How do we rebuild trust in the on-line world - not just Government?

The messages in the Cabinet Office, HMRC, IPCC and MoD reports and recommendations released on 25th June will keep security experts occupied for years. But the responses to the recommendations of recent Parliamentary reports, and of its own Independent Reviewer, raise far wider questions.

These are hidden away in "Annex V: Cross-references to other work", starting on page 37 of the report on "Data Handling Procedures in Government".

First come the responses to a selection of the recommendations from the Joint Committee on Human Rights report on "Data Protection and Human Rights". Then come those to the Select Committee on Justice report on "The Protection of Personal Data".

Then come those to "Protecting Government Information: Independent review of Government information assurance, by Nick Coleman". These are interesting for what is not addressed even more than for what is. That review ranged well beyond the issues raised by the "mere" loss of data. Nick's recommendations covered information risk management as a whole and included greatly improving the professionalism of those responsible. The government response included clarifying the split of responsibility between the Information Commissioner, the National Audit Office and CESG "through peer review and other independent experts". However, it failed to address many of the wider issues. This was not surprising, because several of the recommendations represented major threats to departmental autonomy.

Then comes the surprise: page 41 includes Government promises to "consider" some of the sharper recommendations of the House of Lords report on Personal Internet Safety "in the light of the Walport/Thomas review due shortly" - including with regard to on-line banking liabilities akin to those in the Bills of Exchange Act (1992), on which I recently blogged.

I have been scanning the responses to date from the flock of security experts. Most share the tunnel vision of the Government response to the Coleman review: they mouth the words "culture change" and then support the creation of a "Chief Information Risk Owner" with his own add-on security silo.

The time has come for a far wider vision.

Either the security of information, and the resilience of the systems giving access to it, really are important, in which case systems should be designed, from the start, to embed BOTH "security by default" (i.e. it takes a conscious effort to override the safeguards and do it insecurely) AND "graceful degradation" (e.g. default to equally secure federated and/or local access).

Or they are not that important - in which case we should resign ourselves to a world in which no electronic communication can be trusted or relied on for life or business critical functions at a time of rising fraud, impersonation and cyber-assault.

If they really are important - then we need to stop talking about "mere information security professionalism" and start overhauling mainstream information systems and computer science education and training - so that information security and resilient access are at the heart, not the periphery, of ICT professionalism as a whole.

And that means beginning with an overhaul of the courses accredited by BCS, IET and others.

That is why, two days ago, I said these reports might well be the most important of the decade for the ICT industry. Hence also the refocus of the EURIM Personal Identity and Data Sharing Group on Information Governance.

Then I spent two days at the ACPO E-Crime conference at Wyboston: listening to the concerns of a hundred or so dedicated professionals fighting a rearguard action against a rising, not falling, tide of reports of paedophile activity across social networks - unable to make time to seriously address anything else.

Are we on the cusp of a crisis of confidence in the on-line world?

And does that mean we are on the brink of catastrophe (the fall of Rome or Byzantium to the Barbarians or Turks) or on the brink of the turning point of the war (the start of "the real fight back" and the run up to Midway or Kursk - depending on whether you are American or Russian, German or Japanese)?

I do not know - but I do urge you to read the reports and recommendations and then put them into overall context - beginning with Nick Coleman's wider vision.

7 Comments

The sooner all the jocks and suits get off the internet, the better as far as I'm concerned.

I've never understood trying to ban paedophile material on forums, etc. Paid services, yes - relatively easy to track down both the suppliers (thus, hopefully, the producers) and the users. Use published materials to identify victims (and even perpetrators) - yes. But try to close down published materials? King Canute wouldn't joke about it.

Secure communications? Easy to do over the internet as long as you ignore Verisign et al's use of the word 'security'. Security = privacy, identity and integrity. Anyone who talks about security without addressing all three concerns is a shark. All three are well covered in various places on the internet.

Finally, your examples of 'catastrophe' seem a bit stupid. Problems in a communications method can't really be compared to the collapse of civilisations.

Good comment but with regard to the last paragraph I would recommend reading Jonathan Zittrain on "The Future of the Internet - and how to stop it". Unless those who believe in the Internet as a force for good come together and ensure that it is indeed so ...

I really do believe that, for good or ill, we are at a turning point.

Indeed we are at a turning point. They may try and control the internet, but they'll never manage to close the Pandora's box they've opened. A cornucopia of ideas and information free to all! Yeah, it's going to make things a lot more complex, but from that much beauty will flow.

Welcome to the dawn of a new enlightenment, renaissance and industrial revolution all at once.

Comment: another one living in the last century - do read Zittrain on what is happening now that the Internet has come of age with one in five of the world's population on-line, with all that follows. Those who want the good things to continue must help address the bad things - or live with the consequences - including surveillance, censorship, impersonation, disinformation and disillusionment.

On the one hand there is totally, vitally, private information. On the other a data handling industry that largely doesn't give a damn as long as it gets paid. Doesn't put privacy or security high in its training or anything else, and is largely incompetent. Where really competent people are unemployable because they know more than the boss. A reflection of the totally computer-incompetent prime ministers who launched so much of this. It is bad government on a huge scale. And to take one very specific instance: the report you reference, which I presume you were handed as a paper copy, doesn't download from the URL you give, which is exactly as on the Cabinet Office site. So the link to the report on data security is broken. And then, gloriously, the Cabinet Office page for reporting such faults creates a server-side error. Are these people competent?

Philip Virgo reply - I have just checked the links and they all appear to be working - which one could you not get?

The importance of a holistic approach to security strategy is now becoming clear to a number of commentators. But what does this mean and how could it work in practice?

Firstly, there is a growing emphasis on Enterprise Risk in large corporations and, depending on the organisation's culture, this may lead to an effective relationship between physical and digital security. But as Deloitte's Global Security Survey (2006) indicated, this is still rare (14%). A recent Honeywell survey of CSOs and CISOs supports this perception, but found that in the next two years the possibility of converged real-time monitoring of physical and digital systems led leaders to think that Corporate security will be managed jointly in the future (33 - 67%).

This is a very positive sign and is reflected in the make up of the recently formed Information Security Awareness Forum. A number of member organisations, including ASIS International, UK Chapter 208 primarily focus on physical security risks in the protection of information and the individuals involved in accessing data. Hence the forum is concerned to develop relations between IT and physical security leaders. As Dave Tyson (Director of Information Security, eBay and board member of ASIS International) explains in his book, Security Convergence, 'often it is very difficult to determine whether a cyber crime should be investigated by a physical or IT security specialist'. He continues, 'the threats have converged and this means our investigation techniques need to converge as well'.

It seems that in many ways the importance of security leaders from all areas working closer together is being recognised and valued. Whilst it is, in fact, really just starting, in practice the ISAF is a great example of the excellent relations which are being developed between physical and IT security organisations.

James Willison, Convergence Lead, ASIS International, UK Chapter 208.

@ Jenny - I've double-checked the links too, and they do all seem to be working. However, quite a few of them are to PDF files, so depending on what web browser you're using, what version of Acrobat PDF Reader you have on your system, and how much memory you have available, you might find some of them fail to open because of that. I'd recommend checking you've got the latest Acrobat Reader installed, and clearing your browser cache before trying to follow the links... Hope this helps!

We may be on the cusp of hasty legislation or agreements at the IGF that will seriously damage the future of the Internet.

Many vested interests in the political arena see attacking the Internet as a way of getting behind public sentiment and many vested interests in industry have been looking for a way to carve out private walled gardens to monetize the Internet. Both may look on this as a divide and conquer opportunity.

The uphill struggle against the tide of negative publicity and trying to make clarity and reason prevail will be very, very difficult.

The IPCC report is not that easy to find, but here's the link:
http://www.ipcc.gov.uk/final_hmrc_report_25062008.pdf

Comment from Philip Virgo - thanks for adding this.

This page contains a single entry by Philip Virgo published on June 28, 2008 9:46 AM.