While getting bored with watch comment on the Cabinet Office reshuffle I received a Linked In message recommending I watch the Communications Data pre-legislative scrutiny committee evidence session instead. The first thing I noted was that David Davis was not expecting a phone call from Number 10. He was sitting behind the witnesses as they responded to some lovely questions – such as “Do you trust GCHQ and its staff with the roles being expected of them?”.
The answers to that question were as profound (in their implications) as those to more predictable questions, such as: “What is communications data?” (as we move from e-mail and browsing, through social networking and always on smart phones to ubiquitous computing).
The answer to the question of trust illustrates the entertainment, as well as educational, value of the session. Peter Sommer trusted those he had met at the personal level but commented on the narrow world view of those living in Cheltenham. Sadie Creese pointed out that she lived in Cheltenham and trusted her neighbours. Ross Anderson did not trust their technical competance because they offered only £25,000 (with no prospect of a career leading to a top management role) to those being offered $200,000 (and a route to the top) by Google. Glyn Wintle said that he would be far more concerned about the trustworthiness of those working for the ISPs collecting the data, or of any major data file linked to the Internet.
Do watch, enjoy and then think. I am not just delighted with the broadcasting of pre-legislative scrutiny. I am surprised that it should be so entertaining.
P.S. I should perhaps add that I am getting concerned over the way the information security skills agenda appears to have been overshadowed in the eyes of BIS and its funding agencies by the very different needs of GCHQ and MoD for cyberwarfare skills.
The skills initiative planned by BIS, OCSIA and CESG should be viewed as a piece of long overdue defence spending. It has little to do with the need to address on-line security – where the prime need is to educate mainstream software developers to embed security by design and stop building twenty year old vulnerabilities into new applications. I would argue that important thought the former undoubtedly is, the latter should have priority at a time when trust in the security of the on-line world is crumbling.