When IT Meets Politics

Some still view the Transformational Government Agenda as the ICT industry's invitation to write to Father Christmas for a new generation of big, new consultancy contracts and systems.

How wrong they are.

The rhetoric at the party conferences, the subsequent Comprehensive Spending Review and now the Queen's speach indicate clearly that those selling to the public sector have to adjust to a world in which they and their departmental customers will be under increasing pressure to co-operate across organisational and commercial boundaries, competing over time on delivered cost and quality of service, rather than up-front on price.

Next week will see the annual Get Safe On-line campaign and also the Internet Governance Forum in Rio de Janeiro - at which the need to improve security will be a major thread. Last week the government response to the report of the House of Lords select committee enquiry on Personal Internet Safety was published. The doctrine of Ministerial Infallibily means that no department can publicly accept in full the recommendations of a committee that it did not appoint. The wording of the response is, however, such that I would expect all the main recommendations to have been adopted before the next General Election - provided they have the necessary support and commitment from industry: users as well as suppliers.

Do you agree with the decision by the new Department for Innovation Universities and Skills to withdraw funding for ICT skills updating programmes, including the MSc conversion programmes that are our main source of high level security skills.

If so, do nothing.

If not read the HEFCE (Higher Education Funding Council for England) consultation on the Withdrawal of funding for equivalent or lower qualfications and reply before the 7th December.

The Conservative Government similarly withdrew funding for MSc Conversion Courses twenty years ago, helping exacerbate the then IT skills crisis and triggering the start of the trend towards offshoring..

The effect of this short-sighted action will be to hasten the demise of what is left - because the "exemptions" for critical skills in short supply do not currently include those needed to produce reliable, secure ICT systems, network or content. Such skills need continual updating - and MSc Conversion courses are one of the main sources.

Yesterday the Cabinet Office Mnister, Gillian Merron MP presided over the launch of the annual Get Safe On-line security awareness campaign. The GSOL website now includes material on business, as well as consumer protection and every customer-facing website should have a hot-link. And if you think the material needs improving, join up and help improve it.

Those at the launch event heard the usual barrage of statistics, this time from a survey of 2000 adults conducted by ICM in October. Three hit home.

- 88% of end users (and 99% of SMEs) now have some form of Internet Security software,
- 73% believe some-one else should have prime responsbility for their on-line security, usually those who want them to transact on-line (i.e. only 27% beleive they themselves should have prime responsbility)
- 36% will not bank on-line (and 21% will not even shop on-line).

Yesterday I received the following "Update" from Ofcom

"New Ofcom notification service - advanced notice of possible interuption to Global Positioning Systems: The Ministry of Defence conduct occasional tests on military systems which may result in some loss of service to civilian users of the Global Positioning System (GPS) including in-car navigation devices and networks which rely on GPS signals. Ofcom has today launched a new email update notification service to give advanced notification of these tests - To sign up for these email updates please register here: http://www.ofcom.org.uk/static/subscribe/select_list.htm

Yesterday the European Commission published its plans for a Single European Telecommunications Market . Meanwhile the Internet faced a "Bretton Woods Moment" .

The Bretton Woods Conference, which created the world systems for commercial and financial management was even less well reported in the world press in July 1944 than the
Internet Governance Forum on Rio de Janeiro that is happening this week. But the consequences of the IGF meeting are likely to be at least as profound.

"Who do you trust? The Government, Marmite, Michael Fish .. Tesco .. ? So begins Matthew Gwyther, in a Management Today editorial on corporate trust. Debate over on-line trust is even more surreal.

Much will be written about the loss of a couple of CDs of personal data by HMRC. But it is those organisations which track their data and report such losses that are publicly crucified. Those that keep quiet and cover up...

Those who believe in the benefits of the on-line world must act rapidly and effectively to turn the current backlash against its perceived insecurity into well-informed votes of customer confidence in those who practice, not just preach, secure information sharing.

Recent revelations as to the scale and nature of data losses in both public and private sectors, like events at the Northern Rock, show that current information governance regimes are not fit for purpose. So who can be trusted to act?

Until last week, HMG information assurance policy assumed that hundred of thousands of public servants would follow security procedures better than the Wermacht, Luftwaffe and Gestapo whose codes were broken by Bletchley Park.

The petition on the No 10 calling for urgent action on an NHTCU replacement has been signed by two of the House of Lords Committee on Personal Internet Safety, many leading lights of the ICT world and not a few journalists

Recent revelations and those yet to come, including from the private sector, threaten untold damage to trust in the on-line world. The time has come to transform attitudes towards information risk management.

"Su-veillance" is when residents of all ages (teenagers to silver surfers) use mobile phones et al to record their dealings with "authority" and post the results on youtube: customer feedback in action - whether you want it or not.

I have just received the letter asking for inputs to the independent review requested by the Prime Minister. Inputs to this review will be discussed at most of my meetings tomorrow. What will you be doing to help?

The announcements this week of further data losses result from a flurry of overdue reviews across Whitehall. But attention is still focussed on "data protection" rather than "information risk management". It therefore risks doing more harm than good.

The growing flood of data leak stories means that few, if any, large UK public sector ICT programmes will be progressed until political confidence is rebuilt. That is a major challenge for an industry that has lost touch with reality

From puberty to senility we are urged to put intimate details on-line via services like Bebo, MySpace, Facebook, Linked-In and Friends Re-United to be trawled by friends, predators, on-line marketeers, anti-piracy lawyers and information aggregators.

This evening the Number 10 Website had 8,245 petitions, on all sorts of subject from the serious to the frivolous. That on e-Crime has now climbed out of the noise. It may have only 348 signatures: but what quality!

External directors have the opposite problem to journalists. Under "fin de siecle capitalism" and in public sector "quangoland" they are sacrificial goats: little or no power to effect change but expected to share responsibility for failure. The time has come to butt back.

In my rant against Data Protection and Information Assurance snake-oil yesterday I forgot what is by far the best, cheapest and most authoritative source of good advice: the Information Commisioner's website.

The failure of half the bandwidth to the Middle East and India reminds us just how far the theoretical resilience of the Internet is undermined by the vulnerability of the physical communications networks over which it runs.

Today is "Internet Safety Day" - it also sees the launch of the "Information Security Awareness Forum" - the UK ICT professional bodies coming together to present common and compatible messages to employers and consumers

Across the UK we can see unholy alliances of data protection and security consultants, technology salesmen and regulatory lawyers bureaucrats queuing up to "help" Sir Humphrey "protect" our privacy.

On July 4th 2008 the frogmen of the Global Privacy Alliance cut TATnn and Helvetica, removing 80% of currently operational Internet capacity between the United States and Europe. Simultaneously they struck PCn and PACnn, with similar effect on trans-Pacific capability ...

No wonder there was such a massive attempt to bury or re-write the Crosby report. The release of his report on the same day that David Davis launched a stinging attack on the lack of priority being given to action on e-Crime entails a major change of rationale as well as of implementation strategy. Don't settle for the press cover. Read the report.

The news that Yahoo is to move its European Headquarters from London to Geneva, following the location of Google's European Engineering headquarters in Zurich (as opposed to London or Cambridge), confirms the fears I have long expressed over the impact of what is now the Audio-Visual Media Services Directive.

The authors of the House of Lords Select Committee report on Personal Internet Safety are seeking comment on the Government Response with a view to doing a follow up exercise. The Earl of Erroll, explains why, in this “guest blog”.

I have just received an e-mail from "The Excellent Network" on "10 Thinks you didn't know last week" inviting me to click for actions in the coming week. If arrived just after a reference to another data breach at US supermarket chain; I decided not to trust it. I also concluded that my wife was not irrational when she declined to trust the security of our local supermarket.

I have agreed to chair the session on "Ethical aspects related to the use of government on-line services" at the European Commission workshop on "Ethics and e-Inclusion" in early May. In parallel I am mapping "issues and players" for the new UK Internet Governance Forum. As with climate change it looks as though we are walking backwards into a most uncertain future.

Yesterday at Infosec the Information Commisioner said that the Cabinet Secretary's Review was expected to be focussed on "issues of accountability and governance", indicating that the heads of departments would be personally responsible in the event of serious data breaches. But where is the guidance on how to share information securily going to come from?

There in no excuse for permanent secretaries and senior responsible owners to ignore "The Directors' Guides to Managing Information Risk" published yesterday. Each of the eight guides follows the format a Churchillian "prayer": "pray let me know on one sheet of paper ..."

How ethical is it to try to persuade the socially-excluded and digitally naive to go on-line when you are not going to provide them with easy to use and secure access or keep the data they enter secure from predators, fraudsters or those who would use it to enforce the "honour" of the family, clan, school, gang or other community?

Most government on-line systems are inaccessible to most of those of those they are most intended to serve - was my personla summary of the of the introductory discussions at the EU workshop on Ethics and e-Inclusion that I attended on Monday. The consequences are not only unethical, they are indefensible by almost any measure other than technophilia.

This week the Economist publishes an excellent article describing the ambivalent attitude of the British Public towards Civil Liberties and the Surveillance Society. It could be, but is not, summarised as: "We want to be looked after but do not trust the systems".

Over 20% of the population of the world and over 60% of that of the UK population now use the Internet to do business, learn or play. The proportion of criminals who use it to identify and exploit victims is at least similar.  So who is policing it - everyone or no-one?

The loss of the Home Office prisoner mash-up on an unencrypted USB appears to have triggered a long overdue "review" of the national children's database ("the honeypot for pederasts"). Meanwhile the inflexibility of current contracts and the drop in the value of sterling have triggered similarly fundamental reviews of private sector ICT strategies..

A strong response to the consultation on the "Additional Uses of Patient Data" (e.g. to help planning, research, audit etc) could change the nature of UK debate on data protection and information security . Respond as a patient. Ensure responses from all organisations with which you are involved. Get them to distribute to their employers and members to also reply as patients.

The shut down of the Government Gateway after an apparent compromise may influence your response to the NHS consultation on other uses of oatient data, on which I blogged on Friday. It should not. There is whole array of privacy enhancing technologies that can be used to prevent such failures. The problem is not hardware or software. "Its the wetware stupid".

"A Fine Balance", the joint conference of four Knowledge Transfer Networks in Thursday provided an excellent update on the current state of "privacy enhancing technologies". When I introduced the Earl of  Erroll I made the point that the Lord High Constable of Scotland was not only the sole cybersecurity professional in either House of Parliament, he is also the only person genetically cleared to draw a sword in the presence of the monarch

At a meeting of the steering committee of the Information Security Awareness Forum on tuesday I suggested we do a note on the Twelve Scams of Christmas and what to do about them. Below is the collective wisdom to date.

Twelve Phishers phishing
Eleven Spammers spamming
Ten Bots a' herding
Nine Virus writers coding
Eight Snoopers snooping
Seven Worms a' spreading
Six Crackers cracking
Five Tro-jan Horses
Four Logic bombs
Three Software patches
Two Denials of Service
And a hacker at your back door!

I will not name and shame the authors of the draft but thought it worthy of a wider audience - rather than wait on perfection - comments welcome - especially regarding additional links on how to address the scams. The links given are to Get Safe Online.

Do visit the ISAF website, especially the blog, for updates as the feedback comes in.  

The publication of the recent House of Lord report , the debate over ill-drafted proposals for data sharing and the consultation over the implementation of the EU Data retention directive have triggerred a rash of press cover on surveillance. The National Audit Office plans to look at value for money in HMG spend on e-crime. The time has come for a similar study into the value of its spend on electronic surveillance.

In my blog entry yesterday I forgot to elaborate on the threat to electronic privacy of our friends, enemies and neighbours. Facebook and Bebo are now included in more UK searches than eBay, the BBC, Amazon, Tesco, the BBC and Sky added together.  

What other industry would collectively spend over £3 billion a year on protection and less than £30 million a year on tracking, tracing and removing the predators who are milking them? Come to InfoSec (Tuesday to Thursday) and see how and why the security of the on-line world is in such a parlous state.

Today is the first day of Infosec. In my article in the Guardian supplement, I refer to comparisons of the Internet with Railways and the Wild West. The first police force in England was created by the Stockton and Darlington Railway Company to protect their construction sites, then their tracks and later the goods they carried.

What is the difference between the Larry Page's claim that making Google wipe data after six months would hit Flu Protection and a Ministerial claim that spending umpty £billion on data retention and Interception Modenrisation would help the War Against Terror"? This morning I also received an eloquent lawyer plea "Please kill this cookie monster to save Europe's websites".