The latest press coverage of the BRC survey on the cost of e-Crime still misses the point. The biggest cost is lost business. And I do not mean hypothetical losses because of "piracy" but actual orders abandoned because intrusive security or lack of confidence means, for example, that more transactions (by value) are abandoned than are completed. As in so many other areas, those concerned with the future of London as a global financial services centre are ahead of the curve (and in this case ahead of both government and most of their technology suppliers) in looking at the consequences.
How do you apply "My word is my bond" to the on-line world?
Who am I? Which version of which translation of which e-mail or tweet was my word? What is my bond worth? Does it matter (and if so, to whom) if the transaction is subject to irrevocable payment in advance or on delivery?
Which suppliers can you trust? Which credentials, regulators and enforcement agencies are trustworthy?
A fortnight ago I attended a workshop to develop ideas for the TSB "Trusted Internet" Catapult (the latest HMG funding initiative in the cybersecurity space). The timetable for the launch of the new facility parallels that for a competition for University Masters Students to look at some of the questions that need to be asked. The aim is to get those who will be designing the products and services of the future to throw rocks into the stinky pools of introverted discussion on "trusted identities", "trusted computing", "trust services" and "trusted intermediaries". Their generation will have to live with the consequences of the decisions currently in prospect with regard to research priorities, business plans and regulatory initiatives. They are also in a position to think the unthinkable and be rewarded not punished.
After discussing the original proposal, the Director of one of the new UK Cyber Centres of Excellence said that the questions he would like to see his students tackle included:
"What constitutes lawful protest online and how can this essential aspect of a democratic space be reconciled with an online environment that promotes economic prosperity?"
"Which of the grooming techniques employed by online "phishermen" could be used to foster a beneficially greater sense of trust online and would it be ethical to use these methods?"
"How do you bring about behaviour change at board level regarding the value of information, security strategies and budgets? What arguments, language and evidence are needed?"
My first thoughts were: "Ouch", "Ouch" and "Ouch". My second thoughts concerned those who I would like to see brought together to debate such questions. My third thoughts concerned the mix of academic disciplines that would need to be brought together to provide credible answers.
The competition appears to be gaining widespread support from some of those with difficult decisions to make over the next year or so as well as from those who wish to stretch the minds of their students across academic boundaries and those who wish to work with them on applied research and technology and/or subsequently recruit them. Over the next couple of months we will be looking to go firm on the organising team and sponsors, the support available to entrants and the prizes. But first we need to take a good look at the questions.
The idea for the competition began during discussions after a presentation I attended as chairman of the Security Panel of the IT Livery Company. The presentation was on the need to rebuild trust in banking and financial services after the "problems" of recent years.
Banking crises can be seen as a failure of information governance. Major organisations are unable to identify and collate risks and vulnerabilities in time to take effective action. The systemic weaknesses which enable criminals to organise computer assisted fraud (accessing supposedly secure information) or lead to on-line financial and transactions services going off-line for hours or days are often caused by similar failures of technology governance. Both information and technology governance failures commonly involve communications problems across professional, cultural and regulatory boundaries.
What are the governance standards against which conduct should be measured?
How should that conduct be judged and by whom?
How do we bring about the changes in attitude and behaviour necessary to genuinely make London the best place to locate business operations that need to be trusted globally?
How do we ensure that regulation supports that process by rewarding good conduct with more and more profitable business?
The issues may be complex and far reaching but finding and implementing better answers than those available in Dubai, Frankfurt, Hong Kong, New York or Singapore is essential to the future of London as a global trading centre. Hence the support for using a mix of research, discussion, competition and conviviality to tease out possible answers and, more importantly, to identify those willing and able to work together to secure implementation.
Issues of trust in the security and integrity of on-line services and centralised databases and of those running them go much wider than financial services.
The "Big Data" bandwagon will be rapidly derailed if would-be suppliers do not improve trust in the security and reliability of their offerings among decision-takers and budget holders.
The business models of those dependent on advertising revenues, as well as of those dependent on revenue streams from public and private sector users, are similarly at stake.
Most attempts by "experts" to provide credible "answers" have failed. Some simplify the "question" to fit the "answer" they are selling. Others attempt to boil the ocean.
The proposal is therefore to exploit the desire of universities to improve relations with industry by asking "the thought leaders of the future" (their brightest post-graduate students) to look at the questions of their choice, supported by those in industry who are looking for good recruits, as well as possible answers. We then hope to collate the best of their thinking, giving public recognition to the students and those who helped them.
means is a "competition" for 2012 - 13 Masters' Students whose research theses relate to the most interesting of the "questions".
This entails obtaining the support of a critical mass of University and Industry supervisors and sponsors who will ensure academic rigour and help with research facilities. The exercise therefore starts with round tables in September and October to identify possible questions and secure academic and industry commitment in advance of a high profile launch event during the run-up to Christmas.
There is a wide range of possible questions and the start point is a paper produced by EURIM (now the Digital Policy Alliance) last year to suggest topics related to Information and Identity governance for Masters Students to look at. This is, however, only one possible way of structuring a brief on questions that Masters' students might be invited to address.
Masters Students are supposed to go firm on the topics in January/February and submit papers to their academic supervisors in July - September. Over the period February - June we would expect to organise industry-supported teleconferencing networks to help them with contacts and sources of material. Once they have submitted their work, copies would be forwarded to the judges who would select winners and commended entries for an awards ceremony in November 2013. In parallel with the judging process, the competition organisers and sponsors would look at the material generated with a view to discussing possible action plans for announcement as part of the awards ceremony.
Invitations to participate are being sent to:
· Those concerned with Internet governance and delivery issues including the relevant professional bodies, interest groups, trade associations and City Institutions
· Those concerned with national and international financial and transaction services delivery (Banks, On-line retailers etc) and the main Internet and Communications service providers
· Those providing Forensics, Intelligence and Investigation services, private sector as well as law enforcement
· Those Universities believed to have relevant courses and research programmes
It already looks as though the exercise will have the support of three or four Livery Companies, a dozen or so Universities (including at least two of the new Centres of Cyber Security Excellence), most of the relevant professional bodies and trade associations and half a dozen major employers.
E-mail me c/o firstname.lastname@example.org if you have not received an invitation and would like one.