The media cover has an additional edge because journalists from the New York Times to the BBC are now painfully aware that, even if the NSA and GCHQ have not rummaged through their files of private contacts, agencies of the Chinese, Iranian and Syrian media may well have done so.
Meanwhile the latest NFA Annual Fraud Indicator would appear to show that over 25% of us have been actively defrauded (average lost over £1,000), not just had our personal identities or information compromised. Most frauds now have an on-line component, albeit increasingly integrating voice, text and e-mail customer communications in ways well in advance of most legitimate commercial players: 20% of us according to Which have now received telephone calls from Microsoft techncial staff offering to help us fix problems they have found.
The total cost of Fraud to the UK is over £50 billion, 40% of it from the public sector. There is, therefore, mounting pressure on Government to do more to tackle fraud and money laundering as part of the deficit reduction package. That pressure now extends from tax fraud (over £10 billion), through evasion to avoidance. Hence the case for using surveillance to track the proceeds of crime and sources of terrorist funding to also identify the means used to move taxable sales and income off-shore and question their legality. PRISM, RIPA and the Communications Bill may not cover content but there is plenty of legislation regarding the regulation of Financial Services et al that does, once the communications to be "unpacked" have been identified .
The Internet, as perceived by the mix of Californian liberals and libertarians who created its current "governance" structures, is now under attack from all directions:
- from perverts and terrorists seeking victims and converts,
- through criminals impersonating and defrauding businesses and consumers,
- to taxmen seeking to recoup the sales and property taxes they have lost as traditional retailers are put out of business by "out-of-state" or "off-shore" on-line operators
- and lawyers seeking to enforce intellectual property rights that go way beyond those which stimulated created and growth in previous centuries.
Recent press cover in the Washington Post and Guardian has focussed on leaked "evidence" regarding long-standing trans-atlantic co-operation with regard to communications monitoring - as though the revelations are surprising, new or scandalous. Those who suffer from deja vu (Echelon et al) will not be surprised at the leak of the modern equivalent of a "D-Notice" asking journalists to refrain from doing "real" harm.
Such cover has almost buried the, far more worrying, allegations that major players, including defence and security contractors as well as major ISPs, have had their networks comprehensively penetrated and their most sensitive files copied. If such allegations were to be widely believed, whether true or not, the result could be a collapse of confidence in the expensive technical solutions the suppliers promote to supposedly protect "big data" solutions that are inherently insecure because of the number and variety of sources (hardware, software and information) and of users (with privileged access) involved.
I happen to think that such a collapse, or at least a much wider degree of well-informed scepticism, including at the political level, would be an excellent development. Those designing such systems commonly lack the necessary training in information systems and security, (people processes not just technology), to be anything other than a menace to their employers, let alone the rest of us. Worse, there have been several, as yet little publicised, cases of damning reports on the impossibility of adequately securing major applications (such as national programmes for detailed children or patient records) not being passed on or being described to Ministers as "technical problems that can be overcome during implementation".
The current controversies, however, also risk burying good news: such as how the takedown of the Citadel network shows that industry and law enforcement can work together to make a real difference. The problem is to organise co-operation across well established, and sometimes well-deserved, barriers of mistrust between networks of insiders indoctrinated with concepts of "need to know" which mean "we need to know what you are doing but we will not tell you why, let alone tell you what we already know, unless we are convinced that is in our interest that you know too". Progress will be limited until we have found and tested better ways of organising trustworthy (and trusted) "connections" (people not just technology) to handle communications between such networks.
Is the current mix of assaults from all direction such that confidence in the Internet (seen in context as core part of the world's largest machine, the global communications network) is about to collapse? Or is it about to be reborne around different conceptual models?
If so what will trigger the collapse?
And which of the players currently trying to screw each other will help conceive its successor?
As I have said in previous postings, these are questions we should be putting to the next generation of thought leaders. What I am personally calling "the Cyber Integrity Challenge" has now had its first registrations (one of the very first was from a masters student at a post-graduate school of journalism), even though we have yet to have the first briefing event for students and employers. Students whose University is not among the initial participants should ask their supervisor to contact their University's CPHC contact (or to e-mail the Cyber Security Challenge contact using the website link). Additional Universities can be added until shortly before the deadline for registration: thus Lancaster (which has one of the goverment funded, cross disciplinary cyber security centres of excellence) was confirmed last week as an addition to the announced list.
Employers seeking contacts with those who will help them build an on-line future in which we can have genuine confidence should make similar contact remembering that the pilot is being organised as a stream within the main Cyber Security Challenge . So too should those wishing to support entries and sponsor prizes (to show that their organisation is serious about building confidence in the on-line world) should do likewise. I am happy to pass on details to the organising team but am now only one among a growing number of cheerleaders and supporters. This is clearly an idea whose time has come.
One of my reasons for spending so much time on getting the competition off the ground is that I believe the Internet as currently conceived cannot survive unless those who want it to do so work together - to help rebuild confidence that it is worth protecting. If it is going to have to continue to evolve, it is even more important to work together to ensure that it evolves into something better suited to the needs of the majority of law abiding citizens and businesses. As some-one whose personal "open market" politics are near to "where Tribal Tory meets Old Labour, round the bike sheds at the back", I would also like to think that future might involve a measure of democratic accountability and personal freedom, as opposed to ...
But those who are serious about such matters often have to be ready to kill for them, not just die for them. That leads us back to PRISM. I do not see what the fuss is about. I would be dismayed if the NSA and GCHQ were not doing such things. However, I do not believe it is worth recreating the BT monopoly as part of a vain attempt to expensively prop up a surveillance strategy that is fast becoming obsolete. I would far rather we looked forward to a world of genuine partnerships in "civil defence" as well as "policing" that are genuinely fit for the on-line world.
Hence also my comments quoted by Michael Dempsey in the Financial Times on Friday on why we need to make much better use of industry expertise as "cyber reservists" and "specialist constables" with governance frameworks which also enable those working in key roles in industry to "change hats" without necessarily leaving their desk or control console when an attack develops. Now that raises far more interesting questions of trust and accountability than PRISM et al.