In the run-up to the budget we will hear much special pleading for special measures because “IT is so important to the economy”. Investment in the IT related infrastructure, industries and jobs of the future is indeed at the heart of any credible programme for economic and social recovery. But the misuse of IT, focussing on the technology instead of the information and the people processes, is at the heart of our economic problems.
– The financial crisis was caused in large part by a failure of information governance (the casino bankers did not appreciate how many of their risks were closely correlated).
– The government funding crisis was in large part the rsult of another failure of information governance. Much, perhaps even most, of the information used for service delivery, let alone planning, was systemically flawed.
– The future has been mortgaged with a toxic mix of inflexible outsourcing and PFI contracts, many with already obsolete and disfunctional IT components locked in for years to come.
Meanwhile DTI/BIS, has a 50 year track record of turning IT-related potential winners into losers and two decades of outsourcing has hollowed out the skills of the rest of central government to do much more than plan challenge programmes and employ think tanks and consultancies to organise yet more PFI and outsourcing contracts.
Unless and until the in-house skills and experience of the Civil Service have been rebuilt, the less that central government does, the less harm it will do. But first it must stop the bleeding .
Unless and until public finances are brought under control the Chancellor has to prevent a run on sterling by taking short term measures, such as quantitative easing (alias wiping out the savings and pension funds of the middle classes by forcing UK banks and insurance companies to led to government at zero interest rates while inflating the currency).
Francis Maude has written of the need to address fraud as a second target after cutting waste. I would like to be able to disagree – save that public sector anti-fraud measures have tended to morph into spend on hardware, software and regulatory programmes that increase cost and risk, rather than remove vulnerabilities and deter and punish malpractice. I therefore suggest a “modest” nine point plan as the first part of my personal suggestions for inclusion in the Budget Statement.
1) The Chancellor should publicly recognise thenature and scale of the problem and the need to give priority to effectiveaction.
Fraud (most of it computer assisted) costs (over £38billion) the UK more than education (£33 billion) or military defence (justunder £33 billion). Over half the losses(£21 billion) are to the public sector (including tax, benefit and procurement fraud). Suchfigures and those for the cost (estimates range up to £30 billion more) ofhacking, extortion, piracy and other on-line crime are used to help justify spendon electronic identities and communications interception that will not produceresults for many years. We needto focus on using the technologies and information already available and take action on current vulnerabilities, threats and predators.
2) The Chancellor should require all central government department to produce action plans (with the performance measures they would like the National Audit Office to use to monitor their success) that put flesh on their roles within the Cybsersecurity Strategy and Fighting Fraud Together . These should include how they plan to rebuild their in-house information assurance and securityskills at the same time as removing people and process vulnerabilities and the securityand regulatory overheads that get in the way of customer service – and thus temptstaff to take short cuts.
The following generic, cross-cutting actions, which might also inform those plans, need to be donein parallel, not series. They require thought rather than money, but unless and until they are given priorityany new government spend on securityhardware and software is almost certain to be wasted.
3) Retrain rather than recruit: information securityand governance skills development programmes, backed up by awareness programmesfor all staff, from the top down, including contractors and subcontractors.
Departments have been making redundant those with the skillsof the past while seeking contractors with the skills of the future. Many ofthe latter have turned out to have fewer relevant skills than those they replace. More-over contractrates for information security staff are rising sharply as competition for scarceskills increases and budgets are switched from retraining to recruitment. It is not enough for BIS to help fund the productionof new skills frameworks. BIS and its agencies, as well as other government departments, must use them, sending thosealready in post on the modular short courses that are already available to updatetheir skills to handle the emerging threats and vulnerabilities.
It is alsovital to update those at the top to recognise where and why their support and commitmentis needed to help remove systemic vulnerabilities.
Departments also need ongoingawareness and regular update programmes for ALL staff, akin to those organisedby HMRC, Unilever, Vodafone or the main Banks.
4) Move public sector data handling operations acrossto those organisations which have cost- effective and secure people processes,not just technology.
Government databases (e.g. Companies House, DVLA, the Electoral Register, the Land Registry andthe DWP NINO) are key reference points for much, perhaps most serious UKfraud and impersonation. The Fighting FraudTogether action plan recognises the needto act on those credentials that aremost commonly used to support fraud butthe need to improve accuracy and security are too often seen as being in conflict with plans to merge central governmentICT operations. They should be seen as one of the drivers.If the consequences include outsourcing to those who run the secure data services of the financial services industries – then so be it – provided data collected under statutory authority does not leave UK jurisdiction or otherwise fall under foreign jurisdictions. [The issues raised by that proviso are profound – and already appear to be seriously compromised – this an area where we need honest and open debate – not more fudget].
5) Issue guidance to the public sector on how to organisean incremental switch to security by design, beginning with how use thephysical identification and encryption systems that are now routinely embeddedin PCs, laptops and mobiles so as to give better security at lower cost. The subsequent implementation programmesshould be incremental, following industry best practice to give payback in monthsnot years (e.g. counting the savings from cutting the help desk and support costs of softwareupgrades and password resets etc.). There should be no need to rely on theoretical estimates for fraud reduction – albeit is the main longterm benefit.
The production of that guidance cannot be left to theoverworked and understaffed security teams of central government and certainlynot to the expensive outsourced legal and security teams who produced theexternally contracted guidance that has led to so much overhead and waste over recent years. It needs, of course, to involve CESG andothers, but it should be resourced and driven by those suppliers prepared to worktogether to bring forward actions that can be implemented on positive cash flowby customers who have no new money and must make savings before they can spend from them. That entails workingalongside those in financial services with experience of making the businesscase for incremental programmes and those in the local authorities andcharities to which responsibility for public service delivery is being devolvedat the same time as their funding is being slashed. Building on the work that the EURIM trustedcomputing group has already started is an obvious way forward.
6) Task GCHQ to lead an exercise to collate feedsfrom McAfee, Symantec and Trend, showing the IP addresses from which malwareappears to originate, with the Information held by Telcos, ISPs and Domain NameRegistrars on the equipment used by their customers. Require the latter to contactthose whose systems and/or website appear to be being used to disseminatemalware and/or illegal content, copying the relevant law enforcement agencies.
We hear much on the need to modernise the UK’s ability to monitoron-line communications and share information. But the information is supposedlyalready available to, for example, dismantle most botnets: those networks of zombiesystems used for extortion and cyberwarfare attacks as well as collectinginformation to aid fraud. Using it to take action would greatly reduce the volume of traffic that needs to be “intercepted”. Unfortunately lawenforcement lacks the remit and resource to collate and use the information totake action. Meanwhile the cyberwarfare teams of the West (as well as those ofthe East) appear to be more interested in taking control of the botnets. Removing the fig-leafof “innocent carrier” status, by providing usable “actual knowledge” will help industryto take action under civil law. That raises many issues, hence the next action:
7) Task theAttorney General’s Office to support the Fighting Fraud Together team inproducing guidance on “what constitutes actual knowledge”, falling outside the “innocent carrier” defence. It should have the parallel task of helping establish credible and effective UK-basaed routines to notify Telcos, ISPs and Domain Name Registrars accordingly.
As mentioned in my last blog entry “Can you block a website“, US experience isthat 40% of current notifications are from those seeking to disrupt theoperations of commercial rivals, whether or not they have any real legal basisfor doing so. ISPs operating on small margins cannot afford the overheads ofbeing caught as piggy-in-the-middle … BUTif the UK can produce routines that cause such disputes to be routed throughthe alternative disputes resolution processes of the City of London and givecompetitive advantage to ISPs based in the UK – that might well be worthseveral £billion a year in taxable revenues moved from Ireland (or the USA) to England.
8) Progress item 21 of the Fighting Fraud TogetherAction plan and create frameworks for mixing criminal and civil proceedings totake action against malpractice and obtain redress against those who aid andabet it, whether or not there is sufficient evidence for criminal proceedings.
This is central to recovering the £billions lost in systemicfraud against both public and private sector as well as to deterring currentand would-be fraudsters. Collecting the forensic evidence necessary for acriminal prosecution in the UK, let alone one which requires co-operationacross jurisdictional boundaries, isfraught with difficulty. Civil action is far morepractical, especially if it is possible to identify which of those who added,abetted or benefitted from the malpractice has assets which can be frozen, pending a “negotiatedsettlement”.
9) Compare the address and identity information collectedand collated (as above) with that held on the files of Experian, Equifax and CallCredit, with that used to pay benefits and taxes, (whether central or local) andwith the electoral register. Whether or not the data is then used to organiseprosecutions, it should be used to support a rolling programme of home calls toall who appear to exist only on the electoral register and benefits files -i.e. they have little or no other transaction footprint.
There are mounting allegations as to the scale of fraud onthe electoral register, linked to benefit fraud as well as to local elections(to create and maintain no-go areas under the control of the local gang bossesand community leaders). The main benefitcomes from terminating payments to thosewho do not respond and who no longer reside where claimed, if they ever did. Theyshould also be deleted from the electoral register. That will, however, require physical visits.
Unless this final problem is addressed the government maycease to have a “democratic mandate” to stop the bleeding before “terrorism onthe dole” becomes as big a problem in the nogo areas of Birmingham or Brixton as it was inBelfast.
10) Cull all “challenge”, “initiative” and other competitive “support” programmeswhere the likely cost of bidding times number of expected applicants is exceeds the funds on offer.
I have focussed mainly on opportunities to cut the cost offraud but I would like to finish with a simple and way of cutting waste and frustration. “Challenge”programmes became fashionable after Michael Hesseltine used the concept to helpkick start innovative thinking about inner city regeneration at a time when hehad the funds to support most, if not all the good ideas that came forward.They have since become part of the departmental mindset of DTI/BIS, DCLG, DCMSand others with limited funds who wish to be seen to be active, giving roles toexperts to promote “best practice” and publicity platforms to ministers. The benefits are now commonly outweighed by the downside: wasted effort and frustrationon the part of those who bid and fail and delay to the implementationof good ideas which cannot be started until the adjudication is over. By all means reward and publicise good practice with awards and case studies – but do not let it get in the way of harnessing local enthusiasm andinitiatives by trying to force local initiative to comply with the latest fad of the Westminstervillage.
In my next blog I plan to cover Part 2 of “A Budget for IT-enabled recovery”. I expect to focus on removing the barriers to market led, investment driven recovery – including items like 100% capital allowances for infrastructure investment (where the net cost to Treasury could be zero and the payback immediate – but for the need to fund imported switches and generators).
In the mean time I would welcome feedback – especially from those who disagree and will give good reason why I am wrong or too simplistic. I plead guilty to being simplistic. None of the proposals is easy. If they were, the failure to have adopted them already would be unforgiveable. I also appologise to those who are progressing some of the ideas already and who have not been acknowledged. Please posta comment and I will fix the necessary cross references.