 101,000 users, 95,000 of them as a result of the well-publicised breach.

I was not able to find figures for Virgin, but where "pure fibre" is on offer it appears that players like Gigaclear and Hyperoptic are giving customers a significantly cheaper service and thus achieving a take-up that gives investors a significantly faster payback than BT's stated 15 years.

But that is only part of the story. Mobile and wifi now account for over half the traffic: from sport and pornography to shopping and gossip. We should therefore be factoring in services like the 4G infrastructure installed by Arqiva in Canary Wharf and elsewhere. Hence the significance of the takeover by BT of EE.

Do read the full report of the Science and Technology Select Committee "Investigatory Powers Bill: technology issues" released this morning, not just the press cover or even just the summary. It is barely 30 pages (plus appendices) long. Then think about the tension between the desire of Government to consult on supposedly future proof legislation (without saying how it will actually be used) and the desire for certainty and clarity on the part of those most likely to be affected. Then re-read the report and ponder the conclusions.

I stand by my view, quoted in the report, that the concept of "internet connection records" is meaningless and that the legislation should be based on something vague like "the addressing information used for electronic communications".  My reason is that making clear which communications will be monitored, and thus how to avoid monitoring, is incompatible with the objective of the legislation. That marks me out from all those seeking clarity while stating how impossible this is. 

My comments (page 11) are juxtaposed with a comment from Exa Networks that "some of the definitions of the Bill do not seem to accommodate the complexity of Internet Protocol networks". Andrews and Arnold correctly point out that greater clarity and consistency in definitions would "limit the scope of future governments to expand the retention beyond current limitation without a change to the legislation". I agree with the analysis and disagree with the conclusion. It is as though the denizens of Bletchley Park were to be asked, in advance, to define the nature of the wireless networks they wanted monitored, in case they were carrying traffic that someone might want them to try to analyse to see who was talking to who, and thus whether it might be worth trying to mount a decryption exercise.

Today, as Ross Anderson put it, "technology changes just too fast".

The Home Office said "we will certainly not place obligations on every one of the "200 or 300" communications service providers". LINX already handles traffic from over 700 providers and that is barely a third of those whose traffic should already be liable to analysis and monitoring if the current legislation means what it says. The number will rise sharply with the transition to a world of smart and ubiquitous computing. On Friday I saw a poster describing a research project into the practicality of using a modified Fitbit as the hub of a communications network.

Richard Clayton is quoted as saying "the present Bill forbids almost nothing ... and hides radical new capabilities behind pages of obscuring detail". Once again I agree, but draw a different conclusion: scrap the obscuring detail, admit the all-embracing nature of the powers, concentrate on the accountability and governance of those targeting the use of those powers.

This raises the interesting question of whether Tech UK is correct in saying that the consequent uncertainty is bad for British business (page 10). Provided that the Home Office is willing to cover the full cost and provided the powers are actively used to help protect businesses based in Britain from fraud and abuse, I suspect the overall effect would be positive - although it will require changes to the business models of some leading members of Tech UK. But the devil is in the governance, including the governance of co-operation. That leads to the question of whether ISPs should be liable to a requirement to open up end-over-end encryption services (if they can) and, if so, under what circumstances. I see this as directly analogous to an old fashioned telephone interception warrant.

When it comes to equipment interference Ross Anderson is well quoted as saying that "The right way to get round encryption is targeted equipment interference, and that is hack the laptop, the phone, the Barbie doll ... of the gang boss you are going after, so that you can get access to the microphones, to the cameras and to the stored data." I agree that "bulk equipment interference" is probably an inefficient method with uncertain (and potentially hazardous) side effects. This is an area where the quality of the Technical Advisory Board and its ability to work with the Judiciary to maintain and police effective Codes of Practice will be critical.

The discussion of the impact on the Communications industry is largely confined to those who know they will be affected by the new definitions, but if the Bill is to meet its declared objectives then almost everyone running any kind of network or wifi or Bluetooth hot spot will potentially be affected. Mark Hughes is quite correct to raise the position of ISPs not based in the UK (page 26). The legislation cannot achieve its objectives if these are not covered. The issues of clashes of jurisdiction need to be clearly addressed - perhaps by lifting the veil on the current state of international "mutual assistance" arrangements.

The most interesting discussion was, however, that on cost. If the Home Office does plan to reimburse all costs and expects these to be under 200 million pounds, then the ambitions for data retention are very much more targeted (and modest) than current debate implies and the risk of "mission creep" will be controlled by what the security services and law enforcement can afford. The reluctance to include 100% reimbursement on the face of the bill is understandable - but calls in question all other assurances. This is one area where lack of clarity will not help the UK to remain a trustworthy hub for global on-line business.

The recommendation of the Committee (page 32) that "The Government should reconsider its reluctance for including in the Bill an explicit commitment that Government will pay the full cost incurred by compliance" is therefore, for me, the most important part of a thoughtful and thought provoking report.      

More CISOs looking to recruit cyber-security trainers than leaders, analysts, engineers or pen testers

I have often said our IT skills crisis is not of skills, but of employers who train and have been looking at why that is. Evidence is emerging that the shortage of trainers is a prime cause. The headlines from the Harvey Nash/PGI 2016 Cybersecurity are not unexpected: "Half of all boards lack real understanding of cyberthreat" [one might say the same of supposed cyber-security "professionals" with their obsessions over technology rather than strategy]. I was not therefore surprised to see that half of all respondents (CISOs) were looking for security architects. I was, however, surprised to see that more (42%) are looking for those to run in-house training and awareness programmes than for leaders (39%) or analysts (34%).

Barely 21% were looking for pen testers but 78% had outsourced this, so that finding should not be surprising. But only 13% had outsourced training (lower than for anything other than incident management or security strategy). Given that outsourcing decisions were claimed to be based on getting guaranteed access to subject matter expertise or lack of in-house skills, this implies a serious lack of awareness of the shortage of those competent to organise security training and awareness programmes.

It was also interesting to note how few respondents (large or small) have invested in cyber insurance cover and half have no plans to do so in 2016. Mid-sized companies (large enough to be worth attacking but too small to have serious in-house security teams) were the most likely (29%) to have taken out policies. I plan to address this topic when I speak to a joint meeting of BCS Elite and the IoD next week. 

Next Thursday (4th February) will see the next meeting of the Digital Policy Alliance 21st Century Skills Group (click here for the papers to be discussed) and I do recommend that those who are serious about addressing the consequent problems consider joining. While there are some policy issues that need to be addressed, such as the gap between Skills Funding Agency approved content and employer needs (on which I will blog separately), the core objective is to bring employers, trainers and recruitment and employment agencies together in local partnerships to deliver "blended learning" - making best use of those who do possess the necessary organisation and delivery skills. These include, of course, Harvey Nash's co-sponsor PGI, but also many under-used teachers and lecturers in FE and HE institutions whose time would be better spent helping industry experts develop and deliver packaged materials and supervise structured work experience - whether as part of tailored in-house apprenticeships or CPD or via virtual colleges.

I am particularly looking to engage  those recruitment and employment agencies who see helping their clients organise in-house skills programmes as a more constructive and profitable business opportunity than helping them compete (all too often in vain) for those with the skills they most need.         

BDUK "state aid" to be brought into line with EU law and good practice

There is much to be welcomed in the BDUK "focused market engagement" exercise to get views, by 24th February, from Local Authorities and Network Operators on the replacement for its previous procurement arrangements to get superfast (whatever that means) broadband "to 95% of premises by 2017". The State Aid decision which gave grudging, qualified and limited approval to the BT deficit funding model, SA. 33761, expired on 30 June 2015. The aim is to bring any new BDUK arrangements fully into line with both EU law and good practice.

Local Authorities remain, of course, free to go ahead with plans akin to the many public private partnerships approved across the rest of the EU, including under the General Block Exemption Regulation II: "safe"  in the knowledge that there is now an army of lawyers waiting to take on BT, with the support of other network providers and potential customers, were it to try to repeat the exercise that blocked Birmingham's aspirations to copy Stockholm.

It is worth quoting from the summary of the "National Broadband Scheme: Market Engagement on Procurement Approach":
"As part of these discussions between BDUK and DG Comp, a new approach has been developed which has incorporated learning from both organisations since the approval of the previous decision in 2012 and reflects the publication of the 2013 Broadband Guidelines.  A key principle of these Guidelines is that networks built with public funds should where possible offer full open access, which requires the network operator to offer access to any part of the network for any purpose (this is further described in section C below).

The proposed approach aims to achieve the following:
●    Optimise the number and quality of bidders, in particular reducing the hurdles to participation in procurements by smaller suppliers;
●    Align supplier incentives to maintain competitive tension as far as possible.

While Local Bodies have the option of procuring networks that would only require open access networks, based on discussions with the market, BDUK anticipates that such procurements may not always yield suitable bids.  For example, if potential bidders consider that the value from new broadband customers is offset by the risk to existing business customers as a result of opening up their network. 

Working with the Commission, BDUK has developed an approach to mitigate this risk through a procurement approach that would consider a reduced form of network access, where no suitable open access bids are submitted.  This would be compatible with State aid rules while supporting deployment in the context of the marketplace across the UK."

I assume that "open access" means "networks which operate to international connectivity standards" while "reduced form of network access" (page 9 and 13) means extensions of the BT 21CN fibre to the Cabinet/G.Fast architecture and protection of its leased line business. 

I was concerned that the apparent mandatory requirement for "copper local loop access" (page 11) could be used to hobble support for fibre only networks while the references to NGA (Next Generation Access of 30 Mbs) also indicated an apparent desire to enable state aid for that which many would claim is already obsolete.

But those caveats apart, I was impressed by the document and the changes that now appear to be in prospect, bringing BDUK into line with good practice in other parts of the world and opening the way for incremental change (procurements broken into small chunks) on the scale (far more than BT can handle) necessary to create a "future proof" converged communications infrastructure. When I read the details on access and interoperability I began to ponder whether every state-aided BT exchange should now be viewed as a potential open access local Internet Exchange. If so, how/should the necessary trust in the inter-operability and neutrality (as well as resilience and reliability) of their operation be assured?

Yesterday I attended an excellent briefing on the need to devolve UK's internet peering from LINX to local internet exchanges (not just Manchester, Edinburgh, Cardiff and Brighton but one for each aspiring "smart city") to handle the rapid mushrooming of traffic generated by the UK's 2,500 "autonomous systems" (access and content networks with direct access to the global internet): 700 of which do their Internet peering via LINX. LINX expanded its capacity by 50% last year and planned to install 15 new hundred gigabit ports. In the event traffic growth and customer demand was such that it had to install 50.

I was interested to learn that Sky (which is likely to have completed its transition to IPv6 within a couple of months) has already publicly announced its support for local internet exchanges because of the way they help reduce latency: traffic generated within a smart city no longer has to go to London for transfer between networks while commonly used services (e.g. Netflix) can be cached locally.

Hence my concern over allowing BDUK and/or Local Authorities to continue to provide "state aid" funding to support improvements to networks which are not fully "open access" and therefore risk becoming obsolete as the rest of world, as well as UK cities like Bristol, Edinburgh, Peterborough and York begin the creation of resilient fibre and wireless communications meshes capable of supporting both:
  • a smart society (from smart phones, consumer goods and telecare devices through smart buildings and cars to smart transport and power grids) in which everything is connected and people die when networks are corrupted or fail, even for short periods

  • iGov (informed, intelligent and interconnected central and local Government and public service delivery) from policy formation, through implementation to performance monitoring: with all the associated challenges of privacy, security and democratic accountability, not just of technology

There may be a case for state aid to help Openreach upgrade/extend particular local networks because BT has an expensive and difficult transition to engineer: paying for the acquisition of EE at the same time as competing with Sky to subsidise the Premier League. But councils need to apply the questions on page 6 of the Market Engagement paper to BT and not just to its competitors, large or small. There is, however, one very important missing question - arguably the most important of all: is the network being built and operated to common international standards: if so it can be completed, operated or taken over by any one of a growing number of network operators - albeit not necessarily at the same price. If not ... then the other questions become important.

It would be interesting to know how many of the MPs who supported the BIG report did so because they really believe a separated Openreach would do better, or merely because they wished to give BT and BDUK a kicking. Either way, it will be interesting to see how many of them not only support their local authorities in giving measured, not merely robust, responses to this thoughtful (and thought-provoking) consultation - but would go on to support the transition to a Victorian style competitive market: i.e. one in which co-operatives, mutuals and municipal enterprise competed with co-partnerships and stock companies to build most of the transport and utility infrastructures of today.

"The BIG Issue" - can DCMS safely ignore over 120 MPs protesting over constituency broadband

The British Infrastructure Group report publicised in the Daily Telegraph today uses available data (assembled by the House of Commons Library) but puts on it a rather different interpretation to that recently used by BDUK to boast of its achievements to date and those in the pipeline. The consequent call for action is backed by 120 MPs. Whether the break up of BT is the right action is another matter. If it were to be the right "answer" that raises the more interesting questions of whether "merely" separating out Openreach would achieve the objective of stimulating BT to invest in infrastructure (back haul as well as local loop) as opposed to content (alias subsidising premier league football) and whether that would be enough.

Can BT afford the scale and nature of investment necessary to build the communications infrastructure needed to underpin a "smart society"? A "smart society" is one in which everything is interconnected: from smart phones, TVs, toys and consumer goods, through smart meters, cars, buildings, telecare and telemedicine to smart grids and cities. It is also one in which those dependent on on-line medical devices (for example) may die when networks go down.

It is not just that BT has not maintained its previous rate of investment in recent years - it does not appear to have plans to increase it in the future and may find it hard to do so. We might have expected to see further refinancing announcements (additional to those announced alongside the merger plans) now that the EE merger has been agreed - but now is not a good time to be raising money from the City.

In consequence those cities who are serious about leading the way into the 21st century, like Bristol, are looking to alternative suppliers, like City Fibre. Meanwhile US players like Zayo are investing heavily in UK back haul networks to fill the gaps left by BT (business parks, commercial centres etc.) and meet the growing needs of the mobile operators. In parallel Gigaclear has just received backing from the European Investment Bank to leapfrog BT's offerings in rural areas and Hyperoptic (backed by George Soros and others) is able to put 100 mbs symmetric fibre into social housing for less than BT charges for slowband over a 40 - 50 year-old copper/aluminium twisted pair.

We should also juxtapose the recent CMA judgement with regard to the take-over of EE by BT, "two cash-strapped dominant players trying to cut costs by converging their broadband, wifi and mobile operations" with the deal under which Arqiva is putting 4 and 5G aerials into Canary Wharf, to be shared by all mobile operators. We already need 4 - 5 times as many aerials to address current problems with overload and notspots. The problem is about to become very much worse as we transition to a world of ubiquitous wireless communications piggybacking on "fibre to the femto".

Over recent years BT has accounted for a decreasing proportion of investment in UK communications infrastructure and that proportion looks set to fall further. The task for DCMS is therefore to enable our newly competitive market to flourish, with investors getting rapid payback from supporting the construction of new, "future proof" networks so that we are no longer critically dependent on a single set of crumbling bottlenecks, increasingly liable to serious outages. As that dependence reduces it should also become easier for BT to focus on what it does best and enter into serious partnerships, rather than pretend it can do everything.

I am currently working on a Communications Manifesto for the London Mayoral Candidates (and would welcome inputs) but in the meantime readers might like to read my personal  submission in response to the "Building the Foundations" section of the recent DCMS Digital Strategy "consultation"

Creating a 21st Century Communications Infrastructure


Summary and Key Points


1.             Society is increasingly interconnected and dependent on reliable, resilient and ubiquitous on-line communications:  from smart consumer devices and buildings to telemedicine and care. People will die when networks goes down as they have in recent weeks . 70% of on-line consumer time  is now spent using mobile devices, roaming across wireless connections to domestic or workplace routers, wifi hot spots and mobile networks. All need fibre backhaul, but with the transition to 4 and 5G, many times more aerial sites are needed to maintain the mobile connectivity and reliability of a decade ago when traffic volumes, using different parts of the radio spectrum, were much lower.  


2.             The rewards for investment in new infrastructure do not necessarily accrue to current operators, who may prefer to ration current capacity or invest in content. Collapsing prices (down 75% over the past year for the routers and servers used for new fibre networks) mean new entrants can build more powerful networks, more cheaply, provided they can obtain the access and wayleaves necessary. Meanwhile, as with the construction of many of the railways, the biggest short term beneficiaries are landlords and property owners whose sites and buildings rise in value with better connections. It is no accident that Hong Kong's main communications companies are linked to property companies.


3. Given the need for resilience and the effect of public sector procurement on communications investment, multiple (at least dual) sourcing should be mandated wherever practical: requiring the use of at least two networks which are not mutually independent. This is becoming easier as less of the UK is critically dependent on BT owned bottlenecks but there is a need to underpin competitive investment (including back haul and bottleneck bypasses) across those parts of the UK that are not yet well served, even if the alternative routings are mainly used for hot standby.


4. Government should increase the pressure on those running separate public sector networks, e.g. those linked to road and rail transport, health and education, to make these available to multiple network operators in return for improved national cover and resilience arrangements rather than departmental income, above that to cover any incremental costs.


5. Valuations for business rating purposes should be based on actual revenues and changes in property valuations, not estimates based on limited historic data. This will remove an obstacle to investment in advance of demand and in standby facilities. It will also result in overall economic benefits, including to HM Treasury, well in excess of the limited revenues foregone.


6. Past national agreements for utility access and wayleave arrangements are problematical for all sides. The consequent cost of negotiating individual agreements can account for over half the set-up and installation costs. For some the rental from masts/aerials can be a significant source of income. Others, e.g. commercial landlords and building managers, are more concerned about the risk of disruption to existing services to tenants. Government should support collective exercises to agree new generations of access and wayleave arrangements (fixed, mobile and converged) and should mandate their use for public sector properties.


7. Government should support exercises to agree planning guidance and building regulations that make it easier to install and maintain a choice of multiple (and changing) fixed, mobile and converged networks across existing buildings and estates as well as new build. It should mandate their use across publicly owned properties, including those where the management is outsourced.


8. Central Government support for the construction, upgrading and/or operational subsidy of communications services which are not otherwise commercially viable, should be subject to open market testing and/or competitive tender for each local authority requesting funding under national or EU programmes. There should also be a programme to help local authorities with market testing, including both supply and demand, with regard to the areas for which they are planning to seek support.


Almost every paragraph raises more questions than it answers. I therefore look forward to working with many of the "BIG" supporters in ensuring constructive public debate.

P.S. I will blog separately on my responses on how it should address skills gaps and "transform government".

Investigatory Powers and Civil Liberties in practice: "Think of Cicero as Al Capone's Pocket Lawyer"

My blog yesterday on the Scrambling for Safety event has been criticised for focusing on governance and safeguards rather than the powers themselves. Perhaps I should explain why.

As a student I joined the National Council for Civil Liberties but left quietly in 1974 or 5 (I cannot remember exactly when) after meetings became pre-occupied with protecting the rights of pederasts.  Until then I had seen nothing wrong with pictures of naked children and thought that paedophilia, as opposed to pederasty, was a little odd, but harmless. Listening to discussions which linked the exchange of photographs to arguments about the age of consent "opened my eyes". Ever since then I have been almost as suspicious of the motives of those arguing for greater on-line privacy as I have been about those wanting more access to personal communications for the security services.

My views on the need for coherent frameworks covering the use of electronic surveillance to help law enforcement began to take shape when I was organising briefing sessions for MPs during the run up to the original (1984) Data Protection Legislation, including on the audit of activities over pre-Internet global messaging services. Those views became sharper with the reasons for the inability of the police to convict Kenneth Noye for killing John Fordham on top of the reasons why the latter had been engaged in such "close" physical surveillance in the first place. Then came the Alison Halford affair and the IOCA review: largely ignored by the industry lobbyists until it transmogrified into the proposals that led to RIPA.

Since then I have listened to nearly two decades of arguments about the needs of the security services and the concerns of human rights and civil liberties lobbyists. Meanwhile little is said about the practical problems of obtaining reliable and admissible evidence and convictions to protect children or those living on estates controlled by organised crime. We now also have the problems of "community leaders" using co-operation with local authorities and access to information on lifestyle choices or the location of "runaways" to help them protect "family honour".

Hence my concern to see more efficient authorisation routines for the security services and mainstream policing, coupled with more effective governance for "other law enforcement" - all within credible judicial oversight for technology neutral processes. Hence the tenor of my own evidence for the Science and Technology Select Committee and to the Joint Scrutiny Committee.

The title for this blog relates to when I was doing "A" Level History with Foreign Texts (a short lived subject in the 1960s). The class was struggling to reconcile the supposed republican ideals of Cicero with a speech (Pro Lege Manilia) in favour of giving the command of the Mediterranean fleet to a brutal (convicted and pardoned) pirate. In the end the Master said "Think of Cicero as Al Capone's Pocket Lawyer". It came to my mind during last week's "Scrambling for Safety". It does not help that Law Enforcement is so reluctant to give genuine usage cases, lest the information be used to enable criminals to avoid future surveillance.

I do, however, again recommend that you watch the full recording and then take a look at some of the responses to the Select Committee and Scrutiny Committee.

P.S. One of my Christmas Presents was Max Hastings' "The Secret War", which aims to put the code-breaking, spying and espionage triumphs and disasters of all sides into perspective. I have got as far as the revelation that Stalin mistrusted the information he received from the Red Orchestra network during the run up to the Battle of Kursk because parts of the wording were identical to that being "leaked" to him by his spies in Whitehall. The similarity was because one of the supposed Red Orchestra "networks" was actually two teleprinter operators passing the paper tapes from the teleprinters attached to the Lorenz coding machines to Rudolf Roessler instead of destroying them. The breaking of Tunny, culminating with the creation of Colossus, was indeed a supreme intellectual triumph but its contribution to the Battle of Kursk may actually have been negative!

I want to begin by thanking Ross Anderson for reminding me to attend the recent Scrambling for Safety event on the Investigatory Powers Bill. I will not try to reprise the full event; I recommend watching the livestream recording from end to end. Also George Danezis has posted summaries of Session 1 and Session 2. As with previous Scrambling events it intertwined the profound and paranoid. I leave you to work out which is which and will simply comment below on the points which made the most impact on me.

The first was made at the beginning of the debate by Sir David Omand and echoed again and again by other speakers: This is the first attempt in 500 years to bring the surveillance activities of the state under rule of law instead of "the prerogative of the crown". Moreover the UK is one of very few states attempting to do this and our success or failure has profound implications for our position as a global hub for on-line financial transactions, e-commerce and content.

I was very pleased when Gail Kent, who recently moved from the NCA to Facebook, pointed out that the legislation has to be put into international context so that those running cross-border are not trapped by extra-territoriality conflicts between the UK and, for example, the US. The Draft Bill has made a start on this, but is not yet consistent.

Credible judicial oversight requires the support of security vetted, competent and independent technical expertise in order to be able to assess proportionality and balance of risk (e.g. when "interfering" with equipment in order to find out what it is being used for). That will not be easy to source and maintain. Those who can provide it are likely to be in global demand - with all that entails.

For me the second most important point was made by David Anderson when he said, towards the end of the event, that in his experience the security services did not want more powers. They did not want useless powers. They did not want encryption keys. But they did want proper supervision. He said they were staffed by young idealists, rather like the audience, but who saw the dangers our society was facing. Those comments were in response to a series of accusations from the audience about demands from the state for ever more information and comments about the futility of bulk data collection and the dangers of "interfering" with systems in order to collect it and giving authority to "them" to trawl through our personal information. Ross Anderson asked for a term for "bulk data collection" worthy of Caspar Bowden. I afterwards suggested they be called "Hoover Powers", as in both the use by J Edgar Hoover of his "imprecise authority" and in collecting big bags of rubbish and fluff that might, but more probably will not, contain something of value.

I do not believe the surveillance services want bulk data. They want targeted data, with the dross filtered out. The problem is how to get it. If that is correct then we need to move the debate away from debating "how many angels there are on the head of a pin", with regard to the shapeshifting (as technology changes) world of communications data (alias internet communications records). We need instead to look at the governance of the techniques for filtering whatever is available - in order to make effective the use of the limited resources (including time) that are usually available. Here we have a problem, illustrated by the fate of Gordon Welchman when he attempted to trigger such a debate by publishing a History of Hut 6 in 1982. The currently available version of his book omits the "controversial" material so we can assume that well-informed debate is still off-limits.

The current Bletchley "story" focuses on their success in decrypting that proportion of German Traffic they tried to break, rather than the much larger traffic analysis operation that tracked the German Order of Battle and targeted the codebreaking effort. The processes for the latter still sit at the heart of modern surveillance (including Google et al) and were not leaked until Edward Snowden published them - thus also leading to the pressure to bring the state surveillance operations of the UK and US under judicial accountability. Describing the techniques for targeting makes it easier to evade them. This makes the credibility of the judges providing secret, but credible and effective governance all the more important.

The third point that came through from a number of speakers at the Scrambling for Safety event was the inability of law enforcement to make timely and effective use of the information already available - while still supposedly asking for more. Hence again my continuing focus on partnership policing and the need for industry to be permitted to help the police identify abusers (of all kinds) in time to take action. That too raises many issues of governance, including with regard to the status of the "Codes" intended to put flesh on the Bill - will they have statutory authority (implying clunky predictability) or be akin to "judges' rules" implying reactive evolution in the face of bad practice as it is identified by those exercising oversight?

For those who want further robust debate on the technical practicalities I commend the next meeting of the Real Time Club, where Adrian Kennard will be explaining and defending (hopefully from well-informed attack) the ISP position. His original and subsequent supplementary written evidence to the scrutiny committee illustrate why I took such a different tack in my own evidence - leading to a call to focus on the governance of partnership policing and of ALL those being given powers, including regulatory agencies and local authorities.

[I also commend listening to the "in memoriam" thoughts on Caspar Bowden - if these are on the Scrambling for Safety video - I confess I have not checked - as Caspar would have done. I found it too difficult to order my own thoughts but his character and contribution were well summarised by those who gave their memories. I first met him at a Trades Union event before the 1997 election. I was told I should make a point of inviting him to any relevant discussion meetings because he would make well-informed trouble if I did not. I quickly realised that we were both being used as "litmus paper" to test for the "toxicity" of specific proposals. Our approaches were very different but we came to the same conclusion surprisingly often. Over nearly twenty years I found his attention to detail invaluable, even when I did disagree with his conclusions. Meanwhile he never gave up on trying to educate me ...]         

UK Digital Strategy - two weeks to give your views on how the UK will cross "the next frontier"


On the 29th December, while most of the world's digital leaders were off-line, Ed Vaizey called for inputs from the public and from industry by 19th January to a new cross-departmental UK Digital Strategy for the next five years. Not a very momentous consultation, you might think, given the timing and low key nature of the release.

After comments calling for a customer centric approach he homed in on four themes:

1 - Unlocking digital growth - to make the UK "the default place entrepreneurs want to start new digital business over any other tech hub in the world from Silicon Valley to Shanghai, scaling up to be global brands". In this context he referred to the need to push "for the completion of the Digital Single Market", across all business, not just the tech sector.

2 - Transforming government - "to make sure interacting with government is as simple and seamless as possible"

3 - Transforming day to day life - with reference to "massive open online courses  ... so lectures and courses can reach a much wider audience, costing less. Could schools benefit from similar innovations", making our "health system more efficient and joined up, so that our amazing doctors and nurses can spend more time saving lives and improving care" and making sure that "the UK is at the cutting edge of ... developments"

4 - Building the foundations - with reference to ubiquitous internet access, cyber-security and digital skills.

The call for inputs came while I was assembling my inputs to the Science and Technology Select Committee Enquiry on Digital Skills Gaps and, unsurprisingly, my immediate response focuses on the need for joined up Government Policy on skills, skills, skills and skills.

In the course of a recent Digital Policy Alliance round table to review progress with the formation of Local Skills Partnerships I was startled to learn that the Skills Funding Agency rules (Page 6, Para 19) actually forbid the use of the courses, materials and qualifications funded by vendors, trade associations and professional bodies by those organizing the new trailblazer apprenticeships. They also effectively bar their use by FE on publicly funded programmes, thus denying students the certifications most likely to be specified, rightly or wrongly, by their prospective employers.

I can fully understand the need to go beyond the qualifications of any one vendor, for balance and to prevent abuse. But if we are to unlock digital growth, surely we need to encourage innovators to work with FE and HE to ensure their prospective customers have local and affordable access to the skills to use the products and services on which they are working.

The recent  National Audit Office report into the DEFRA systems collapse and the role of GDS was all the more shocking because it showed  how comprehensively the lessons from past NAO and Select Committees  have been ignored when it comes to Transforming  Government for the better. All those responsible for Government change programmes need to have at least basic training in how to identify and ensure the pre-conditions for success. Why do we never learn? - the reasons can be found in the Old Testament, not just Kipling or the Royal Academy of Engineering. The digital enthusiasts need to learn how to distinguish between education (and basic disciplines, which change slowly, if at all), and training: to use the latest digital app techniques, where the relevant content (to be able to understand that which is supposedly intuitively obvious and is therefore undocumented and unexplained) changes faster than the course can be sufficiently defined to qualify for public funding.       

Most of the technologies capable of transforming day to day life have been around for over twenty years, sometimes longer. The reason they have not been applied is, once again, a matter of skills: particularly across our fragmented and silo'd public sector planning and funding hierarchies. Encouraging Fintech entrepreneurs to do that which is forbidden by Financial Services Regulators will not help. Nor will encouraging healthcare innovations which the NHS will not authorise. And trying to bludgeon professional bodies and trade associations into doing what they have not been allowed to do is not the best way forward. Juicy carrots and well publicised awards and rewards for cross-boundary co-operation would be far more effective. That will require addressing public sector budgeting and expenditure processes.

And so we come to building the foundations. Shortly after I welcomed the excellent DCMS-Treasury Communications Infrastructure strategy released with last year's budget I began blogging on the need to help expedite a Victorian style, open market, investor led, transition to a ubiquitous, robust and resilient, internet age communications mesh which is nowhere dependent on a single supplier or set of bottlenecks and I am pleased to see the progress now being made. But the key is skills, skills, skills, skills - we need once again to focus on the carrots not the stick and build on the UK traditions of helping create the best in the world.

It is often forgotten (perhaps it might be better to say the story is never told) that the University of Phoenix (whose parent now owns BPP) is the most successful and profitable (in terms of fees and royalties, albeit not to the University itself) spin-off from the Fenland Polytechnic since Harvard. The underlying business model was based on John Sperling's Cambridge PhD and the contacts he made at King's. Pearson is the world's largest education and training operation (but most of its business is now outside the UK). Many of the world's "vendor" qualifications were developed by moonlighting Oxford Dons who were later forced to choose between commercial and academic life and left accordingly.

The core to the strategy should be the removal of obstacles to co-operation across boundaries, inter-departmental, public- private, professional and sectoral before the UK dies in a flurry of red tape. But that too leads us back to skills, skills, skills and skills (both education and training, remembering the difference) from the top to the bottom.

I hope you will all, despite the short time available, make your views known.

Will Ofcom drop the ATVOD ball on age checking and content regulation tomorrow?

Tomorrow Ofcom takes control of "on demand" content back from ATVOD and is said to plan to align it more closely with linear TV.

Last year the Prime Minister made an election pledge that on-line age-checking would be made compulsory to help protect children from accidentally accessing pornography. He repeated the pledge after the election. ATVOD, the content industry co-regulator, led the way on consultation as to how this might be achieved but in October it was announced that its functions would be taken back into Ofcom.

The summary of the Draft Ofcom plan for 2016-17, to which I asked readers to respond earlier this month, refers to its duties to protect consumers from harm but contains no reference to any plans to continue the functions performed by ATVOD. The only reference is to "Considering the watershed and other tools to protect children from inappropriate content". Meanwhile the Advertising Standards Authority will remain the co-regulator for advertising content.  

The automatic application of controls in services like the SKY Shield implies that major players are moving beyond the current Ofcom Guidance in response to audience pressure. Hopefully, therefore, the omission is a mistake and not a capitulation to those opposed to the routine use of the low cost, anonymised, on-line age-checking processes that have been developed in response to the pioneering work of ATVOD. The need for these goes much wider than aligning to the watershed concepts of the "dying" world of linear broadcasting. It also goes much wider than child protection. But it also strikes at the heart of business models aimed at luring children into a world of on-line exploitation that is not just sexual.


Why do we still have "digital skills gaps" when the government of Harold Wilson identified both "problem" and "solution"?

1. Until earlier this year we were trapped in Groundhog Day

There have been regular enquiries into shortages of what we now call "digital skills" for 50 years. A cyclical pattern was identified in the 1980s. Each recession after that of 1979 - 83 accelerated the decline in demand for old "digital skills" and delayed investment in training for the new generation of "digital" skills that was taking their place. Each recovery (from 1982 onwards) saw a "crisis" and another attempt "to predict the unpredictable" in order to better target public funded education and training.

Training levies and grants were scrapped in the 1980s as a bureaucratic waste of money which did not lead to more training but proposals to reward employers for recruiting trainees and retraining existing staff were regularly turned down by those whose status depended on dispensing public funds via hierarchies of committees. [see the blog continuation, section 5 onwards, below for a potted history, with links].

The biggest obstacle to employer organized training programmes is still the cost, particularly staff time, to organise supervised work experience before trainees and/or apprentices can be trusted to work on their own. Hence the need for generous tax incentives (e.g. exempting apprentices from National Insurance and Income Tax), on top of good quality mentoring support via local training providers, to help cover that cost. The current limited exemptions for low paid level 2 apprentices are a good start but the approach needs to be extended to those on higher level contractual training programmes (e.g. those in line with the main test case Strathclyde Regional Council v. Neal).

2. Why do employers import contractors instead of hiring/training Britons?

Tax, Tax and Tax.

Until about a year ago it was more economic for most employers to compete for skilled staff or import from overseas, rather than train their own. Now it can be cheaper to train than to recruit - but only if you can find those able to help you deliver relevant and well-targeted blended learning modules when and where you need them. No attempt has yet, however, been made to level the playing field between those who recruit trainees and retrain existing staff and those who import supposedly skilled "contractors". We still appear to have a situation where some of the latter can be paid tax free allowances for travel and accommodation and exempted from national insurance up to year. This enables their employers to save 50% (sometimes even more) compared to UK staff or contractors with equivalent take-home (after tax and expenses) earnings.

In looking at big business bleats about attempts to control the Tier Two visas used to import IT skills in supposedly short supply, it is as well to note that over 36,000 of the 60,000 in the UK at this time last year were from India and nearly 7,000 were from one company alone, apparently outnumbering their indigenous workforce by about 2:1.

Last year, in my evidence to the House of Lords Select committee, I said that we needed to copy our overseas competitors in exempting employees following professionally and technically accredited training programmes from income and payroll (c.f. National Insurance) taxes and allowing individuals acquiring new skills, not essential to their current jobs, to offset the cost against current and future earnings. We also needed the same tax and expenses regime for imported staff and contractors as for their UK counterparts. The changes needed also include addressing how IR35 penalises those contractors seeking to keep abreast of changing demand for skills.

Since then we have seen welcome tax breaks for apprentices but not yet for the growing number of subcontractors, including those working direct for the public sector (at a fraction of the cost of those employed via waterfall framework contracts), who need to keep their skills up to date. [see section 7 onwards for what else has changed, or not, since the last century!] 

3. Why our failure to distinguish between digital education (disciplines) and digital training (specific skills) causes such problems.

One of the reasons so much public spend has been wasted has been the common failure to distinguish between core disciplines (which change slowly, if at all, over time) and technology, product and service related skills where demand can change before the curriculum headings, let alone content, is agreed.

The core disciplines for the successful use of complex technologies have changed little, if at all, since structured programming and programme/project management were added to the grounding in organisation and methods, operational research and systems thinking methodologies recommended by those who organized the systems analysis and programming courses of the 1960s. Those who helped me concoct the original Micros in Schools Programme (Cashing in on the Chips, 1979) saw programming as the new Latin or Algebra, much as those running Code Clubs today - then we had the obsession with computer literacy - alias how to use the office software products of the day - which turned off a generation.

The subsequent neglect of such basic principles as the separation of code and data and of "public" and "private" processes, in favour of transient techniques and technologies, as "professional" and "hobby" computing "merged" in the 1980s, lies behind many, perhaps most, of our current reliability, resilience and security problems.

4. We need to find better ways of assessing current and future demand

We also need to find better ways of relating publicly funded and accredited qualifications and courses to current and emerging skills needs and employers' recruitment and training plans, without overloading those who do seek to plan ahead with "consultations" asking questions they cannot answer. The solution entails pooling budgets for demand assessment and forecasting via, for example, consortia of Sector Skills Councils and LEPs, to enable the use of industry strength market research.

Few employers can forecast their needs more than a year ahead in the detail needed to plan conventional courses and qualifications. Those able to do so commonly wish to mix and match modules for just-in-time delivery (to meet immediate skills needs) with those for longer term career development across academic and professional disciplines. This presents challenges to colleges, universities and funding agencies. Those willing and able to respond can derive significant earnings from the delivery of short course modules (both residential and on-line) within the global apprenticeship and continuous professional development programmes of major engineering and financial services employers.

They are however FORBIDDEN from doing so. The English Trailblazer apprentice programme requires adherence to the Skills Funding Agency Qualifications Guide. This bars (Para 19) using the vendor or commercial (including those organized by professional bodies or trade associations) qualifications and associated materials that are more commonly required by digital employers than those funded by the agency.

The other fundamental problem is that the definitions used in almost all public sector accreditation, let alone funding, planning and forecasting, processes are too broad for employers to understand the competence they can expect. Moreover the delivery programmes are segmented into technical and professional career development "drainpipes" that do not fit a world in which employees and students need to acquire patchworks of skills to meet changing needs. The need is to mix and match just-in-time delivery modules from a variety of sources in ways that depend more on the ability to respond rapidly to changes in demand than to predict those changes. I have blogged on this in the context of the cyber-security skills needed by financial services employers a couple of times.

Those seeking to prepare current and potential customers to use the product and service innovations they are planning should be taking responsibility for ensuring the availability of the necessary modules. But they are constrained by demands to fit UK into accreditation and funding frameworks which cannot respond in time to meet evolving needs. In consequence there is a basic split between those who are seeking to meet global skills needs (whether the UK delivery of courses and materials developed elsewhere or the UK development of courses and materials designed for overseas delivery) and those responding to the demands of UK-centric funding agencies to produce courses and qualifications that will fit government targets, including for accreditation revenue streams and royalties.

Have a Merry Christmas off-line and a prosperous and Happy New Year having taken control of your own data.

Even if the Phantom Squad does not repeat the Lizard Squad's exploits last year, taking down games networks to ruin Christmas for children (and nerds), there are warnings that anyone without super-duper fast broadband is likely to face problems as millions go on-line to install and download operating system and app updates for their new "toys". Then there are the 144 (12 by 12) Scams of Christmas (take your pick from the lists).

Hence my greeting, wishing you a merry off-line Saturnalia: food, drink (not forgetting the first drink of Christmas day) and family rituals. Your New Year resolutions should include checking your ad blockers and anti-spyware filters, not just your "security" software, if you really do want a Happy and Prosperous New Year.

Innkeeper: Sorry our broadband has been so slow recently and we are in a mobile notspot so we haven't been able to get on-line to check the bookings.

Joseph:  But assured us our guest room was confirmed.

Innkeeper: Is it OK if I clean out the manger in the stable?

[For those who think the reality was different, I recommend the explanation on the website of the United Church of God. I too have learned not to assume that on-line confirmations from village pubs mean anything - always ring and check. Hence also the strength of feeling from those afflicted with that peculiarly British mix of rural crapband and digital by default services].

There are no shortages of "digital skills", only of employers who train their staff with the skills they need. But why don't they?

This time last year the House of Lords Select Committee on Digital Skills had collected over a thousand pages of evidence. Over Christmas the members ploughed through the evidence and in February they published a report to which the new majority Government responded by moving "digital" skills from BIS to DCMS, alongside "digital" infrastructure and "information security". The House of Commons Science and Technology Committee has now announced an inquiry into the Digital Skills Gap to see whether the Government response to the House of Lords Enquiry is adequate.

The traditional career ladders/drainpipes have broken down.

The Commons committee has asked some interesting questions but the answers are not likely to help employers address the skills shortages they face. The shortages are not of "digital" skills but of the specific mixes of skills (not all of them digital) that meet their current (and evolving) needs. Underlying disciplines may change slowly but the content of the skills modules in current demand (see appendix below for some examples in one area) changes faster than most academic or professional planning and budgeting processes can handle. Moreover, the mix of modules, some digital, some application specific, increasingly crosses professional and academic boundaries:

What is the mix of skills needed to plan, specify and develop, or test the integrity, performance, resilience and security of, "smart" engine control systems (as supplied by Bosch to VW), "smart" medical devices like the pacemaker implanted in the Vice President of the United States, let alone the smartphones that most of us now use to check our bank balances, the "smart" toys with which our children play and the "smart" marketing systems that track our transactions and movements?

"Digital" should not be seen as a new opportunity for ladder/drainpipe manufacturers

Information Security, Internet of Things and Big Data Analytics are among the "digital" skills in currently shortest supply, but within those broad definitions the skillsets sought by employers tend to be sector and application specific. Thus the Internet of Things can be broken into "smart" weapons systems, smart medical and healthcare systems and equipment, smart transport (road, rail, marine etc.), smart buildings and cities, fintech, "smart" marketing and so on. Each needs to mix "digital" with more "traditional" disciplines. 90% of the roles do not require degrees, let alone PhDs in computer science or electrical or mechanical engineering. They require "technician" level skills. But these have to be picked and mixed across a variety of trades and disciplines.

The value of graduates is that they have learned how to learn (hopefully) and can therefore pick up new subjects more quickly - but they nearly always need 18 months to two years of training and supervised work experience to fulfill their potential. Those who offer such training have, until recently, tended to compete in a narrow pool (Oxbridge and/or Russell Group) for the very best (Firsts and 2:1's plus demonstrable leadership and organisation qualities) and then complain about lack of choice, diversity or imagination. Hence the reason that many leading edge employers are now going direct to schools careers advisers to get access to top talent three to five years earlier. The reactions they get are varied, with leading schools welcoming the choice it provides to their brightest and best and lesser schools still fearing their parents will regard apprenticeships (even those which include global study programmes and modular degrees and/or post graduate qualifications) as second best.

It can be quicker and cheaper to train than compete for skillsets in short supply 

The reality is that most of the skills in shortest supply can now be given to existing staff or raw talent in the eight to ten weeks it used to take to turn a cross section of society into squaddies capable of servicing the boredom and bullshit of National Service, or to turn the 10% of Virgin Soldiers with military aptitude into competent Commandos. The "secret", known to most large organisations with well established in-house apprenticeship and graduate training operations, is to mix blended and experiential learning. A recent example regarding one of the skills sets in shortest supply is the SANS Academy Boot Camp, most of whose participants in the Cybersecurity Challenge linked pilot (from teenagers to over 50s) came in the top 10% for the three GIAC security qualifications offered - thus fast tracking them for jobs with US Defence Contractors and Banks. They had been selected on aptitude. They acquired the attitude during the eight weeks of intensive group exercises and mentoring. Over half are now working with the employers who supported the exercise.

But we lack the local support services for employers who wish to do so

This example also, however, illustrates why the majority of UK employers still prefer to recruit rather than train - even when the latter is demonstrably quicker and cheaper for the skills in shortest supply. They are too small and/or lack the in-house skills to properly organise such training and do not know who can help them locally. Moreover, most of them do not need the level of narrow skills provided by such courses. They want a mix of modules (not just digital modules) that are relevant to their business - where the secretary/receptionist/CEO's personal assistant is in charge of IT, including information security, and the mechanics try to work out what the IoT devices in the equipment are up to. If you have watched a modern plumber trying to correct faults in a computer heating system you will understand the mix of skills required by the latter.

Such problems are not, however, confined to small firms. They are common to most employers whose core business is not "digital". Last year I was asked by e-Skills, now the Tech Partnership, to get the views of Financial Services employers on the new cyber security skills frameworks. I blogged at the time asking for comments on my first draft and reproduce the summary of my final report at the end of this blog.

The points, where "digital" can be substituted for cyber or security and which apply to most commercial and industrial "user" sectors, included:

"The ... industry is internationally focused not UK-Centric" [in other words UK training modules and qualifications are of little interest except where the UK regulatory regime is different or where the UK genuinely does lead the world and others are happy to follow]

"A focus on ... results in contact being delegated to those with operational rather than budget responsibility". [in other words those who do have neither training budgets nor influence over mainstream corporate training programmes]

"Roles which do not require understanding of the business are increasingly "co-sourced", to joint operations ... Those roles which are not outsourced commonly require skills mixes which cut across professional boundaries." [in other words they do not fit inside "digital" skills, apprenticeship or professional development frameworks]

"It is therefore easier to get support for adding ... components to employers' existing training and continuous professional development and update programmes but the degree of "outsourcing" and "co-sourcing" means that the in-house skills to organise such additions are often lacking." [In other words the problem is to find personnel consultants and training providers who can manage the process as well as deliver the components]

LOCAL partnerships are needed to turn national aspirations into practical reality

The good news is a growing number of traditional Further Education colleges are now seeking to turn themselves into "virtual colleges" to support local employers with the cross-cutting mixes of skills they need - including to organise their in-house training and supervision. Several recruitment and employment consultancies are also exploring the commercial viability of helping clients organise apprenticeship programmes. So too are commercial training providers. [One is said to be about to announce a programme for several hundred information security apprentices for a couple of well known defence contractors].   

The problem they all face is of trying to work with national programmes, including those of the professional bodies and trade associations, as well as those funded by government, that are sector and/or silo specific. Hence the proposal on which I will be reporting progress on 21st December to the DPA 21st Century Skills Group. This was to pilot a "Local Skills Partnerships" approach to join up national programmes at the local level, involving local politicians (MPs and Councillors) who wish to be able to demonstrate results before they stand for election. The aim is to put the MPs alongside employers (both national and local) who have immediate needs to meet, as well as longer term ambition for their own children and those of their employees. The result should be to add focus and "bite" to a debate that has been looping for 50 years since the study that led to the creation of the National Computing Centre (for which I worked in the 1980s until it "lost its way").

I have been agreeably surprised by the response from all sides, particularly from those running national programmes who are looking to see local joining up and success. The problem is how to harness that response and turn it into local leadership teams because most of the effort in recent years has been on big projects to meet "national" needs and we currently have the "distraction" of a return to levies and grants. My fear is that the focus of the Science and Technology Select Committee could once again be on "national needs". The need is to remember that the "average" UK digital worker is a 30 something-year-old hermaphrodite (73:27 male/female) living just south of Coventry. Their digital skills needs are likely to be equally untypical.

Tell the Select Committee on Science and Technology what you are doing to help fill the gaps

Employers (and professional bodies and trade associations) submitting evidence to the select committee should therefore unpack what "digital" means to them (and their employer members) and why it is so hard to organise cost effective training and career development programmes to meet their needs, whether in house or locally. Those who are telling me what they are doing to help address skills needs in their own areas, with a view to finding local partners with whom to work, should also tell the Science and Technology Select Committee.

Meanwhile, I hope that on the 21st we will also be able to organise publicity for local attempts to join up schools support programmes, careers advice, apprenticeships and modular degrees, cross-training, continuous professional development and returner programmes - all working together, to help secure the jobs of the future for their communities (based on realistic travel to work/school/college maps) and their resident (or would be) employers.     

Meanwhile, I hope that the appendix below will help you understand what happens when you try to unpack what "digital" means in practice for just one discipline, in just one sector, with the aim of identifying which "gaps" most concern them and who they would trust to help fill them.


Report on engaging financial services employers with the Cyber Security Apprenticeship and CPD frameworks and programmes being developed by e-Skills and its partners


Key Constraints and opportunities

  * The UK Financial Services Industry is internationally focussed not UK-Centric.
  * The drivers are a mix of fraud prevention, resilience, customer confidence and compliance.
  * A focus on cyber and information security results in contact being delegated to those with operational rather than budget responsibility.
  * Roles which do not require understanding of the business are increasingly "co-sourced", to joint operations serving a peer group and/or to trusted partners providing securities services. Those roles which are not outsourced commonly require skills mixes which cut across professional boundaries.
  * It is therefore easier to get support for adding security components to employers' existing training and continuous professional development and update programmes but the degree of "outsourcing" and "co-sourcing" means that the in-house skills to organise such additions are often lacking.
  * It appears (needs to be confirmed) that it is more effective to promote action on the part of those with budget and strategy responsibility via sector-based peer groups.

The Skills Gaps identified to date

  * There was favourable comment on the e-Skills "Learning Outcomes Draft" as a check list to aid the assessment of recruits
  * The Generic Gaps, common to all sectors, found to date were:
    * Mobile: including identity, authorisation, data access, transactions and privacy
    * Big Data: both for detection and for protection
    * Cloud: including secure access and regulatory and liability issues
    * Website Security, including the handling of abuse and impersonation
    * App Security, including the application of security by design disciplines
    * Collaboration across cultural and professional boundaries
    * Process Control: alias SCADA, Internet of Things, Ubiquitous computing
  * The Sector Specific Gaps, albeit often with common underlying disciplines and technologies, were:
    * Putting risks into business context and justifying spend
    * Intelligence led Security: direction, collection, analysis, reporting
    * Access Control: who has access to what, under what circumstances
    * End User Skills and Processes: including for access control and authorisation
    * Vetting and personal behaviour
    * Identity Management: including individuals, organisations and devices
    * Authorisation Processes: including PCI-DSS, HMG, major suppliers/customers
    * Governance/compliance: inc. AML, KYC, SARS, Data Retention and Protection
    * Support for Small Firms, generic and those in the supply chains of large firms
    * Incident Response: damage limitation, notification, consequent liability, public relations etc.
    * Reporting: what to report to who and how, what response to expect.
    * Investigation: forensics, evidence collection/preservation, co-operation with law enforcement
    * Asset Recovery: local (not just in the UK) and cross border


Action Plan


Organise follow up activities to identify priorities, those willing to comment on their needs in sufficient detail to enable suppliers to address them, plus those willing to work together to achieve common objectives in identifying, recruiting and harnessing talents.

E-mail me if you would like a copy of the full report.


Will the Investigatory Powers Bill apply to all those others, from Google to Battersea Dogs Home, who are tracking your movements?

Those who drool over the wonders of Big Data and Internet of Things should take a look at the video of the "Looking for You" campaign piloted by Battersea Dogs Home at Westfield Shopping Centre. Those who stop to look at a cute stray dog are given a leaflet which contains a tracking chip. Display adverts around the centre then show the dog following them or popping in front of them looking appealingly. Now look at the plans of Pernod Ricard for "intelligent bottles". Will GCHQ be able to follow James Bond by the empties, without the need for a chip implant, let alone "smart blood"? And what do we think of the growing attempts to stop us (and our children who are more likely to have discovered that it makes their smartphones faster and more usable) from using adblocking software? This also helps put the BCS consultation into context. The announcement is anodyne but there is real anger among those professionals who understand what is happening and why. My sister-in-law is very happy at being able to track her wandering dog on the Internet (after one of his periodic "escapes") to see whether he is on his way home or genuinely lost. The idea that a stranger could be similarly tracking the movements of her niece's Barbie Doll would fill her with horror.

This morning I learned, in the margins of the Digital Leaders "Digital DNA" conference, that it is no longer possible to store phone numbers in the SIM card of the latest Android phones. They have to be backed up in the Google Cloud, i.e. become Google's "property", to be sent back to the USA. Given that US anti-surveillance protections do not apply to "foreigners" I wonder why we should be so concerned about the governance provisions of the Investigatory Powers Bill as they apply to UK security and law enforcement when our phones are reporting back to those in Mountain View or Cupertino whose main concern appears to be that they should not have to share what they know about US citizens (not us, we are "foreigners") with Fort Meade.

One of the EURIM achievements of which I was proudest (none of the other players even recognised its importance) was the rewrite of the statutory instrument covering the "lawful interception of business communications" (part of the implementation of RIPA), including the notice that had to be given to customers that their communications might be recorded. That is why the planned Digital Policy Alliance (the current reincarnation of EURIM) exercise on the Internet of Things (albeit a new term is needed) is so important (DPA reaches the parts others do not even think about). That exercise will be focused on the positives (e.g. the actions necessary to help the UK lead the world into telecare, smart buildings or transport) but the negatives also need to be defused. [Contact them, not me, for details - this is one for the younger generation. My son is helping organise the exercise and we have reached the stage where I listen to him more than he listens to me. For those who know me that is an "interesting" change!!!]

I would, however, like to belatedly add to my previous blog on the consultations on the Investigatory Powers Bill, the need to not only recognise that it applies to the tracking operations of Apple and Google (and all the other adware and spyware operators whose bloatware is clogging the Internet and slowing response times), but the importance of giving us all informed and genuine (not forced) choice as to whether we want our "communications data" to be recorded in the unsafe (to foreigners) harbours of the USA. This happens to be another area where the Digital Policy Alliance, with Malcolm Harbour chairing the relevant working party himself, is at the heart of organising well-informed, well-targeted, balanced and timely inputs to both UK and EU policy. I am now personally focussed on socially inclusive broadband and skills, where I believe we have just crossed a watershed - but that will be the subject for my next blog.

Ofcom consults on plans to tackle the UK Communications Confusopoly

Ofcom has just published its Proposed Annual Plan for 2016/17 with a deadline of 26th February 2016 for responses. It has three clear objectives:

  1. Promote competition and ensure that markets work effectively for consumers
  2. Secure standards and improve quality
  3. Protect consumers from harm

First the bad news - why YOU need to call for additional action

Once again, despite the comments of the Ofcom CEO to the DCMS Select Committee earlier this year, the need for markets to work effectively for business users has been left out of its priorities. That is, however, in line with her predecessor's reading of legislation which assumed that business users could look after themselves - with the Communications Management Association acting as their voice. But CMA fell silent when its finances imploded after the failure of TMA 2002. Today the FSB is doing an increasingly good job articulating the varied needs of Small Business and the Institute of Directors is about to follow suit but, apart from INTUG and sporadic local campaigns, the needs of medium to large business are ignored: hence my series of blogs beginning with "How rural is Smithfield?" and leading through to the Ministerial advice to those on business parks to forget BT and BDUK and do their own thing.

If Ofcom is not going to address the needs of British business users perhaps it is time for them to call for action by the Competition and Markets Authority, but first they need to find a collective voice. In the meantime, I suggest that readers responsible for the communications of medium to large businesses consider whether they should ask the Computer Weekly 500 to organise a meeting (perhaps in co-operation with the Digital Policy Alliance and its members) to discuss their inputs to the consultation on the proposed Ofcom work plan. It may be that "simply" organising a "communications channel" with Ofcom from a working group which collates attributable evidence of problems and of need will be sufficient. I personally have become tired of those who whinge but do not follow through with evidence of the problems they face and the impact on their business. I understand why this may not be easy but ...

Now the good news - why you should support the action planned by Ofcom

The draft for consultation indicates that Ofcom may, at long last, be about to act as a Competition Regulator, responding to market developments when it is necessary to prevent abuse, particularly by current and would-be dominant players, instead of acting as a backdoor state planning agency, protecting the past from the future.

This is particularly important given the scale of change that is now taking place: from communications technologies and architectures to operating costs and business models. I recently blogged on how this affects the Investigatory Powers Bill: with the convergence and divergence of fixed, mobile, wifi and lifi and the compounding impact of adware and insecurity all combining to make technology specific legislation obsolete before implemented. My views were informed by an exercise to look at why those living in inner city social housing complexes in London have such inferior and expensive broadband access compared with those in similar blocks in Seoul or Hong Kong.

In my "Dirty Digest" of the Ofcom Strategic Review Discussion Document (back in July) I linked the reasons back to the way Local Loop Unbundling destroyed BT's business plans for fibre to the home, not cabinet. What I had not appreciated, until I started visiting some of the social housing complexes that are now extending "fibre to the flat", was that the cost of installing fibre, let alone of the associated equipment, has plummeted over the past year. A combination of technology advances, mass production and a global price war between Huawei, CISCO and Alcatel-Lucent has led to equipment costs coming down by 50 - 70% in a year. Meanwhile competition in the provision of backhaul services (including from players like Zayo, who are busy buying and relighting fibres switched off in recent years to avoid business rates) has forced BT to bring its prices down, in areas where it faces competition. Thus the price for 10 Gbps Ethernet has fallen by 37% this year. Where BT does not face competition and change would cannibalise its more captive SME leased line business (e.g. 1 Gbps lines), the prices have not moved since April 2014. Meanwhile Ofcom allowed an increase in the price for obsolete copper/aluminum Openreach twisted pairs.

When I read History at Cambridge in the late 1960s, one of the papers concerned the conduct of two seminal enquiries (1799 and 1800) into monopolies. One was into the way Thomas Williams had acquired control of the Parys Mountain copper mine and driven down the price of copper so that he could destroy the Cornish mining cartel and establish his own monopoly. In doing so, he had, however, helped transform the UK economy and enabled the Royal Navy to copper bottom its ships and beat the French at sea. The other was into the abuses of the cartel that ran the coal trade from Newcastle to London. In both cases the potential recommendations were regularly overtaken by events. The experience prepared me for when I did the regulatory economics module under Michael Beesley at London Business School and later worked on the 1978-9 policy studies that led to telecoms liberalisation and privatisation. The messages were the same, it was just that events moved faster. Today the pace of change has further accelerated.

And so to a few thoughts on the Proposed Ofcom Annual Plan.

The second sentence of Paragraph 2.1 is a masterly summary of the task "Communications markets are fast moving, with changing consumer and business needs, new and evolving network, device and service technologies, and significant activity in mergers and acquisitions".

Paragraph 2.4 refers to the way that "over the top" services are complicating market comparisons leading to a very polite statement in Para 2.6 of the need to address the current industry "confusopoly" (my description not theirs): "The array of services on offer at different prices, with different tariff structures and contractual terms may reduce price transparency and complicate user decisions". 

Over the week-end I spent some hours trying to work out the comparative cost of the services currently on offer to those in social housing from BT and its competitors. The Draft Ofcom Annual Plan is 28 pages,  including appendices. The BT Tariff Guide for Residential Customers is 57 pages. BT's websites are full of special offers but relating these to ongoing charges after the period of the offer is not at all easy.

I finally worked out that, unless in receipt of one of five benefits which qualify them for the BT Basic Phone and Broadband package, the minimum telephone bill is likely to be about £72 per quarter (including call charges or a UK only "anytime" service) while the basic (up to 17 mbps, usage capped to 10 Gbps)  broadband service is £24. This gives a price for phone and broadband of £85. Meanwhile those offering fibre to the flat tend to charge around £60 for entry level broadband, rising to £84, when an anytime UK voice over IP service is added. [Note that I have done the comparisons using quarterly list prices: everyone has special introductory offers - that from Hyperoptic has raised more eyebrows than most, providing a gigabit service for less than the average phone bill, albeit this may, in practice, be available only to those who have access to its services but have not yet signed up].    

The price gap widens significantly and rapidly for those wanting more than a basic service or who breach the usage caps. Moreover, those with the ability to unravel the various package deals would usually be better off taking raw broadband and subscribing service by service. The poor and gullible are indeed being systemically confused. This gives a clear case for "robust" action by Ofcom to improve the quality/clarity of the information on offer (Para 3.11 in the section of the Draft Plan on goals and objectives).

Para 2.11 of the Markets section contains another splendidly polite under-statement: this time regarding the way that technologies may be nearing retirement. It is not just that the physical tracing of the origin of emergency calls is now more reliable and accurate for VOIP calls which include the GPS location of the originating device, but that whole network technologies (written down in regulatory theory but not in accounting practice), are now worth no more than scrap: hence the relevance of my earlier reference to the predatory Thomas Williams wiping out much of the Cornish copper industry in the 1780s and 1790s.

This leads to another of the questions that Ofcom does not ask, and arguably should not ask, because it is for politicians not regulators:

Should providing regulatory certainty extend to protecting incumbents against change because previous regulatory decisions prevented their attempts to respond to those (or similar) changes a decade or so earlier?

I believe it should not: but that is because regulators should not discriminate between investors, whether to protect past investment or to artificially encourage new investment. Such interference is for politicians - and the political lobbying that takes place today is every bit as murky as it was in the 1800s: the main difference being that lobbying is now nearer to being an equal opportunities career than engineering, IT or political cartoonist (only two female entries in the Political Cartoonist of the year 2015 awards).


Forty two organisations and individuals submitted public (as opposed to confidential) evidence to the Science and Technology Select Committee inquiry into the technical aspects of the Investigatory Powers Bill. The links to the full list of oral evidence to date and of published submissions, including my own, are here

Apart from the collective submissions from membership organisations like TechUK, JISC and UKISA, none appears to be from the (very wide) range of service providers who might have to help (or at least not actively prevent) the retention of data concerning their users' on-line activities. Many submissions, such as that from Mozilla, are from those who believe, as a matter of principle, that the liberal/libertarian ideals of the Internet should not be compromised by the need to protect its users from abuse because they do not trust those who might exercise the necessary powers.

As I suspected, my submission is out on a limb in its support for lack of clarity, on the grounds that the legislation must be "generic" if it is to be effective and not out of date before implemented. I was pleased, however, to see that others shared my concerns over the security of retained data - although not to the extent of suggesting remedies - as I have also done in some of my recent blogs, including the need to look at the governance of partnership policing if we are serious about the objectives of the legislation.

Could/should London match Hongkong or Singapore, with unsubsidised fibre to the flat at less than the cost of POTS?

Singapore and Hongkong are London's most dangerous global financial services rivals and also have the best big city broadband. What do we and they have in common? The high proportion of residents who live and work in housing and office complexes which are cheap to fibre up - provided this is done in co-operation with residents and building managers.

Why did London not copy Seoul when it led the way with affordable fibre to every apartment in every social housing tower? The prime reason appears to be that "pure" fibre customers commonly pay less for broadband including Internet telephony than those without fibre pay for a traditional telephone service, even without broadband. It was, therefore, not in BT's interest to co-operate with such a revenue destroying "opportunity", even if it could afford the cost of change at the same time as building a TV business and (now) buying EE, unless its content revenues more than make up the difference. Hence the current "Quad Play" fight to the death with massive discounts for new customers (on the assumption that existing customers will be loath to risk the disruption of change - unless actively driven away by poor service).

I have blogged in the past on why BT's competitors can build rural broadband networks at a fraction of its costs. The local contractors who installed shared aerial systems to inner city tower block estates during the digital switch-over in the run up to the Olympics are similarly capable of installing fibre to social housing complexes for significantly less than it costs BT to replace aluminum exchange-only lines by Gfast quality copper. Meanwhile competition between Alcatel Lucent, CISCO, Ericsson, Huawei and others has caused relevant equipment cost to come down by around two thirds over the past year. Some of the competitors to BT can therefore get payback inside two to three years, as opposed to the twenty or more years quoted by "establishment" (using Richard Hooper's excellent definition which I unfairly summarised in a blog on the USO) analysts.

The actions necessary to permit them, particularly the streamlined agreement of shared wayleaves, would also enable BT to cut its costs, while upgrading its networks (architecture as well as technology and cabling) to provide more profitable backhaul for the mushrooming traffic volumes (fixed, mobile, wifi, lifi and m2m) that a smarter, greener city will generate. I would add that Gfast may have been overhyped, but it is a seriously competitive technology (at least for a decade or so) for housing complexes and office blocks with under 50 units and good quality copper wiring.

As a Londoner, I would argue that the City Corporation and the London Boroughs should work together to allow market forces to work before London haemorrhages jobs and tax revenues migrate to smarter, greener, less polluted cities where bandwidth-hungry businesses can get symmetric gigabit, "full fibre" connections to homes and offices, leading to more home-based working and less travel stress and pollution. A modern reliable and resilient IPV6 compliant mesh will also enable London to make effective use of intelligent devices and systems, from energy and traffic management to the health and welfare monitoring that enables independent living instead of bed-blocking our clogged NHS hospitals.

The forthcoming Mayoral election will provide an opportunity to argue how this could and should be achieved and readers will not be surprised to know that I am happy to make proposals to anyone who will listen. However, we do not need to wait for the result of the mayoral election to make serious progress, and I am delighted that Hyperoptic has agreed to support me in a modest exercise to try to collect and publicise case studies of how broadband has already been brought to some of the social housing complexes whose votes will determine the outcome of the mayoral election.

I therefore ask readers to comment on the synopsis that follows and suggest case studies that will support or destroy the thinking behind it.


There is growing political concern at the deepening (if not necessarily widening) of geographic, social and economic digital divides within the UK. Those in most need of on-line services (from home shopping and security to monitoring and telecare services) often have least access to what the Prime Minister has described as an essential utility. There is confusion among public sector decision-takers as to how best to address the consequences at a time when their budgets are under increasing pressure.

Many of those in most need live in 40 - 50 year old social housing complexes. Some of these are run by Local Authorities. Others are run by Housing Associations. Even where tenants have exercised rights to purchase, the buildings may still be managed by Local Authorities, Housing Associations or their agents. Korea's success in becoming the world's most connected nation is said to be in large part because half the population lives in similar complexes. The main reason the UK has not followed suit appears to be because copper/aluminum wiring was installed when the complexes were built and carries traditional telephone services which generate more revenue for the incumbent telco than VOIP over broadband. This removes the incentive to invest, unless and until it is needed for content services that generate additional revenue (e.g. subscription TV channels) and/or it is threatened by competition that can make money from providing better services at significantly lower costs over new networks using different technologies and architectures.

BT is therefore seeking to offer broadband over the existing telephone networks but is limited by the quality of the wiring within buildings as much as the need to upgrade the services to them. In parallel a growing number of organisations are seeking to provide low cost monitoring and care services over mobile networks which do not always work well within inner city estates: mounting problems of overload and interference. Many buildings will therefore need recabling, unless there is the opportunity to piggyback on more recent investments, such as the communal aerials installed during the run up to the Olympics or electricity cabling capable of carrying powerline services. Over recent years housing associations and council housing departments have therefore begun working with partners to retrofit fibre networks akin to those included in new build private sector apartment complexes.

The good news is that the cost of  fibre and both landline and radio is falling dramatically and a variety of technologies and business models could be used to provide reliable access at well above the universal service obligation on which the Prime Minister has announced a consultation starting in January.

The question is therefore "How can Local Authorities best work together with suppliers to ensure these are used to meet the needs of those for whom they are responsible at a time when they too must make massive savings in the cost of service delivery?"

The start point for the answers is to look at what has been done already.

Case Studies (covering different technology start points and solutions, business models, benefits)
1) Technologies and technical issues:
•    Traditional (copper/aluminium) wiring  - Exchange Only, FTTC, GFast 
•    Community aerials and/or "rediffusion" networks - coax and fibre
•    Powerline, Fixed Radio, Mobile/Wifi
•    Fibre (P2P, GPon)
•    Backhaul issues
2) Business Models and viability issues:
•    Capital Funding:  public or privately owned or leased (including PFI et al deals), community/co-operative, revenue sharing etc.   
•    Operational Funding: Included in rent, separately charged (to tenant, social services etc.), utility service (e.g. basic broadband/telephony with choice of upgrades and content services), bundled (e.g. including TV and other content), building services and/or revenue share for building owners/operators.
•    Access and wayleave arrangements and charges: one-off/standard, exclusive/shared, responsibility and liability arrangements.
•    Other issues:  e.g. security, privacy, interference (both accidental and criminal: e.g. were/are drug and rave related tower-block pirate radio complexes a significant issue).    

3) Quality of service, including performance measures and monitoring
•    Disruption (on installation or during maintenance/upgrades),
•    Speed,
•    Reliability,
•    Response time,
•    Problem handling 
•    Customer satisfaction

Choices, Trade-Offs and Decision Criteria
To be collated, distilled and summarised from case studies

Possible Conclusions (hypotheses to be tested in the course of collecting case studies)
Horses for courses

1) Technology choices and criteria
•    A Gfast box on the outside of small blocks (up to 48 units) with good copper telephone wiring
•    Powerline to small blocks with poor telephone but good power supply wiring
•    Piggy back on good coax-fibre community aerial networks
•    Full fibre to the rest (but "future proof" P2P in risers, or low cost GPON pinned to the outside?)
2) Business Model
•    Affordability and predictability of cost to the tenant should come first not last.
•    Models based on revenue share from sales of content and/or upgrades that are essential for usability should not be at the expense of those in most need.
•    Cutting the cost, delay and uncertainty imposed on private sector partners gets a better deal for all

Next steps

Co-operation (? via GLA, LGA, SOCITM, other channels) on detailed guidance and/or shared projects and/or negotiation and/or lobbying and/or education/awareness (of whom: suppliers, councillors, tenants, public ...)

Will publicity for the Northamptonshire Open Market Review help open up the UK broadband market as whole?

Northamptonshire has announced an "Open Market Review" to help plan an invitation to tender to provide broadband services to those who will not be covered by its Phase 1 and 2 BDUK contracts. The intention appears to be to assemble a premises (not just post code) level map of coverage. It is not the first attempt but it is the first for which I have received a copy of the notice (via INCA) and a clearance (from Atkins) to publish in this blog.

Similar maps for the City of London and the Greater London Boroughs could start a gold rush among those who would see just how many opportunities there are to make money out of providing fibre to the flat or workshop (including voice over IP), at less than the price tenants and small firms are currently paying for an elderly copper/aluminium telephone service (with or without "broadband").  [I plan to blog separately on how the lack of incentives for BT to upgrade the networks serving most Londoners have left them so far behind those living and working in its main commercial rivals, Hong Kong and Singapore].   

The text of the Northamptonshire OMR notice is as follows:

"Atkins is supporting Northamptonshire County Council in the Superfast Northamptonshire project which aims to secure access to Superfast Broadband to all business and residential premises by 2017. In addition to the fibre deployment plans under Contract with BT, the County Council is pursuing other initiatives under the Superfast Northamptonshire project to extend superfast broadband. In particular the County Council intends to run a new public procurement. This will not be tendered under the BDUK Framework which has now expired and instead will be advertised in the Official Journal of the European Union (OJEU).
The County Council currently intends to release an ITT in early 2016, after completion of this OMR and consequent State Aid Public Consultation and approvals for the area of intervention. Further details can be found in the attached OMR Request.
We are sending the attached OMR request to all broadband infrastructure owners known to have infrastructure in the County following the previous OMR exercise and those known to the Council since. This document requests details and supporting evidence of any current or planned investment in broadband infrastructure (basic broadband and NGA broadband) in Northamptonshire for the period up to December 2018. The OMR will be followed by a formal Public Consultation Process with the information received used to determine the eligible Intervention Area for the forthcoming procurement.
It is important for you to notify the County Council of your commercial plans through this OMR to ensure that future public investment does not result in overbuild of your commercial deployment.
Full details of the information requested can be found in the Annex of the attached OMR Request. Responses to the questions set out in the Annex are required by close of play Friday 18th December 2015.  A full OMR response template incorporating a spreadsheet with all of the premises within the OGA will be released to providers once the attached Ordnance Survey PSMA Contractor licence has been signed and returned. This is a requirement of the County Council's license with Ordnance Survey in order to share the base data with suppliers. Please ensure that the relevant company details are provided where highlighted in the Contractor license document before returning.
When responding, we would be grateful if you could confirm your organisation's name and address, as well as the name, position and contact details of the person responding on behalf of the organisation.
Please send your responses via e-mail to Chris Bond (  If you need to discuss the requirements further, please contact me by email or by phone on the numbers provided below.

Does the Investigatory Powers Bill go far enough? Is the Scrutiny Committee Asking the Right Questions?

I received the press release for the call for evidence by the Joint Scrutiny Committee for the Investigatory Powers Bill on Friday, immediately after I had submitted my evidence to the House of  Commons Science and Technology Committee inquiry into the technical aspects of the Bill. I understand that the Commons Committee plans to publish the evidence that it has received next week. That gives a window of three weeks for better informed debate before the deadline for submissions to the main scrutiny committee, just before Christmas.

The Scrutiny Committee asks well targeted general and detailed questions but these need to be placed into context.

The bill is attempting to create a "future proof" regime at a time when the rate of change of architectures and technologies used for on-line communications is accelerating. Any attempt to "define" the services covered, data to be collected and technologies envisaged is therefore likely to be out-of-date before the legislation is implemented.

The legislative framework should therefore:

  • be based on objectives and principles rather than specified services or technologies.
  • apply to all types of communications service provider, large and small, including those yet to be invented.
  • cover the full cost to all service providers, (particularly smaller players such as community broadband operators or wifi providers), whose users include sufficient "persons of interest" for the security services or law enforcement to require data to be retained. [Most will never be worth covering, but it is essential both to avoid "tipping off" criminals on how to evade surveillance and to avoid crippling the potential for the UK communications market to be the world's most competitive]            
  • cover the duties of those given Investigatory Powers to maintain trained and authenticated single points of contact and have security processes that are fit for the responsibility [The biggest cost will not be recording or even retaining the data, but keeping it secure in the world's biggest set of "honeypots for hackers". Many of those with investigatory powers delegate these to junior staff and/or have already been warned or fined by the Information Commissioner's Office.]  
Viewed in that light, the Bill may have shortcomings but is a massive improvement on RIPA and DRIPA. I particularly welcome the provisions for judicial oversight. 

The scrutiny process is also a great improvement.

I fear, however, that the public debate has not yet matched those improvements. It appears stuck in a time warp - with far too many unrealistic expectations as to how legislation can be both specific and agnostic when it comes to technology issues.

The Bill is, and should be, about a technology neutral framework for investigatory powers as a whole. The debate appears to be about the ability (technical or legal) of Central Government to demand the retention of IPV4 Communications Data in a post-Snowden world, in case it is needed. Debate is only partially linked to the application of traditional standards of conduct and law enforcement, including traditional UK partnership policing, to the on-line world and the role, if any, of the security services and GCHQ in the process with regard to addressing the mass-market on-line abuse, fraud and impersonation that so concerns the public.

Over the past 18 months the world has changed in ways that give a whole new context to esoteric and introverted technical debates concerning definitions of the data to be retained and the processes for authorising access.

  • I am referring to the convergence and divergence of fixed, mobile, wifi (with li-fi in the wings) and machine to machine communication services over which "persons of interest" may route their traffic. The shortage of IPV4 addresses means that many devices avoid using IP for short range communications and when IPV6 becomes a mass market reality, the volume of those that do may again change the scale of IP communications volumes. 
  • I am referring to the explosive growth of short messages over existing networks generated by apps which include device and transaction tracking to support adware and other forms of spyware, whether or not devices are in active use by a human. Each "user controlled" transaction, message or site visit potentially triggers dozens of monitoring and tracking messages, plus further streams of messages, including as mobile devices change location.
  • I am referring to the known insecurity (as measured by data breaches notified to the Information Commissioner) of many of those entitled to use the powers in the Bill, let alone of those who might be expected to retain data in case it might be needed. The cost of securing such "honeypots for hackers" is likely to be very much greater than the £175 million currently estimated as the cost of implementation.  
My own submission to the Commons Select Committee collated views from those with whom I have spent over a decade looking at the issues of "partnership policing" and "enhancing confidence in the on-line world", as well as at privacy, surveillance and information security issues. This led me to look at why the Bill is as it is, and what has been left out, rather than criticise what is included - most of which is rather good.
I believe that those responding to the questions posed by the Scrutiny Committee need to address some wider points:

  • If the legislation is to be meaningful, any communications or internet service provider (large or small) has to potentially "host" interception and/or storage facilities. Whether or not they need to be aware this has been done is another matter.
  • The references to Internet Connection Records captured by network access providers "...e.g. the Internet Service Provider or Wi-Fi operator..." indicate that these might be demanded from schools, universities, libraries, banks, coffee shops, community centres and anyone else providing public internet access. If this is not the intention, then these provide a simple way for local communications to by-pass the system. If not, then assuring users that their communications are not liable to surveillance is "tipping off" and should be as much an offence as telling them that they have been targeted.
  • The statement that small ISPs do not need to worry because they are most unlikely to be of "interest" does not give confidence because it is too easy to envisage circumstances in which community ISPs serving inner city estates or leafy suburbs should be of interest, whether as centres of organised crime or terrorism or both.
  • Meanwhile technologies such as Tor and Freenet and the adoption of VPNs to proxies in other jurisdictions provide increasingly accessible ways for the hardest and most dangerous targets to bypass "traditional" systems monitoring Tier One (also a fluid definition) communications providers.
  • The necessity and proportionality of (inevitably ineffective) population-scale surveillance is not credible. Costs are likely to increase in proportion to current and expected growth in traffic volumes, adjusted for Moore's Law. Given changing infrastructure architectures and the cost of securing large databases against increasingly sophisticated attack, they could, however, be an order of magnitude higher.
  • We can therefore expect granular (location and/or service) access to be required, with most communications service providers not required to retain data at any time but even modest operators required to do so when they are identified as serving targets or communities of interest. If so, the legislation has again to be generic with a "guarantee" to cover the full costs, including those of keeping data secure, incurred by any service provider (large or small) required to retain data.
  • The need for legislation to be technology neutral and to avoid giving too much information to those wishing to avoid investigation also makes it unreasonable to define the communications data elements that should be retained. It is more important to consult service providers on how best to capture and retain information that would help meet generic objectives over the networks and architectures they already run or are planning.
  • There have long been concerns that government and law enforcement agencies (especially those outside the core intelligence services) do not secure data adequately. The number of local authorities suffering data breaches (according to the Information Commissioner's Office) illustrates that this is a serious problem among many of those with investigatory powers. The clauses concerned with unlawful access to data in Part 1 need to be extended to cover the failure to adequately secure retained data, particularly that claimed under warrant, notice or authorisation. Penalties should be linked to, but significantly more severe than, those under Data Protection legislation and cover anyone in industry or government holding such data.
A more serious flaw is that the Bill does not address the organisation of practical co-operation in time to meet operational needs, as occurred during the 2011 London Riots, when law enforcement was unable to make effective use of the information streams on offer from mobile operators and ISPs. Here the need is for access to the real-time computing power of industry in time to make a difference and save lives. This raises problems of governance more profound and difficult than those covered in the bill.

The Bill contains an attempt to improve processes for cross-border co-operation but the extra-territoriality provisions are unlikely to help sufficiently to make a material difference. The need is to make voluntary co-operation, including across borders, very much easier. Thus during the London Riots a communications service provider in North America obtained a local warrant which enabled it to legitimately decrypt communications between gang leaders before UK law enforcement was able to work out how to organise a request.

The current pressures on police budgets also mean that their ability to act as the first line of defence in addressing cyber-crime or terrorism depends on making practical progress with implementing the recommendations for Partnership Policing made by EURIM and IPPR a decade ago.

The time has come to also implement the suggestion, discussed in the margins of RIPA, that  all organisations with investigatory powers should route their requests through a well-identified and authenticated "Single Point of Contact" (SPOC) with staff trained to keep the results secure. The security requirement should include physical inspection (not just a paper validation of theoretical processes). Those without such a SPOC should be required to route requests through an organisation which can meet the requirements.

The welcome inclusion of penalties for the abuse of the powers does not address the problem of Councils giving powers to dozens of staff, from senior to junior, or lacking the procedures to keep the results secure. Pages 17 and 18 of the guidance from Weymouth and Portland Borough Council (picked because the investigation into the "Portland Spy Ring" is such a good example of the use of the investigatory powers of the day) illustrate why this problem is of such public concern, particularly in other local authorities where officials are expected to work in close co-operation with community leaders who may be more concerned with family honour than personal privacy.
A requirement to provide adequate security and protection against potential abuse might well lead to a welcome drop in the number of organisations seeking to retain historic powers.

I also recommend reading the excellent briefing from the House of Commons Library as well as the evidence to the Commons Select Committee when it is published.

I do not expect the Digital Policy Alliance to try to organise an exercise akin to that which we (i.e. EURIM) ran on RIPA: the scrutiny arrangements already in train mean that it would add little, but those who think it should organise a round table before 21st December for those planning to submit evidence should contact them, not me. I will, in any case, try to order my thoughts round the questions asked by the scrutiny committee.

How relevant is the Investigatory Powers Bill to preventing a Bataclan style massacre in London?

The attacks in Paris yesterday give a terrible topicality to debate over the Investigatory Powers Bill and the issues I raised yesterday. I have already received interesting feedback on some of the questions that need to be clarified for the legislation to achieve its supposed objectives but the news from Paris raises a core question of priority:

Is it more important to retain more data for longer or to give the security services and law enforcement more rapid access to analyses of the data that is already available?

Amazon, BT, CGI, Experian, Fujitsu, Google, HP, IBM, Microsoft, Paypal, Vodafone and others routinely analyse massive volumes of traffic in real time to run their own businesses or on behalf of customers, including to detect potential crime (particularly fraud and impersonation) as it is attempted.  At the time of the London Riots the mobile operators offered real time feeds (including of decrypted traffic) to the police in far less time than it would have taken to organise requests under RIPA. The police were unable to handle the volume of information on offer. They lacked both the people and the technology. Even were we not facing a massive shortage of the relevant skills, (subject for another blog), they are unlikely to ever get the necessary budgets to have such facilities on hot standby.

The time has come to take the recommendations in the EURIM-IPPR study on partnership policing rather more seriously - albeit updated for the decade that has passed since.

That study used the story of the FBI US response to the Love Bug to make the case for the large scale programmes of cyber reservists, specialist constables and community support officers and other forms of volunteer support, that we still have not got.

Within 48 hours the FBI claimed to have 400 agents working on the Love Bug. In fact there were approximately 40 FBI employees supporting nearly 400 information security staff employed by EDS, IBM and others, working on the issues from company workstations. The latter were now wearing their "hats" as military reservists or part-time law enforcement officers, having been "mobilised" into their wartime/emergency command and control positions. The zig-zag career path of Rear Admiral Grace Hopper helps illustrate the US approach. [I had similar ambitions as a cold war reservist working in the computer industry but was persuaded to drop them by my future wife after the sinking of HMS Fittleton. ICL would not let me take two weeks off immediately before year end and I knew the radio operator who drowned in my place alongside the CRS who taught me morse.]

But today we also need processes to call on the cloud computing resources of industry to analyse the data already available, in time to "make an operational difference".
The core objective of the Investigatory Powers Bill should not be to just retain more data for longer in case it might be useful. It should be to enable industry and academic experts, operating under "appropriate governance", to use Corporate, Commercial and University computing facilities to do that for which law enforcement (and even GCHQ) will never have sufficient budget - to identify threats in time to respond effectively, not just investigate afterwards.

That raises questions of governance, probity and impartiality that are far trickier than the meaning of "judicial oversight" or "communications data". At this point I ask whether we are serious about finding "answers" or merely playing expensive "displacement activity" games.

I will stop there because I do not know the answer. I know what I think it should be - but my brain begins to hurt when I try to think through the consequences.  
