This morning the House of Commons Science and Technology Select Committee released its report on the “Digital Skills Crisis” This afternoon the House of Lords debated the government response to its “Make or Break” report last year . Last week the European Commission published a proposal for a Skills Guarantee . Meanwhile BIS is ploughing ahead with byzantine routines for a return to the type of training grant and levy scheme that was scrapped (for good reason) in 1980s. Unfortunately though dead, the idea of grants and levies, job creation schemes for bureaucrats, will not stay buried. In 1992 I helped kill an attempt to revive it with a Bow Group Paper on the theme of “Training for jobs not just jobs for trainers”. The processes proposed by BIS to fund “approved “training organisations to deliver apprenticeships which meet criteria dictated by officials not employers, make the average European “initiative” look like a model of efficiency.
I therefore applaud the recommendations by the Select Committee that
- “Government needs to work with closely with employers, higher education institutions and schools to understand the apprenticeship marketplace, to ensure that education aligns with industry’s requirements, and that apprenticeships are delivered in a flexible way to adjust to future changes in the digital sector” (Para 54)
- “Government should emphasise the need for more digital skills components in all apprenticeships … ” (Para 55)
- “should review its Trailblazer initiative, making it more streamlined and accessible … simplifying the scheme’s processes” (Para 56) and
- “… make it easier for industry to partner with universities and colleges to support student teaching … work placements … allow the cost to be written off against the Apprenticeship Levy contributions” (Para 57)
I am less happy with the recommendation that “The Government should review the qualifying requirements for the new IT roles added to the Tier 2 visa “shortage occupation list” , making it easier and more flexible for SMEs to recruit top talent from outside the EU” (Para 30). The European Commission proposal for a “Skills Guarantee” to help adults stuck in low paid jobs is more forward looking but the Committee’s recommendation is perhaps inevitable, given the 50 years of policy failure summarised in my evidence to the House of Lords report (see pages 1057 – 70) and referred to in my blog entry, describing the need to break out of groundhog day, when that report was first published.
“The crisis is over. The patient is dead” .
We failed to use the past “crises” as a catalyst for change. Things came to a head during the run up to Y2K and the “false start” of the transition to mass-market, Internet-based on-line systems. My 2001 IT Skills Trends report was about surviving the bursting of the dotcom bubble and preparing for the skills that would be in shortest supply when recovery came – in 2005 – 6. But that recovery did not come. By 2006 demand and salaries for those jobs which could easily be moved off-shore had stagnated. Much of the software and support industry had come to be staffed by a mix of overseas systems development and imported contract labour. We were facing the consequences of our inability to retrain our existing workforce, let alone our failure to educate and train our children. I stopped writing the reports. They had become too depressing and the only ones taking action were those who helped write them.
An Apprentice Levy without a credible, let alone efficient, Grant process
Today we have a curate’s egg wth unemployed computer science graduates in parallel with unprecedented shortages of competent and trustworthy recruits for Fintech and Security roles and another exercise to dig up the dodo of levies and grants – this time with the grants ring-fenced to meet the costs of “approved providers”, officials trying to dictate the requirements that employers are allowed to have and different processes for England, Wales, Scotland and Northern Ireland. Last week I attended a briefing session for employers. Those serious about training their future employees with the skills they will need were already looking at how to bypass the system, writing off the levy as a payroll tax on those jobs they could not realistically subcontract or move out of the UK. It was, as the Commons Select Committee has pointed out, not only unfit for purpose when it comes to the needs of SMEs (Para 30), it looks unlikely to meet the evolving needs of those large firms who already train their own and/or those in their supply chains.
But markets do not stand still. The Commons Select Committee call for the annual “dynamic mapping” of initiatives against demand so as to create a long term mechanism for adjusting the strategy (Para 29) is therefore particularly welcome.
The recommendation that Government should commit “to work with the Tech Partnership to develop industry-led, vocationally focused careers advice …” (Para 43) is also most welcome, but this should be extended to cover school-leavers. We can no longer afford to peddle the immoral fantasy that the majority of our children will benefit from starting their working lives saddled with student debt after spending three years to become less employable than if they had been paid to do a graduate level apprenticeship. In 1982, in “Learning for Change” I attacked both
- “the examination treadmill to which we chain our adolescent youth in a set of puberty rites crueler than those of primitive Africa, At least in Africa they do not label any of the participants as failures” and
- our confusion of “education” with taxpayer subsidy for the middle class ritual of kicking the fledglings from the nest.
The many recommendations of the Select Committee with regard to computing schools in schools are worthy but the most important boring is Paragraph 83 where it recommends working with the Tech Partnership “to raise the ambition for, and coverage of, industry led digital training, and to make it easier for business of all sizes to get involved“.
The need to “break open the educational ghettos” has been a key message since 1982, when PITCOM organised for relays of school-children (from 30 schools) to man an exhibition in the Upper Waiting Room of the House of Commons (26 computer systems, up to 14 running at any one time running off three power points, at a time when Parliament had no facilities for schools visits!). That exhibition was attended by 120 MPs: one returning six times to get a group doing Economics A Level to run variations on the Treasury Economic Model – hence my long-standing support for Donald Michie’s idea that MPs should be able to simulate the effect of the legislation, including amendments, which they are expected to approve.
That was over 30 years ago. It is therefore particularly sad that the same messages have to be repeated as though they are new. The reason is linked to the prevalence, evident in paragraphs 70 – 76, that teachers (whether in School, College, University or Industrial Training Centre) have to be expert in IT in order to educate their pupils/students. If that is correct then there is no solution – other than to rely on those (in other parts of the world) who use their limited supply of skilled educators to supervise the delivery of blended learning (mix of packaged learning materials, personal contact and supervised work experience) by mixed teams of assistants and subject experts: which is what successful digital “informal learning” groups (para 70 – 77) as well as enlightened employers, have been doing since before school computing curricula or computer science degrees were invented. Hence some of the recommendations in my own submission to the Select Committee
We need a coalition of the willing to preserve confidence in the safety of the on-line world.
I am attempting to convene a local Community Safety Partnership, using voluntary co-operation between community groups and charities to join up front-line delivery across the silos of central and local government, including health, welfare and policing. On-line abuse, bullying and crime have cut Internet usage among those we are most anxious to help: the frail, lonely and vulnerable. They do not use the on-line services of the local authority or NHS. The closure of our last local bank branch hit them and local businesses hard. Meanwhile there is growing resistance from both victims and volunteers towards providing personal information or contact details, lest these be leaked, sold and/or abused. The effects are compounded by the deletion of existing contact files because of interpretations of the General Data Protection Regulation. Cumbersome processes to get “consent” for the blanket collection of data for vague purposes and/or provision to third parties do not help.
I therefore looked into support for piloting a Cybercommunity Safety Partnership which will support local people processes for those who cannot understand/use on-line processes and no longer trust remote call centres. The idea has struck a chord. A number of industry bodies have agreed to trawl their memberships for volunteers and sponsors to support action, both nationally and locally.
Usage by vulnerable adults and the elderly has plateaued and may even be falling
We are used to data about the increasing ubiquity of Internet usage. This is being used to justify the withdrawal of physical access to banking and/or pubic services. But the 2019 ONS Analyses unpack some of the data. They reveal a less rosy picture. Half UK adults have never completed a government form on-line. Most pensioners go on-line only to read e-mails. Most over 75s have not been on-line at all in the past three months. The proportion of adults who are “lapsed” Internet users was under 4% in 2011 and is now over 6% (although the 7% peak in 2017, after the publicity for the Talk Talk breach may be over). Their fears are justified. Over half have been contacted by some-one offering to fix their computer problems for them, Details are said to be available on the dark web to impersonate most of them and/or obtain credentials in their name if they do not go on-line. Over 10% of adults have already been victims of on-line fraud. We all have difficulty reporting problems, let alone obtaining support and/or redress.
There is safety advice but not for reporting or victim support
There is much good on-line safety advice (e.g. Get Safe Online) but the processes for reporting problems (e.g. via Action Fraud ) to some-one who will take action are seriously overloaded. The Victim Support website makes no reference to this area although the Regional Organised Crime Units are supposed to provide an aftercare service. Citizens Advice does not appear to cover cyber problems. Nor does Elder Abuse, although it does have advice on how to conceal that you are consulting them . Meanwhile Facebook Google and Twitter (the links are to their respective reporting pages) are criticised both for being difficult to contact and/or for failing to respond to reports of fraud/abuse while not checking before removing those subject to malicious complaints. They can’t win!
Many victims want some-one to talk to. Hence the overload that crippled Action Fraud, one of the few services to offer this. The need is to train local health and welfare staff and volunteers to respond. But they, in turn, need to be able to call on assistance from those (including security and legal professionals) who know what can be done, how to secure action and, perhaps, submit an actionable crime report. Help desks in Dublin, Gourock, Barcelona, India or the Philippines may be able to process calls according to a script but cannot be expected to do more.
Meanwhile children are fearful and girls are being driven off-line
Between 25% and 30% of children have been bullied on-line. One in eight admit to bullying. 20% admit to meeting strangers. 10% of those who videochat have been asked to change or undress. Nearly one in six have seen something that encourages self-harm. They bottle it up. 40% have never talked to anyone about the worst that has happened to them on-line. Until recently systemic on-line misogyny as endemic in Silicon Valley, was a taboo subject which it came to discussing why there were so few women in IT. Today we can see that it is actively driving half the world off-line, from girls to journalists and politicians.
The best advice is not well publicised or used
There are many good sources of advice and on-line materials including the on-line safety websites of NSPCC , Childrens Society ,
London Grid for Learning and Childnet There is also guidance (e.g. from Womens Aid) for older women, linking on-line abuse to domestic and physical abuse.
These need to be much better publicised and also packaged for use locally by
- teachers and school support staff,
- health, welfare and youth workers and
- faith and community groups
to educate and engage both children and parents.
Every turned-round hacker is a win -win
Safety programmes should also harness the talents of those at risk, both to help protect their peers and learn about cyber related jobs and careers. It is a double bonus when a troubled child and potential hacker, often with previously undiagnosed issues on the dyslexia and/or autism spectrum, is drawn onto to a programme that will lead them into well-paid employment with an organisation that will provide clinical support as necessary.
The alphabet of concerns to be addressed include:
• Abuse – child, adult and elder (ad hoc, targeted, random, local, remote…)
• Bullying – including that linking physical and on-line, within schools or communities
• Control – e.g. gangs using social media targeted at local audiences
• Deception – impersonation, loss of identity, loss of access etc.
• Extortion – may be sexual, social and/or linked to control/grooming not “just” financial
• Fraud – all levels, including SMEs and courier fraud
• Grooming – 1/3 of the child abuse images reported to the Internet Watch Foundation last year were “selfies”
Possible Projects (and objectives/deliverables)
There are many areas where “coalitions of the willing” could improve safety, support victims, help them obtain redress and deter abuse and malpractice while Governments, Regulators and Law Enforcement agencies procrastinate in the face of lobbying and legal action.
• Guidance on GDPR for voluntary groups who have no wish to provide personal information about their themselves and their supporters, members or clients to third parties unless with explicit and well-informed consent. The need is to digest current complex and incoherent guidance into succinct, authoritative and usable material for agreement with ICO – and then to publicise it.
• Seminars to train teachers, youth and community workers, health and welfare staff in the detection of symptoms of abuse, bullying and/or grooming and in the use of existing on-line safety materials to educate target audiences. This will include working with organisations like the Grids for Learning to identify/produce/publish materials and with relevant professional bodies and trade associations to identify/train volunteers with security expertise to help with delivery.
• Finding professionals, volunteers and materials to help Victim Support and Citizens Advice with relevant technical/legal expertise to handle cyber victims, including to obtain redress where this is practical and realistic. This will include exercises to trawl security professional bodies, trade associations, training providers, law firms and employers for those with relevant expertise and experience.
• Organising/testing/delivering on-line safety material that addresses the evolving concerns of target audiences: Examples include: “How do you to protect your phone against abuse, control, key-logging, tracking etc”. “What to do if …“ This will include the identification of well informed and connected supporters and sponsors with business as well as social responsibility cases for helping.
• Identifying and promoting the services of those offering virtual CISO/SOC and/or legal services to SMEs. This will entail co-operation with professional bodies, trade associations, product and services suppliers and Internet service providers who are unable to otherwise address 95% (by number) and 50% (by value) of the cybersecurity market and/or who wish more customers to move on-line.
• Identifying those willing to act as police service volunteers (warranted or not), including to provide non-emergency back up to local community police teams as well as the national panel being created by the NCA, NCSC and NPCC to support major investigations.
This may require restarting political activity on the governance of voluntary co-operation between industry and law enforcement and use of professional trained and qualified volunteers akin to that which led to the recommendations (over a decade ago) in the EURIM-IPPR Partnership Policing study . That group also responded to David Blunkett’s Community Policing consultation. Changes were made in 2011, during the run up to Olympics, to enable medical and security professionals and military reservist to become police service volunteers and special constables.
Many forces have not yet, however, implemented those changes. The number of volunteers and specials in London fell sharply after the Olympics , when the number of special constables in the Met Police peaked at nearly 6,000, (the target for the Games had been 10,000). The number fell by 8% the following year. The fall accelerated to 20% in 2014. There are now fewer than 2,000 (a fall of 17% on 2018).
• Skills and careers out-reach programmes with a priority for turning to turn those at risk into assets. The aim would be to organise local access to the relevant national programmes, including cybersecurity apprenticeships. The successful Plymouth pilot needs a new write up now that it has been packaged for replication with help from DCMS and others. It indicates what can be achieved but also the pre-condition for success and the problems that have to be overcome.
The neurodiverse may have great talent but may also need ongoing clinical support which conventional employers cannot provide. Hence the value of linking local skills incubators to shared SOC/Virtual CISO services underpinned by joined up (across Central Government funding and procurement silos) contracts to support public sector organisations both large (e.g. Local Government, MoD and NHS) and small (e.g. Schools and GP Practices).
• Addressing the way girls are driven off-line Here the need is to work with organisations like Cybergirls First to produce video and materials package covering risks, self protection and careers advice, plus contacts and support services. The Cybergirls First model is focussed on the age group and communities where girls are at most risk of being driven off-line and appears to be very successful.
Success does, however, depend on assembling a critical mass of employers who wish to publicly position themselves as employers of choice for girls (at all levels of seniority). It has been shown to work with well known employers wishing to support and recruit from inner city schools within easy travel of their City Centre locations. Packaging it for local employers and travel to work areas across the country probably requires support from the public sector organisations who are often the largest local employer.
• To bring together best practice in the above in local geographic partnerships to show how all parts could/should fit together to hacve a transformative effect on both safety and confidence.
Variations on the project ideas above are already being implemented across the World, not just the UK but it is still more common for square wheels to be reinvented with public funding. The latter is too often focussed on “innovation” as perceived by those who do not know what has already been tried and failed.
We need support for copying what has worked elsewhere, after checking any pre-conditions for success.
Are you interested in helping creating a coalitions of the willing to make things happen?
The first organisation to like the concept was the Security Panel of WCIT, the IT Livery Company. This blog entry is based on the request for volunteers they will be sending to their members. I plan to make similar requests to most of the other members of the Alliance, led by IET, which is creating the new Cybersecurity Council.
I also intend to approach those who fund the Internet, the major advertisers whose spend is wasted if paying customers turn their backs on the Internet. Another target group is the banks and on-line retailers who will have to reverse their business models if confidence is not restored. Finally I will be seeking to engage with those security providers who are losing out because their distribution chains do not include the shared SOC/CISO services needed by the 99% of UK businesses with no in-house ICT skills. These need people, not just technology, support.
An open letter to the Chancellor
The Recruitment and Employment confederation has pulled together a coalition of business organisations, representing tens of thousands of employers and millions of employees, to write (see below for text) to the Chancellor of the Exchequer, Sajid Javid MP, urging him to enable employers to spend their levy funds more flexibly and allow millions more workers to benefit from quality training and opportunities for career progression.
Where are the High Tech Employers?
This call is far more important to the economic future of the UK than the extra Government funding for Further Education but the consortium does not appear to include the CBI and Tech UK. Do their members still give priority to retaining the ability to import supposedly skilled staff from the rest of Europe and/or India over working to create UK skills frameworks, for standards as well as funding, that are employer driven and fit for purpose? If so, one cannot really blame them. They spent over a decade after the Sector Skills Councils were created trying to get Government to allow supposedly employer-driven programmes to be driven by employers, free from the narrow constraints imposed by the academic advisory boards of national funding and standards councils, agencies and regulators.
It is time to make a public fuss
I remember a meeting in 2004 convened by the personnel director of the UK’s largest software and service employers and twenty of his peers (plus a TUC representative), where they said that unless Government started listening to them they would walk away from its skills programmes. They would not make a public fuss. They would continue to “go through the motions”. But they would do what was necessary. Officials did not tell Ministers. Government did not listen. The industries overseas recruitment and offshoring grew rapidly over the next decade. Today it is fighting to retain “freedom of movement” and visas to allow the bulk import of those for whom digital apprenticeships were supposedly intended.
The referendum vote meant Change or Die
I suspect that the members of the CBI and Tech UK still do not believe that making a public fuss to reform the UK skills system, the stranglehold of the “blob” (the term coined over twenty years ago for the hierarchies of advisory committees which make up the UK educational establishment) and enable change. I confess that until the unexpected result of referendum I too was among those working to try achieve via Brussels what we could not achieve via Whitehall. But the people spoke. The half who have not done well out of our membership of the EU, whose children do not got to University or who have returned home, unable to earn enough to live independently after paying their student debt, want change.
Time to halt the dominance of the Haldane Principle
We have been stick for far too long with education and skills processes and priorities administered by a self perpetuating oligarchy of committees following variations of the 1917 Haldane Principle . The “principle” was designed to “liberate” University research from the dictats of outside sponsors. Despite half a century of criticism and calls for it to apply only to a limited proportion of government funded research, the principle was re-enacted in 2017 for programmes co-funded with industry.
It has also dictated the shape of our education system. The UK is uniquely dominated by hierarchies of committees driving processes to select and filter for academic excellence, alias the memory, logic and mental discipline needed for “pure”, as opposed to “applied”, research. That has led to UK Universities leading the world in measures of research excellence while they fail to provide the attitudes and disciplines (e.g. team working and creativity), let alone skills, needed by employees to develop innovative products, bring them to market and/or to grow them into a competitive business.
And heal the schism
The resultant tensions came to a head, when the majority of the UK voting against the advice of the intelligentsia who had denied them and their children access to the skills of future in favour of importing them from abroad. Then the students voted in favour of a pied piper pledge to scrap student loans and robbed Theresa Mayor her majority. The report she subsequently commissioned from Philip Augur highlighted , inter alia the social injustice of the current system.
The time has come for action to remove the obstacles to creating many more apprenticeships, including degree linked, and give hope to those trapped by student debt as well as to the next generation and those whose jobs are at risk if they cannot keep abreast of changing demands for skills. We need to be able head off calls for destructive revolutionary action that would delay constructive evolutionary change.
Who signed and Why
The coalition includes the two accountancy bodies (AAT and CIMA), the Chartered Institute of Personnel and Development (CIPD), Freight Transport Association (FTA), Association of Independent Professionals & the Self-Employed (IPSE) and ScreenSkills (the body for the UK’s screen-based creative industries).
Mark Farrar, Association of Accounting Technicians (AAT) Chief Executive, said;
“AAT has campaigned for the apprenticeship levy to be renamed the “Skills Levy” and broadened to include traineeships and other forms of high quality training since 2016. Widening the remit of the levy will help address the fall in apprenticeship starts, the frustrations of many employers and the future skills needs of UK plc.” AAT has around 90,000 student members, 20% of them apprentices, although not all within the meaning of the current levy.
CIMA’s Andrew Harding FCMA CGMA, Chief Executive – Management Accounting, added;
“We must better support current workers to reskill and upskill throughout their careers. This is why it is essential that we review our national education and skills policies, especially the apprenticeship levy as it currently stands, expanding it to provide for reskilling and lifelong learning.”
The Text of the Letter
2 September 2019
Rt Hon Sajid Javid MP
Chancellor of the Exchequer
1 Horse Guards Road
As representatives of tens of thousands of businesses, representing millions of workers from every corner of the UK, across all sectors and sizes of firm, we urge you to broaden the apprenticeship levy so that funds can be spent on other forms of accredited, quality training. We believe this approach would benefit workers, employers and the wider economy.
The levy was created with the best intentions, but its complex rules and single-minded focus on just one sort of high-quality training has limited its effectiveness as a policy. As well as a slower pace of growth for apprenticeships overall, opportunities for younger people and flexible workers have been particularly affected, in both the apprenticeship system, and in other high quality qualifications.
An effective skills policy has never been more important. It underpins productivity, opportunity and innovation. Our inability to address stubbornly slow productivity growth is undermining prosperity and opportunity in the UK. This will only get more important as automation, AI and market changes have large consequences for the future of work – something you have noted yourself. Ensuring that the UK workforce has the skills they need to be able to seize the opportunities presented by the fourth industrial revolution must be a shared priority.
During the Conservative leadership contest, you acknowledged the possibility of
“broaden(ing) the apprenticeship levy into a wider skills levy, giving employers the flexibility they need to train their workforce, while ensuring they continue to back apprenticeships.” We believe this would be the right step. A levy that allows businesses greater flexibility to fund accredited, quality training that is effective for workers and employers – rather than meeting a Government target – would be ideal. It would help to fill skills shortages and enable higher pay for workers.
At present, the levy system is actively damaging skills development in the UK economy at what is a critical time. We would be delighted to work with you and the Secretary of State for Education – to whom we have copied this letter – to urgently design an approach that will work for the Government, employers and workers.
Neil Carberry, Chief Executive, Recruitment & Employment Confederation
Peter Cheese, Chief Executive, Chartered Institute of Personnel and Development
David Wells, Chief Executive, Freight Transport Association
Andrew Harding FCMA CGMA, Chief Executive – Management Accounting, The Chartered Institute of Management Accountants
Seetha Kumar, Chief Executive, ScreenSkills
Mark Farrar, Chief Executive, Association of Accounting Technicians
Simon McVicker, Director of Policy and External Affairs, The Association of Independent Professionals and the Self-Employed
As part of my retirement hand-over I looked how UK Cybersecurity Policy has evolved over the past 20 years, beginning with the IOCA debate and Y2K, then going through Y2K, Electronic Signatures, RIPA, NHTCU, the EURIM-IPPR Study, ID cards and the failure of attempts by Home Office and Cabinet Office to join-up strategy across the tribes of Whitehall and Law Enforcement. Responsibility for “co-ordinating” cybersecurity policy in the UK has now passed to DCMS but, as yet, little progress has been in reducing the fragmentation, duplication, overlap, conflicts and gaps in statutory and regulatory powers and budgets.
Government departments and Law Enforcement Agencies remain more interested in acquiring authority, budgets and cyberwarfare/surveillance capabilities or regulatory turf wars. There appears to be little or no interest in working together, let alone in co-operation with the private sector, to use a mix of criminal and civil law to change the risk-reward equations that motivate most criminals, developers and service providers. It remains almost impossible for most victims to obtain redress. A series of funding and standards barriers get in the way of creating a healthy training and support market to give access to the skills needed for effective protection, investigation or redress. Instead we have a massive spend on technologies which most do not know how to join up and use. The problems are compounded by the spin off effects of the cyberwarfare and surveillance arms races.
Meanwhile the threats, costs and losses have grown exponentially. That should come as no surprise because e-crime has been allowed to remain almost risk-free for the criminals. They co-operate in rapidly evolving consortia as new opportunities emerge. Meanwhile most developers regard security as an annoying afterthought. Few telcos, Internet or transaction service providers actively co-operate with law enforcement to protect their customers, let alone those who personal information they wish to harvest and exploit, unless compelled. The reasons vary but issues of legal liability, confidentiality and trust appear to trump other motivations
The Cyber Security & E-Crime Group of the Digital Policy Alliance, chaired by Baroness Neville Jones, has recently been looking at Cyber Insurance as a Catalyst for Best Practice and on 9th September will be looking current and emerging developments that could shape its future work.
The agenda has not yet been decided but the topics suggested in the advance calling notice included the following:
• challenges in relation to computer assisted crime for law enforcement bodies such as Action Fraud;
• the role of industry co-operation with law enforcement;
• governance structures to promote (IoT) security by design;
• incentives for responsible corporate behaviour;
• pressures on law enforcement & the judiciary resulting from large quantities of digital evidence;
• cyber security skills & the work of DPA’s Skills Group in this area.
The meeting will define the future course of the working group and is for those members and registered observers who will help deliver what is decided. Invitations are available for those who are interested in joining.
This is a unique opportunity for those who are seriously interested in exploiting the current opportunities to make UK cybersecurity policy fit for a post-Brexit world.
It is not enough to have policies that satisfy the conflicting requirements of the EU and US for data protection, including notification to attract fraudsters to the victims of a breach, like sharks to blood in the water. We need to make the UK the location of choice for trusted, secure, on-line business. That includes causing cybercriminals to avoid attacking UK resident consumers and businesses because we are harder to attack and better at organising rapid and effective international retaliation. It should be possible to reconcile those objectives with retaining one of the world’s most competent, devious and ruthless cyberwarfare operations. But the former should not be sacrificed for the hypothetical claims of the latter.
1 Action Fraud had an impossible task
The Times undercover investigation at Action Fraud has led to a rash of publicity, both tabloid and professional . The only surprise is that it has taken so long to expose the mismatch between public expectations and delivery.
Action Fraud’s own website indicates what the service does not cover and thus demonstrates the need for more joined up “reporting”.
There is also the need to distinguish between “reports” that are expected to lead to action and the many thousands of “notifications” that might arise from a single criminal action. An example of the latter was the premature and untargeted elease of a piece of ransomware which, inter alia, crippled parts of the NHS. We also need to better handle the many thousands of partial reports from those have suffered loss or distress but cannot provide sufficient information to enable action, even were the resources available.
It is all very well to have a review but this needs to lead to much more than a simple change of contractors.
The Action Fraud team were set an impossible task. Loss of morale and cynicism were inevitable. But the problem goes deeper. The opportunity should be taken look at how to create honest and effective processes which also filter and distil incident notification with regard to all forms of cybercrime and abuse, into usable intelligence, actionable reports and effective victim support. That is much bigger task than Action Fraud was created to address but is essential to restore public confidence in the Internet as a safe place for voters and their children as well as the 99% of businesses with no in house security expertise.
Hence the business case for Telcos, ISPs, Social Media Companies, On-Line Retailers and Transaction Service Providers and all others who want the on-line world to flourish to co-operate with law enforcement. The need is to more effective clearing houses for information on abusive/criminal activity to enable action under both criminal and civil law to remove weaknesses, prosecute/deter perpetrators and change professional/corporate behaviour towards security by design, as opposed to afterthought. [link]
2 The reasons were identified over a decade ago
The problems were foreseen in 2004. The fifth discussion paper of the EURIM -IPPR study into Partnership Policing for the Information Society was on “The Reporting of Cybercrime” It warned that: “Easy-to-use incident reporting systems are likely to be swamped unless material is received in a form suitable for automatic collation, analysis and forwarding. That means web-forms and/or pre-validated submissions from “trusted” sources, e.g. Banks or ISPs, on behalf of customers … The UK routines for reporting suspected money laundering illustrate the paralysis likely to result if this is not available.”
There was already a need to “reduce fragmentation and duplication of effort with regard to reporting structures and improve the availability of intelligence to help focus existing resource” and “a Catch 22 situation with regard to justifying the resources necessary to create easy-to-use reporting systems that will not be swamped. Without such systems we risk confidence in the Internet being eroded by the inability of most users to report incidents to someone who will take notice of their concerns. Education and awareness campaigns could do more harm than good unless accompanied by such routines.”
3 Now we face the predicted loss of confidence
The failure to create effective processes to collect and collate information on attacks to support the business case for action, has led us to a situation where criminal behaviour is almost risk free and therefore rising sharply.
- Government cybersecurity policy is focussed on the needs of GCHQ and MoD for state security and cyberwarfare rather than to protect citizens and business.
- Telcos, ISPs and other technology suppliers are effectively discouraged (on competition grounds) from working together to collectively remove the vulnerabilities that enable their customers to be attacked and abused.
Neither group gives serious priority to working with law enforcement and victims to identify and prosecute or sue the culprits.
I recently blogged that in June 2019 there were around 370 exhibitors at Infosec, most of them promoting cloud and/or AI based threat intelligence and/or behavioural analytics services to digest the billions of “attacks” into actionable information. Much of what they collect and report overlaps with what the National Fraud Intelligence Bureau hopes to receive, at no charge, from analysing that notified via Action Fraud and its other sources.
4 We have to unpack the problem to rebuild trust
Back in 2004 the EURIM -IPPR report said: The reporting problem can be addressed in manageable chunks, but to do so will require co-operation amongst a number of players, recognising that there are three distinct, albeit overlapping, reasons for establishing reporting mechanisms:
- the need for information on the size and nature of e-crime, to plan the right levels of skills, resource and working practices and commit to appropriate levels of investment across government and industry to reduce the opportunities for e-crime;
- the need to report suspicious incidents, vulnerabilities, adversary capabilities and the like, to enable the collection of intelligence, linked to means whereby this can be fed to different constituencies to enable them to protect themselves from new threats and vulnerabilities as they emerge – and to product suppliers to address security weaknesses;
- the need to provide the means whereby individuals and business can report and support investigation of suspicious incidents.
All three might also benefit from routine bulk reporting by those running protection services for their clients, most of which include monitoring, analytical and trend analysis services.
Today the organised of bulk incident notification to enable collation and distillation into actionable intelligence in support of collective investigation and action under both civil and criminal law (as recommended in Fighting Fraud Together) will be much harder.
- Partly because of the massively increased volume of attacks.
- Partly because the private sector cybersecurity industry, geared to the needs of Government and big business is a $multi-billion industry with little incentive to provide uncharged access to law enforcement.
5 We have to change the incentives
The situation would change rapidly were those who pay for commercial cybersecurity services to require the ability to pass their incident reports, in common format, to a central clearing house akin to that recommended in 2004.
In 2008 the UK clearing banks offered such a service as a by-product of a real-time shared fraud detection services linked to payment clearing. Parts of HMG, however, wanted statutory access. I will not go into the reasons (including the position of City of London operations in the critical financial services infrastructures of overseas Governments) why statutory as opposed to voluntary access is impractical.
At present the prime incentive for cahnge is the desire of the major advertisers, who fund the Internet as we know it today, to protect them brands from piracy, stop them from being damaged by being associated with abuse and to check that thec click they pay for are genuine. Google and Facebook have little choice but to respond. The means they use could also help transform the safety and security of the Internet as a whole
6 There are many questions
The questions asked in 2004 remain pertinent:
- Who wants to report what to whom and what do they expect to happen afterwards?
- Who wants to receive what reports, on what and what are they going to do with them?
- Who should be responsible for analysing reports, producing intelligence for dissemination and information for action by which appropriate authorities and organisations?
- How should such intelligence be distributed to different constituencies, and by whom?
- What reporting already happens (private sector, law enforcement agencies, regulators etc.) and how might existing information be better processed and shared?
- What are the potential volumes? What resources would be needed to handle them?
- What governance and security processes are appropriate for which material?
7 We should be honest about Intelligence Gathering versus Reporting
Those contacting Action Fraud or abuse@ teams and others need to know whether their submissions will be treated as:
- Intelligence – to be distilled into action plans to remove vulnerabilities, disrupt criminal supply chains or enable partnership action (under a mix of civil and criminal law)
- A potential crime report – for criminal investigation, whether based on the collation of intelligence, a report by an individual victim or a rpeort by an ISP or Bank covering an attack on a number of customers
- A potential case for civil action by victims (or a group of victims) and their lawyers/insurers because there is insufficient evidence or resource to support a criminal prosecution.
However the submission is treated, there is a need to provide the victim with realistic advice. In 2005 the Culture Media and Sport Select Committee saw this a role for Citizens Advice or the Law Society (Para 25) . Citizens Advice appear happy with this recommendation, provided they are given the necessary support.
I have now handed over my project portfolio but remain on the advisory board of the Digital Policy Alliance and plan to attend the next meeting of the Cybersecurity Group. I intend to suggest convening a round table on reporting to see whether there is support for an exercise to update the exercise done in 2004 – but without the expectation that Government can and will lead a joined-up exercise. That is because the conflicting agendas across the tribes of Whitehall, let alone across those of law enforcement, make an industry-led approach more likely to succeed.
But is the loss of confidence in the on-line world such that the leading players are willing to work together?
And would Ofcom (as competition regulator for the on-line world) allow them do so?
Those are questions I leave to the next generation.
That said – the new Ministers at DCMS ARE from the next generation.
So are those at the Home Office and BEIS.
And we can see a stiff breeze of change beginning to waft through the corridors of power – beginning with demands for weekly progress reports on Brexit arrangements.
Given that we are in the foothills of the most unpredictable general elections in several decades we might even see democratic pressures over-ruling departmental agendas.
Make YOUR voice heard.
Such opportunities do not happen often.
DCMS to survey the cybersecurity labour market
DCMS has announced “a second survey of UK businesses, public sector organisations and charities to help understand the UK cyber security labour market. The research will examine how organisations approach employing and training cyber security professionals, and understand the issues they face during this process”. The result is likely to be rather more useful than last year’s unstructured survey of professional and academic opinion. I criticised the resultant report (in my review of the Initial Cybersecurity Skills Strategy) because the analysis failed to reflect the structure of UK business. It was therefore seriously flawed with regard to the likely scale and nature of demand.
This time “Businesses and public sector organisations across the UK have been selected at random from the Government’s Inter-Departmental Business Register. Charities have been selected from the Charity Commission database in England and Wales, the Office of the Scottish Charity Regulator, and the Charity Commission for Northern Ireland. Cyber sector businesses have been selected from a list compiled from various commercial business databases.
Ipsos MORI is inviting the senior person within these organisations, with the most knowledge or responsibility when it comes to cyber security to take part. In some organisations this might be a specific individual or Head of Department, while in other organisations it might be the business owner or one of the charity trustees.”
The results will be interesting. In most cases the respondent will have little or no knowledge, nor will anyone else in the organisation. I therefore very much hope that the questions for the “senior person” include Where do you get your advice and guidance?” and “Who do you go to if you have a problem?”
Why it is so important to analyse demand by size and type of employer
A month ago I met the current Chief Executive of West London Business and agreed to send him a copy of the draft report of the study into local demand for IT skills that I helped organise for West London TEC nearly 30 years ago. That was the first and (and perhaps the only) attempt to use “industry strength” market research to analyse the digital skills needs of local employers. The questions were added to the local labour market survey for which we had received funding to use a computer assisted telephone survey, with prompted and unprompted questions, to a structured (by size and sector) sample of 10% of all employers. The response rate was just over 50%. Most skills surveys, then and now, use unstructured samples and have response rates of under 2% (sometimes as low as .02%). In other words we had robust results in an area where almost none of the other data was statistically significant.
The survey found that most businesses used hardware and software regarded as obsolete by suppliers. Few had any full-time in-house IT support staff and most had received no professional training. More-over none of the publicly funded training programmes in the TEC portfolio were felt to be relevant to their needs. Those wanting skilled staff were happy to train their own, provided the TEC would help them identify recruits with the necessary aptitude and attitude. They would also have liked the TEC to create a list of reputable local organisations providing relevant modular short courses. The results were so far out of line with “accepted wisdom” that the implications, beyond the synopsis headline “The users have taken over the system”, were ignored. My draft report and recommendations were never published.
I suspect we have a similar situation today with regard to cybersecurity skills.
99.5% of businesses have no in-house digital, let alone cyber expertise
The UK has 1.4m businesses with fewer than 50 staff. Most use packaged and/or outsourced IT products, services and support. They have no-one with serious in-house IT, let alone cybersecurity, expertise. Only 42,000 have more than 50 staff and only those with more than 250 staff (7,500) are likely to have any in-house cybersecurity expertise, as opposed to knowing when they need to call in an “expert” for help because they cannot understand what is happening or how to respond. Almost none will know the training their staff might need. Few will know how to find a reputable supplier of security services who can met their needs at affordable cost.
The “answer” is almost certainly local access to services like those provided by the pilot shared skills incubator and SOC in Plymouth and/or those local ICT support suppliers who have staff competent to the level of (for example) CompTIA Security + . The lack of such access helps explain the low take up of Cyber Essentials , even among those with 50 or more staff.
The good news is that earlier this year DCMS recognised the problem and provided modest funding to help Bluescreen IT to package the Plymouth pilot for replication elsewhere and CompTIA for the Cyber Ready Programme to reach more diverse audiences (e.g. women returners).
And few cyber experts understand their Boards
At the other end of the spectrum we have the .01% of enterprise customers to whom most of the 370 exhibitors at InfoSec 2019 were seeking to sell AI and/or Cloud-based threat identification and behaviourial monitoring products and services. These are the customers large enough to employ in-house staff who understand the meaning of terms like maturity model. Such staff all agree the need to educate “the Board” because it does not “understand” and give them the authority/budgets to buy new products and services which will supposedly improve their technical ranking. Meanwhile most successful attacks involve insiders (whether malicious or ignorant) and failures in people processes: authorisation, authentication, monitoring, motivation, training etc.
It is now five years since I blogged on the views of the major financial services employers of the City of London on the security skills frameworks then being promoted. The world has changed but the communications gap has widened. “Cybersecurity” is now rated by more than half finance directors as among their top five risks but the responses being considered globally require perspectives, priorities and skills well beyond those expected from cybersecurity professionals, whether in 2015 or 2019.
I used to lecture to current and would-be main board directors on risk reduction, recommending the use of the James Bond movie Skyfall to get their colleagues attention, well before Edward Snowden demonstrated the prescience of the basic plot.
Cyber is a subset of risk management
I would begin by putting by using the quote from a former Director of CESG which prefaces the seminal EURIM/DPA report on Security by Design: “The main benefit of investing in better security technology is to force the enemy to concentrate on corruptin your people instead of trying to break your systems“. I would also remind them of the need to check the recovery plans for fire, flood, power / communications outages and digititis .
I would then rank the top six cyber-related risks (mix of probability and seriousness) as:
1. lost business because of cumbersome/intrusive security,
2. competitors using your IPR (unpatented research, customer/personnel data etc.) against you,
3. insiders (over-ambitious, malicious, disaffected or loyal but untrained),
4. contractors (IT, security, compliance, cleaners, support),
5. regulators demanding data they cannot safeguard,
6. organized and targeted attackers.
My action plan would have three main points.
1. Threat assessment and risk reduction strategies (e.g. data minimisation and access control to reduce attack surfaces)
2. Insurance backed security policies and incident response plans (with third party audit of regular exercises)
3. Active co-operation with law enforcement (to deter attackers)
Co-operation with law enforcement is critical
My conclusion would be that at least 10% of the security budget should be allocated to active co-operation with law enforcement.
This should include:
- support (and training) for the organisation’s staff and contractors to serve as expert volunteers (whether or not warranted as specialist constables) to help staff emergency response and investigation teams
- contributions to the funding of full time officers and support staff to provide independent governance and to handle co-operation with other law enforcement agencies and police forces around the world, not just within the UK or EU.
The EURIM-IPPR Study into “Partnership Policing for the Information Society” identified that the police would never have more than a fraction of the resources necessary to bring law and order to the on-line world. Today the situation is worse. On-line crime and abuse are soaring because they are almost risk -free for the criminals.
Enterprise customers divide into
- those who allow themselves to be punch bags, hoping their evolving defences are good enough to prevent serious damage and
- those who retaliate (from on-line gaming companies and Hollywood film studios to the supporters of the NCFTA programmes)
Those who retaliate commonly use the services of organisations like Brandshield to protect their brands or organisations like Duff and Phelps and the forensics teams of global accountants and law firms to sue all who do not help them identify and persecute (if not necessarily prosecute) the attackers and thus complement the work of law enforcement.
The topic of asset recovery appears, however, taboo among most groups of cybersecurity professionals.
They commonly take the view that retaliation would merely antagonise the attackers and lead to worse problems. This may be correct in the short term. Longer term, however, criminals find it safer and more cost effective to attack those who do not retaliate. Those with a reputation for effective retaliation tend to get left alone. That gives as double reward as their competitors suffer. Effective retaliation requires co-operation with insurers, the internet supply chain and law enforcement, using a mix of civil and criminal law.
It also requires investigation skills that go beyond most definitions of “cybersecurity”.
The need for joined up policy
The last Labour Government was unable to bring the tribes of Whitehall together to agree a joined-up approach, led by Home Office, to implement the recommendation of the EURIM – IPPR reports. It briefly looked as though the coalition Government might make progress, with the launch of Fighting Fraud Together This was followed by two breakfast meetings which brought together the City and Security communities at board level (several hundred decision takers in the main hall of the Chartered Accountants). But political attention was diverted to surveillance and cyberwarfare. Progress petered out.
The current Lord Mayor of London has hosted some very impressive meetings for the Global Cyber Alliance , led by the New York District Attorney and the City of London Police. The alliance uses the proceeds of crime to help remove some of the vulnerabilities that facilitate impersonation. DCMS has yet to exploit the opportunity to use such co-operation to add a low-cost multiplier to its own efforts, e.g. by making the use of such free tools and training in how to use them, mandatory on all the digital programmes it supports.
Responsbility for the coordinating cybersecurity and digital policy may now sit with DCMS instead of Cabinet Office but the decision squares for action remain spread across Home Office, Ministry of Justice, BEIS, FCO (for GCHQ), MoD and DfE. Meanwhile most of the practical experience and expertise sits with those who want their customers to buy, sell, play and learn on-line – not just in the UK but globally.
If the UK is to make a success of Brexit and become a globally trusted and trustworthy location for on-line activity we need the DCMS to lead a much larger review, leading to co-operation akin to that announced, but not subsequently delivered, at the launch of Fighting Fraud Together.
20,000 Degree-Level Police Apprenticeships should be the catalyst for change
I have now handed my portfolio of skills projects, including those on cybersecurity, to a team at the Open University. I hope they will provide a focus for providing local access to world class skills, including use of the cyber-components of the 20,000 policing apprenticeships recently announced (*) by the Prime Minister to transform the UK cyberskills scene – and make the UK the most dangerous place for cybercriminals to go on-line.
Of course policing goes well beyond cyber. But it is now estimated that 80% of crime now has a digital element, if only because of the conversations, selfies and location information on the mobile phones of the criminals. A consequence is that the justice system is drowning in data, most irrelevant other than to confuse judge and jury and enable the guilty to go free. Hence the need to address the cyberskills for justice and deterrence , not just those for cyberwarfare, protection and surveillance. And the more widespread those skills, the more dangerous the on-line world will become for criminals not just potential victims.
(*) I know that was not quite what was announced, but locally delivered police apprenticeships using OU-like delivery mechanisms to enable common standards are the only realistic way of achieved the headline objective.
The economic structures and business models of the on-line world are changing.
The day after I blogged on why shareholders would wish to break up BT we got news that the sell offs were under way, beginning with the head office and some of the overseas subsidiaries. The share price stopped sliding. Then the Vodafone share price jumped after the news it was to spin out its masts and use Cornerstone to share 5G infrastructure with O2. City Fibre is using its new found financial backing to connect fourteen more cities, part new build and party relighting “orphan” municipal fibre networks. The Wireless Internet Group recently acquired the in-building operations of Arqiva. Ofcom is following the rest of the world in opening up “shared access spectrum”. Virgin has announced plans to wind up its speeds and done a new content deal with Sky (now owned by Comcast). The processes that enabled the “platform” dominance of the current incumbents (Amazon, Facebook, Google) are under scrutiny from both anti-trust authorities and the advertisers who fund “free” social media and search engines. President Trump is also taking aim at the way their lobbyists and lawyers use Federal contracts to further increase their dominance of cloud services. Whatever his motives, he appears to be the first president since Taft to take anti-trust seriously.
The technology architectures and structures are also changing.
There has been much cover in the technical press BT’s decision to adopt an Open Stack core , akin to that used by AT&T and Deutsche Telecom, to support and knit together the communications networks and technologies of the future. Meanwhile the US has forced Huawei to exit the main international submarine cable consortium at the same time as major US players are investing in their own cables to improve the resilience of their cloud centres.
Will this mean that the technology giants wish shift their lobbying efforts to the ITU, which set almost all global inter-operability standards until the Internet Protocols replaced X25? If so how will they acquire the votes of the developing world now leapfrogging their legacy IPR? How will the boundaries with the IETF and other telecoms standards bodies “evolve”? And will the UK include funding for participation, hosting and perhaps even “leadership” into its priorities for making the UK the best place to do on-line business.
Exploiting the Brexit Policy Opportunity
Readers will know that I have come to reluctantly believe that Brexit is the only way to create a new and more constructive relationship with the protectionist kleptocracy that has condemned the youth of Europe to mass unemployment unless they come to the UK. That means building on the best of what has been achieved while extricating ourselves from the worst and a friendly divorce with joint custody of those children we acknowledge as part of the divorce. And telecoms policy is one of those areas where the EU got it right, including the constraints on BDUK which would otherwise have given its money to BT with almost no controls or clawback.
The new UK Government is said to be entering into a series of root and branch review of the policies it inherits, including to deliver on the Prime Ministers aim to expedite the transition to full fibre broadband. We have a digital minister who has built and run regional business telecoms companies. Can we, therefore, hope to see a long overdue focus on the needs of British business instead of the preservation of BT’s leased line revenues to protect the Treasury guarantee of its pension fund? Will that will translate into new priorities for Ofcom?
What polices might the new minister adopt to help ensure the UK benefits from leading the transition from the current jungle of fragile, semi-incompatible communications networks to a world of seamless, ubiquitous, resilient, secure, meshed, digital infrastructures? One of the last acts of the outgoing DCMS Secretary of State was to launch a review of the telecoms supply chain . Hopefully the new digital minister will ensure that this takes place in the context of the new world that is being created.
It is almost exactly five years since I blogged on the need to address the transition to an evolving “future proof” mesh in response to the Digital Infrastructure Consultation of 2014.
What the current questions for review?
At one level they are becoming easier.
- Change is accelerating, making attempts to predict the future in order to regulate it ever more impractical – although that does not appear to stop some regulators from trying. The task is to remove the barriers to the changes we (voters) want to see and act more rapidly, efficiently and effectively against obvious abuses of dominant power and monopoly positions.
- Policies and regulations based on fictional boundaries between the fixed, wifi and mobile, terrestrial and satellite markets are losing relevance. Most voters (alias customers), would like their service to roam over whatever is cheapest (to them) and working at the time. Some will pay (and some a lot more) for reliability and resilience. The issue is to ensure that those controlling bottlenecks (whether access, transmission, switching or inter-operability) to do not indulge in anti-competitive behaviour to exploit or prolong their monopoly positions.
- The attempts of digital infrastructure provider (however defined) to become content providers (and vice-versa) are unravelling. The fashion for convergence (alias invading or taking over players in adjacent markets) is cyclical and nearly always ends in tears. The digital content market is now seriously over-crowded with players like Amazon, Disney, Google (YouTube et al) and the latter appear to be reigning back on infrastructure investment, other than to support their cloud infrastructures. The issue is to act rapidly and robustly against predatory cross-subsidy.
At another they are becoming harder.
We have many more (and better paid) lobbyists and regulators arguing (particularly in London, Brussels and Washington) how many digital angels there are on the head of a pin.
More-over the future is now being built in the Southern Hemisphere, under the aegis of the ITU, away from the attentions of US IPR and Telecoms lawyers.
President Trump’s trade war with China has come too late to prevent them from providing cost effective, holistic infrastructure solutions for most of the world, even if they are cut off from North American markets.
How will the EU respond – almost certainly with protectionist initiatives which claim to be forward thinking?
How will the UK respond, caught between the USA, China and the EU?
Will we revert to our internationalist roots, exploiting Brexit to the full?
Remember the comment by De Gaulle’s minister of culture, Andre Malraux on why the sun never set on the British Empire. “Even God does not trust the English in the dark.”
This is a time for imaginative policy. Of course we play by the “rules” … but as interpreted in our courts … by our judges. It is their international reputation that is our “secret weapon”. It underpins the position of London as a global trading centre. Reclaiming that “weapon” is arguably the greatest Brexit dividend.
It is also a time for a cool look at how the digital world is evolving and our place within it.
The BT share price reached nearly £5 in late 2015 after the Digital Communications Infrastructure Strategy was announced and BT received clearance to buy EE. About then Patterson attacked Ofcom for suggesting that Openreach be split off and I described how DTI and Ofcom had destroyed BT’s previous investment strategy. They had brought about the collapse of its share price from £15 (2000) to under £2 (2002 – 2012). In March 2016 I suggested the fear of being broken up by Ofcom would cause BT to give better service. But then the share price had begun to slide. The rights issued planned at the time of the acquisition of EE was abandoned. The slide continued. The share price is once more under £2. This severely limits BT’s borrowing capacity and ability to invest. Its cash flows are committed to addressing a massive backlog in preventive maintenance to make its ducts and poles fit for PIA. Hence also the need to rebuild its in-house training capacity because the necessary legacy skills are no longer available elsewhere. Others are far concerned with the skills to build full fibre and mixed fibre/wireless networks.
Man from Whitehall he speak with forked tongue
For all the talk of level playing fields for investors, the Treasury, which underwrites the BT pension fund, is under pressure to preserve BT’s legacy revenues until such time as it comes up with a strategy that will convince future investors that it is a going concern, not a basket case. An example is the award of the Universal Service monopoly. As a result of its recent crowd funded community bond B4RN could offer full fibre to 5% of those who BT will be subsidised to provide with up to 10 mbs. EIS status has been refused because Inland Revenue says the B4RN business model poses no risk of loss of capital to investors. So why does BT need a subsidy?
USO or UFO?
The B4RN model may not be scalable. Community enterprises do not function well above a given size. It is, however, capable of being replicated, with many local variations, to serve those for whom the USO is intended. Indeed there are many successful variations around the world. But for the Ofcom focus on nominal rather than real competition focussed, BT would be incentivised to use B4RN as a USO subcontractor and encourage another 19 clones to deliver a USO that is out of this world. There is a great set of UFOs, universal fibre opportunities, for which BT could provide the backhaul and global connectivity. The way Telia works with the various community and municipal networks across Sweden and other parts of Scandinavia provides one model. The way Verizon and AT&T do similarly across the USA, including with the utility networks, provides another.
The sum of the BT black hole is less than the sum of the parts
Openreach is an infrastructure management and service company which owns nothing, not even its training centres. It is relatively easy for it to be spun out. But that would not lead to added investment. It would also require Treasury support for the pensions of those transferred from BT. Meanwhile the BT-owned infrastructure needs massive investment to turn it into an integrated all IP network capable of supporting EE as an ubiquitous 4/5G provider. Then there are the needs of UK business and of Smart Communities (Cities, Countryside, Energy, Transport, Utilities etc.) for resilient, reliable backhaul. Closing down BT’s surplus exchanges will enable cost savings but will not raise funds, they were sold back in 2002. It is unclear how much could be raised by selling off the high risk content and systems operations. Tis would, however, leave a communications utility that, but for regulatory uncertainty, is rather more attractive to global fund managers and institutional investors.
Until then, the BT share price looks set to drift down to a £pound or less. That leaves it unable to invest other than from cash flows and Government subsidies. It is also unsaleable because of the pensions time bomb and the dead hand of Ofcom.
The way forward is co-opetition
BT is seen by most of others in the telecoms industry as a Machiavellian bogeyman. That reputation was well earned by the tactics used to stop others obtaining BDUK funds or pillaging BT’s leased line markets. Even today BT is playing its cards close to its chest. It seeks to hold on to past business, quietly transferring customers to newer, more reliable technologies only when they are close to defecting to other suppliers.
The alternative strategy is for BT to look at the investment models of its peers around the world. Most of these are based on co-opetition – with players subcontracting to each other to share cost and/or improve resilience at the same time as competing to be lead supplier in multi-source contracts. Unfortunately where BT has set about exploring similar arrangements in the UK it has been threatened by Ofcom with action under its competition powers.
There is precedent. BT has subcontracted to those running wireless networks in parts of Cornwall where there would otherwise be no service. We need to see many more such deals. In a world where multiple routings are essential for resilience we need, for example, to see BT routinely contracting to use City Fibre backhaul for hot standby and vice versa.
We need to see all business parks served by at least three local operators with similar hot standby contracted between them – akin to the way the University science parks connected via Janet/JISC have multiple routings. It is worth noting that the Janet/JISC network uses infrastructures owned by a wide variety of players, including BT, the Electricity Utilities, Universities, Local Authorities, Defence Research Establishments and others to provide the UK’s fastest, most powerful, flexible and future proof network. Like LINX, the heart of the UK’s Internet world, it is a mutual.
Question: What is the difference between a Cartel and a Mutual?
Answer: The number of participants
It would be unrealistic to see the infrastructure heart of BT spun off as a mutual. But we should look at the way its peers in other parts of the work with each other and with a variety of infrastructure partners. This may well be the best way of pulling through investment on the scale needed. We need business and property users and owners working with local authorities to fund and expedite network construction, to international standards (including for inter-operability), using whatever business model fits the community to be served. Those meeting their needs, (City Fibre, Gigaclear, Hyperoptic, Wireless Internet Group et al) are very attractive to the City as soon as they have acquired a track record of delivery. The “real” competition is akin to that in the 19th Century when Manchester competed and/or co-operated with Liverpool and Leeds with Bradford, while Birmingham co-operated with everyone, to pull through the construction of canals and railways. It did not matter if the company went broke, provided the line was built to common standards so that some-one else could take over the operation. Over time the railways coalesced into regional and national operating networks, even before nationalisation.
The Problem is Ofcom – or rather its terms of reference
Twenty years ago I was part of the team that organised the pre-legislative scrutiny for the Office of Communications Act 2002. The world has moved on. Meanwhile Ofcom has succumbed, as feared, to many of the temptations that face regulators in times of change. The first is that of trying to predict the future in order to better regulate it. It should, instead, be focussed on acting more rapidly to uncover and address abuses of market power as they emerge.
Ofcom is also too focussed on nominal competition, as with the candy floss competition of local loop unbundling. It is blocking the voluntary co-operation that is essential for a critical infrastructure utility networks to provide hot standby. It should be helping to set and enforce standards for infrastructure and network inter-operability and quality of service, in line with those emerging across the world. These might look anti-competitive but are essential to making it easier for new entrants to attract investment, become established, reach critical mass and provide genuine competition.
Only when such matters are addressed is the UK as a whole likely to benefit when the shareholders break up BT and investors from around the world put in the funds to help turn round its struggling parts.
PS 22nd July – BT has begun its own sell offs
On the afternoon of 17th July Lord Lucas will chair a round table to launch a national debate on Digital Skills. Cconfirmed opening speakers include
- Ben Mason from Global Bridge (opening up new pathways between employers and recruits in the North east),
- David Willett, Corporate Director of the Open University (the UK’s largest degree level apprenticeship provider as well as the largest University),
- Chris Murphy of the Highways Electrical Association (whose members are already building the 5G-ready digital infrastructures of our embryonic smart cities).
Please e-mail the Digital Policy Alliance ( email@example.com ) for a guest place if you are serious about helping set the political agenda for a Britain that develops its own talent instead of importing from overseas. There will be no public report. The meeting is being held under the Chatham House rule and will be used identify topics for the 21st Century Skills working group to address over the year ahead. The group also looks after the project portfolio which I handed over just after Easter.
The objectives include
- stimulating discussion on meeting the demand for basic digital abilities;
- the cross sector, professional and academic evolution of skills demand;
- responding to the accelerating rates of change in the technologies available for identifying, delivering and assessing talent and
- reviewing legislative and regulatory frameworks to maximise potential in creating and implementing UK/EU education and training policies.
I blogged my own views back in February . The analysis in the discussion paper may still hold good but the pressures for change have increased since. The Augar report has pointed out the immorality (as well as inefficiency) of focussing attention on only half the population. The changes to the teachers pension scheme will more than wipe out the extra funding for schools and colleges promised this year and next.
Expediting the roll out of reliable full-fibre broadband will enable cloud-based education-as-service to make teachers workload but will not bridge the funding gap. There are many ways forward. I like the concept of the “community college”: doubling or trebling the school income by also providing a round-the-clock life-long learning and training hub and sports/games/leisure facility. But that is by no means the only way forward. The only certainty is that the pace of change, in educational techniques and technology as well as in the skills and knowledge in demand, have far outstripped the ability of centralised planning to cope.
Hence the need for a new debate.
Remember the St Trinians Motto –“get your blow in first”
I do not know how many places are left on Wednesday and I know that the DPA team will be busy with there AGM this afternoon (Monday).
You should but e-mail firstname.lastname@example.org and ask for an invitation to the round table and, better still, to take part in the follow up.
If you cannot attend, ask for an invitation to take part in the follow up anyway.
Three years ago I blogged on why I made the mistake of voting Remain. I would still prefer the UK to be a member of a reformed, multi-track, democratically accountable European Union. But that is not on offer. Ursula von der Leyan may be a surprise choice to replace Juncker but she is keeping Timmermans as her deputy and is a strong believer in building towards a United States of Europe.
I will be delighted if she does indeed turn out to be a reformer but until that happens I remain a reluctant believer that Brexit is the only way of bringing about the reforms to the EU that will make it worth be a member. And if that sounds “Irish” … it is. At the time of the referendum an Ulsterman who had worked as long and hard as I had on trying to make a reality of the Digital Single Market explained why had done the same analysis as I had … and decided to vote Brexit.
I have since come to realise that he was indeed right. Knowing what I know now, I would have voted leave.
I also understand much better why the different parts of the UK voted as they did.
The task ahead is not just Brexit
The new Conservative leader faces a massive task in re-building the Party round a shared set of values and visions for the future. Then comes the task of rebuilding trust in politicians, parliament, the civil service and the electoral system. No wonder the Conservative Party faithful want more hustings so that they can look the candidates in the eye and form their own judgements. And all that is before we start discussing the policies that we may, or may not, trust them to deliver.
My reasons for voting for Jeremy Hunt are based largely on his track record. I am less impressed by his claim to be one of the few entrepreneurs in politics than by the nature of the business he created: Hotcourses It is the world’s largest guide for would-be students and parents deciding where to invest their time, money and hopes when the pace of change is accelerating.
Those supporting Boris Johnson think he will be able chair a cabinet in which responsibility is delegated to them. I fear that the Civil Service, facing the post-Brexit existential threats of Devolution and Deregulation to their Whitehall Empires, will come together and run rings round them all.
After surviving his early baptism of fire at NHS, defending a badly botched junior doctor’s contract, Jeremy Hunt set about unravelling the culture of secrecy (including gagging clauses and the persecution of whistle-blowers) that had enabled those frightened of clinical responsibility to create some of the most inhumane (to both staff and patients) and inefficient working conditions in the modern world. The drop-out rate among student nurses is more than double that for students as a whole. Those doing nursing apprenticeships spend more than four times as much off-the-job because of the failure to use modern learning methodologies. I am married into a medical clan and have learned to keep quiet when the iniquities of the Royal Colleges are discussed.
My hope is that Jeremy Hunt will be able to lead a similar unravelling across the whole of central government, making it impossible for the “Empire” to strike back. The cult of “commercial confidentiality” with regard to the spending of public money, whether on in-house or outsourced services, needs to end.
My fear is that, by contrast, that Boris will go for gesture politics, as at the GLA, and will no more be able to begin the overdue reform of central Government than he could that of Transport for London or the Metropolitan Police. Both now in the hands of Sadiq Khan’t with everything blamed on “austerity”.
But it begins with delivering a constructive Brexit
I liked Hunt’s presentation at the recent Conservative Progress Conference – with rapid legislation on what has already been agreed so that it can be “banked” and the areas of uncertainty and fears of potential retaliation greatly reduced. This is the opposite to the more common approach of “nothing is agreed until everything is agreed”. It is, however, the approach adopted by some of the most successful negotiators – if one counts “success” as delivering win-win deals that build for the future. They isolate the areas of disagreement and weaken the positions of those holding out against compromise. They then praise everyone in sight as they start lining up their allies for the next deal but one. They are great fun to watch, especially because they are so under-estimated by more aggressive negotiators who make great play out of winning unnecessary battles.
And, as I said in my blog on the Golden Rules and Taboo Questions – the Irish Backstop is a McGuffin. It is there to prevent discussion on topics such as cutting our Corporation Tax rates so that Global High Tech Companies pay tax in London rather than Dublin on their UK earnings. Thus enabling tax cuts to yield higher tax takes.
I also like the clarity of Jeremy Hunt’s ten point plan
That bring me back to my due diligence.
Hunt made his money from providing usable guidance for students and parents around the world on where the invest their time and money in doing courses that would help them meet their objectives. Politely unravelling nonsense is what he is good at. And it is a very powerful negotiating tool.
1) DCMS kicks the can down the road – again
The deadline for submissions to the DCMS consultation on On Line Harms is July 1st. The NAO report politely savaging the UK failure to join up its approaches to tackling organised crime was released today. Organised crime derives much of its revenue from the On-line harms listed in the DCMS white paper. This is co-signed by the Home Secretary. No-where is there any indication in the white paper of the need to join up policy and policing. It is as though the departments still live in parallel Universes.
Meanwhile the timescale for implementing the Age Verification has been delayed again . It is well worth reading the reactions of the House of Lords to the statement . They did not believe the reasons given any more than did the technical press. When DCMS last kicked this particular can down the road they denied it would be further delayed . Pink News then interpreted “three months” in Whitehall speak as the end of the year. Techspot has more recently interpreted six months as manana . This is not a victory for “freedom of expression“. It is another own goal in the fight against organised crime and abuse. The extra time should be used to see whether a simpler solution, e.g. audits against processes which meet the BSI’s PAS 1296, would better protect the privacy of both adults and children.
2) And can expect to pay a price
The excuse given by DCMS is probably open to legal challenge from as many directions as its approach to implementing the Age Verification legislation. Those who believed the original timetable spent £millions developing the necessary “age gates” and gearing up to handle the expected volumes of traffic from July onwards. That work has now been halted amid growing scepticism that the law will ever come into force, let alone be properly regulated and/or enforced. Lay offs and cutbacks are now certain. The DCMS credibility cap, (which dates back to when it “leaked” the e-mail addresses of over 200 technical journalists at the original launch of the scheme ) has widened. We can expect those affected to seek assistance in rectifying the damage.
3) Meanwhile British Industry has produced a global solution
More significant, but unpublicised, is that British service providers have delivered on the promises made when David Cameron was persuaded to announce the original plans for legislation .
The day after Jeremy Wright announced the delay in implementation, Telemedia carried the news that not only had the UK first supplier been audited against the extension of the existing Age Check Certification Scheme to cover on-line checking using PAS 1296 . The PAS is now probably on its way to becoming a global standard. The service is fully operational and was used for the Web Portal for the Channel 4 Documentary “Mums Make Porn”.
Age Checking is not, of course, just about protecting children from accidentally accessing porn, or from having their age controlled social networks penetrated by adult predators. The members of the embryonic Age Verification Providers Association do most of their business with the suppliers of other controlled products and services, such as alcohol, gaming or tobacco. More-over this is a global business. UK-headquartered players like Experian and Lexis Nexis compete with those, like Facebook and Google, who seek to use their domination of Internet Access and Social media to invade the trusted identity market and link it to their big data business models.
4) Who is trusted by Who?
At this point it is worth looking at the annual Edelman Global Trust Barometer to add context. Last year saw a collapse in UK confidence in Government. It has not recovered. This year saw a similar collapse in trust in social media, particularly across Europe and North America. “On-line only” media are now significantly less trusted than “traditional” media. Meanwhile brands headquartered in the UK are more trusted than those headquartered in the US, but not as trusted as those with HQs in Germany, Japan or Switzerland. The global brands, on whose advertising spend the business models of Facebook and Google rely, are looking to halt “contamination” by association with the “on-line harms” listed in the White Paper. They plan to do so by taking back control of programmatic advertising.
5) Facebook and Google have no choice but to respond
There is a simple explanation for Nick Clegg’s welcome, on behalf of Facebook, for Government Regulation . Facebook has less to fear from governments than from a revolt by global advertisers. The track record of regulation in this space is deeply unimpressive. By contrast they face an existential threat if they cannot provide a credible response to the pressures from global advertisers . The latter have been so badly burned by click-bait fraud, linked to free porn at least as often as to fake news, that they will not be content with ticking a few regulatory boxes. They will demand audit that is at least equivalent to the processes of the controlled circulation media . This is likely to include using third party Age Checking, just as the main security consultancies (including the big four accountancies) have had to use third party penetration testing operations. No one trusts big players to mark their own homework.
6) So Age Verification moves centre stage globally
At this point the work of UK Age Verification providers in producing robust processes for anonymising the use of secure and authoritative third-party identity databases (from the credit, education, financial services and health industries, as well as government) come into their own. They should not be viewed as a threat to either the big data business models or the privacy paranoia industry. They complement both.
But where does that leave Government and DCMS?
They appear to have painted themselves into an embarrassing corner – seeking to sustain an idiosyncratic approach to age-checking which fits neither the relevant UK legislation nor that of the EU.
Can they use the six months delay to produce a simpler, cheaper way forward, perhaps based on using audit against PAS 1296 in the context of EU data protection requirements?
Or will they be stuck, defending the indefensible, against all comers – from the Child Protection charities to the Open Rights Group?
Positioning the UK as a globally trusted on-line hub for inter-operable authentication, authorisation, audit and quality control goes hand-in-hand with retaining our position as a world class financial services hub. It also needs privacy processes that are sufficiently robust to the protect the finances of the ruling elites of the world from their security services (as successive US Presidents failed to protect themselves from J Edgar Hoover) and their children from abuses.
I would also like to see effective protection for the rest of us – now that the Internet is used by over half the children in the world.
My new role with the local Safer Neighbourhood Board has led me to discover just how little the “other half” of society trusts either Government or Global Big Tech. The Edelman analyses also reflect the views of the inner city youth and faith groups to which I have been listening. The consequences for the advertising funded Internet are profound. I am therefore prepared to bet a pound to a penny that Facebook and Google will embrace third party audit, including for their age checking process, before Government implements effective regulation.
I would of course be delighted to be proved wrong. But money talks rather more coherently than Government.