The latest press coverage of the BRC survey on the cost of e-Crime still misses the point. The biggest cost is lost business. And I do not mean hypothetical losses because of “piracy” but actual orders abandoned because intrusive security or lack of confidence means, for example, that more transactions (by value) are abandoned than are completed. As in so many other areas, those concerned with the future of London as a global financial services centre are ahead of the curve (and in this case ahead of both government and most of their technology suppliers) in looking at the consequences.
How do you apply “My word is my bond” to the on-line world?
Who am I? Which version of which translation of which e-mail or tweet was my word? What is my bond worth? Does it matter (and if so, to whom) if the transaction is subject to irrevocable payment in advance or on delivery?
Which suppliers can you trust? Which credentials, regulators and enforcement agencies are trustworthy?
A fortnight ago I attended a workshop to develop ideas for the TSB “Trusted Internet” Catapult (the latest HMG funding initiative in the cybersecurity space). The timetable for the launch of the new facility parallels that for a competition for University Masters Students to look at some of the questions that need to be asked. The aim is to get those who will be designing the products and services of the future to throw rocks into the stinky pools of introverted discussion on “trusted identities”, “trusted computing”, “trust services” and “trusted intermediaries”. Their generation will have to live with the consequences of the decisions currently in prospect with regard to research priorities, business plans and regulatory initiatives. They are also in a position to think the unthinkable and be rewarded not punished.
After discussing the original proposal, the Director of one of the new UK Cyber Centres of Excellence said that the questions he would like to see his students tackle included:
“What constitutes lawful protest online and how can this essential aspect of a democratic space be reconciled with an online environment that promotes economic prosperity?”
“Which of the grooming techniques employed by online “phishermen” could be used to foster a beneficially greater sense of trust online and would it be ethical to use these methods?”
“How do you bring about behaviour change at board level regarding the value of information, security strategies and budgets? What arguments, language and evidence are needed?”
My first thoughts were: “Ouch”, “Ouch” and “Ouch”. My second thoughts concerned those who I would like to see brought together to debate such questions. My third thoughts concerned the mix of academic disciplines that would need to be brought together to provide credible answers.
The competition appears to be gaining widespread support from some of those with difficult decisions to make over the next year or so as well as from those who wish to stretch the minds of their students across academic boundaries and those who wish to work with them on applied research and technology and/or subsequently recruit them. Over the next couple of months we will be looking to go firm on the organising team and sponsors, the support available to entrants and the prizes. But first we need to take a good look at the questions.
The idea for the competition began during discussions after a presentation I attended as chairman of the Security Panel of the IT Livery Company. The presentation was on the need to rebuild trust in banking and financial services after the “problems” of recent years.
Our ongoing banking crises can be seen as a failure of information governance. Major organisations are unable to identify and collate risks and vulnerabilities in time to take effective action. The systemic weaknesses which enable criminals to organise computer assisted fraud (accessing supposedly secure information) or lead to on-line financial and transactions services going off-line for hours or days are often caused by similar failures of technology governance. Both information and technology governance failures commonly involve communications problems across professional, cultural and regulatory boundaries.
What are the governance standards against which conduct should be measured?
How should that conduct be judged and by whom?
How do we bring about the changes in attitude and behaviour necessary to genuinely make London the best place to locate business operations that need to be trusted globally?
How do we ensure that regulation supports that process by rewarding good conduct with more and more profitable business?
The issues may be complex and far reaching but finding and implementing better answers than those available in Dubai, Frankfurt, Hong Kong, New York or Singapore is essential to the future of London as a global trading centre. Hence the support for using a mix of research, discussion, competition and conviviality to tease out possible answers and, more importantly, to identify those willing and able to work together to secure implementation.
But the issues of trust in the security and integrity of on-line services and centralised databases and of those running them go much wider than financial services.
The “Big Data” bandwagon will be rapidly derailed if would-be suppliers do not improve trust in the security and reliability of their offerings among decision-takers and budget holders.
The business models of those dependent on advertising revenues, as well as of those dependent on revenue streams from public and private sector users, are similarly at stake.
Most attempts by “experts” to provide credible “answers” have failed. Some simplify the “question” to fit the “answer” they are selling. Others attempt to boil the ocean.
The proposal is therefore to exploit the desire of universities to improve relations with industry by asking “the thought leaders of the future” (their brightest post-graduate students) to look at the questions of their choice, supported by those in industry who are looking for good recruits, as well as possible answers. We then hope to collate the best of their thinking, giving public recognition to the students and those who helped them.
The means is a “competition” for 2012 – 13 Masters’ Students whose research theses relate to the most interesting of the “questions”. This entails obtaining the support of a critical mass of University and Industry supervisors and sponsors who will ensure academic rigour and help with research facilities. The exercise therefore starts with round tables in September and October to identify possible questions and secure academic and industry commitment in advance of a high profile launch event during the run-up to Christmas.
There is a wide range of possible questions and the start point is a paper produced by EURIM (now the Digital Policy Alliance) last year to suggest topics related to Information and Identity governance for Masters Students to look at. This is, however, only one possible way of structuring a brief on questions that Masters’ students might be invited to address.
Masters Students are supposed to go firm on the topics in January/February and submit papers to their academic supervisors in July – September. Over the period February – June we would expect to organise industry supported teleconferencing networks to help them with contacts and sources of material. Once they have submitted their work, copies would be forwarded to the judges who would select winners and commended entries for an awards ceremony in November 2013. In parallel with the judging process, the competition organisers and sponsors would look at the material generated with a view to discussing possible action plans for announcement as part of the awards ceremony.
Invitations to participate are being sent to:
· Those concerned with Internet governance and delivery issues including the relevant professional bodies, interest groups, Trade associations and City Institutions
· Those concerned with national and international financial and transaction services delivery (Banks, On-line retailers etc) and the main Internet and Communications service providers
· Those providing Forensics, Intelligence and Investigation services, private sector as well as law enforcement
· Those Universities believed to have relevant courses and research programmes
It already looks as though the exercise will have the support of three or four Livery Companies, a dozen or so Universities (including at least two of the new Centres of Cyber Security Excellence), most of the relevant professional bodies and trade associations and half a dozen major employers.
E-mail me c/o [email protected] if you have not received an invitation and would like one.