Hundreds, perhaps thousands of regulatory and law enforcement organisations around the world claim jurisdiction but almost none exercises it with any degree of determination or competence - save with regard to child abuse.
I recently attended the ACPO E-crime Conference to speak on the many current initiatives and was brought back to earth with a jolt. Apart from the Metropolitan Police and City of London police with their specialist units for anti-terrorism and card fraud, over 90% of UK police e-crime resource is once again fully occupied on child protection.
The situation is akin to that at the time of Operation Ore with forensics backlogs of 6 months to 2 years - only worse. Then the allegations were complicated by the associated card frauds. Today the leads are much better, coming from the social networking and peer-to-peer networks sites to which the predators have migrated, following their targets.
It is six years since EURIM published "E-Crime - A new opportunity for partnership", calling for law enforcement to at least match the emerging criminal partnerships. The six papers published in the course of the subsequent EURIM-ippr "Partnership Policing" study found consensus on nearly sixty recommendations for action - mainly to reduce barriers to co-operation and make better use of existing spend. The other papers were on: Protecting the Vulnerable , Supplying the Skills for Justice, Reducing Opportunities for e-Crime, the Reporting of Cybercrime and the organsation of Co-operation.
Today we have globally integrated criminal malware and information supply chains while the UK has yet to replace the National High Tech Crime Unit, wiped out by mistake rather than design, during the creation of SOCA.
The impact of the Internet on society is akin to that of the railways, only more so, including with regard to the need for cross-boundary policing. By the time the police forces of the railways were finally brought together to form the British Transport Police, they accounted for over half of reports of theft, by volume and by value. One major difference between railway policing and on-line policing is that it was relatively easy to report rail-related theft (goods lost or stolen in transit or from passengers) albeit there were regular complaints that little was done as result. Today it is almost impossible to report Internet related theft and almost nothing will be done if it is.
That means you, like the railway companies who still pay for the British Transport Police Force today, have to protect yourselves and your customers from all other forms of computer assisted crime, from information theft, fraud and impersonation to denial of service and associated extortion. And according to Kew associates you are spending well over £3 billion a year doing so.
That is good news for all the information security industry but it is not good news for the consumers who are being routinely defrauded nor the shareholders of the banks, insurance companies, retailers, publishers and other user businesses, including the pension funds that will maintain you in your dotage, you hope.
A tenth of that spend, used collectively to track, trace and remove those causing the current mayhem would give massive return all round.
Meanwhile, however, a third of the 1.2 billion Internet users already access it via mobiles which might be anywhere in the world - and moving. Even when the hate e-mail comes from the neighbour next door it may require co-operation from Telcos and ISPs around the world to confirm this. That is best organised via a team that has staff continuity, not the normal police rotation. It also needs to be multi-disciplinary, capable of immediate reaction alongside the incident response teams of industry, the fire brigades (albeit engaged in electronic shoot-outs), not just the fire investigators, working out who did the damage after the event. More-over much of the work will undoubtedly be in support of investigations into all those traditional crimes that are increasingly organised (or in the case of teenagers boasted about) over Internet-enabled mobiles.
The UK Internet Governance Forum meets on Friday and includes with workshops on strategies for cutting Internet crime, disorder and fraud and on personal Internet safety and empowering people. Those discussions will inform the creation of the E-Crime Reduction Partnership that Ministers (both Home Office and Depertment for Business) have said they welcome.
Law and order was brought to the Wild West by the Pinkerton Men, hired by the banks and railway companies, and by Sheriffs and Deputies hired by town shopkeepers to protect their trade. The UK's only unit actively investigating and prosecuting on-line fraud, the DCPCU, is funded by industry. Meanwhile the members of the Internet Enforcement Group, deploy more resources to protect copyright on-line than are available to law enforcement for investigating the use of the Internet by would-be child abusers.
It is said that only the discipline imposed by organised crime saves the Internet from melt-down: "They wish to milk the cow, not kill it". Hence the replacement of mass virus attacks by phishing to recruit botnets for targeted extortion in parallel with collecting and collating personal information to impersonate anyone who is creditworthy, whether or not they actually have funds worth stealing.
Time is running out if you do not wish to rely on the self-discipline of criminals to preserve confidence in the on-line world.
The last of the EURIM-ippr Reports, on the organisation of Interent Policing, "Building Cybercommunities: Beating Cybercrime" , raised the thorny issues of democratic accountability for policing partnerships where the bulk of the contribution comes from industry, not the "public purse". It bears re-reading before you make your inputs to discussion at the UK Internet Governance Forum.
First come the responses to a selection of the recommendations from the report of the Joint Committee on Human Rights report on "Data Protection and Human Rights" . Then come those to the Select Committee on Justice report on "The Protection of Personal Data"
Then come those to "Protecting Government Information: Independent review of Government information assurance, by Nick Coleman". These are interesting for what is not addressed even more than for what is. That review ranged well beyond the issues raised by the "mere" loss of data. Nick's recommendations covered information risk management as a whole and included greatly improving the professionalism of those responsible. The government response included clarifying the split of responsbility between the Information Commissioner, the National Audit Office and CESG. "through peer review and other independent experts". However, it failed to address many of the wider issues. This was not surprising because several of the recommendations represented major threats to departmental automony.
Then comes the surprise: page 41 includes Government promises to "consider" some of the sharper recommendations of the House of Lords report on Personal Internet Safety "in the light of the Walport/Thomas review due shortly." - including with regard to on-line banking liabilities akin to thsoe in the Bills of Exchange Act (1992) on which I recently blogged
I have been scanning the responses to date from the flock of security experts. Most share the tunnel vision of the Government response to the Coleman review: they mouth the words "culture change" and then support the creation of a"Chief Information Risk Owner" with his own add-on security silo.
The time has come for a far wider vision.
Either the security of information, and the resilience of the systems giving access to it, really are important, in which case systems should be designed, from the start, to embed BOTH "security by default" (i.e. it takes a conscious effort to over-ride the safeguards and do it insecurely) AND "graceful degradation" (e.g. default to equally secure federated and/or local access).
Or they are not that important - in which case we should resign ourselves to a world in which no electronic communication can be trusted or relied on for life or business critical functions at a time of rising fraud, impersonation and cyber-assault.
It they really are important - then we need to stop talking about "mere information security professionalism" and start overhauling mainstream information systems and computer science education and training - so that information security and resilient access are at the heart, not the periphery of ICT professionalism as a whole.
And that means beginning with an overhaul of the courses accredited by BCS, IET and others.
That is why, two days ago, I said these reports might well be the most important of the decade for the ICT industry. Hence also the refocus of the EURIM Personal Identity and Data Sharing Group on Informaton Governance.
Then I spent two days at the ACPO E-Crime conference at Wyboston: listening to the concerns of a hundred or so, dedicated professionals fighting a rearguard action against a rising, not falling, tide of reports of paedophile activity across social networks - unable to make time to seriously address anything else.
Are we on the cusp of a crisis of confidence in the on-line world?
And does that mean we are on the brink of catastrophe (the fall of Rome or Byzantium to the Barbarians or Turks) or on the brink of the turning point of the war (the start of "the real fight back" and the run up Midway or Kirsk - depending on whether you are American or Russian, German or Japanese).
I do not know - but I do urge you to read the reports and recommendations and then put them into overall context - beginning with Nick Coleman's wider vision.
]]>Its like buses - you wait ages for one and then a convoy comes along.
These are almost certainly the most important Government statements of the year (perhaps the decade) for ICT suppliers and professionals, far more important in the long term that the latest multi-billion pound order.
Please down load and read - they will take some time to digest - including the implications - I will be most interested in your comments when you have - but not before then.
P.S. In my orignal entry I forget to add a link to the HMRC review, also released yesterday.
]]>
The result was the widespread deployment in the US of systems like the laptop guardian for use by nurses and doctors making housecalls and therefore at risk, for example, of being mugged for their laptop. This particular system was among the examples of existing good practice in information security demonstrated on June 10th at a parliamentary showcase . The visitors included two Home Secretaries, the shadow spokesman for Immigration and the officals responsible for the security of a number of high profile public sector systems. Most of the other exhibits are also available case studies ,
One of the questions raised was the quesiton of professional responsibility for the failure of large organisations to provide their clients' records with security akin to that of organisations like Barnados, Citizens Advice or the Salvation Army who need to prioritise and ration every penny.
We have also had publicity for the break-in at a ministers' constituncy office. Over the years I have lost count of the number of MPs, including past and present minsiters, who have asked for advice on how to reconcile easy access/use with security on their constituecy systems and personal laptops. I have also lost count of the number of security "experts" who have offered assistance and failed to deliver. Most have failed to even understand the need to reconcile, not just prioritise, ease of use and security - let alone the conflicting pressures on the politicians of today, catching up on their workloads late at night and early in the morning when support is not available.
The EURIM Personal Identity and Data Sharing Group, which organised the showcase, is about to change its name to "Information Governance" with the aim of working with the relevant professional bodies and trade associations (accountants, lawyers, company secretairies etc. not just information systems and security) to establish what is good practice and what is prima facie evidence of misconduct and/or recklessness. The aim is to secure the production, publication and use of guidelines that not only command credibility but can be used by auditors and regulators to ensure that good practice is indeed being followed.
]]>
]]> Do read the article and then look at the fieldwork on which it is based.
There is strong support for more CCTV cameras - and interestingly David Davis' complaint is that most of them are unmanned, out of order and do not provide material of evidential quality recording. They are therefore almost useless for crime prevention purposes.
There is a modest majority in favour of a DNA database covering the whole population, mainly because women are strongly in favour and men are less strongly against - presumably because so many of crimes resolved to date have involved sexual assaults.
There is a narrower, split over ID cards: again men against and women in favour. The exception is London, by far our most cosmopolitan City and the one most at rsik of terrorist attacks, which is strongly against. The Midlands, North and West are equally strongly in favour. This may therefore reflect views on ID cards as an immigation control.
There is a clear majority in favour of doctors being able to get the information they need to give the best possible care for patients. But this must be viewd in the context of a two to one vote against collecting more personal information in general:
"Improvments in efficiency and the quality of service provided outweigh the risks to privacy "
29%
"The risks to privacy outweigh improvements in efficiency and the quality of service provdied"
55%
Don't knows 16%
There is a very clear message for the ICT industry: the recent collapse of confidence in the security of big centralised databases has been such as to overcome the innate desire of much, perhaps most, of the electorate for service improvement.
That makes a compelling case for major systems suppliers to collectively support exercises to greatly improve information governance at every level. They face a lean time until the rebuilding of confidence that they and their customers can design, implement and operate trustworthy large systems - people processes at least as much as technology.
Hence the planned EURIM exercise for a high level exercise in the autumn to test whether there is indeed be the support to move from rhetoric to action with regard to information governance processes after the impending crop of reports on information security problems has been published.
]]>While you are there, do remember to download their consultation document and respond by the end of the month.
This is your opportunity to help avert the disaster we all face with the down-turn of bright, well-prepared youngsters embarking on ICT careers at the same time as the skills of the existing workforce are being allowed to atrophy, with the increasing difficulty of funding refresher or conversion training our of after tax earnings.
]]>
Now ponder the security systems for the material used by those organising all those surveillance systems that will supposedly make us all safe(r) - includng that which they have demanded from files of business, telcos and Internet Service Providers.
Now compare these with the way the financial services industry uses technology to support the basic people disciplines (wetware) that have underpinned global correspondence banking, securing transactions and communications from thieves, fraudsters, pirates and warlords along the world's great trading routes, since the days of ancient Babylon.
The report of the Home Affairs Select Committee is the first in a series of reports due for publication in the near future. These include: :
What is missing is an exercise to follow up the recommendation by Sir James Crosby that Government look at the track record and practices of the financial services industry.
Last week the Personal Identity and Data Sharing Working Group of EURIM organised a showcase covering the practical experience of those running large scale systems which have NOT had significant data breaches and has asked the exhibitors to write up the examples used, especially the people processes, for wider circulation. At the event, the Parliamentary Chair of the working group, Philip Dunne MP, an ex-banker and also chair of the All-Party Corporate Governance Group, described plans to distil that experience into "practice notes" that could be used by the relevant professions to hold their members to account - i.e. going well beyond "mere" codes of conduct.
]]>
"Since the 2005 edition of the code (which dictates how UK banks do business with customers), section 12.9 has advised customers to keep their PCs secure. "Use up-to-date antivirus and spyware software and a personal firewall," ... The contentious addition to the new version is section 12.13. "Unless you have acted fraudulently or without reasonable care (for example, by not following the advice in section 12.9), you will not be liable for losses caused by someone else which take place through your online banking service."
Read the full text of his article for the arguments that follow.
The report of the House of Lords on Personal Internet Safety recommended "the Government introduce legislation, consistent with the principles enshrined in common law and, with regard to cheques, in the Bills of Exchange Act 1882, to establish the principle that banks should be held laible for losses incurred as a result of electronic fraud"
Many users would probably stop banking on-line if they feared losing more than trivial sums as a result of their own mistakes. Some of the ramifications are indicated by the recent refusal of a bank to reimburse a customer who lost £3,670 after a phishing scam (reported Which April 2008 and also referred to the Financial Ombudsman Service) and by the growing sophistication of on-line fraud and impersonation, including that using information obtained from data "leakages". The sharp rise in "card not present fraud" involving transactions outside the UK that bypass the domestic chip and pin controls, also adds urgency to the need to reassure users about the risks they run, or rather do not run, when they transact on-line.
The subject also came up when ministers met with the House of Lords Select Committee last month. The trancript of that hearing indicates new and more positive thinking on the part of government. Baroness Vadeera, the minister now responsible for this area in the Department for Business. commented on the possible need to make the Financial Ombudsman better able to "decipher" the reality beneath disputes over liability. Vernon Coaker, the minister responsible at the Home Office volunteered notes to the Select Committee on progress and on the activities of the new inter-ministerial group. He also said that they would support the creation of the Internet Crime and Disorder Reduction Partnership on which the Rt Hon Alun Michael MP, chair of the EURIM E-Crime Group, has been working.
]]>Without rapid action to remove the barriers to reskilling, many will soon be unemployable.
It is not just the threat to what is left of the UK ICT industry. The shortage of those capable of supporting computation intensive industries threatens the continuance of the UK as a major location for leading edge research, let alone product development and support, in pharmeceuticals, aerospace and multi-media content production and publishing.
The need is for a crusade, bringing together not only the ICT professional bodies and trade associations, but also the Trades Unions, to remove the obstacles to cost-effective reskilling and updating programmes for those already in the ICT workforce.
For over twenty years, since I ran the National Computing Centre studies into the skills crisis on the early 1980s I have been calling for indivduals to be able to offset personally funded training and mentoring costs against tax and for employers to be able count time under professionally supervised and accredited training, including the structured work expereince that is the most expensive part of most programmes, as "education" - and thus outside national insurance and PAYE.
Politicians have regularly listened but the idea of using tax incentives, as opposed to tax and spend has long been anathema to officials in what is now part of DIUS. Interestingly Treasury was always more receptive and wanted to know about the means of protecting against abuse - rather than dismissing the idea out of had. Indeed the then Chancellor, now Prime Minister, piloted some of the ideas, including mandating "industry-strength quality control" of suppliers, in the ring-fenced funding for the highly successful Millenium Bug-Busters programme.
But we can now see the consequences of nearly twenty years of inaction on the part of what was the Department for Education and Skills/Science.since the recession of the early 1990s temporarily "cured" the ICT skills problem.
So what could/should you do?
1) Visit the CPHC website amd download the excellent paper on the IT Labour Market in the UK, published on 2nd June
2) Vist the e-Skills UK website and respond to the consultation on their five year strategy.
What is EURIM doing?
EURIM is organising a pilot exercise focussed on security skills, at all levels - with the aim of organising a tightly focussed battering ram to break the logjam by setting precedents in an area which is becoming of critical importance to government as well as industry.
This exercise began on June 4th with a workshop funded by the Cybersecurity knoweldge Transfer Network to start mapping the security skills scene, from definitions through accreditations, qualfications and courses to materials and mentoring.
]]>In talking to the press this morning the chairman of the Select Committee referred to the millions of surveillance cameras in the UK. Most are out-of-order, unmanned and/or fail to produce images of evidential quality. Many are useless after sunset, e.g. those supposedly protecting unlit pub carparks. The recordings from those that are working are rarely held securely. Recordings of "courting couples" and other "amusing incidents" are regularly available for exchange or sale.
The debates over data retention, in case required to investigate possible offences, from misleading school selectors as to your main home through conusmer protection to anti-terrorism, are as divorced from reality as thsoe over CCTV.
Those calling for records of communications or transactions to be retained to aid consumer protection or the war against terror rarely know what they may need to know and do not appreciate that stored data becomes inaccessible unless actively managed. And active managment is not only expensive, it reduces security and removes evidential value.
Calls to simply stop collecting, storing or sharing data are not the answer. More people suffer and die because information is not shared when it should have been than because of abuse. A key part of the EURIM agenda is therefore to bring together informations systems and security practitioners to reset the agenda around organising efficient, secure and democratically accountable sharing and surveillance.
The problem is not the hardware or software that so obsesses ICT professionals. It is the probity, morality and competence of the "wetware", the people who design, build and operate the systems and who enter, retrieve ir analyse the information.
The UK currently spends somewhere over £3 billion a year on electronic security and less than £30 million a year on e-policing, including child protection. The Citizens Advice Bureau and Salvation Army may protect their clients' data, routinely encrypting all laptops - including those that are not supposed to leave the office - while government departments and Ministry of Defence regularly lose unecrypted systems, including from supposedly secure areas. Discs of data awaiting analysis have even been stolen from supposedly secure forensic facilities.
Society is now critically dependent on on-line systems. The Internet may be resilient in theory but most of access it over networks that have more bottlenecks than a brewery. It was built for ease of use - with attempts to retrofit security. Today most of the western world is on-line: including most of our criminals.
Shortly after Y2K, EURIM set up a group to look at the issues of E-Crime. The tille we chose for our first report was "E-Crime - a new opportunity for partnership". It has proved to be all too accurate. Criminals have seized the opportunity to create integrated global supply chaiins, from malware production and data theft, thrugh phishing, botnet recruitment, herding and exploitation to netwroks of mules to launder the gains. Meanwhile law enforcement is still at first base, obessing over better intelligence to help justify future budgets.
In parallel, our ability to spy on our on-line neighbours, possible future recruits or business partners, is frightening.
I recently asked a colleague about some-one who had sent an e-mail asking to become involved in a sensitive study. I expected to receive a note of their current job title and organisation. It was easier for my colleague to forward me their Linked-In entry: being a secuirty consultant the peson who had sent the e-mail was not on Facebook.
In my essay for the 50th Anniversary of LEO I predicted that we would pass through a nadir when no-one trusted what they found or received on-line. I would like to think that are close to the bottom of nadir - and that the current crop of reports and recommendations will mark a turning point.
P.S. The Report is now on the Commons Website
In the meantime, we may already have a surveillance society - but hardly anyone is watching and we do not know if we can trust those who are.
The plans to update the legislation on the Regulation of Investigatory Powers offer a great opportunity to improve the governance and accountability of those who most (but not all) of us would like to be able to trust to watch over us.
]]>I would also like to see a more serious debate on what consent really means, the means of checking that it really has been freely given by individuals who knew what they were doing, the conditions under which the data is stored and accessed and the responsibilities and liabilities of those running the systems.
I was not aware that e-mail I send to some-one with a g-mail account is liable to have the content analysed to aid the targetting of advertising to the person I am sending it to.
I wonder if the recipient was?
EURIM has been asked to organise a balanced briefing for MPs and policy advisors on the issues that might need to be discussed when Ministers do bring forward new legislation with regard to surveillance powers.
The better-informed MPs and some of the policy advisors would also like to see HMG plans discussed constructively in the context of:
We cannot boil the ocean but, ever since I was a child, I have enjoyed throwing rocks into stinky pools to see what rises to the top. Today my excuse is "to help clarify debate".
I await with interest the terms of reference that the EURIM Communications Regulation Group will agree. I confidently expect that they will decide this is a big issue to be taken step by step over time - not one for knee-jerk reactions.
However, I do expect that they will wish to avoid spending time and money on "solutions" based on technologies and business models that may be obsolete before they are operational. I also expect that they will wish to see the conflicting ethical and moral positions debated with rather more rigour than has hitherto been the case.
FIPR is one of the places where that debate will take place and I do recommend those of you who have not become a "friend" of FIPR to do so. I do not agree with all that is said - indeed some of it infuriates me - just as I delight in winding up some of the other "friends".
But without the illumination that comes from the fire of some of their discussions, as at their recent anniversary, I would find it very much harder to even try to understand what is happening and why.
]]>
The points highlighted by the editor (his choice, not mine) spell out a simple message:
"There have been many studies into the causes of failed computer systems over the past 35 years. Much excellent guidance material has been produced, from the days of the Ministry of Technology to the latest guidance from the Office of Government Commerce ...
Confusion and conflict over objectives and priorities and split responsibility for policy and implementation commonly mean that no-one knows what success looks like or is responsible for achieving it from conception to completion ...
The main reason why such problems persist, long after they were first identified, is that those who plan clever policies using fashionable technologies are promoted to repeat their mistakes elsewhere, before they have time to learn ...
Those facing global competition [i.e. in the Private Sector] can no longer afford to try to conceal problems, as opposed to earning reputations for acting fast to resolve them ...
Government systems do not fail because they are larger and more complex than those of the private sector, nor is their size and complexity necessitated by most underlying applications ...
Once a proposal has been said to have ministerial support it acquires a mystical status - to be justified and defended at almost any cost, until such time as a new minister can announce that "technologies have changed" and thus justify a new approach ...
There have been many reports into why systems fail, especially in the public sector. There have been many fewer on why systems succeed ...
The successful implementation of a change programme [in the private sector] is not only well rewarded but is one of the common routes to the top. In consequence those at the top [often] have personal experience of what is entailed - unlike most of those at the top of central government."
The overall theme of the issue is on "Managing large-scale projects" and I strongly recommend downloading it and reading the other articles, especially the interview with John Suffolk.
The population of Slovenia is not much more than that of the County of Kent population and the Presidency event in Lubljana meant that all the hotels were full so the workshop was in Bled, Slovenia's tourist jewel, beside a magnificent lake with a medieval castle towering over the tiny town from on high. From the terrace of the castle it was easy to appreciate how those on high get delusions of grandeur and feel they have the right to order the lives of the serfs and plebs, several hundred feet below.
Much of the workshop was taken up with whether it is right for the state of today to similarly order the lives of those supposedly unable to look after themselves, let alone use the wonders of modern technology.
It was certainly felt to be immoral to demand information that was then available to hackers,fraudsters, blackmaiilers and investigative journalists because of lax security: people processes even more than technology weaknesses. How much of the information that regulators and law enforcement across the EU have demanded be kept in the name of anti-terrorism or consumer protection has already been supplied to those who would abuse it?
It hones thinking when you are in a meeting that brings together those who grew up in nations where 10% of their neighbours were police informers and those who can see "community leaders" using their relationships with the local and central government bureaucracies of liberal democracies to filer communications and maintain "family honour".
There was a clear majority in the workshop that I chaired, that we should be making much better use of technologies already available to empower the disabled and excluded, to consult them, to give them a voice and to give them choice.
This raised many interesting questions, including around the responsibilities of those working in the industry not only to help "educate" politicians to much better balance risk and reward but also to actively condemn that which is unthical and impractical and to regard failure to do so as "unprofessional conduct".
One of the eye-openers was the high proportion of the population who cannot use a conventional screen and keyboard. The 70% of the population accessing the Internet via this means may well be close to a maximum. Most of the rest, including probably the majority of those dependent on public services, need other interfaces.
And the conventional call-centre is not one of these. Indeed it is a moot question as to whether some call centres, like some websites, "lose" rather more business than they handle.
I have just received the notes of the rapporteur for my session and plan to blog again when I have finished editing these - but that may be a couple of days, given my current workload.
]]>