Cybersecurity in Cloud Cuckoo Land

I spent the weekend reviewing forward political agendas, including those for information and identity governance. I skipped the No2ID celebrations over the end of ID cards. That was partly because I believe in the value of locally issued residents’ cards, linked to properly validated electoral registers and giving access to local libraries, sports facilities and shopping discounts. But it was mainly because I expect to see the arguments back again next spring in the context of ….


  • bids for cybersecurity budgets and surveillance powers during the run-up to 2012,
  • business models for on-line customer service (alias identification, monitoring and exploitation), including loyalty (alias control) programmes,
  • plans to give “protection” to those we are seeking to attract on-line to be supposedly better served – at lower cost to those claiming to serve them,
  • competition between those selling ID management systems to gain market share,
  • the desire of those running ID systems to cut their own costs and
  • the desire of those who have to interface with multiple ID systems to reduce the cost of doing so.

While I was editing a draft one-page A4 “flyer” for MPs on why the issues deserved their attention, I received a string of FIPR alerts related to attempts to frighten us into giving more powers to the security services to protect us from their chosen nightmares. The most interesting was a press release on how 1 in 5 of the population use their birthday as their PIN. I suspect my reaction was the opposite of that intended. I believe that attempts to genuinely improve our on-line safety, including attempts to apply the recommendations in the recent report on Security by Design, need to recognise that most of the population uses similarly “robust” approaches to ensuring that “security” does not get in the way of everyday life.
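The birthday-PIN figure is worth turning into numbers, because it shows why a policy that merely tells people to “choose a strong PIN” fails and why an issuer has to design the check into enrolment instead. The script below is an added illustration, not part of the original post or of any named issuer’s system: it enumerates the four-digit PINs that read as a date (DDMM, MMDD or a birth year in an assumed 1920–2010 range), measures how small that slice of the 10,000-PIN space is, and shows what a fraudster who already holds a leaked date of birth needs to try. The PIN list and birth date used are constructed sample data.

```python
# Added example: why date-shaped PINs are weak, and an enrolment check that
# rejects them. Not code from the original post or from any real card issuer.

DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]  # Feb 29 included

# Assumed birth-year window; any 4-digit PIN in it is treated as "a year".
YEAR_RANGE = range(1920, 2011)


def is_date_like(pin: str) -> bool:
    """True if a 4-digit PIN can be read as DDMM, MMDD or a plausible birth year."""
    if len(pin) != 4 or not pin.isdigit():
        return False
    a, b = int(pin[:2]), int(pin[2:])
    # DDMM: first pair a day, second pair a month, day valid in that month
    if 1 <= b <= 12 and 1 <= a <= DAYS_IN_MONTH[b - 1]:
        return True
    # MMDD: first pair a month, second pair a day valid in that month
    if 1 <= a <= 12 and 1 <= b <= DAYS_IN_MONTH[a - 1]:
        return True
    # YYYY: a birth year in the assumed window
    return int(pin) in YEAR_RANGE


def date_like_pins() -> set[str]:
    """Every 4-digit PIN that is_date_like() would reject."""
    return {f"{n:04d}" for n in range(10000) if is_date_like(f"{n:04d}")}


def keyspace_fraction() -> float:
    """Share of the 10,000 possible PINs that are date-shaped."""
    return len(date_like_pins()) / 10000


def pins_from_birthdate(year: int, month: int, day: int) -> list[str]:
    """The guesses an attacker with a leaked date of birth would try first."""
    return [f"{day:02d}{month:02d}", f"{month:02d}{day:02d}", f"{year:04d}"]


def enrolment_check(pin: str) -> tuple[bool, str]:
    """Policy an issuer could apply at PIN selection instead of relying on advice."""
    if len(pin) != 4 or not pin.isdigit():
        return False, "PIN must be exactly four digits"
    if is_date_like(pin):
        return False, "PIN reads as a date (DDMM, MMDD or a birth year)"
    if len(set(pin)) == 1:
        return False, "PIN is a single repeated digit"
    return True, "accepted"


if __name__ == "__main__":
    n = len(date_like_pins())
    print(f"date-shaped PINs: {n} of 10000 ({keyspace_fraction():.1%} of the keyspace)")
    print("If 1 in 5 users pick one of these, ~7% of the space covers ~20% of cards.")
    # Constructed sample: a leaked date of birth of 7 March 1985
    print("guesses from a leaked DOB:", pins_from_birthdate(1985, 3, 7))
    # Constructed sample PINs submitted at enrolment
    for candidate in ["0703", "1985", "1313", "7777", "4829"]:
        print(candidate, enrolment_check(candidate))
```

The point of `keyspace_fraction()` is the asymmetry the post is about: date-shaped PINs are under 7% of the possible values, yet if the press release is right they are chosen by 20% of people, and anyone holding a leaked date of birth has three guesses that will usually fit inside a card’s retry limit. Rejecting those PINs at enrolment costs the customer one extra attempt and needs no change in behaviour from anyone.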

We have to design mass-market security systems around human nature. We cannot afford systems which rely, for example, on hundreds of thousands of NHS staff following security processes rather better than the German Army did in World War 2. We need to begin by accepting that those collating information to impersonate us already have far more “leaked” files of personal information, let alone computing power, available to them than did the allied World War 2 teams at Bletchley Park and Fort Meade. And that they are collecting more information, and more cash to fund their exploitation strategies, each day that we delude ourselves with cloud cuckoo land approaches to cybersecurity.

Next Monday will see the relaunch of Get Safe On-line. Do get involved – but do not just mouth the words – think what it really means to deliver systems that are fit for use by those with whom you wish to transact on-line. Then join the Information Society Alliance (EURIM) and work together under the aegis of the e-Crime Reduction Partnership and the Information Governance Group to help bring cybersecurity policy (corporate as well as governmental) into the real world.