The current global controversies over cyberbullying (including over Twitter), fraud (where the willingness of small firms to transact on-line has stalled), hacking (including on behalf of blue chip clients) and surveillance (whether by GCHQ or by Google and whether via Angry Birds or PRISM) give urgency to the need for new thinking on how to improve confidence in the on-line world.
I have therefore been asked to do a more detailed blog on progress with the competition for new thinking which I have mentioned several times before. Sixteen Universities are now involved in the pilot. The Rt Hon David Blunkett has agreed to be a patron, the Earl of Erroll has agreed to chair the judging panel and the deadline for registrations has been extended to the end of August. I will cover the background, aims, objectives, challenge, rules and judging criteria and conclude with some of the questions that I hope the entrants may address. We will have routines for late entrants and supporters and I would also like to hear from those interested in helping organise an expanded exercise next year.
First the Background: Why the topic is important
The “City of London” is the shop window for over a million jobs in financial services, from Exeter to Edinburgh, but the issues of trust and confidence go well beyond financial services. Society is now critically dependent on the functioning of complex computer systems, from the generation, processing and distribution of power, food and water to health and welfare. The bad news is that debate on the consequences is fragmented and most participants have tunnel vision. The good news is that there are a rapidly growing number of education and research programmes to advance skills and knowledge in relevant areas of technology and personal behaviour, including those which cut across the various academic and professional drainpipes.
But time is running out and we need to expedite the process of “harvesting” and cross-linking the good work that is being done before the current erosion of trust and confidence in the on-line world and, more critically, the ill-considered reactions of politicians and regulators, do irretrievable damage to the position of the UK as a location of choice for globally trusted and competitive businesses, products and services.
A little over a year ago I attended a presentation by the City Values Forum, set up in the wake of the banking scandals to help rebuild trust in London as a global financial centre, at which they asked for help in looking at the issues of on-line trust. After some very challenging discussions hosted by the Worshipful Company of Information Technologists (the IT Livery Company of the City of London) we came to the conclusion that we could not define the questions, let alone the answers. We decided instead to enlist the thought leaders of the future, who will have to live with our mistakes. The IT Livery Company is therefore working with the Council of Professors and Heads of Computing, the Cyber Security Challenge, the BCS, DPA, IET and others to organise competitions to get students to look afresh at the issues. The Universities participating in the pilot include: Bedfordshire, City (London), Cranfield, De Montfort, Greenwich, Kent, Lancashire, London Metropolitan, LSE, Northumbria, Nottingham Trent, Queen Mary, Royal Holloway, St Andrews, Strathclyde and UCL.
The aims are:
· to improve academic relations with employers (from financial services and on-line retailers through communications to safety critical, infrastructure and security service providers)
· to harvest ideas that can be used to rebuild confidence in the on-line world and in the UK as a supplier and location of choice for globally trusted services.
Rebuilding trust requires action along many dimensions: from enhancing the ethical standards and competence of organisations, institutions and individuals to facilitating the use of trustworthy processes, products and services for handling identity, authentication and certainty of delivery.
The plan is:
To put potential employers (banking, finance, on-line retail and critical infrastructure utilities as well as technology and security suppliers) in touch with interested Universities to identify and support students (including Business, Law, Sociology, Engineering as well as Computer Science and Information Security) whose dissertations contain ideas that may help make lasting improvements.
Two to three entrants from each of the participating Universities will be invited to present to a national final where the prizes will include publicity for the supporting employers as well as the winning students and their universities.
The strategy combines ambition and caution
The overall objective is ambitious. Launching an ambitious exercise during a recession is more than ambitious. The intention was therefore to organise a pilot in 2013 and build on success over the next two years to reach full scale in 2016 when, hopefully, the recovery is under way. The pilot, targeted at Masters’ Students, is being organised as a Gold Stream within the Cyber Security Challenge with the aim of cross-fertilising support, at the same time as reducing cost and risk.
Success will be measured by:
· Enhanced Universities – Industry partnerships leading to apprenticeships, internships and jobs
· Ideas that also enhance UK/EU competitiveness as a location for globally trusted operations
· Participants and Supporters achieving their objectives (including corporate social responsibility and publicity) and willing to work together to build on success in years two and three
Confidence in the on-line world is being eroded at all levels, from personal experience of phishing and impersonation and the inconvenience of changing card and banking details, even if we are reimbursed, to press cover for stories of whole databases being copied in support of systematic fraud.
The ongoing banking crisis and the scandals that have accompanied it (from the mortgage frauds that brought down the northern banks through LIBOR to the “mis-selling” of swaps) can be seen as failures of information governance. The systemic weaknesses which enable criminals to organise computer assisted fraud often arise from similar failures of technology governance.
Such failures cross professional, cultural and regulatory boundaries and every Government Department and Agency (UK, European or International), from Westminster, to Brussels to Davos has initiatives. Most are based on assessments of the problems that began to emerge a decade ago and focus on notifying breaches, sharing intelligence and retrofitting layers of add-on security.
How do we look ahead to remove vulnerabilities, deter malpractice and rebuild confidence over the next decade?
Above all, how do we ensure that London and the UK are not only a safe place for our families and ourselves to go on-line but a trusted location of choice for globally trusted on-line operations, from entertainment and gaming through retail and distribution to financial services and international trading? Success will help bring about economic recovery. Failure will condemn us to long term decline.
There are many aspects to this challenge – ranging from enhancing the ethical standards of those developing and running on-line products and services to the technical mechanisms of identity, authentication and certainty of exchange. All serve to enhance trust. Their absence diminishes it.
How do we bring about the changes in attitude and behaviour necessary to make the UK the best place to locate business operations that are expected to be globally trusted? What are the governance standards against which conduct should be measured? How should that conduct be judged and by whom? Is technical innovation required? Does regulation have a part to play?
The issues are complex and far reaching but implementing better answers than those in other financial services centres is essential to the future of London. Developing better answers than those in other nations is essential to the economic recovery of the UK. Sharing those answers with the rest of the EU is essential to the future prosperity of Europe.
This exercise is intended to be the first stage of a phased approach to using a mix of research, discussion, competition and conviviality not only to tease out some of the answers, but, more importantly, to help major players to understand and act on those answers.
Most attempts to date by “experts” to look at the issues have failed. Some simplified issues down to those with which they were comfortable and where they believed they could produce results. Others went into too much detail. The competition exploits the desire of many universities to improve relations with industry and enlist “the thought leaders of the future” (their brightest post-graduate students) to look at the issues. We will then collate the best of their thinking, giving public recognition to the students and to those who helped them.
The pilot competition this year is for Masters students whose dissertations contain ideas which might help answer the high level question: How do we improve trust in the on-line world? Each participating University will select two or three students to be invited to summarise their ideas as 2,000 word reports and/or 15 minute presentations for the national finals.
Masters Students agree the topics for their dissertations with their supervisors. Most of those related to improving trust can be addressed from a variety of perspectives, technical, behavioural, legal, ethical and cultural and the supporters of the pilot have different but overlapping objectives.
We need to exploit the variety and overlap to generate material (research, recommendations) that help bring about changes in attitudes and priorities among those developing, maintaining and using “trusted” products and services, as well as among the students and research and educational communities who will provide the next generation of thought leaders.
Timetable for pilot
· Supervisors in the participating Universities have already informed students who are picking topics for 2013 Masters dissertations of the details of the pilot competition and the employers interested in students looking at such questions. Sponsorship and support packages are being added as they are agreed. The process is also being used to help reinforce and extend existing relationships between industry players and those universities with whom they partner on research programmes and staff development (including apprenticeship) programmes. The packages reflect the objectives of the donors (e.g. visits and support for students looking at topics of interest to potential employees, corporate social responsibility and cultural change, publicity as an employer of choice or for products and services, networking with potential R&D or delivery partners and customers, inputs to policy and regulation).
· By end August: students doing relevant Masters Dissertations should have registered interest via the Cyber Security challenge website (and also have the opportunity to enter the other challenges). Details of those looking for industry support for their dissertation (e.g. CV, topic and university) will be on linked university webpages (alongside contact and detail for relevant research programmes, recruitment etc.). The University webpages may also carry links to sponsors’ webpages carrying reasons for their interest, support for entrants looking at topics of interest, recruitment opportunities, relevant products and services etc.).
Those at other Universities who wish to enter should ask their supervisor to contact Kevin Jones (Kevin runs the City University School of Dependability and Security and chairs the organising committee for the Competition) to discuss whether their University should join the consortium or organise a submission via one of the existing participants.
· By mid October: each participating University selects one or two students to submit a 2,000 word “white paper” (supported by video and/or presentation) for national finals. Those invited may be supported by the department and/or interested employers. The participating Universities will be expected to stage events during Get Safe On-line week (commences 23rd October) at which their candidates are announced as part of local activities, supported by industry partners to help actively boost confidence in the on-line world and not just give awareness messages.
· November: national judging, and, subject to review of success to date, completion of planning for scaled up 2014 competition to be announced at National Awards ceremony.
· December/January: National Awards Ceremony and announcement of 2014 plans.
Entry and Judging Criteria
Entrants will be asked to register their dissertation topic, areas of interest, place of birth and nationality on the Cyber Security challenge website. This is so that interested industry participants can offer visits (some of which may require security clearance) and/or materials and information to help their entries.
All entrants will be expected to provide synopses which can subsequently be made available on-line with their status (e.g. whether they were selected for the national finals or won a prize) and to state whether the full dissertation is available – under non-disclosure agreements or with IPR reserved as necessary.
The participating University departments will invite two or three students who have produced project/dissertation material that not only demonstrates the quality of thought and intellectual rigour that they would expect from a good Masters student but also contains ideas worthy of a much wider audience.
The national judges will not repeat that assessment.
They will be making their initial judgements on the basis of a 15 minute “presentation”, submitted electronically. This is expected to comprise at least two of the following:
· 2,000 word synopsis,
· a slide show
· a short video.
This may be accompanied by a 10 minute “presentation”.
It should engage the attention of the target “audience” inside the first 250 words, three slides or three minutes.
Those shortlisted for the national awards will then be invited to present in person or via a video conferencing link and should expect about 30 minutes of questioning.
The entries will be expected to address at least three of the following:
· How the idea(s) will increase the confidence of a given target audience (business, consumer, professional, civilian, military etc.) that a product, service or organisation can be trusted for the application in mind
· The use of technology to support and/or reinforce good people processes (e.g. to make it easier to follow “good” practice than “bad”)
· The people processes necessary to make effective use of technology (e.g. for linking “secure” keys or “known” devices to people)
· Who will be expected to pay, how much for the implementation, who will benefit and by how much, and the business case for the former to carry the cost.
· Whether the idea gives competitive advantage to early adopters.
· The political case and business impact of any proposal that requires regulatory intervention
· The ratio of “cost” (people processes, technology etc.) to “trust” (added confidence, security etc.) for different approaches and how to ensure that recipients can have reasonable confidence that they will receive the benefits for which they pay
· How to handle issues of cost and trust across boundaries (different technologies, processes, architectures, organisations, cultures, jurisdictions etc.)
Appendix: How do we improve trust in the on-line world? – some ancillary questions
1) What is the meaning of Trust?
What are the determinants and components of trust, both on-line and off-line? Is there a difference and if so why? What is the current state of trust “ecosystems”, including who trusts whom with their identity and/or personal information? How do we distinguish between exercising trust and being trustworthy? How do you build trust online? How do you rebuild trust after a failure? What about trusted technologies/devices? Is there a difference between trust at the wholesale level (institution to institution) and retail (institution to individual customer)?
2) How do we decide who or what we trust?
Accreditation, Certification, Experience, References. How do you produce meaningful testing that deals with the claims made for the individual, organisation, product or services, given that tick box compliance and complex processes may have little to do with delivered honesty or security?
3) Who am I?
Issues of identity (personal, legal, etc.), registration, reliance, liability, authorisation, impersonation and anonymity: not only is identification irrelevant to many transactions but some market transactions require anonymity in order to avoid distortion.
4) What is my word?
Issues of authentication, translation, in contractual, cultural and legal contexts. How is trust affected by complex and conflicting product and service terms and conditions? Are these meaningful or enforceable? Would standard terms, streamlining, standardisation, harmonisation improve trust?
5) What is my bond?
Issues of responsibility, liability, governance etc. Does civil law, adjudicated in London, provide a better recourse against abuse than criminal law? Legislation covering the City of London Police is different to that of the rest of the UK. This enables cooperation across legal boundaries which cannot be organised elsewhere. How could/should better use be made of the consequent potential?
6) What, if anything, is different about the on-line world and why?
Multi-cultural, multi-lingual centres like London have been handling transactions between people who never physically meet for centuries. So what really is different: problems, threats and opportunities?
7) How do we bring about behavioural change?
Awareness and education programmes? Regulatory or compliance regimes? Civil or criminal law? Publicity? The roles of industry players, professional bodies, trade associations, self-regulators, statutory regulators, governments, auditors, insurers. The use of technology to make it easier to follow good practice and harder to follow bad practice etc.
8) How do we enhance trust in the UK/EU as a location for globally trusted services?
How does improving on-line trust fit into the overarching objective of improving trust? Who (Financial Institutions, Regulators, Professional Bodies, Trade Associations, Interest Groups) should do what? What is the role of National Governments, Regional Groupings (e.g. the EU), International Bodies (from ICANN, IGF or ITU to the City of London, when seen as “a global virtual entity”)?
9) Which is more important to Trust – security or resilience?
Is improving trust that services will not fail (e.g. fire, flood, power or “failed upgrade” bringing down a system or network) more important than routines for reducing the risk of incidents (e.g. known or suspected security breaches)?
10) How much are we willing to pay for what level of Trust (and get what we pay for)?
How could/should trade-offs between cost, privacy, resilience, reliability and security be handled? How could/should “trust” be “arbitraged” across identity and transaction systems run by different organisations, in different ways and to different standards?
11) What are informed choice and informed consent?
Do these change according to time/circumstance? Who can be trusted to ensure/record that choice was given, changed or revoked? Can consent be revoked?