September 2012 Archives

New Minister brings outbreak of common sense to UK Communications policy


The news that Maria Miller has called in the Mobile Operators for a round table at which she will offer to bring forward the 4G auction, provided they stop playing legal games, indicates why we need more women in cabinet. As some readers will know, I was programme manager for the start of the first (and by far the most successful) campaign to get more Women into IT (1988 - 94). Some say that I organised the campaign. I did not. The team did so. I listened (for once), then did as I was told. My main contribution was that no-one could point at me and say "well she would say that, wouldn't she." 

There are many jokes about the differences between men and women. One of the most profound, at least in the business world, is that men tend to focus on winning battles (and being seen to do so, even if it costs more and achieves less) while women focus on securing results (even if that means appearing weak, because they avoid battle in order to do so faster and more effectively). The lamentable consequence is that inferior (and underperforming) men are all too often promoted over their heads.   

I look forward to the Secretary of State using similar tactics to bring about the convergence of our fragmented broadband funding and procurement policies (preferably without humiliating those still trying to fight unwinnable battles in order to save face) in order to pull through the roll out of rural and inner city broadband (both fixed and mobile) in time to help save a few Conservative and LibDem councillors from the slaughter next May. The ability to demonstrate progress in delivering real (inter-operable and upgradable) broadband, not just promises, may be sufficient to tip the electoral balance in notspots where the consequent educational and economic exclusion are as big a problem as the social exclusion of young and old.    

If she can make progress in time for announcement at the Conservative Party conference, that should also help harness the groundswell of discontent on lack of progress that is otherwise likely to surface during the Conservative Policy Forum discussions that I mentioned in my blog on the IT at this year's Party Conferences. Using converged broadband to help pull through economic recovery at the same time as delivering better public services at lower costs should also help provide a more credible win-win-win political strategy than is currently on offer for the local government elections next year.   



Which cyber-topics will feature at the Party Conferences


As the three main parties implode into a period of soul searching, wondering why their faithful have drifted away, what topics are the lobbyists promoting to those who attend their annual fund-raising events?

A quick scan of the exhibition guides and fringe listings indicates that the lobbyists' main priorities are:

  • energy: particularly subsidies for windmills and nuclear
  • the use of social media and networking for political campaigning
  • digital skills programmes: education, schools, universities etc.
  • encouraging the further outsourcing of service delivery (including, but not just, IT).
  • privacy and surveillance policy (albeit driven by civil liberties rather than corporate lobbyists).

I could find little on the use of IT to help improve service delivery - except for education or in the context of promoting further outsourcing. More surprisingly there appear to be no broadband events - except for the Next Gen event in London while the Conservatives are in Birmingham.

The only directly IT-related event, apart from the Big Brother Watch meetings on the Communications Data Bill, is the Conservative Technology Forum meeting to put Smart Meters and Smart Grid policy into the context of a converged 21st Century Smart Infrastructure (including ubiquitous broadband to support ubiquitous computing and communications for the Internet of Things).

That meeting appears likely to be one of the few with two Ministerial speakers (one current, one former) that is not commercially sponsored. The reason is probably that none of the lobbyists can find out, or influence, what is to be said by the speakers. I am chairman of the CTF and I do not know, although I sat in on most of the discussion meetings and have seen earlier drafts of the policy proposals to be presented for comment. I should perhaps add that I delegated the organisation of the policy paper and the meeting to those who understand that subject much better than I - and look forward to listening and learning. Most sponsors would, however, be more fearful of things being said which did not fit their current lobbying position than they would appreciate the benefits of being seen to support genuinely open discussion.

That leads me to the question of whether Party Conferences should be an annual lobbying exercise or a rally of the faithful. If they are primarily a rally of the faithful, should it be to listen to their leaders, for their leaders to listen to them, or for leaders and followers to try to engage in genuine dialogue?

The use of IT to improve service delivery may no longer be a headline item in the mainstream or fringe programmes this year, but it is likely to be a serious topic of conversation elsewhere at the Conservative Party Conference - perhaps more robustly than many lobbyists would like. One of the welcome innovations this year is a series of Conservative Policy Forum meetings for party activists to discuss what matters to them.

The CPF has a surprising number of former information systems and project management professionals in membership, possibly because of the "downsizing" of the UK IT industry over the past twenty years. Many have strong views on how to get better value for money than by paying 30% (or more) over the odds to that small number of dominant suppliers who spend tens of billions of pounds p.a. on behalf of central government. Unfortunately their analyses of what went wrong and why are often better than their ability to suggest realistic ways forward.

Microsoft (one of that minority of suppliers which still takes support for long-term "public affairs", as opposed to short-term "government sales support", seriously) recently hosted a very well-informed Conservative Technology Forum round table on the politics of co-operation in service delivery. This indicated the scale of change in prospect as we attempt to refine gold standard information from the toxic sludge that is current public sector "Big Data" in order to support the delivery of better targeted public services. We agreed to return to this topic after the Conference. I then hope to balance the inputs (derived from far better informed and profound thinking than I had anticipated) from Microsoft with those from others who are equally serious about responding to change rather than trying to prevent it.


Time to prepare for the "insourcing spring" of 2013


The difficulties experienced at Mouchel have triggered a series of reviews which will lead to many, perhaps most, of its local government service contracts (run by companies which it had taken over) being taken back in house rather than left to the tender mercies of Treasury-owned banks. That process will gather pace next spring as Councils seeking to get re-elected by cutting costs without cutting services stop renewing inflexible outsourcing contracts and start bringing services back in-house so that they can be restructured and shared.

Meanwhile the collapse of health care across South East London, in the wake of a series of disastrous PFI and Outsource Contracts (particularly those for the Princess Royal and Queen Elizabeth hospitals), will hopefully trigger legal action against those responsible (including the law firms and consultancies) for contracts which not only flew in the face of good practice at every level (clinical, management etc.) but may have been in breach of legal requirements (e.g. for the emergency lighting in the operating theatres) as well as ultra vires.

Bryan Glick makes some good points in his blog on the lose-lose contracts to implement the NHS National Plan for IT but was wrong to point the finger at Granger for pushing the balance of risk "too far the other way", when he set about enforcing the small print of the crass contracts he inherited in order to bring about renegotiation. He was merely following private sector good practice. His former employer, Accenture, saw what was about to come and walked away: writing off only a hundred million pounds or so. BT, CSC and Fujitsu should have done likewise - in the interests of their shareholders as well as of the patients and taxpayers.

Now the coalition parties face electoral melt-down in the council elections next year as officials continue to cut front line services in order to fund redundancy payments. We can therefore expect to see attention turn towards making real cuts in IT costs, not just the nominal 10% offered up by the current incumbents to Cabinet Office, in return for an inside track on future business. 

The LGA statements in this area are mostly generic but evidence to date is that co-operation with regard to ICT procurement can lead to costs of less than half the central government average for equivalent products and services. Meanwhile co-operation in service delivery (including from sharing communications networks and back offices) has enabled savings of over 50% at the same time as service improvements (e.g. by giving mobiles to midwives and carers to do the paper work from the patient's home).

However, ongoing savings as needs and technologies evolve require a flexibility that is missing from most outsource (let alone PFI) contracts. Hence my view that the zenith of outsourcing was during the run up to Y2K. That does not mean that it will take a long time to fade out of fashion. The zenith of the British Empire was probably before the Boer War, even though more of the world was painted pink (League of Nations Protectorates) after the Treaty of Versailles in 1919.

I think we can expect to see others follow suit if Milton Keynes is successful in making significant savings by bringing services back in from Mouchel. Meanwhile the Local Government collaborative procurement strategy is likely to gather pace with services increasingly delivered by local co-operatives and SMEs within inter-operability frameworks (like those for PSN). The challenge will be to help Local Authorities to deliver savings on positive cash flow, because few, if any, still have cash balances to invest up front and their suppliers cannot afford to borrow to fund risk investment. That requires innovative thinking on the part of those IT and Communications suppliers who are not in the process of quietly withdrawing from UK public sector markets.

How can major IT and Communications suppliers re-engineer their operations to work more profitably through local partners, with lower sales and support overheads, when those running them usually got to the top by running big sales campaigns (whether or not the subsequent implementation was profitable or successful)?   

The good news is that a number of suppliers (large and small) are looking at how to adapt, using the new Digital Policy Alliance as an umbrella for co-operation with Local Government and SME consortia. One of the cornerstones of that co-operation is the move towards mandating open standards for inter-operability. This not only preserves competition, avoiding lock-in to proprietary solutions; it also means that if a supplier fails, for whatever reason, the contracts can be picked up by others (albeit not necessarily at the same price) without the need to write off a dead-end investment.

[The DPA is a relaunch of EURIM. I am getting quite jealous of the commitment being shown by major players towards the exercises planned by my successor. The key to his success is that he is making the members do the work - dropping exercises where he cannot see the necessary commitment. My failure was because I tried too hard and they thought they could leave things to me if they were "too busy". I learned my lesson too late. But now I am also free to advise some of the DPA members on how to reap direct short term business benefits from working together.

That is important because those who do not help Local Authorities achieve their cost-cutting objectives next spring are unlikely to still be serious players in the UK public sector come the time of the next General Election. Waiting for this government to go away is not a serious option. If it fails, the next one will face an even harder job - in a world where IT is used to ration demand at every level - and therefore under systemic attack from all sorts of "freedom fighters" and not just copyright pirates.]

New DCMS minister releases evidence of BDUK failure


Maria Miller has acted fast to announce long overdue measures to remove some of the planning obstacles to the installation of new, lower cost, fibre networks. This is linked to the release of a BDUK progress schedule dated May 23 showing the sclerotic progress in bringing forward procurements using funds agreed the year before.  Meanwhile 400 homes in rural Appleton (Oxfordshire) have just acquired what is truly the Best Broadband in Europe - close to a gigabit both download and upload from Gigaclear, trunked by Cable and Wireless (who pulled out of the BDUK framework and are now part of Vodafone) to the London Internet Exchange.

The BDUK schedule indicates why so many MPs and Councillors are incandescent.

What is less clear is "what happens next?"  

Given that it is the Department of CULTURE, Media and Sport I remind those advising ministers of the fate of Macbeth when he took the view that:

"All causes shall give way: I am in blood
Stepp'd in so far that, should I wade no more,
Returning were as tedious as go o'er."

Andy Burnham may no longer be at DCMS but the constituency of the SNP spokesman for CMS, Peter Wishart, includes Dunsinane. 

My simplistic summary of the state of the 50 or so projects which had applied for BDUK funding as at May 23rd is: 2 on course, 5 with procurement under way, 4 with procurements due to start, 25 stuck in the treacle of the BDUK procurement framework, 4 bypassing the need for state aid clearance, 6 in negotiation (i.e. the councils had told BDUK they wanted the money to combine with other projects which did not fit the framework) and 5 withdrawn (i.e. they decided that the funding available was not worth the hassle). Little appears to have happened since then, save that Birmingham got its EU go-ahead in 10 weeks flat.

Meanwhile the overall broadband scene has potentially been transformed by the success of the BT and mobile infrastructure upgrades to handle the Olympics and the decisions of mobile operators to share their infrastructures, including their investments in "fibre to the femto". There is still a real possibility that the UK really could have "the best broadband in Europe" by 2015.

It is unclear how many Councils still have available the funds they had at the start of 2011. Moreover, those which have not had to commit their balances elsewhere are concerned to use these to help them reduce their own service delivery costs; that means investing in PSN-compatible network procurements to support shared service delivery.

I hope that the release of the BDUK progress report indicates that the new Minister is clearing the decks for a shared (with other departments including Treasury) infrastructure investment policy review. Reliable, resilient and ubiquitous broadband (both mobile and fixed) should be seen as one of the four cornerstones of a 21st century infrastructure. The other cornerstones are smart meters, smart grids and a smart standards regime.

But we also need consistent, compatible and predictable fiscal and regulatory regimes which create and preserve open markets which give good service to customers and fair rewards to those who make risk investments - without locking out innovative newcomers. Because unless we enlist market disciplines to compensate for regulatory failure we will indeed face the future of bandwidth and energy rationing for which officials at Ofcom, Ofgem, DCMS and DECC have been preparing.

CESG has indeed produced a readable and succinct "Executive Companion" to Cyber Security


Yesterday I questioned whether the new CESG Cybersecurity Guide, now available on the BIS website, would be any better than that produced by the US FCC. 

It is. But it is what it says on the cover "an Executive Companion". It is not a "ground breaking new scheme" and I doubt whether any FTSE 100 Directors will read it.  

The guide, with its simple use cases, and the back-up material on the CPNI website covering critical controls and other guidance and education is a good check list for a corporate Chief Information Officer reviewing the objectives and budget of his Chief Information Security Officer. Whether it is of much value to the CIO when trying to make a case to his Board to give priority to information security over other matters at a time of all-round cost-cutting is another matter. I fear that we are still in a world of "experts producing material to impress other experts".

Last night I attended a Computer Weekly 500 Club event on relations between the CIO and the Board. This is a perennial topic and Professor Jim Norton's presentation on the roles of the CIO might have been delivered 30 years ago (indeed the messages closely echoed those at a session on "Who should be responsible for IT" at the opening conference of IT 82, the first and most successful "awareness" campaign). What was different is that Jim has not only been a main board chairman but helps run the Institute of Directors' training programme. His summary of the roles of the CIO, from translator, through gatekeeper and accountant, to sheriff helps position the value of what was announced yesterday - the CESG material is a useful piece of support material for the CIO who has also got a credible business case for action and a strategy for delivering on the promises he will have to make in return.

I have three criticisms regarding the otherwise welcome CESG companion and the helpful supporting material on the CPNI websites.

The first is that the basic approach is reactive, adding controls rather than preventing vulnerabilities from being introduced in the first place: (e.g. by poor system architecture and the recurrent use of development short cuts which replicate 20 and 30 year old vulnerabilities to be picked up, if at all, by subsequent penetration testing).

Those who are serious about security really must move towards mandating good practice in security by design. BCS and IET must take a lead (working in co-operation with e-Skills) in mandating this in the undergraduate degrees and any other courses that they accredit, from schools to continuous professional development. We must also bridge the growing gulf between the cyberwarfare skills development plans of CESG and MoD and the civilian security skills needs of most of industry.
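To make the distinction between "adding controls" and "security by design" concrete, here is an added illustration (not code from CESG, CPNI or the original post; the table, the sample rows and the function names are constructed for the example). The same complaint about building decades-old vulnerabilities into new applications recurs elsewhere on this page. The short cut is the one that has been replicated since the 1990s: assembling SQL by string formatting. The "reactive" fix is a quote-stripping filter bolted on after a penetration test reports quote-based injection; it does nothing against a numeric context. The designed-in fix validates the type at the boundary and binds the value as a parameter, so untrusted data can never become query syntax.

```python
import sqlite3

# Constructed sample data for the example (not from the original page).
SAMPLE_USERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
    (3, "carol", "carol@example.org"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_by_id_unsafe(conn, user_id):
    """The decades-old short cut: the caller's value is pasted straight into SQL.

    A value such as "2 OR 1=1" turns a single-row lookup into a dump of the table.
    """
    sql = "SELECT id, name, email FROM users WHERE id = %s" % user_id
    return conn.execute(sql).fetchall()


def strip_quotes(value):
    """A typical bolt-on 'control': remove quote characters and hope for the best."""
    return str(value).replace("'", "").replace('"', "")


def lookup_by_id_filtered(conn, user_id):
    """The reactive approach: same query construction, with a quote filter added.

    The filter addresses the one payload the pen tester used; the numeric context
    needs no quotes at all, so "2 OR 1=1" still returns every row.
    """
    sql = "SELECT id, name, email FROM users WHERE id = %s" % strip_quotes(user_id)
    return conn.execute(sql).fetchall()


def lookup_by_id_safe(conn, user_id):
    """Security by design: validate the type at the boundary, then bind the value.

    The SQL text is fixed at development time; the driver passes user_id as data,
    so there is no query-building step left for an attacker to reach.
    """
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        raise TypeError("user_id must be an int, got %r" % (user_id,))
    return conn.execute(
        "SELECT id, name, email FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "2 OR 1=1"
    print("unsafe  :", lookup_by_id_unsafe(db, payload))    # whole table leaks
    print("filtered:", lookup_by_id_filtered(db, payload))  # filter changed nothing
    print("safe    :", lookup_by_id_safe(db, 2))            # one row
    try:
        lookup_by_id_safe(db, payload)
    except TypeError as exc:
        print("safe rejects payload at the boundary:", exc)
```

The point of the comparison is that the filtered version would pass a re-test against the original payload and fail against the next one, while the parameterised version needs no re-test for this class of bug because the design removes it. The same shape applies to the other long-lived classes (OS command construction, path building, format strings): separate code from data at the boundary rather than trying to recognise every hostile input afterwards.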

The promotion of this guidance might provide an opportunity to do just that.

What are the plans for follow-up with and through the civilian sector skills councils, where e-Skills is tasked to provide the lead on information security (as well as communications and computing) skills?

My second criticism is that in saying "who we work with" it is apparent that the CPNI has ignored the WARPs (Warning, Advice and Reporting Points), its previous partnership network. Indeed there appears to be no link to the WARP website from CPNI.

The WARP programme appears to have been quietly cut adrift a couple of years ago, when central funding and support was transferred to sexier programmes. Even so, a couple of dozen (particularly those covering parts of local government, the health service etc.) are still listed as active. What are the plans for working with and through those that survive rather than duplicating effort?

My third is that there is no reference to the value of participating in or linking to awareness exercises like "Get Safe On-line". There is a reference to "Action Fraud". I suspect that this is another symptom of siloed thinking. Awareness without action is not enough, but the two should be symbiotic.

Will GCHQ give more serious guidance than the FCC?


This morning's announcement of a GCHQ initiative to help British business improve its cybersecurity was damned with faint praise in a FIPR "alert". They queried whether its guidance would amount to much more than that issued by the US Federal Communications Commission. I do hope it will not repeat the falsehood that 80% of the threat can be handled by "good house-keeping", i.e. keeping anti-virus et al up-to-date. That ceased to be true a couple of years ago, if it ever was.

Yesterday at the end of my blog on the first meeting of the pre-legislative scrutiny of the surveillance bill, I commented on the need to stop confusing the skills needed to update the UK's cyberwarfare capability with those needed to protect business and rebuild confidence in the safety, security and resilience of the on-line world. I should have qualified that statement.

There is an overlap - but it is in a taboo area.

Our cyber-warriors and those of the US and Israel (and probably also those of Russia and China) have long been working on tools (e.g. those inside Flame and its more sophisticated counterparts) for covertly penetrating and exploring on-line systems in order to cause damage (e.g. Stuxnet) or loot their contents (e.g. the thefts from US transaction processing and payment clearing operations). Those tools, which current generations of anti-virus et al do not detect, are increasingly being used to steal customer files (including passwords, certification and authorisation details etc.) from on-line retailers and commercial secrets (including from the research and development operations of pharmaceutical and on-line gaming companies as well as from defence and aerospace).

Is GCHQ going to share its expertise in detecting and blocking those tools?

More-over is it going to support the effort necessary to mandate the use of security by design across the public sector (and its suppliers) and to support its adoption by major private sector players so that we stop the development of new applications which incorporate 20 and 30 year old vulnerabilities?

If so, we really will have cause to celebrate. Such co-operation could indeed help catapult the UK into pole position as a location in which to base globally trusted on-line operations.



Enjoy your right to surveillance on the scrutiny of the surveillance bill


While getting bored with watching comment on the Cabinet Office reshuffle I received a LinkedIn message recommending I watch the Communications Data pre-legislative scrutiny committee evidence session instead. The first thing I noted was that David Davis was not expecting a phone call from Number 10. He was sitting behind the witnesses as they responded to some lovely questions - such as "Do you trust GCHQ and its staff with the roles being expected of them?".

The answers to that question were as profound (in their implications) as those to more predictable questions, such as: "What is communications data?" (as we move from e-mail and browsing, through social networking and always on smart phones to ubiquitous computing).

The answer to the question of trust illustrates the entertainment, as well as educational, value of the session. Peter Sommer trusted those he had met at the personal level but commented on the narrow world view of those living in Cheltenham. Sadie Creese pointed out that she lived in Cheltenham and trusted her neighbours. Ross Anderson did not trust their technical competence because they offered only £25,000 (with no prospect of a career leading to a top management role) to those being offered $200,000 (and a route to the top) by Google. Glyn Wintle said that he would be far more concerned about the trustworthiness of those working for the ISPs collecting the data, or of any major data file linked to the Internet.

Do watch, enjoy and then think. I am not just delighted with the broadcasting of pre-legislative scrutiny. I am surprised that it should be so entertaining.   

P.S. I should perhaps add that I am getting concerned over the way the information security skills agenda appears to have been overshadowed in the eyes of BIS and its funding agencies by the very different needs of GCHQ and MoD for cyberwarfare skills. 

The skills initiative planned by BIS, OCSIA and CESG should be viewed as a piece of long overdue defence spending. It has little to do with the need to address on-line security - where the prime need is to educate mainstream software developers to embed security by design and stop building twenty year old vulnerabilities into new applications. I would argue that, important though the former undoubtedly is, the latter should have priority at a time when trust in the security of the on-line world is crumbling.


About this Archive

This page is an archive of entries from September 2012 listed from newest to oldest.

