In the run-up to the budget we will hear much special pleading for special measures because "IT is so important to the economy". Investment in the IT-related infrastructure, industries and jobs of the future is indeed at the heart of any credible programme for economic and social recovery. But the misuse of IT, focussing on the technology instead of the information and the people processes, is at the heart of our economic problems.
- The financial crisis was caused in large part by a failure of information governance (the casino bankers did not appreciate how many of their risks were closely correlated).
- The government funding crisis was in large part the result of another failure of information governance. Much, perhaps even most, of the information used for service delivery, let alone planning, was systemically flawed.
- The future has been mortgaged with a toxic mix of inflexible outsourcing and PFI contracts, many with already obsolete and dysfunctional IT components locked in for years to come.
Meanwhile DTI/BIS has a 50 year track record of turning IT-related potential winners into losers, and two decades of outsourcing has hollowed out the skills of the rest of central government to do much more than plan challenge programmes and employ think tanks and consultancies to organise yet more PFI and outsourcing contracts.
Unless and until the in-house skills and experience of the Civil Service have been rebuilt, the less that central government does, the less harm it will do. But first it must stop the bleeding.
Francis Maude has written of the need to address fraud as a second target after cutting waste. I would like to be able to disagree - save that public sector anti-fraud measures have tended to morph into spend on hardware, software and regulatory programmes that increase cost and risk, rather than remove vulnerabilities and deter and punish malpractice. I therefore suggest a "modest" nine point plan as the first part of my personal suggestions for inclusion in the Budget Statement.
1) The Chancellor should publicly recognise the nature and scale of the problem and the need to give priority to effective action.
Fraud (most of it computer assisted) costs the UK more (over £38 billion) than education (£33 billion) or military defence (just under £33 billion). Over half the losses (£21 billion) are to the public sector (including tax, benefit and procurement fraud). Such figures, and those for the cost (estimates range up to £30 billion more) of hacking, extortion, piracy and other on-line crime, are used to help justify spend on electronic identities and communications interception that will not produce results for many years. We need to focus on using the technologies and information already available and take action on current vulnerabilities, threats and predators.
2) The Chancellor should require all central government departments to produce action plans (with the performance measures they would like the National Audit Office to use to monitor their success) that put flesh on their roles within the Cyber Security Strategy and Fighting Fraud Together. These should include how they plan to rebuild their in-house information assurance and security skills at the same time as removing people and process vulnerabilities and the security and regulatory overheads that get in the way of customer service - and thus tempt staff to take short cuts.
The following generic, cross-cutting actions, which might also inform those plans, need to be done in parallel, not in series. They require thought rather than money, but unless and until they are given priority any new government spend on security hardware and software is almost certain to be wasted.
3) Retrain rather than recruit: information security and governance skills development programmes, backed up by awareness programmes for all staff, from the top down, including contractors and subcontractors.
Departments have been making redundant those with the skills of the past while seeking contractors with the skills of the future. Many of the latter have turned out to have fewer relevant skills than those they replace. Moreover, contract rates for information security staff are rising sharply as competition for scarce skills increases and budgets are switched from retraining to recruitment. It is not enough for BIS to help fund the production of new skills frameworks. BIS and its agencies, as well as other government departments, must use them, sending those already in post on the modular short courses that are already available to update their skills to handle the emerging threats and vulnerabilities.
It is also vital to update those at the top to recognise where and why their support and commitment is needed to help remove systemic vulnerabilities.
Departments also need ongoing awareness and regular update programmes for ALL staff, akin to those organised by HMRC, Unilever, Vodafone or the main Banks.
4) Move public sector data handling operations across to those organisations which have cost-effective and secure people processes, not just technology.
Government databases (e.g. Companies House, DVLA, the Electoral Register, the Land Registry and the DWP NINO) are key reference points for much, perhaps most, serious UK fraud and impersonation. The Fighting Fraud Together action plan recognises the need to act on those credentials that are most commonly used to support fraud, but the need to improve accuracy and security is too often seen as being in conflict with plans to merge central government ICT operations. It should be seen as one of the drivers. If the consequences include outsourcing to those who run the secure data services of the financial services industries - then so be it - provided data collected under statutory authority does not leave UK jurisdiction or otherwise fall under foreign jurisdictions. [The issues raised by that proviso are profound - and already appear to be seriously compromised - this is an area where we need honest and open debate - not more fudge.]
5) Issue guidance to the public sector on how to organise an incremental switch to security by design, beginning with how to use the physical identification and encryption systems that are now routinely embedded in PCs, laptops and mobiles so as to give better security at lower cost. The subsequent implementation programmes should be incremental, following industry best practice to give payback in months not years (e.g. counting the savings from cutting the help desk and support costs of software upgrades and password resets etc.). There should be no need to rely on theoretical estimates for fraud reduction - albeit that is the main long term benefit.
The production of that guidance cannot be left to the overworked and understaffed security teams of central government and certainly not to the expensive outsourced legal and security teams who produced the externally contracted guidance that has led to so much overhead and waste over recent years. It needs, of course, to involve CESG and others, but it should be resourced and driven by those suppliers prepared to work together to bring forward actions that can be implemented on positive cash flow by customers who have no new money and must make savings before they can spend from them. That entails working alongside those in financial services with experience of making the business case for incremental programmes and those in the local authorities and charities to which responsibility for public service delivery is being devolved at the same time as their funding is being slashed. Building on the work that the EURIM trusted computing group has already started is an obvious way forward.
6) Task GCHQ to lead an exercise to collate feeds from McAfee, Symantec and Trend, showing the IP addresses from which malware appears to originate, with the information held by Telcos, ISPs and Domain Name Registrars on the equipment used by their customers. Require the latter to contact those whose systems and/or websites appear to be being used to disseminate malware and/or illegal content, copying the relevant law enforcement agencies.
We hear much on the need to modernise the UK's ability to monitor on-line communications and share information. But the information is supposedly already available to, for example, dismantle most botnets: those networks of zombie systems used for extortion and cyberwarfare attacks as well as collecting information to aid fraud. Using it to take action would greatly reduce the volume of traffic that needs to be "intercepted". Unfortunately law enforcement lacks the remit and resource to collate and use the information to take action. Meanwhile the cyberwarfare teams of the West (as well as those of the East) appear to be more interested in taking control of the botnets. Removing the fig-leaf of "innocent carrier" status, by providing usable "actual knowledge" will help industry to take action under civil law. That raises many issues, hence the next action:
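The collation step in action 6 is, mechanically, a join between a threat feed keyed by IP address and the address allocations that each ISP or registrar already holds for its own customers. The following is an added illustration, not code from the original post: it attributes constructed feed sightings (RFC 5737 documentation addresses) to constructed ISP blocks by longest-prefix match and groups them into one notification per responsible provider, setting aside anything that no known block covers. The feed format, the allocation table and the `.invalid` abuse contacts are all assumptions made for the example.

```python
"""Correlate a malware-origin IP feed with ISP address allocations.

Added example; the feed rows and allocation table are constructed for
illustration and do not come from any real vendor or provider.
"""
import ipaddress
from collections import defaultdict

# Constructed threat-feed rows: (source IP, observed behaviour, sighting count)
MALWARE_FEED = [
    ("203.0.113.17", "botnet-c2", 3),
    ("203.0.113.17", "phishing-host", 1),
    ("198.51.100.200", "malware-download", 2),
    ("192.0.2.77", "botnet-c2", 1),        # no allocation below covers this block
    ("203.0.113.254", "spam-relay", 5),
]

# Constructed allocation records: (CIDR block, responsible provider, abuse contact)
ALLOCATIONS = [
    ("203.0.113.0/25", "ExampleNet ISP", "abuse@examplenet.invalid"),
    ("203.0.113.128/25", "ExampleHost Ltd", "abuse@examplehost.invalid"),
    ("198.51.100.0/24", "Example Telecom", "abuse@exampletelecom.invalid"),
]


def build_allocations(rows):
    """Parse CIDR strings once so lookups can use ipaddress containment tests."""
    return [(ipaddress.ip_network(cidr), isp, contact) for cidr, isp, contact in rows]


def find_allocation(ip, allocs):
    """Return the most specific (longest prefix) allocation containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, isp, contact in allocs:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, isp, contact)
    return best


def correlate(feed, allocs):
    """Group feed sightings by responsible provider.

    Returns (notifications, unattributed): one notification dict per provider,
    sorted by provider name, plus the sorted list of IPs no allocation covers.
    """
    per_isp = defaultdict(lambda: defaultdict(list))
    unattributed = set()
    for ip, kind, count in feed:
        hit = find_allocation(ip, allocs)
        if hit is None:
            unattributed.add(ip)
            continue
        _net, isp, contact = hit
        per_isp[(isp, contact)][ip].append((kind, count))

    notifications = []
    for (isp, contact), hosts in per_isp.items():
        notifications.append({
            "isp": isp,
            "contact": contact,
            # per-host evidence the provider can forward to its own customer
            "hosts": {ip: sorted(events) for ip, events in hosts.items()},
            "total_sightings": sum(c for events in hosts.values() for _, c in events),
        })
    return sorted(notifications, key=lambda n: n["isp"]), sorted(unattributed)


if __name__ == "__main__":
    notes, unknown = correlate(MALWARE_FEED, build_allocations(ALLOCATIONS))
    for n in notes:
        print(f"{n['isp']} <{n['contact']}>: {n['total_sightings']} sightings across {len(n['hosts'])} host(s)")
    print("unattributed:", unknown)
```

The longest-prefix match matters because real allocation data is hierarchical (a registrar's block, a reseller's sub-block, a customer's assignment); notifying the most specific holder is what puts "actual knowledge" in front of the party able to act. Unattributed addresses are returned rather than dropped so that the gap in coverage is visible.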
7) Task the Attorney General's Office to support the Fighting Fraud Together team in producing guidance on "what constitutes actual knowledge", falling outside the "innocent carrier" defence. It should have the parallel task of helping establish credible and effective UK-based routines to notify Telcos, ISPs and Domain Name Registrars accordingly.
As mentioned in my last blog entry "Can you block a website", US experience is that 40% of current notifications are from those seeking to disrupt the operations of commercial rivals, whether or not they have any real legal basis for doing so. ISPs operating on small margins cannot afford the overheads of being caught as piggy-in-the-middle ... BUT if the UK can produce routines that cause such disputes to be routed through the alternative disputes resolution processes of the City of London and give competitive advantage to ISPs based in the UK - that might well be worth several £billion a year in taxable revenues moved from Ireland (or the USA) to England.
8) Progress item 21 of the Fighting Fraud Together Action plan and create frameworks for mixing criminal and civil proceedings to take action against malpractice and obtain redress against those who aid and abet it, whether or not there is sufficient evidence for criminal proceedings.
This is central to recovering the £billions lost in systemic fraud against both public and private sector as well as to deterring current and would-be fraudsters. Collecting the forensic evidence necessary for a criminal prosecution in the UK, let alone one which requires co-operation across jurisdictional boundaries, is fraught with difficulty. Civil action is far more practical, especially if it is possible to identify which of those who aided, abetted or benefited from the malpractice has assets which can be frozen, pending a "negotiated settlement".
9) Compare the address and identity information collected and collated (as above) with that held on the files of Experian, Equifax and Call Credit, with that used to pay benefits and taxes (whether central or local) and with the electoral register. Whether or not the data is then used to organise prosecutions, it should be used to support a rolling programme of home calls to all who appear to exist only on the electoral register and benefits files - i.e. they have little or no other transaction footprint.
There are mounting allegations as to the scale of fraud on the electoral register, linked to benefit fraud as well as to local elections (to create and maintain no-go areas under the control of the local gang bosses and community leaders). The main benefit comes from terminating payments to those who do not respond and who no longer reside where claimed, if they ever did. They should also be deleted from the electoral register. That will, however, require physical visits.
Unless this final problem is addressed the government may cease to have a "democratic mandate" to stop the bleeding before "terrorism on the dole" becomes as big a problem in the no-go areas of Birmingham or Brixton as it was in Belfast.
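The comparison in action 9 fails in practice on formatting rather than on logic: the same person appears as "Jane Q. Sample", "JANE Q SAMPLE" and "J. Q. Sample" across files, and a naive join misses the match. The block below is an added example, not the post's own method, and all of its records are constructed. It normalises each record to a deliberately loose key (surname, first initial, postcode, house number), then reports the keys whose only sources are the electoral register and the benefits file. The source names and the record layout are assumptions; the loose key means every hit is a candidate for a home visit, as the post proposes, not a conclusion.

```python
"""Flag identities that appear only on the electoral register and benefits file.

Added example; every record below is constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed records: (source file, name as held, address line, postcode as held)
RECORDS = [
    ("electoral", "Jane Q. Sample", "12 Example Road", "AB1 2CD"),
    ("benefits", "JANE Q SAMPLE", "12 example road", "ab12cd"),
    ("credit_reference", "Jane Q Sample", "12, Example Road", "AB1 2CD"),
    ("tax", "J. Q. Sample", "12 Example Rd", "AB1 2CD"),
    ("electoral", "Sam Nobody", "99 Example Road", "AB1 2CD"),
    ("benefits", "Sam Nobody", "99 Example Road", "AB1 2CD"),
    ("electoral", "Alex Onlyvoter", "7 Example Close", "AB1 2CD"),
]

# Files whose presence counts as a "transaction footprint" (assumed set for the example)
FOOTPRINT_SOURCES = {"credit_reference", "tax", "council_tax"}
# Files that, on their own, do not count as a footprint
THIN_SOURCES = {"electoral", "benefits"}


def normalise_postcode(postcode):
    """Strip spaces and punctuation, upper-case: 'ab1 2cd' and 'AB12CD' agree."""
    return re.sub(r"[^A-Za-z0-9]", "", postcode).upper()


def identity_key(name, address, postcode):
    """Loose matching key: surname, first initial, postcode, house number.

    Deliberately tolerant of initials, punctuation and case so that the
    same person in differently formatted files lands on the same key.
    """
    tokens = re.findall(r"[A-Za-z]+", name)
    if not tokens:
        raise ValueError(f"no alphabetic name tokens in {name!r}")
    surname = tokens[-1].upper()
    initial = tokens[0][0].upper()
    number = re.search(r"\d+", address)
    house = number.group(0) if number else ""
    return (surname, initial, normalise_postcode(postcode), house)


def sources_by_identity(records):
    """Map each normalised identity key to the set of files it appears in."""
    seen = defaultdict(set)
    for source, name, address, postcode in records:
        seen[identity_key(name, address, postcode)].add(source)
    return seen


def thin_footprint(records):
    """Return [(key, sorted sources)] for identities with no footprint source."""
    flagged = []
    for key, sources in sources_by_identity(records).items():
        if sources and sources <= THIN_SOURCES and not (sources & FOOTPRINT_SOURCES):
            flagged.append((key, sorted(sources)))
    return sorted(flagged)


if __name__ == "__main__":
    for key, sources in thin_footprint(RECORDS):
        print(f"visit {key[3]} {key[2]}: {key[1]}. {key[0]} appears only in {sources}")
```

A tighter key (full forename, date of birth) would cut false positives but would also miss exactly the inconsistently formatted records the exercise is meant to catch; the design choice here is to over-match and let the physical visit, which the post says is unavoidable anyway, do the verification.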
Cull all "challenge", "initiative" and other competitive "support" programmes where the likely cost of bidding times the number of expected applicants exceeds the funds on offer.
I have focussed mainly on opportunities to cut the cost of fraud but I would like to finish with a simple way of cutting waste and frustration. "Challenge" programmes became fashionable after Michael Heseltine used the concept to help kick-start innovative thinking about inner city regeneration at a time when he had the funds to support most, if not all, the good ideas that came forward. They have since become part of the departmental mindset of DTI/BIS, DCLG, DCMS and others with limited funds who wish to be seen to be active, giving roles to experts to promote "best practice" and publicity platforms to ministers. The benefits are now commonly outweighed by the downside: wasted effort and frustration on the part of those who bid and fail, and delay to the implementation of good ideas which cannot be started until the adjudication is over. By all means reward and publicise good practice with awards and case studies - but do not let it get in the way of harnessing local enthusiasm and initiatives by trying to force local initiative to comply with the latest fad of the Westminster village.
In my next blog I plan to cover Part 2 of "A Budget for IT-enabled recovery". I expect to focus on removing the barriers to market led, investment driven recovery - including items like 100% capital allowances for infrastructure investment (where the net cost to Treasury could be zero and the payback immediate - but for the need to fund imported switches and generators).
In the meantime I would welcome feedback - especially from those who disagree and will give good reason why I am wrong or too simplistic. I plead guilty to being simplistic. None of the proposals is easy. If they were, the failure to have adopted them already would be unforgivable. I also apologise to those who are progressing some of the ideas already and who have not been acknowledged. Please post a comment and I will fix the necessary cross references.