August 2012 Archives

How do we rebuild trust in the on-line world ?


The latest press coverage of the BRC survey on the cost of e-Crime still misses the point. The biggest cost is lost business. And I do not mean hypothetical losses because of "piracy" but actual orders abandoned because intrusive security or lack of confidence means, for example, that more transactions (by value) are abandoned than are completed. As in so many other areas, those concerned with the future of London as a global financial services centre are ahead of the curve (and in this case ahead of both government and most of their technology suppliers) in looking at the consequences.

How do you apply "My word is my bond" to the on-line world?

Who am I? Which version of which translation of which e-mail or tweet was my word? What is my bond worth? Does it matter (and if so, to whom) if the transaction is subject to irrevocable payment in advance or on delivery?

Which suppliers can you trust?  Which credentials, regulators and enforcement agencies are trustworthy?

A fortnight ago I attended a workshop to develop ideas for the TSB "Trusted Internet" Catapult (the latest HMG funding initiative in the cybersecurity space). The timetable for the launch of the new facility parallels that for a competition for University Masters Students to look at some of the questions that need to be asked. The aim is to get those who will be designing the products and services of the future to throw rocks into the stinky pools of introverted discussion on "trusted identities", "trusted computing", "trust services" and "trusted intermediaries". Their generation will have to live with the consequences of the decisions currently in prospect with regard to research priorities, business plans and regulatory initiatives. They are also in a position to think the unthinkable and be rewarded not punished.

After discussing the original proposal, the Director of one of the new UK Cyber Centres of Excellence said that the questions he would like to see his students tackle included:

"What constitutes lawful protest online and how can this essential aspect of a democratic space be reconciled with an online environment that promotes economic prosperity?"

"Which of the grooming techniques employed by online "phishermen" could be used to foster a beneficially greater sense of trust online and would it be ethical to use these methods?"

"How do you bring about behaviour change at board level regarding the value of information, security strategies and budgets? What arguments, language and evidence are needed?"

My first thoughts were: "Ouch", "Ouch" and "Ouch". My second thoughts concerned those who I would like to see brought together to debate such questions. My third thoughts concerned the mix of academic disciplines that would need to be brought together to provide credible answers.

The competition appears to be gaining widespread support from some of those with difficult decisions to make over the next year or so, as well as from those who wish to stretch the minds of their students across academic boundaries and those who wish to work with them on applied research and technology and/or subsequently recruit them. Over the next couple of months we will be looking to go firm on the organising team and sponsors, the support available to entrants and the prizes. But first we need to take a good look at the questions.

Some questions for those jumping on the "Big Data" bandwagon

If "Big Data" is the answer, what was the question? Back in 1984 I organised an event on the application of data mining techniques to very large financial services transaction databases to aid the detection of insider trading and fraud. That was a closed round table for the C3 Club of Investment Analysts and Fund Managers. Philip Treleaven did a tour de force, describing exercises where he and his students at UCL had already helped detect serious misconduct. Over the past thirty years the techniques have matured. Brought alongside the Internet and the World Wide Web, they now lie at the heart of a wide variety of on-line models: from enabling Internet Services to be funded by targeted advertising to the analysis of on-line gossip to detect political and social trends. They also lie at the heart of most of the world's monitoring and surveillance systems.

Today, thanks (in part) to the success of films like The Bourne Trilogy and television series like Person of Interest, they are being seen as either a threat to society or the "answer" to a whole range of problems facing central and local government. In consequence we have a rash of policy round tables and conferences planned over the next few months as lobbyists see a bandwagon on which clients anxious to fill their server farms and data centres or sell mass storage and analytical software can jump.

This has led to confusion on the part of Civil Liberties Lobbies as to whether their "real" enemy is the State or those who collect, collate and analyse data sets and sell the results to whoever pays. Meanwhile regulators huff and puff and exempt those with the legal fire-power to paralyse their enforcement activities.

In November 2008 EURIM organised a Director's Round Table on Information Governance. This was followed in February 2010 by a high profile round table with the title "Uncovering the Truth". Recordings of the discussion are available on the EURIM website. Some of the allegations as to the scale and nature of random and systemic error in public sector databases were truly frightening. Most speakers were focussed, however, on the potential for using the better management of data to better target and also greatly improve public services and on the issues that needed to be addressed in order to deliver that potential. Most of the latter were to do with the wetware, the people processes: from basic training through to high level governance. EURIM then organised a series of studies and reports on these, including topics such as trust, identity, value, quality and security by design under the broad umbrella topic of Information Governance.

Most of the events being organised this autumn still, however, obsess over hardware, software and the organisation of shared outsourcing. There appears to be a belief that hyping these will help kick start a new round of customer (particularly public sector customer) spend. I believe this is a waste of marketing effort, given the shortcomings of public sector files, the scale of leakage and compromise from centralised databases (public and private) and the financial pressures on customers to demonstrate rapid return on new ICT spend. There is good business around, including from using the PSN framework to help leverage shared services, including for data cleansing, security and fraud detection. But this is not the most cost effective way to access the more profitable opportunities.

I have therefore asked my successor to include another round table (building on the formula that was successful for the previous EURIM Round Tables) in the launch programme for the new Digital Policy Alliance. Given that the exercise will need to be funded by suppliers looking for new business, the aim will be to focus on those activities which help them switch their efforts from "pissing in the winds of change" into finding new and more profitable ways of helping their customers deliver more (and more securely and reliably) for less. I have done a brief for my successor with my ideas as to what these might be and who should be invited. If you want to know what is in that brief you will need to join the DPA and volunteer to join the planning group.

I will, however, say that, as Chairman of the Conservative Technology Forum, I am asking whether the time has come to make use of the laws of libel, slander and tort to void contractual small print and take action against those who (by design or negligence) pour streams of unvalidated data into leaky vats of toxic sludge which they then sell or publish. The House of Lords Select Committee on Personal Internet Safety made a similar point - which has been studiously ignored by all and sundry since then. 

My aim is unashamedly to tilt markets in favour of those who are serious about working together to help educate and train their customers in the proper use of the people processes and support tools available to cleanse, collate and analyse the growing morass of data becoming available, including from smart phones, meters, grids, buildings and "things".

But what is "proper"?

That is a debate that should take place on an all-party basis, hence my desire to see an open and well-publicised DPA activity, as well as the rollicking session that I expect the CTF to organise under the Chatham House Rule.

P.S. Just been sent a link to a Register Article on the integrated surveillance system sold by Microsoft to the NYPD. What really surprised me was the royalty deal. It was "Soooo 20th Century". I remember customers being persuaded to sign up to similar deals in the 1970s. The managers who signed the deals used to appear on the conference circuit, all expenses paid by the suppliers concerned, trying to drum up business. I do not recollect any of them generating a serious revenue stream for either customer or supplier. In consequence the model fell out of favour in the UK by the early 1980s. That is not, of course, to say that it is not valid: after all, SAP was created using a similar business model to cover the development cost of application modules using standard business approaches within an inter-operability framework which it could knit together and resell.

Business rejected by e-security costs more than e-Crime

"E-crime is the biggest emerging threat to the retail security as the rapid growth in e-commerce in the UK sees new ways of shopping being accompanied by new types of crime ... the British Retail Consortium ... estimates the total cost to retailers in 2011 - 12 was at least £205.4 million. That includes £77.3 million in losses from frauds themselves as well as prevention costs and legitimate business lost as a result of those measures ... "

Look at the headlines from the first BRC e-crime study. But then read the press release and download the report.

"Estimated losses in revenue experienced as a result of legitimate business being rejected through on-line fraud prevention measures came to £111.6 million in 2011-12."

That is more than half the total cost and puts some of the e-crime data, at long last, into perspective. Another finding was that e-crime cost double the percentage of on-line turnover (0.75% out of £28 billion) as it did of overall turnover (0.36% out of £303 billion). Given that on-line margins are commonly much tighter, that is serious. But the doubling of cost appears to be mainly due to the effect of intrusive on-line security rejecting attempted sales. [I know the feeling ... I have walked away from at least as many sites as I have shopped at.]

Yesterday I made a submission to the Home Affairs Select Committee Enquiry into e-Crime. A key message was that we still have no better idea of what is "really" happening than we had at the start of the Eurim-IPPR study. All of the 50 or so recommendations from that study had consensus support. Most appear somewhere in the action plans to implement the current UK strategies for Cybersecurity and "Fighting Fraud Together". But few have yet been prioritised and resourced, let alone implemented.

In my submission I contrasted the claims of £27 billion of "losses" in the Detica "report" for Cabinet Office with the demolition job by Ross Anderson and others. The latter compared criminal earnings in the $millions with security spend in the $billions. In the BRC report the biggest "cost" is, however, the abandoned transactions. You should also read the BRC recommendations, including those in their paper on Future Challenges, and compare these with those in other reports.

What has 24 Mbps to do with the fastest broadband in Europe by 2015?

The press reports of the speech delivered yesterday by Jeremy Hunt at Google's new complex are intriguing. So too is the script released by DCMS. I remain puzzled as to why DCMS defines Superfast Broadband as 24 and not 30 Mbps (as across the rest of the EU). I am told that this was to do with technical constraints on BT's networks in some of the target rural areas. If that is correct, then it is little wonder the Commission sees the BDUK framework as state aid for an incumbent supplier to install dead-end solutions.

However, the post-Olympic situation, as predicted when I blogged on the "real" BDUK strategy, is very much more positive. The UK may yet have the fastest broadband in Europe by 2015, overtaking those currently well ahead of us. If so, it will be based on almost ubiquitous 50 - 100 Mbps and rather more public money will have flowed through the PSN frameworks than those of BDUK.

It is worth taking a look at UK progress against targets in the context of the Commission working papers as well as reports of delivery, where the OECD figures (based on advertised speeds) show the UK to be 16th in Europe while the Akamai figures (based on measurements of actuals) show us 15th. However, Akamai indicates that average delivered speeds have grown by a global average of 25% over the past year, with the fastest increases being in Scandinavia at 38 - 39%. At about the same time Ofcom reported that UK speeds had risen 20% over the past 6 months. I anticipate a further sharp jolt as BT Infinity is actively promoted to all those whose exchanges were upgraded during the run-up to the Olympics.

This will, however, also show that the nominal speed of the last mile is only one factor in the user experience. For example, I have noticed a deterioration in website availability and response over recent months even as the nominal line speeds on my two main broadband connections have increased. I suspect it is largely the effect of the various levels of "security bloatware" installed by my ISPs and/or operating systems and browser providers. But it may also be because many ISPs have failed to upgrade their capacity to handle increasing volumes of traffic. Meanwhile, like my son, I am increasingly accessing the Internet over a variety of mobiles.

So who will actually bring the fastest broadband in Europe to the UK, for business as well as for consumers? And what is the role, if any, of DCMS and Ofcom?


Lessons from the Olympics: The recovery will not be outsourced

The BBC summarises an article in the Independent on the effect the G4S experience has had on Philip Hammond's "starting prejudice" that the public sector could learn from the private sector. The G4S saga has shown only too clearly that this is not always the case. The lessons should, however, have been learned from the National Plan for IT. In retrospect this will probably be seen as having been the zenith of "the Andersen approach to public service delivery". NPfIT was planned by those seconded to help rebuild the Labour party after its defeat in 1992. In the end they could not deliver and managed to walk away almost without penalty after a former colleague (now in charge of implementation) let them off the hook, despite the spluttering of the then opposition. BT, CSC and Fujitsu were left to pick up the impossible, costing £billions to their shareholders as well as to the UK taxpayer.

Unfortunately, by then, many of those responsible for planning NPfIT and other delayed big bang exercises (such as ID "cards") had moved successfully into Central Government planning and procurement. This year the reshuffles have seen former Andersen (renamed as Accenture in 2001) consultants succeeding former Andersen consultants, despite a change of Government. Little wonder that the drive to get UK Central Government IT spend into line with that of other countries (who typically spend 30% less for equivalent products and services) is making such slow progress. Moreover, forward spend also appears mired in consultant driven "delayed big bang" projects (such as the DWP Universal Credit) and high overhead frameworks (such as BDUK and PSN for broadband and communications and Ed Miliband's Smart Meters project).

Meanwhile Local Government attempts to respond to a 28% cut in funding are gathering pace, based on pooling residual in-house expertise rather than hiring in consultants with no experience of delivering value for money in a public sector environment. They are also learning from "smart procurement" in other parts of the EU, using the Directives to get round the obstacles placed in their way by central government attempts to hire consultants to find ways of using state aid to protect incumbent suppliers and outdated outsourcing models.

I am now yesterday's man but believe we can do very much worse than look back to the last time a new Conservative Government inherited such a dire situation, and learn from what they did well, as well as from their (our) mistakes.


A Six point plan for the Post Olympic Economic Recovery


I get depressed when I hear commentators (as this evening) talking as though the only weapons available to the Chancellor to kick start economic recovery are public spending and quantitative easing. This is the way to a rerun of the 1920s, the wipe-out of the savings of the middle classes, an unholy mix of national and socialism and re-armament for World War 3 over food and fuel supplies. The main difference is that Europe is likely to be a decaying and powerless backwater, throttled by regulatory overheads and riven by tensions between North and South and between the unemployed and those with state jobs and pensions.

I hear people talk of the need for an imaginative "third way". It does not need much imagination to assemble a simple Six Point Plan for Economic Recovery based on policies that have succeeded in the past.

The plan that I aim to elaborate over my next few blog entries is based on the classical business approach to turning round a bankrupt business:

1) First stop the bleeding

2) Second cut the overheads

3) Then go for growth on positive cash flow

The problem is that all three strategies are alien to central government, both politicians and officials. Moreover, "outsourcing" is now part of the problem. It is no longer part of the solution.

The rhetoric is of cuts but there are more civil servants, regulators and quangos today than when the Coalition Government took over, albeit the rate of growth may have slowed. Moreover, the value of outsourced contracts has also risen, albeit their profitability may have fallen in a set of lose-lose negotiations in which only the lawyers and consultants have benefited. Instead of employing profit motivated consultants and politically ambitious special advisors to attack those whose objective is to serve the public, we need to remotivate and reskill our public servants to do their jobs properly under open and democratic accountability.

That requires that they know what their "job" is. That requires clear and prioritised departmental objectives. But ministers like to make promises and Civil Servants are promoted for serving Ministerial wishes. Hence the ragbag of unprioritised initiatives that passes for policy within most Departments.

Time and money have run out. We can no longer buy time to remotivate, retrain and replan; we have to ACT and to act fast. I blogged on some of the ideas below during the run up to the budget but over the next week or so I plan to elaborate on these in the context of the six point plan below:

1) Stop the Bleeding: including the use of marginal impact modelling(*) to create a more just, simple and enforceable tax and benefit regime

2) Cut the overheads: A Rationalisation of Regulation: including a "Regulatory Impact Assessment Unit" to use marginal impact modelling on all new proposals and in support of a rolling reform programme

3) Smart procurement: including devolution from Whitehall to Townhall within mandatory frameworks for service inter-operability, performance monitoring and disputes monitoring

4) Window of 100% Capital Allowances, Business Rates and VAT relief to kick start investment in a 21st Century Infrastructure

5) Tax Free Education and Training to Global Standards

6) The UK as the world's most Trusted On-line Trading Hub

(*) "Marginal impact modelling" is an elaboration of the ideas of the late Donald Michie on which I have blogged before. It entails the computer modelling of proposals to see whether they are likely to have the impact expected. Sir John Hoskyns tried in vain to apply similar "systems thinking" in the early days of Mrs Thatcher's government. As one mandarin put it afterwards: "It took us 18 months to work out what he was up to - and another 18 months to stop him. He would have destroyed the service." The error was to think of systems thinking as a weapon for Ministers, Spads and Consultants to use against Sir Humphrey as opposed to a technique that should be taught to all aspiring Mandarins to help harness their new ministers' enthusiasm to the long term benefit of the nation.


"The Surveillance Commissioner warns ... " Be very careful what you wish for


Last week I received an FIPR alert covering the Hawktalk Blog entry on a supposed warning from the UK Surveillance Commissioner on significant RIPA failings, particularly with regard to unregulated private sector surveillance using the Internet. Hawktalk is worth reading, but it is almost exactly twelve years since I set in motion the EURIM (now the Digital Policy Alliance, website under construction) exercise that led to the rewriting of the draft regulations for the "Lawful Interception" of Business Communications. I recommend that those who agree with the Commissioner and/or Amberhawk read the BIS summary of the inputs to the consequent DTI "re-consultation".

Many of the points made then remain valid today. Current UK and EU initiatives (such as the draft Data Protection and Identity Regulations) are just as ill-informed and potentially damaging as the draft Lawful Interception regulations were then. Those whose business models are at risk today need similarly to work together to ensure that common sense prevails over the regulatory and compliance empire building that drives the businesses of the future off-shore.

Does the Lords Broadband Report offer an easy way round the Fibre Tax?

After my recent blog welcoming the House of Lords report "Broadband for All", it was pointed out that the recommendations may also offer some "interesting" solutions to the way in which business rates fall more heavily and uncertainly on new build networks.

First: The business rating valuation is based on market values. The market value of local access networks to dark fibre hubs in those rural areas that are uneconomic for BT and Virgin is surely below the level for rural property relief for essential services. It should therefore be relatively easy to organise a blanket exemption except where the effect is to open up serious growth opportunities. If so ...

Second: one of the exemptions from business rating is that for enterprise zones. Would it not give a real boost to rural life if all those without current fibre access (except for the National Parks) were to be classified as enterprise zones? This proposal has interesting side effects and perhaps Parish Councils should have the right of veto, albeit at a week day meeting (no postal voting) between October and March when the second homers and nimbies are in London, Birmingham, Manchester or wherever they commute from.

The time has, in any case, come for new thinking on how to kick start rural broadband roll-out after the Olympic break.

P.S. Two days into the Olympic Break I got a call on my domestic phone line offering me BT Infinity. I had to ring another number from the business line but I am looking forward to hearing when the engineers will arrive to upgrade my BT Business broadband services, presumably after the games are over and the teams on standby are ready for the local mass roll out programme. A week before, my son had been surfing the Internet (for bus, ferry and train times) over his Galaxy from a hill top on Mull. I was agreeably surprised because the last time I tried, using a laptop, even the best line of sight speed was too slow for more than downloading e-mails. I should, however, add that it was after several attempts from locations where he had thought he would get a signal but appears to have had no better service than I had in previous years.

Are security awareness campaigns a waste of time?

I have just read a pungent US article titled "Why you should not train employees for security awareness". It has been condemned by the American equivalent of "the usual suspects". They defend awareness exercises while failing to address the core message. Indeed the article itself failed to follow through on its own argument: that awareness training is no substitute for mandating security by design in new systems, not just patching them after a penetration test has shown the vulnerabilities.

I get annoyed when I hear the mantra, "80% of problems can be fixed by awareness". It is blatantly untrue, unless "awareness" includes that on the part of (for example) "app" developers that they will themselves be held professionally accountable if they fail to follow good practice. That, in turn, requires the IT industry to finally discover the concept of "professional accountability".

I recently heard of the efforts of a major organisation to train its development staff to routinely ensure that "extraneous inputs" (my words not theirs) could not be used to enable hackers and malware to "escape" (again I have simplified) from their "apps" and exploit the 20- and 30-year-old known vulnerabilities (e.g. to SQL injection) that are still commonplace on apps and devices being shipped this year. They had a very sensible and practical approach. What I found most interesting was that it was not only so necessary, but also so difficult, to mandate good practice in the light of current professional norms.
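The "extraneous input" discipline described above, as an added example (not the organisation's or the author's code) using the SQL injection case the post names: the string-concatenating lookup beside a bound-parameter one and one that also validates against an allow-list. The table, account names and probe string are constructed for the demonstration.

```python
"""Added example, not code from the original post: the 'extraneous input'
problem the post describes, shown as the SQL injection case it names.

Three lookups of an account by name against an in-memory SQLite table of
constructed sample users:
  - lookup_unsafe() splices the caller's string into the SQL text.
  - lookup_bound() passes the string as a bound parameter (data, never SQL).
  - lookup_safe() adds an allow-list check in front of the bound parameter.
"""
import re
import sqlite3

# Constructed sample data: two legitimate accounts.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]

# Allow-list for account names: letters, digits, dot, underscore, hyphen; 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def make_db() -> sqlite3.Connection:
    """Create an in-memory table populated with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The 'before' pattern: string concatenation builds the statement.

    A quote character in the input closes the literal and the rest of the
    input is parsed as SQL, which is the 'escape' the post refers to.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter only: the value is compared as a literal, never parsed."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Allow-list validation at the boundary, then the bound-parameter query."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("account name contains characters outside the allow-list")
    return lookup_bound(conn, name)


def demonstrate() -> dict:
    """Run each lookup with a normal name and with a quote-escaping probe.

    Returns the row count from each call, or the exception name where the
    validated variant refused the input, so the contrast can be asserted on.
    """
    conn = make_db()
    probe = "' OR '1'='1"  # constructed probe: closes the literal, adds a tautology
    results = {
        "unsafe_normal": len(lookup_unsafe(conn, "alice")),  # 1 row
        "unsafe_probe": len(lookup_unsafe(conn, probe)),     # every row leaks
        "bound_probe": len(lookup_bound(conn, probe)),       # 0 rows: no such name
        "safe_normal": len(lookup_safe(conn, "alice")),      # 1 row
    }
    try:
        results["safe_probe"] = len(lookup_safe(conn, probe))
    except ValueError as exc:
        results["safe_probe"] = type(exc).__name__          # refused at the boundary
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```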

The STC chief programmer who ensured my systems followed his structured programming disciplines had no such difficulty. Before hand-over I had to put down £5. Any member of the department could put down 10 shillings and subject my work to the 1960s equivalent of a penetration test. If they succeeded I then had to cover a full round in the only pub in Basildon that would hold them all. Failure to secure the input and inter-operability routines, before the users got their hands on the system, could be very expensive.

I happen to also believe in the value of awareness exercises. I help run the Information Security Awareness Forum and have agreed to be an ambassador in support of the next Get Safe Online Campaign. One of the items for the next meeting of the Forum is a review of the current research on "behaviour change", supposedly the objective of any awareness campaign. I will ask whether anyone is interested in helping organise an awareness campaign to change the behaviour of the app developers who condemn so many of us to be victimised, however many anti-malware products we install to slow down our systems as they fight each other for control while failing to protect us against well-targeted phishing.

I would very much like to see such an exercise under the umbrella of the new Digital Policy Alliance (website currently under construction) to implement the recommendations it inherits from the EURIM Security By Design Group.

About this Archive

This page is an archive of entries from August 2012 listed from newest to oldest.
