November 2011 Archives

Are the cybersecurity professionals actually in league with the cybercriminals?

I co-chaired a Westminster Media Forum conference on the eve of the announcement of the new UK Cyber Security Strategy and mused on why it is that the cybercriminals find it so much easier to co-operate. I said that computing and telecommunications professionals still do not really understand each other, let alone security (information or otherwise) professionals and that the only thing that unites all three is a mix of fear and loathing for their colleagues in marketing. Afterwards I chatted with Wendy Grossman and commented that part of the problem is that many, perhaps most, of our security products and services are "as user friendly as a cornered rat". That led to reminiscences on Michael Becket, who found that phrase in a software review before I copied it for use at the National Computing Centre technical conference in 1983 to describe the current state of most of the supposedly "user friendly" products and services then being promoted.

This morning I was trying to find a way of checking whether a message that purported to come from my ISP telling me my mailbox was full was genuine. It quickly became apparent that their security guidance was directly akin to that mix of patronising platitudes and incomprehensible detail which so infuriated my staff at the NCC Microsystems Centre in the 1980s when we were evaluating products and services intended for use by end-user professionals (such as doctors, lawyers and accountants) or by small and medium sized firms with no professional in-house IT staff.

In those days over half of what we tested failed on some very simple tests:
  • did the documentation say what it did in language the customer could understand?
  • did it do it correctly (including any legal/fiscal requirements, e.g. tax calculations)?
  • did it do it reliably (including graceful degradation and restore in the event of a power cut)?
Most suppliers had no wish to pay for their products to be kite-marked and had many reasons why the very approach was impractical or irrelevant for a creative, new and "vibrant" industry.

One of the exceptions was a small company called Sage. They were one of the first to be tested. They took the process much more seriously than most of their larger competitors. Today they are one of the few UK-owned IT suppliers left. Who even remembers most of the others from a time when the UK supposedly led the world?

Recently, in the wake of the EURIM study on Security by Design and the emergence of a whole new generation of products and services to help secure communications and transactions in a deperimeterised world, I have been looking at how vendors sell and support these today. Not much has changed. Those seeking to implement the recommendations in the strategy announced on Friday for "kite-marking" will face the same excuses. Those seeking to educate and train their staff to make systems secure by design will find little on techniques that have been around for a decade or more. For example, where are the courses or materials on how to specify, procure and deploy the "trusted computing" techniques that enable a rapid, low cost check that the person you think is making the transaction is using a physical device (e.g. desktop or mobile phone) that has been registered to them?

It is as though the supply side has no wish to actually improve the security of their customers. It appears only concerned to sell more "stuff", whether or not the customers know how to use it. If that is correct, it is because that is how they are rewarded.

"How do we change that motivation?" is, however, the wrong question.

We need to begin with "Who really wants to change that motivation?"

This is where things may have changed. Until the recession and the transfer of economic power from West to East it was possible to off-load the losses onto customers and taxpayers. That is no longer the case.

In a couple of days the Chancellor is expected to announce the biggest cuts in government spending since the 1920s. If he does not then we probably face hyperstagflation and worse. If he does, the need to cut the tens of £billions being lost to fraud and waste becomes imperative. That will entail making much better use of existing budgets - not spending more money that we have not got.

Hence my pre-occupation (both as Chairman of the Conservative Technology Forum and as Chairman of the Security Panel of the IT Livery Company) with taking a top-down look at how to bridge the gulf of understanding between the professionals and those above them - who have to take a holistic view of the business case. Bridging the gaps between the computing, communications, security and marketing professionals is important - but is not sufficient.

P.S. I am pleased to note that under my successor, an Information Society Alliance sub-group will be drafting guidance on how to procure trusted computing products - with the aim of having this available in March, i.e. in time for the next round of contracts. The group aims to move fast but joining (via the mainstream membership routine) is still ridiculously cheap (my fault for setting it too low in the first place) for the benefits the exercise will give to those who wish to strip out cost, waste and fraud by deploying effective solutions in this space - whether for themselves or their customers. If you are joining simply to take part in this group do remember to say so when you apply.


Can the tribes of Whitehall implement a co-operative Cybersecurity Strategy?

The UK Cybersecurity Strategy announced today provides a long overdue linkage between initiatives led and planned via the Home Office, BIS, MOD, Cabinet Office, DCMS and FCO. It contains much that is to be welcomed, such as using the unique resource that is GCHQ to help protect the private as well as public sectors. I particularly welcome the focus on drawing in private sector expertise, including volunteering programmes for the police and armed forces. I also like the way that the strategy majors on the need to act on skills at all levels from basic awareness to post graduate, mandates that 25% by value of government security spending be spent with SMEs and flags the need to kite mark security products and services.

Given that I have spent nearly a decade calling for many of the actions that have finally been announced it would be surprising if I were not pleased. We need to recognise, however, that difficult though it has been to get commitment across Whitehall to a meaningful joined up strategy, it will be even harder to sustain that commitment and secure the implementation of the action plans.

£650 million was a powerful carrot but the task will cost nearer £6.5 billion and there is no more new money. Therefore the balance will have to be found by making much better use of the £4-5 billion a year the public and private sectors (combined) already spend on the inefficient use of "sticking plaster" products and services. Much of the savings should come from moving to security by design, including making use of the physical addressing facilities that are built into almost all mobile devices (Trusted Computing).

Implementing the strategy will present major challenges, including to major private sector players whose business models are a decade behind the times as well as to those in the public sector who are used to command and control, not co-operation. But we can no longer afford to let the cybercriminals continue to lead the way in organising effective partnerships. The stakes are too high.

We all have to help ensure that players (including regulators and compliance teams who get in the way of good practice) stop jockeying for position and start working together, across departmental and organisational boundaries to remove opportunities for malpractice.

That means finding reasons to co-operate which demonstrate rapid payback and whet appetites for more co-operation. I expect to be able to blog on a number of these over the next few weeks.


The way in which Broadband UK has effectively "postponed" already agreed procurements by a year or more raises questions as to what drives the DCMS broadband agenda: a desire to postpone spend and help cut the short term government borrowing requirement or the need to make best use of the public funds available to help pull through private sector investment and aid economic recovery.


We are likely to find out within the next week or so.


Meanwhile I was struck by the statement released by INCA today (see below). They are clearly embarrassed at being caught between their desire to work constructively with officials and the growing anger of those who wish to see DCMS and DEFRA funding combined with local authority communications budgets and the funding available from property developers and business users. Meanwhile DECC plans to duplicate DCMS spend and increase the cost of smart metering by a £billion or so - mañana.


The membership of INCA includes those seeking to organise world-class communications for businesses located in small rural communities like Birmingham, Bristol, Derby and Manchester. One of the most pungent contributions to the discussions on broadband at the Conservative Party conference was from a publisher who resented having to hand over 70% of his gross to on-line operations based in the United States - because he could not even get the bandwidth to video-conference over Skype from suburban Glasgow. The availability of broadband is now one of the standard questions on any house purchase and can make a difference of hundreds of thousands of pounds to commercial property values.

Why do 28% of users not deploy a security package?

The Get Safe Online State of the Nation Report makes interesting reading but I am more interested in why 28% of us still do not use anti-virus - and over a third do not switch on the anti-spam in the packages we have bought.

Having had to switch off the security on my system in order to download material from well-known and reputable sites, to over-ride warnings in order to transact with well-known and supposedly reputable web-sites, to adjudicate between rival security packages trying to cancel each other out and to watch the system stop dead while the packages update themselves - and having been told the packages I use, between them, still pick up only about 2/3 of what might infect my system - I have more than a little sympathy with those who decide not to bother.

So who is asking why they do not bother?

More importantly, who is taking action to address the reasons - so that they will bother?

And what about all those who think their system is protected - because it said so when they bought it - but never worked out how to switch it on - or to pay for the upgrade because it was only a 30 day trial?

And is that really an invitation to renew the security service or a piece of malware imitating the renewal notice?

And why do most ISPs not notify (via a trusted channel - and what is a trusted channel) those whose systems they know are infected and/or are part of botnets?

Is it moral or responsible to advocate "digital by default", including for the most vulnerable in society, without ensuring that the systems they use are adequately secure?

The Get Safe Online website is as good as we will get by way of guidance until the security vendor community starts telling us how to use their products and services - with material that is neither patronising nor requires a degree in computer science to understand. Googling your questions and then pondering which of the answers might be from reputable sources is fine for geeks with time to spare and no family or friends, but is not a credible solution for most of society.

No wonder so many of us are migrating to mobile phones where we think, foolish us, that we are safer.

Don't just cut the ribbon, fuse the fibre

Last Monday, in an ad lib that was not in his script, Francis Maude said, at the Get Safe On-line summit, that the government was so serious about the need to address on-line crime that it was giving new money to cybersecurity at a time when it was in the process of making the biggest cuts to public spending since the 1920s. The current meltdown of the eurozone shows that the Government is, unfortunately, all too right to make those cuts.

But how do we prevent a re-run of the 1930s when recovery was driven by re-armament?

As executive chairman of the Conservative Technology Forum I am seeking to assemble teams to look at the issues that have to be addressed to enable the UK recovery to be driven by market-driven, high tech investment. Then we have to put forward policy proposals that will withstand outside peer review and appeal to voters, if they are to be adopted by the party. Finally the proposals have to be sold to the Government - remembering that Government policy is that set of compromises on which the tribes of Whitehall can persuade their ministers to agree, embellished with sound bites that may or may not relate to reality.

My personal point of reference is the late 18th century when a bonfire of regulation (and of taxes which cost more to collect than they raised in revenue) enabled Britain to grow its way out of revolution. The comparator is France where Jacques Necker (who married Edward Gibbon's former girl friend Suzanne Curchod, "I sighed as a lover and obeyed as a son") cooked the books (the Compte Rendu) to demonstrate that the finances were sound and the government had met its targets - and thus condemned the ruling classes to the guillotine. Meanwhile the UK Board of Trade, with Gibbon as a member, was a model of masterful inactivity - allowing the economy to recover from bankruptcy after the loss of the American colonies while the government spent as little as possible on anything.

Gibbon's "The Decline and Fall of the Roman Empire" describes an over-centralised welfare state (bread and circuses) brought down by over-taxation and regulation as much as by corruption and civil war. The first volume had at least as much impact on the political thinking of the day as Adam Smith's "Wealth of Nations".

So what should ministers do?

One answer is to celebrate the success of those who do not ask their officials for millions or billions that government has not got. Lindsey Annison was given a mile of 96 core fibre for her birthday and the local farmers have given her the wayleaves. This morning she sent me a link to the video of the Secretary of State splicing the fibre to connect the local cyberbarn. At first I thought I was looking at a video of a speech on the House of Commons terrace - the cyberbarn is a lot smarter than I expected.

Economic recovery will come when those living in the Eden Valley (or Bristol, Derby, Manchester and the London broadband deserts) can compete on an equal footing with those in China, Finland, Japan or Sweden who already have fibre to the backwoods.

In order to achieve that, we will have to allow market forces to overcome the damage done by a decade of regulatory failure which destroyed BT's previous business case for investment (which was a gallop to fibre so that it could massacre the cable companies after 2002 - the Conservative target for competition in the local loop to supply entertainment quality, motion video to the home). Local loop unbundling destroyed that business case and we have yet to put a credible alternative in its place. In consequence we have demand rationing (alias traffic management) as the current incumbents seek to get others to fund those investment programmes that cannot be covered from current cash flow.

The current morass of semi-incompatible networks has "more bottlenecks than a brewery". The incentives for customers, property developers and long term investors to provide the investment funds necessary to make money by removing them have been regulated out of existence. In consequence British investors are funding the networks of South America because they cannot get a return from investing in those to serve London, south of the river.

Now that I have recovered from man-flu I hope to make time to blog on some of the actions necessary. But this morning I was challenged to give my vision for 2015.

I should say that, given the necessary bonfire of regulation and obfuscation, I looked forward to a situation in which:

  • Local Authorities are collecting more cash from business rates on fibre - but are using it to cover their share of the cost of the bonds used to fund local improvements or to subsidise access for the disadvantaged.
  • BT is making more profit and employing more people from providing backhaul services to others (including the mobile operators) than it does from all its services at present - and is providing better (and more profitable) local services to about a third of the nation.
  • Virgin, Fujitsu, Cable and Wireless, Arqiva etc. are making a good living competing with BT on backhaul and are (between them) the prime providers of local services to another third.
  • Another third draw services from a kaleidoscope of providers, all using international inter-operability standards, from Google (to set the pace on net neutrality) and Chinacom (for those who want services at least as good as mainland China) to community networks (where the local authorities, businesses and residents organised provision themselves).
  • All of us have a choice of services that do not pass through the same "single points of failure", whether local or national (albeit in rural areas that choice may be between powerline transmission and terrestrial and satellite radio).
  • The prime function of Ofcom is to ensure that we are provided with accurate information on delivered quality of service so that we can make informed choices.
  • And the pace of investment and employment growth in providing upgraded services, as well as in indigenous and exported content, is still accelerating.

When the Cybersecurity S**t Hits the Fan

I have spent much of the past year trying to stimulate the supply of training for when the cybersecurity skills crisis breaks. But the new courses organised by those who listened have not sold. Various reasons have been given - mainly to do with headcounts and training budgets being cut, particularly in the public sector.

Today we have a global summit on cybersecurity issues.

One of the topics not being addressed is the skills to address those issues.

In front of me I have the current list of jobs for which one of the main security headhunters is seeking candidates. It is three times as long as the last such list I looked at from the same firm. It is not that demand from their traditional clients in the Financial Services sector has grown. It is that government and law enforcement have suddenly started recruiting after nearly a year of cut-backs, lay-offs and redundancies. At the same time the Utilities appear to be building teams to address the threats being belatedly discussed today.

Where are the candidates going to come from?

Will they have the skills needed?

Why do we never learn? I have written on this topic many times, usually in the context of public sector delivery, but it is well to remind readers of the economic analysis on pages 13 - 18 of "The End is Nigh". This, published in 1996, showed the "skills cycle" and the other factors which underlay my all-too-accurate prediction of not only the skills crisis that would occur during the run up to Y2K but also the bust that would follow - before the world of "broadband, networked and multi-media skills" (alias the mass-market Internet) took off.

A similar analysis today shows that the only way out of the cybersecurity skills crisis is a massive short-order skills programme, akin to that for the Millennium Bugbusters, the only one of the previous government's skills programmes to deliver results - mainly because it was also the only one subjected to rigorous quality control on the training providers - by a team drawn from the main ICT professional bodies, organised by ITNTO, the forerunner of e-Skills.

We almost certainly need a similar programme today, building on the work for the security stream for the National Skills Academy for IT Skills.

But central to success will be the active participation of the public sector, particularly the tribes of central government who need to retain those they have rather than compete in the market place for those they cannot afford. They also need to remember that this is an area where those who come cheap and have not previously worked in the public sector or otherwise been security vetted may well have an ulterior motive.

About this Archive

This page is an archive of entries from November 2011 listed from newest to oldest.