When IT Meets Politics

June 13, 2016  3:49 PM

Is there really a Digital Skills Crisis?

Philip Virgo Profile: Philip Virgo
Apprenticeship, apprenticeships, BIS, Digital skills, European Commission, Pitcom, Trailblazer

This morning the House of Commons Science and Technology Select Committee released its report on the “Digital Skills Crisis”  This afternoon the House of Lords debated the government response  to its “Make or Break” report last year . Last week the European Commission published a proposal for a Skills Guarantee . Meanwhile BIS is ploughing ahead with byzantine routines for a return to the type of training grant and levy scheme that was  scrapped (for good reason) in 1980s.  Unfortunately though dead, the idea of grants and levies, job creation schemes for bureaucrats, will not stay buried. In 1992 I helped kill an attempt to revive it with a Bow Group Paper on the theme of “Training for jobs not just jobs for trainers”.  The processes proposed by BIS to fund “approved “training organisations to deliver apprenticeships which meet criteria dictated by officials not employers, make the average European “initiative” look like a model of efficiency.

I therefore applaud the recommendations by the Select Committee that

  • Government needs to work with closely with employers, higher education institutions and schools to understand the apprenticeship marketplace, to ensure that education aligns with industry’s requirements, and that apprenticeships are delivered in a flexible way to adjust to future changes in the digital sector”  (Para 54)
  • Government should emphasise the need for more digital skills components in all apprenticeships … ” (Para 55)
  • should review its Trailblazer initiative, making it more streamlined and accessible … simplifying the scheme’s processes” (Para 56) and
  • … make it easier for industry to partner with universities and colleges to support student teaching … work placements … allow the cost to be written off against the Apprenticeship Levy contributions” (Para 57)

I am less happy with the recommendation that  “The Government should review the qualifying requirements for the new IT roles added to the Tier 2 visa “shortage occupation list” , making it easier and more flexible for SMEs to recruit top talent from outside the EU” (Para 30).  The European Commission proposal for a “Skills Guarantee” to help adults stuck in low paid jobs is more forward looking but the Committee’s recommendation is perhaps inevitable,  given the 50 years of policy failure summarised in my evidence to the House of Lords report (see pages 1057 – 70) and referred to in my blog entry, describing the need to break out of groundhog day, when that report was first published.

The crisis is over. The patient is dead” .

We failed to use the past “crises” as a catalyst for change. Things came to a head during the run up to Y2K and the “false start” of the transition to mass-market, Internet-based on-line systems. My 2001 IT Skills Trends report was about surviving the bursting of the dotcom bubble and preparing for the skills that would be in shortest supply when recovery came – in 2005 – 6. But that recovery did not come. By 2006 demand and salaries for those jobs which could easily be moved off-shore had stagnated. Much of the software and support industry had come to be staffed by a mix of overseas systems development and imported contract labour. We were facing the consequences of our inability to retrain our existing workforce, let alone our failure to educate and train our children.  I stopped writing the reports. They had become too depressing and the only ones taking action were those who helped write them.

An Apprentice Levy without a credible, let alone efficient, Grant process

Today we have a curate’s egg  wth unemployed computer science graduates in parallel with unprecedented shortages of competent and trustworthy recruits for Fintech and Security roles and another exercise to dig up the dodo of levies and grants – this time with the grants ring-fenced to meet the costs of “approved providers”, officials trying to dictate the requirements that employers are allowed to have and different processes for England, Wales, Scotland and Northern Ireland. Last week I attended a briefing session for employers. Those serious about training their future employees with the skills they will need were already looking at how to bypass the system, writing off the levy as a payroll tax on those jobs they could not realistically subcontract or move out of the UK. It was, as the Commons Select Committee has pointed out, not only unfit for purpose when it comes to the needs of SMEs (Para 30), it looks unlikely to meet the evolving needs of those large firms who already train their own and/or those in their supply chains.

But markets do not stand still. The Commons Select Committee call for the annual “dynamic mapping” of initiatives against demand so as to create a long term mechanism for adjusting the strategy (Para 29) is therefore particularly welcome.

The recommendation that Government should commit “to work with the Tech Partnership to develop industry-led, vocationally focused careers advice …” (Para 43) is also most welcome, but this should be extended to cover school-leavers. We can no longer afford to peddle the immoral fantasy that the majority of our children will benefit from starting their working lives saddled with student debt after spending three years to become less employable than if they had been paid to do a graduate level apprenticeship. In 1982, in “Learning for Change” I attacked both

  • “the examination treadmill to which we chain our adolescent youth in a set of puberty rites crueler than those of primitive Africa, At least in Africa they do not label any of the participants as failures” and
  • our confusion of “education” with taxpayer subsidy for the middle class ritual of kicking the fledglings from the nest.

The many recommendations of the Select Committee with regard to computing schools in schools are worthy but the most important boring is  Paragraph 83 where it recommends working with the Tech Partnership “to raise the ambition for, and coverage of, industry led digital training, and to make it easier for business of all sizes to get involved“.

The need to “break open the educational ghettos” has been a key message since  1982, when PITCOM organised for relays of school-children (from 30 schools) to man an exhibition in the Upper Waiting Room of the House of Commons (26 computer systems, up to 14 running at any one time running off three power points, at a time when Parliament had no facilities for schools visits!). That exhibition was attended by 120 MPs: one returning six times to get a group doing Economics A Level to run variations on the Treasury Economic Model – hence my long-standing support for Donald Michie’s idea that MPs should be able to simulate the effect of the legislation, including amendments, which they are expected to approve.

That was over 30 years ago. It is therefore particularly sad that the same messages have to be repeated as though they are new. The reason is linked to the prevalence, evident in paragraphs 70 – 76, that teachers (whether in School, College, University or Industrial Training Centre) have to be expert in IT in order to educate their pupils/students.  If that is correct then there is no solution – other than to rely on those (in other parts of the world) who use their limited supply of skilled educators to supervise the delivery of blended learning (mix of packaged learning materials, personal contact and supervised work experience) by mixed teams of assistants and subject experts: which is what successful digital “informal learning” groups (para 70 – 77) as well as enlightened employers, have been doing since before school computing curricula or computer science degrees were invented.  Hence some of the recommendations in my own submission to the Select Committee

November 30, 2019  8:05 PM

Your election choice: Protectionist Stagflation or Radical (Technology enabled) Change

Philip Virgo Profile: Philip Virgo
Brexit, Conservative, digital, green, Labour, Libdem, Skills, Uncategorized

Without radical change, particularly to our education and training system to give our current and future workforce the skills of the future, that future is bleak, who-over wins on December 12th.

Thec Conservative spending plans are ambitious. They require much more than the Brexit Dividend from halting the remission of tens of £billions to Brussels and from forcing Amazon, Apple, Facebook, Google etc. to pay VAT and Corporation Tax in London instead of Dublin or Luxembourg. The Libdem plans are equally ambitious, when you remember they have no Brexit dividend to spend, only a supposed Remain Dividend after the ending of uncertainty. But the unwinding of the stocks built up to handle fears of border chaos will guarantee a period of recession. Meanwhile Labour will “guarantee” a prolonged period of uncertainty, while they renegotiate Brexit. Then they have spending plans that are well above the yield from new taxes on the tech multi-nationals and increased taxes on business and on households earning more than double the national average. That is if there is any net yield after taking account of the Laffer Curve.

The world, not just the EU, faces economic uncertainty and recession, hence the core of the case for remaining inside a protectionist trade bloc, even though that bloc has collectively doomed itself to over-regulation and stagnation. Unless and until we have a period of serious, investment-led economic growth, whether inside or outside the EU, we face a period of stagflation. And the idea that we can base that growth on importing skills that are in shortage across the world is as big a fantasy as … [insert here the forecast you believe in least].

Read on … you will find my own recommendations at the end of this blog.

Debate is compartmentalised

Earlier this week I attended a local climate change hustings. Dulwich and West Norwood is a target seat for the Greens. The LibDems stood aside to give Jonathan Bartley a clean run against Helen Hayes . The Brexit candidate, Julia Stephenson was a passionate, practical and personally committed conservationist who wanted us to leave the EU so we could take climate change seriously, instead of blethering.

I was, however, struck that no-one raised the issues of technology and climate change. There was no mention of using technology to reduce carbon foot prints: e.g. broadband to telecommute to work or smart logistics/energy etc.  There was no mention of the effect of demand for the rare elements used in chip production on the African rain forests.

The Conservatives have committed to expedite  investment in full fibre and to use Brexit to escape the cruelties and waste of EU agriculture policy. But only Plaid Cymru have linked broadband and green technology. There is no mention of broadband and “smart” in Labour’s promises to spend more on windpower etc.  Debate is compartmentalised.

We are promised forests of magic money trees instead of plans to use technology to do more for less

Meanwhile all parties have promised to spend money that we have not yet earned.

In the case of the Conservatives it is the Brexit dividend. In the case of Labour it is a forest of magic money trees interspersed with black holes (e.g. compensation for WASPI women). The LibDems spending plans are more modest but depend on a Remain dividend greater than our current payments to the EU, let alone the increases to come.

It took time from Harold MacMillan’s sacking of Peter Thorneycroft (because he wanted to control Government spending) to the stagflation of the 1970s but the path was as the latter had predicted. The failure of the Coalition Government to impose austerity on Central (as opposed to Local) Government spending after the crash of 2008 has paved the way for a similar rerun of fantasy economics.

Mass immigration has so far held wages down, while increasing demand for housing, maternity, childcare and schools places well beyond previous planning forecasts. But if “austerity is over” and the intention is to control immigration, we can see the future . Brexit or not, we face a period of stagflation as Government spending roars further ahead of tax receipts.

Health and Welfare as an example of the need for radical change, not just more money.

All parties have promised increased spend and more doctors and nurses to address multiple crises – from maternity and childcare overwhelmed by immigrant communities to the multiple chronic conditions of an ageing population. At the same time we are told we must slash our carbon footprint to avoid catastrophic climate change.

To quote “No End of Jobs” (written in 1984 when there was a previous scare that AI and Robotics would lead to mass unemployment”) “If we do not make better use of technology to create more wealth and simultaneously release and equip manpower to take better care of the elderly, you and I will grow old and cold alone, in the dark.

Part of the way out is to focus “investment” on ubiquitous, secure, high reliability, resilient broadband to join up health and welfare in patients homes (including care homes) and in the local community (hence my work on a pilot community safety partnership) rather than pour funding down silo’d and separately regulated drainpipes, shuffling the elderly,infirm and/or vulnerable between departments, hospitals and nursing homes accordingly to which symptom/need is currently dominant/fashionable and beds are available.

Investment in technology needs to  focus on meeting clinical and care needs and supporting flexible development paths to develop and maintain the skills of clinicians and carers at all levels. We are more likely to see both good practice and value for money if the focus is  less on saving costs within departmental silos and more on enabling better, faster, holistic, joined-up, care for patients. Too much attention is paid to top down data collection (to aid planning and research) and too little to addressing cumbersome user interfaces which get in the way of spending time caring for patients. We need more attention on the inter-operability and linkage of bottom up systems which meet immediate clinical needs or help patients to manage their own long term conditions. That was why the NHSIA was making faster progress with smaller budgets that Tony Blair’s grandiose NPfIT. The standardised replacement systems all too often had less clinical functionality than those they replaced – and still have inter-operability problems.

The manpower planning and skills programmes for the NHS appear stuck in the 20th century.

The focus is on “excellence” and producing relatively small numbers of highly skilled graduate professionals. We need them to supervise the evolving “teams” but the volume need is for skilled carers, medical/nursing “associates” and paramedics capable of handling most common health problems/conditions/accident. They in turn need flexible apprenticeship and professional development programmes which enable them to learn while they earn and keep abreast of change,  without having to traipse round the country according to which hospital is accredited by which Royal College and/or University to offer which experience. We have long relied on immigration to fill the inevitable gaps.

We need to open up the missing vocational education and training paths from carer, through nursing, “clinical assistant” and technician to GP and Hospital Doctor. We need look at why nursing degrees have double the average student drop out rate and Nursing Degree Apprenticeship programmes have such poor take-up. The latter is said to more degree than apprenticeship with the same problems of having to live away from home studying theory, while those attracted to nursing are more often motivated to care for their fellow human beings and many have local commitments. The “off-the-job” expectation for most degree-linked apprenticeships is 20% (e.g. four days practical and Fridays at College or University). For nursing it can be 80%. This an, in practice mean 100% during the academic “term” with work-experience during week-ends and academic vacations.

Meanwhile most on-line health systems are “As user friendly as a cornered rat”

The Labour party struck a chord with its promise of no more digital only public services and to recruit 5,000 more digital advisors to offer telephone support. The problem is the public experience of trying to get through on the phone – whether to GP surgery, hospital clinic, council or Government agency. A better pledge would have been “Make government digital services usable by those who need them most“- beginning with those of the NHS. The scale and nature of the problem illustrates why such a pledge would be so popular:

Barely half of UK adults have ever filled in a Government form on-line. Barely half of UK pensioners have been on-line other than to read e-mails in the last three months. Confidence in the usability, security and efficiency of public sector on-line services is least among those who among those who should benefit most. This leads to unnecessary suffering not just the failure to realise expected savings.

The reasons include:
• Many Central Government and most local government systems do not meet the standards for disability access that are supposedly mandatory.
• Many systems are not designed for secure use by those most reliant on them, the elderly, vulnerable or disabled. Few have secure processes to enable the use of trusted (including by the recipient) intermediaries – e.g. Registered Carer, Citizens Advice Volunteers etc.
• There is a confusion of user interfaces, duplication of information collection and authentication requirements and a lack of joined up, let alone shared policies on digital design, security, identity, data sharing/protection and inter-operability.
• There is a lack of reliable, secure, supported access, especially in rural and inner city areas where physical access (e.g. local or central government offices, post offices, police stations, GP surgeries) is being reduced. Call centres are no substitute.
• The fear of on-line fraud/abuse is compounded by the difficulty of reporting this to some-one who will provide victim support or take action to prevent repetition.

The solutions require the enforcement of existing policy and good practice, not new legislation

It is ten years since “The Politicians Guide to Picking Winners“. The last Labour Government was still in power. Despite the efforts of Frances Maude at Cabinet Office a new generation is set to revert to past bad practice. The main glimmer of hope, Labour’s promise to repeal IR35 has evaporated into a vague “review” , in the face of determined opposition from an unholy alliance of Unions and Outsource providers – determined to avoid their bargaining strength being undermined by the re-creation of a world of self-employed independent contractors.

I would have liked to see a simple three point plan in at least one of the manifestos.

  1. All Government funded/mandated systems should be designed and tested for use by their target audience with a ban on going live unless the responsible Minister can use them. A similar policy under the coalition government was quietly dropped after each successive attempt by an IT literate junior minister to use the Farm Payments system failed. Usability audits to be contracted to organisations like Abilitynet, Age Concern or ACRE (at full consulting rates to enable payment to testers from the target audiences).
  2. The DCMS full – fibre broadband programme should be used to supply full-fibre broadband to every Sub-Post Office and GP Surgery to enable them to be used as supported local access points to on-line public services, including health and welfare. Given the track record of the Post Office Horizon Project and of large NHS projects the implementation should be by an extension of the SME voucher programme, including support and training, with the National Federation of Sub Postmasters and a consortium of Practice Participation Groups contracted to test the usability of the systems and services on offer.
  3. The Government Digital Service should publish a list of which digital identity and transaction systems are recognised by Government Departments for which purposes/applications – and how much they charge/cost. These currently include a wide range of NHS, Pupil, Student, DWP, HMRC, Passport, Law Enforcement, Home Office and other numbering/identity systems and an equally wide variety of electronic procurement, invoicing, payment etc. etc. This should enable rationalisation as departments realise the potential for incremental cost savings and performance improvement while recognising that there is no “one size fits all”. This will also allow the quiet termination of the Verify programme, other than as the name of the list.

The biggest disappointment is the lack of attention to vocational skills as the way to sustainable growth.

The Conservatives have pledged to begin implementing the results of the Augar report with a serious injection of funding into Vocational Education. But they appear to have given priority to a points system for immigration to address skills shortages over the need to remove the obstacles to expanding employer driven apprenticeships and training programmes. The other parties appear to think that “freedom of movement”, alias letting immigration rip, whether from the EU or elsewhere, will provide the skills for infrastructure projects, the NHS and economic recovery. All also promise more money for teachers and schools but make no reference to the many systemic problems they face.

Below is a summary of what I think needs to happen, based on the four decades of material I handed over earlier this year:

Lifelong learning for all not just student debt for 50%


1) The skills in demand and the ability of technology-assisted education and training providers to respond are both changing faster than University and Schools planning, funding, course, content and examination regimes can handle. The century old hierarchy of Haldane Style committees of experts (extended over time from research to education and training policy and implementation as a whole) is no longer fit for purpose.
2) The current UK University Funding regime is economically and politically unsustainable. Standardised fees funded via student debt are unfair and unpopular with parents as well as students and graduates (who often cannot afford home or family after the cost of repayment). They distort markets with hidden cross-subsidies. They encourage high value UK graduates to emigrate. Academic rankings and promotion put winning pure research council challenges above funding from industry to support R&D for innovative products and services.
3) The current schools and college funding systems are similarly unsustainable. Increased pension charges will absorb all the additional funding announced. Funding is linked to performance in examinations which filter for academic rather than employment potential. Schools need to draw in the revenues which will enable them to serve the diversity of pupil needs and transform their education, using the wealth of on-line customised and personalised (AI based), content, planning, assessment and delivery materials and services becoming available. That may include the revenue streams from becoming local community hubs for life-long learning and leisure (including sporting and cultural).

Six point headline action plan

  1. Change the “vision” from half the population leaving home to go to university to most of the population in flexible, modular life-long learning, at least half at graduate and post graduate-level.
  2. Clarify ministerial, departmental and agency responsibilities and streamline the processes for consultation, funding, delivery and quality control currently spread across departments, agencies and quangoes.
  3. Allow academically or professionally accredited education, training (including recruitment) and assessment to be offset against tax, whether or not relevant to current employment and allow employers to offset all professionally accredited training costs, including schools programmes, work experience, recruitment, assessment, pastoral care, supervision etc against the apprenticeship levy.
  4. Encourage local skills partnerships which bring together Councils, LEPs, Employers large and small (public sector as well as private) to create skills incubators with access to international (not just national) programmes, materials and initiatives to enable residents and their children to acquire the skills of present and future
  5. Encourage schools/libraries to become community lifelong learning hubs /skills incubators, hosting access/support for apprenticeships, homework and sports clubs, using the revenues to also improve education. DfE to work with one or most syndicates of Lloyd’s underwriters to provide guidance and insurance cover for safe-guarding, health and safety, governor/trustee liability.
  6. Create the world’s largest education and training infrastructure utility by using contracts for public sector access and delivery to help bring together the Joint Academic Network (linking Universities and Colleges), the Grids for Learning (Providing Broadband to Schools) and the Open University.

Essential small print

• Allow expedited student debt repayment by individual or employer.
• Reintroduce state, local government and employer funded scholarships linked to future employment (for e.g. doctors, nurses, teachers, engineers) with a choice between full-time and degree-linked apprenticeships
• Remove funding council obstacles to Universities earning more from industry-driven degree-linked apprenticeships and research programme and acting as hubs for networked lifelong learning programmes
• Apply industry-strength market research and simulation techniques to all education and training policy initiatives to help assess the relevance of the objectives and likelihood of success.
• Agree and publicise employer-driven processes (involving reputable professional bodies and trade associations) for recognising materials, courses, qualifications, certifications and registers for inclusion in publicly funded programmes.
• Support cross-boundary cooperation to address existing gaps and meet new needs as they emerge. Many of the skills of the future are global and will be accredited internationally. Brexit makes it critical that UK employers and training providers help set global, not just EU, standards.
• Central government should train its own staff in the skills they may need at all levels (from end-user through technical and professional to senior responsible owner).
• Use the Public Service (Social Value) Act to require those bidding for publicly funded contracts (including outsourcing, “strategic” partnerships, infrastructure construction etc.) to employ at least 10% accredited trainees and/or apprentices.

Use any opportunities at hustings or elsewhere to try to extract pledges to covering those points above with which you agree.

November 24, 2019  1:46 PM

Labour breaks an emerging consensus on Broadband Policy?

Philip Virgo Profile: Philip Virgo
Broadband, Conservative, fibre, Labour, manifesto

Unrealistic targets versus re-creating the BT Monopoly?  

Boris Johnson set the pace for the current Broadband debate back in June . His promised to pull full fibre roll-out forward to 2025 was thought by many to be too ambitious . Industry leaders responded with an open letter on what Government must do to enable them to deliver.

Jeremy Corby then promised to make broadband free but not until 2030, using a renationalised Openreach, part paid for by taxes on Amazon, Facebook, Google etc. The headline reaction was more spectacular than that to the challenges of meeting Johnson’s 2025 target.

The LibDems promised a number of actions but not targets or fibre.  Neither Brexit Party nor Greens have said much although Plaid Cymru has promised full-fibre by 2025 as part of its Green Revolution . Plaid also says neither the English nor BT can be trusted with Welsh Broadband. It had previously gone into more detail with a three point plan.   Meanwhile the SNP has yet to sign off its superfast contracts.

Broadband roll-out is a journey which determines our future opportunities. Whose map, if any, do you trust.

The arguments about how the critical communications infrastructure of the future should be delivered are complicated by a claim that BT would have rolled full fibre across the UK in the 1990s but for Mrs Thatcher’s insistence on competition from the cable companies.  Whether that delayed or expedited investment is a matter for debate. It did mean we have a greater variety of network technologies, topologies and routings. That is healthy if you believe that smart infrastructures  need diversity for security and resilience. It is unhealthy if you believe the world took a wrong turning when the Internet overtook the orderly, ITU-planned, world of X25.

But we cannot progress very far unless and until we address the network construction skills problems (quality as well as quantity that threaten to derail network construction and maintenance as they did for Cable TV in the 1990s.

Also critical is the need to put full-fibre networks into the context of the local and national infrastructures (including ubiquitous fixed and mobile wireless) for smart cities, green technologies and economic competitiveness and survival. No one size fits all needs. Every smart community (let alone City) will probably need at least one Internet Exchange to handle local inter-operability. London alone will probably need more Internet Exchanges than BT currently has “telephone” exchanges. [Note that LINX is itself helping lead the “devolution” to local exchanges].

Getting there from here is an evolutionary journey.

Hopefully the fibre “pipes” being installed today will have lifetimes comparable with the copper “pipes” they replace. The switches will not. Their upgrade cycles will be more akin to those of computer systems. Keeping them in sync will be equally complex. Hence “catastrophic” network failures with whole towns running slow, or going off air, sometimes for days on end,  when upgrades to routers/switches go wrong.

Do you want fast or free? Would you trust a monopoly, nationalised BT to deliver?   

Half of all  Conservative Policy Forum groups, the parties main consultation arm, put fibre broadband top when asked what they most wanted to see after Brexit, next came investment in skills, with a focus on high level apprenticeships. Hence Boris Johnson’s inclusion of a 2025 target in his first statement on post Brexit priorities.

Hence also the mixed reception when Jeremy Corbyn slipped the target to 2030, made it free and tied it to renationalising BT.

Free broadband is understandably popular It has support from 2/3rd of voters . But not if it comes courtesy of a renationalised monopoly BT. Here voters are split almost exactly three ways – for, against and don’t know. Less than a third believe BT knows best and that Mrs Thatcher made a mistake when she refused to reinstate the BT monopoly in 1990 (Instead she wanted it to compete with the Cable Companies to bring “full motion video to every home by 2002”).

A similar proportion, just under a third) remembers that price and quality of service only began to improve when BT was forced to compete. Like the CBI, INCA and Tech UK they fear that renationalisation will result in 5 – 10 years of delay and £tens of billions of avoidable cost. Some also think of the millions of jobs and £hundreds of billions of lost tax revenues as the UK falls further behind its overseas competitors at a time when it was just beginning to catch up.

But more than a third do not know who to believe.

That confusion is not helped by misunderstandings as to how to we got to where we are today.

The Consensus that fibre was the future goes back to before the 1979 Election

The 1980s did not see  Labour politicians calling for fibre broadband in the face of opposition from a backwards thinking Tory Government.

There was an emerging all-party consensus during the run-up to the 1979 election, that fibre optic was the way forward. I was on both the TUC Policy study for the Callaghan Government and the studies for Sir Keith Joseph.  One of Mrs Thatcher’s speechwriters helped edit my paper, “Cashing in on the Chips”. The 1979 election came earlier than expected. Instead of being used as an advance discussion document it was published by Conservative Political Centre immediately after the election in March 1979, with double the normal print run.  It quickly sold out and had to be reprinted.

A key recommendation was “to re-equip the UK telecommunications network … Crash conversion of the switching system to digital … and installation of broadband transmission – similar to the North Sea gas conversion programme of the last decade“.

The recommendations were favourably reviewed on all sides, including by my Trades Union (ASTMS) and those involved in the TUC study – because I did not mention privatisation. I also avoided technobabble so the paper was covered in the Today Programme and I appeared on the Jimmy Young Programme. I was very nervous and totally unprepared. It was all too the good. My main memory is how he soothed my nerves as each record played, before milking me again to explain the next topic in terms his listeners could understand. He had not only read the paper, he fully understood the implications and wanted his listeners to do so as well. I should perhaps add that the paper also called for a micro in every school by 1982: the programme which kick-started the UK lead in educational technology.

The 1980s debate was on Privatisation and how to make a reality of Competition – not technology

Subsequently, in the early 1980s, there was consensus on the need for “liberalisation” (alias competition).  There was even consensus on the need for some form of competitive duopoly between the telecoms operations of the Post Office and of Cable and Wireless. They had different unions and different approaches towards meeting the needs of business customers for world class international communications.  The political difference was on privatisation of the telecoms operations of the Post Office.

Telecoms did not feature in the 1983 election. There was only one question in the entire campaign. I was point man IT policy and had a single call – from Sir Geoffrey Howe. He had an interesting question from a techie in his own constituency. I cannot remember what it was. I do, however, remember that we agreed a polite non-answer rather than raise the need for a policy response.

By the time of Peter Cochrane’s proposal for BT to move from piecemeal upgrades to a complete network overhaul the Government target was to have at least two operators providing “broadcast quality video” to every home by 2002 with radio (fixed, mobile, terrestrial and/or satellite) providing a third dimension of competition/resilience.  No wonder his proposal to recreate the BT monopoly got short shrift.  He was also seeking funding for BT to manufacture in competition with STC (fibre optic technology was invented at STL Harlow) and GEC (the world leader on optical switching technology).

The failure of competition in the 1990s

The Cable Companies failed to provide the expected competition for the same reason that BT could not fund its investment programme from its own cash flow. Treasury had withdrawn the 100% capital allowances that helped turn round the economy after the stagflation of the 1970s. In consequence the market was left to US and Canadian investors who could write off their investment against tax. The franchises were also too small for viability and a series of take-overs and mergers followed. Then the shortage of competent construction workers led to the break-up and poor reinstatement of road surfaces and pavements as cables (some coax, some fibre) were laid to serve each house in the area. That plus the death of trees whose roots had been damaged led to mass complaints and delays in planning permission.

By the time of the 1997 election the Cable companies were all but bankrupt and the idea of local loop unbundling was in play as the only way of providing competition to BT. It was particularly attractive to Labour Policy advisors who feared that Rupert Murdoch would snap up the Cable Companies as he had done with Satellite TV.

But investment in fibre backbones was roaring ahead 

Meanwhile BT’s investment in fibre had gone ahead. BT issued new shares from 1991 – 94 at ever increasing price as it accelerated the pace of investment to be able to provide broadcast quality video to the home 2002. Before Y2K BT had fibre to within a mile of over 80% of UK homes. After Y2K its investment programme accelerated again. BT did not do more rights issues. Instead it borrowed to fund fibre to the cabinet. By the time Ofcom was created BT’s investment programme was at running full spend. Meanwhile NTL was in Chapter 11 and the Telewest Shareholders had taken a 98.5% “haircut”.

Then came the implementation of Local Loop Unbundling under Ofcom.

The collapse of UK fibre investment came after Local Loop Unbundling destroyed BT’s investment case and share price and left its competitors with no imperative.

LLU was followed predictably and inevitably by the regulation induced collapse of the BT share price – from a high of £15 to a low of under £1. My 2015 blog was drafted mainly to illustrate the effect of regulatory policy on investment at a time when Ofcom was doing a strategic review which assumed its impact was neutral.

The cost of LLU not, however, just the termination of BT plans for fibre to the premises. BT’s spend on preventive maintenance was cut by 50%. Hence the need today to recruit and train thousands of engineers to test the safety of ducts and poles before its local networks are upgraded, let alone opened up for “physical infrastructure access“. A decade ago this would have been a relatively simple exercise. Today, after a decade of decay, it is a major task.

We have to catch up with the rest of the world before crapband costs our economic future

Tech UK has said most of what needs to be said on the costings and practicalities of Labour’s proposal. We also need to consider the impact of five to ten years delay on the rest of the economy. The UK will not only fail to leap frog its competitors with world class, resilient, mesh, infrastructures (hot standby over three or more networks for most businesses reliant on Internet access). It will fall further behind as they power ahead. Much of the UK, including most of the countryside, will remain reliant on legacy crapband (copper, rust and aluminium and other pollutants) for the next decade or more.

And skills is the critical point of leverage

We need to look much harder at what needs to be done to expedite investment in building the infrastructure – who-ever does so.

Here I would to go back to the 1979 election manifestos and what came afterwards. “Cashing in on the Chips” did not mention privatisation. I also paid my political levy. I was therefore in good odour with my Union (ASTMS). I was invited to contribute “New Technology – some points to discuss” to their journal. The context was the points they might wish to make in their new recruitment campaign. I will quote a few:

  • ASTMS should be endeavouring to block the recruitment of skilled staff in short supply until all internal staff, particularly the older ones with no promotion prospects, have been screened for aptitude …
  • Salary under training away from home should be treated as an educational grant (i.e. tax free) with expenses additional …
  • We must rebuild the Adult Vocational Education System at a local level. If the local authorities won’t respond, then go to the government with specific parliamentary questions via our Union Sponsored MPs and concrete proposals

ASTMS is now part of Unite. I would commend these points to those now running the Union if they wish to expand their paying membership. [As a retired member I am an now inactive freebie].

Particularly network construction skills   

It is almost exactly a year since the round table which identified what needs to be done and by whom. I summarised the discussion and recommendations in a blog earlier this year   When I retired (for the fourth time) at Easter I handed over my work in this area (via the DPA Digital Infrastructure Skills Sub Group) to the Chief Executive of the Highways Electrical Association . His members build and maintain most of our fibre communications networks. They are already building and maintaining first generation 4/5G networks (e.g. for smart lighting and signalling). I know they are seeking to identify local authorities willing to expedite planning permission to enable local FE Colleges to run short courses (to existing UKAS accredited standards) in using modern construction equipment to build networks and reinstate roads/pavements afterwards. There is also a need to expedite planning permission for “pole parks” to train engineers for BT and others to tackle the backlog of overhead network maintenance.

This may look mundane but it is a critical point of leverage.

Once planning permission has been secured the full BT programme for opening/upgrading its training centres can move forward. Once planning permission has been secured others can start working with FE Colleges and Local skills programmes to give NEETs the skills to use modern construction equipment (and not just to built comms infrastructure). Until then, almost everything else is piss and wind, Those who think we can import the necessary skills should take another look. Even if this was politically acceptable, they would have to be assessed and/or retrained. It is quicker and cheaper to train our own – provided the facilities are created in advance.


November 14, 2019  12:27 PM

Has ISOC sold .Org for 30 pieces of silver? – Update 15th November

Philip Virgo Profile: Philip Virgo
digital identity, ICANN, IETF, IPv6, ISOC, ITU

Since I posted this there have been many entries on an impassioned ISOC discussion thread. So far I draw three main conclusions:

  1. Democratic accountability is alien to ISOC. It has long been structured as a top down organisation, living off the revenues from .org, , with multiple groups in which anything can be discussed, but no-one can organise a meaningful vote and absolute power resides with the trustees. I have therefore been wrong for over a decade in thinking it might ever evolve into a governance body.
  2.  The deal has not yet been consummated and the identity of the investors and their forward plans are still unknown.
  3. The way is open for the World Internet Conference and the ITU to establish a Government-led governance body unless and until the Western NGOs can enlist the support of the Internet Association for a credible alternative.

The Internet Society (ISOC) has sold the Public Interest Registry (which includes .Org) to a recently created Venture Capital firm in order to create an endowment fund. Ethos Capital was apparently created for the purpose of the acquisition with the domain name registered by an advisor to the World Internet Conference.  If so, this might be a means of helping ISOC to meet its charitable objectives in those areas where Internet usage is lowest, with Chinese co-operation. But that would raise more questions than it answers – not “just” whether the price of .org registrations will rise sharply. Over 20% of the world’s population is now on-line. They face a rising tide of abuse and crime which threatens to curtail confidence in the brave new world which the new Internet Association is trying to promote. Co-operation with the Chinese rather than the current trade war, might well be to the benefit of all of us. But at what price? to whom? Or is this “merely” a “clever” way of taking the PIR out of play.

Whatever the answers this raises the question of the current/future roles of ISOC and of the Public Interest Registry.

Domain names are at the heart of both cybersecurity and surveillance

I paid $20 dollars to join the Internet Society (not to be confused with the new Internet Association) in 1995. I had been told that it was the best hope for the Governance body that the Internet would need if the Atlanta Olympics (the test bed for the “commercial” use of internet protocols), was a success. It was – save for one highly embarrassing problem with data loss. It took two days to rework the interface between the local high speed information feeds and those used by most Western media to also cope with the slow speed feeds then used by much of the rest of the world – who had not prepared and blamed the organisers. Everything else worked. Most importantly fraud (on the unprotected booking systems) was negligible. Criminals had not discovered the opportunities.

The members of the Internet Engineering Task Force, led by IBM, EDS and CISCO then released a $2 billion war chest to “re-engineer the Internet”. It was told that they faced three main problems. Security, security and security.

They still do.

And the domain name system is at the heart of those problems. Just as it at the heart of the Internet.

Hence the critical role of the registries.

They are far more important the Governments and Regulators when it comes to creating a meaningful digital identity ecosystem.

The other point of leverage is the worlds international airports

Today the equivalent of the Atlanta Olympics is a major international airport – 24 by 7 all year round, no just a brief window every four years. All the world’s identity and authorisation systems (passengers, local contractors, security staff, airline staff, maintenance staff air freight in transit, aerospace components etc. etc.) come together … or not.

The result is de facto real-time identity arbitrage, in ways which also expose why Government will always fail to produce identity policies that are of any value to most of us. They find it hard enough (and in the case of the UK impossible) to agree policies of use to their Armed Force, Education, Health, Justice, Law Enforcement,Tax and Welfare operations.

The sale appears to open up great opportunities … but for who?

The transition to IPV6 supposedly offered an opportunity to remove many vulnerabilities in the way the domain name system is used, perhaps tying addresses to items of hardware and wetware (human biometrics and DNA).

But if the registries, including those trusted internationally, are themselves in play, to be bought and sold, this opportunity evaporates. Government will feel the need to intervene.

If so, has the time come to merge the Internet Governance Forum and the World Internet Conference and for both to work with and through the ITU. Or are abuse,confusion, fragmentation, fraud, incoherence and impersonation a price worth paying to preserve dissidents from being hunted down by oppressive regimes?

For those concerned with Internet Governance and the protection of users, whether from dominant players, government agencies or organised (or disorganised) criminals, these questions seem to be a rather more important topic than Brexit (what that will mean in practice!).

Or am I massively over-reacting

I would love to be told that I am over-reacting and that ICANN and/or the IETF members have already thought through the consequences. Or it is correct that they have only just learned of the sale?  I look out of the window and have yet to see the pigs flying past so I suspect the lawyers have only just started to read their way in

November 5, 2019  6:44 PM

Making sense of the current UK Cybersecurity Skills scene

Philip Virgo Profile: Philip Virgo

Your opportunity to catch up

Next week (12th November) I look forward to catching up with what is happening on the UK cybersecurity skills scene at the first Digital Policy Alliance review meeting since I handed over as rapporteur for the cybersecurity skills group. The members have been heavily involved with the Alliance which won the bid to plan the new UK Cybersecurity Council . I expect to hear what has happened since the contract was awarded.  I also expect to hear the current state of the other programmes under way, including apprenticeships – where there has been controversy on a variety of fronts: including over moves to better keep abreast of the accelerating pace of change with regard to the certifications and assessments (often set globally) required by major customers. I also note the intention to to take a long overdue look at operational skills and those needed to better secure critical infrastructure.

The meeting is for DPA members and registered observers only but those interested in joining are welcome to attend as a taster meeting – before joining to participate in the follow up. More details are available at: https://www.dpalliance.org.uk/join-us/

I regard participation in this group as a MUST for those who are serious about having access to the skills they need to protect themselves and their customers, particularly because the area is beset with so much myth, nonsense and conflict of interest. Some of the issues also have a surprisingly high political profile, thanks to the number of well-connected victims. And who-ever claims to know what is going to happen after the election is probably deluded. Even if the Government wins we can expect to see attempts to bring about radical change fought by those who wish to preserve current priorities.

What has been changing

After my hand over I visited InfoSec, looking at was on offer from a different perspective. I wondered how many AI-driven threat intelligence services the market needs, as opposed to co-operation with law enforcement and technology providers to collate the intelligence and “remove” both vulnerabilities and predators.

The focus of security vendors on a relatively small number of enterprise customers and the security operations centres focussed on their needs led me to take another look at the skills scene . But at the same time I was looking at the issues from the perspective of the victims, including businesses large and small, society at large and the cost of crumbling consumer confidence in the safety and security of the on-line world. Then came the DPA meeting to look at Cyber Insurance as a point of leverage. I recently blogged on my personal conclusions from the discussion , This morning, however, I thought again about the consequences if the insurers achieve their objectives.

Is nothing compared to may be to come

If they succeed in producing readable guidance on what potential victims need to do in order to be insurable the result could more than decimate both the cybercrime and cybersecurity industries. We will move towards a world in which business spends about that same on cyber insurance as it does on security products and services. We will also see insurance companies fund “risk reduction” and “asset recovery” operations in much the same way as they used to fund fire brigades and detective agencies in order to reduce the losses they had to cover.

On the way we will see a transformation in the demand for skills to run cyber protection operations as opposed to cultivating skillsets akin to those of “cyber-arsonists”.

But that is for the future.

For the here and now I strongly recommend participation in the DPA cybersecurity skill sub-group in order to make sense of what it happening and ensure that your needs, whether as an employer or training provider are met.

I remind you that the  meeting next week is for DPA members and registered observers only but those interested in joining are well to attend as a taster meeting, before joining to participate in the follow up. More details are available at: https://www.dpalliance.org.uk/join-us/

P.S. Do not ask me where the meeting is. I do not know and will not be told until shortly before, and only then if there is room for obsevers not expected to help deliver what is agreed.





November 3, 2019  5:49 PM

Insurability is the key to Cybermaturity

Philip Virgo Profile: Philip Virgo

Computer users spend over £150 billion a year on products and services that do not always protect them and their customers from on-line attack and fraud. They spend barely £7 billion on cyber insurance for when they fail.  By contrast spend on fire protection and fire insurance are about the same. Spend on theft protection and insurance are also about the same. The big difference is that we know what we have to do in order to get fire and theft insurance – i.e. precautions, alarms, fire doors, locks etc. to reduce the likelihood and limit the damage.

Underwriters have are said to have well over £20 billion available to cover more cyberinsurance. But most organisations are uninsurable. They may spend large amounts on security products and services but they do not do that which reduces the risk of a successful cyberattack,  limits the consequent damage and/or facilitates “asset recovery” (including to help track, trace and sue those responsible, if  this is likely to be cost effective).

Last week I attended a discussion on follow up to the DPA paper on “Cyberinsurance as a catalyst for good security practice“. The meeting  brought together those working on common “guidance” for cyber policies, those selling the policies and those advising on risk and/or auditing security. We also had some perceptive inputs from the head of one of the UK’s largest (in terms of organisations, networks and end-points monitored) Security Operation Centres. The discussion was crisp, candid and shorn of jargon. It covered the current state of play (including forward plans), why things are as they are, what is being done by whom and the points of leverage. There will be a report for DPA members and observers .

The discussion brought home to me why we have made so little progress in helping the average Director or Business Owner make sense of  the current cacophony of  “awareness” messages and marketing hype for security products and services –  from encryption, filtering and penetration testing to threat intelligence. Too many players benefit too much from allowing Directors to waste their organisations’ time and money to little practical effect with fragmented approaches. Too few would benefit from the expediting the rationalisation and simplification of joined-up guidance that would expedite maturity, insurability and radical risk reduction.

In the event of fire and theft there is clear guidance as to what the customer needs to do in order to obtain insurance cover and make a successful claim if things go wrong. That guidance is based on a distillation of practical experience. Consultants and vendors tailor their offerings and sales messages around what the insurers expect to see done in order to reduce/manage risks before they will cover them.

In the area of cyber risk that guidance is only now being drafted. At the current rate of progress it is likely to be agreed sometime in 2021.

But it is being drafted in the terminologies used by insurance and security professionals and their lawyers. It is likely to be unintelligible to the rest of us.  More-over the pace of agreement is determined by the priority being given to the exercises by those with necessary expertise.

Political and regulatory interest is likely to complicate and delay the process. There are too many conflicting agendas – both national and international.

Progress will be expedited as leading insurers perceive the potential for more business, and for that business to be more profitable, because risks will fall as organisations do what is necessary to become insurable.

There is obvious benefit from an exercise to produce interim “laymen’s guides” covering what is likely to be agreed – with the aim of helping provide more profitable insurance at lower cost to organisation which better manage risk and are therefore less likely to make claims.

The next meeting of the DPA cybersecurity group is expected to bring together those major insurers, security organisations and enforcers who are happy to task their staff to work together accordingly. I am now only a member of the DPA advisory board but my current work on community safety has led me into the areas of “reporting” and of “victim support” (including business victims, large and small). I look forward to seeing practical progress, led by the insurance industry – as they have led the way in the past on other areas of risk – from fire brigades and safety at sea to product liability of all kinds … but no (yet) software and cyber).

DPA Groups are driven by their members. Those wishing to join this one, perhaps using the DPA offer of a taster session before paying the subscription, should contact DPA and request an invitation.


October 5, 2019  5:43 PM

Turbocharging Full Fibre/5G Broadband

Philip Virgo Profile: Philip Virgo
Aviva, B4RN, Broadband, BT, EIS, Gigaclear, Inca, Skills

Turbocharging is the new post-Boris buzzword. It is apt for the £5 billion pound boost to broadband roll out announced at the Conservative party conference. It does not really matter how much is new money and what the details are. That is likely to emerge during this year’s INCA  conference on the 16th and 17th November . INCA could not have timed it better … it is almost as though they had advance notice!

The INCA sessions on rural broadband, investment, barrier busting and skills are likely to be particularly interesting, given the discussions, one might call them leaks, but it was more like a waterfall, at the Conservative party conference. I am intrigued by what INCA members plan to discuss in the newly added section on Brexit – unless it is the changes they want to see, e.g. to state aid rules, if Brexit does indeed go ahead. I  explain below why I expect it to have little, if any, impact on the availability of skills.

1 Restore EIS status to B4RN Clones and trigger a Rural Broadband Revolution

Before the summer, at a Westminster Forum event Barry Forde pointed out that, but for HMRC removing EIS status (because B4RN investors were not at risk) their approach could fibre up the final 5% at a fraction of the costs quoted by BT and others. He was not offering to scale up B4FRN itself – he said that community enterprise was not inherently scalable because all communities are different. He did however suggest packaging up the way it operated for others to copy, where-ever there was the necessary spirit of self-help.

He summarised the positives behind cloning the B4RN approach as below:

  • Not for Profit community Benefit Society, community owned
  • Parish based
  • 100% coverage (so USO irrelevant)
  • ~120 parishes in build (area ~2,000Km2, area inside M25 ~1,500Km2)
  • Initially 100% Funded by community
  • £6M Community Shares
  • £2M Community loans
  • £3M Community Bonds via Triodos Bank’s Crowdfunding platform
  • Full fibre delivery-average cost below £1500
  • Currently-
  • ~10,000 properties passed (about 95% meet eligibility criteria for USO)
  • ~6,000 properties connected
  • ~12,000 properties in build pipeline (over next 24 months)Additional massive demand from all over UK, but we cannot meet it
  • Need more B4RNs!
  • Now using GBVS & RGC vouchers worth average of ~65% of build costs, community raising remainder.

Then he went on to say what Government should do if it was serious about allowing community enterprise to connect the final 5% at affordable cost:

  • Government has good intentions but fragmented delivery damaging
    HMRC EIS tax relief withdrawn due to perceived low risk
    – Treasury awards funds for LFFN due to perceived high risk
    – Which is it? A stable situation which we can plan for is vital
    – Fibre infrastructure build is challenging and takes time, changing rules mid race is fatal.
  • USO for last few percent of properties that get <10%, £3400 cost cap.
    – B4RN already does 100% coverage in its builds for <£1500 and 95% of our properties are in the USO zone
    – But explicitly excluded from accessing USO funds which only BT can get.
    – USO severely damages fund raising in additional deep rural communities
    Communities will have to raise funds to overbuild whatever BT delivers as little if any of it will be full fibre.
  • OFCOM attitude to rural last 30% where competition doesn’t exist
    Propose to allow BT to lift charges in rural areas to fund more full fibre build
    This is a stealth tax levied on rural customers for the exclusive benefit of BT
    No competitive element in scheme, community projects excluded.
  • OFCOM Dark fibre proposition
    – Rural altnets need access to dark fibre for backhaul.
    OFCOM’s proposal is for exchange to exchange fibre only which benefits retailers of Open Reach products but cripples any organisation trying to build new infrastructure in competition with OR.
  • OFCOM appears too supportive of Open Reach and anti-competitive, every initiative makes the playing field less level.
  • DCMS Vouchers GBVS & RGC
    Excellent idea. Could perhaps graduate the RGC vouchers for degrees of rural reaching the USO £3400 in the most remote areas.
    But scheme only runs to 31st March 2021. That’s an almost impossible timescale to deliver complex infrastructure builds. It needs extending.
    – Also need some sanity checking around local authorities being able to flag post codes as potentially getting FTTP at some point within the next three years and hence locking out the vouchers to Community projects under State Aid Rule.
    – If community project registers a post code for their build then LAs should not be able to barge in later and block things.

It is time to go political

The LibDems and Brexit Party (if we do not “leave” on time) will be competing with the Conservatives for votes in over a hundred rural constituencies where access to on-line services ranks alongside Housing, the NHS and Policing as a priority for voters. The opposition of HMRC to EIS status for community broadband investment therefore appears to be politically unsustainable.

The case is all the stronger because of the priority the Government is giving to using greatly improved on-line access to improve the quality and cut the cost of rural services, including health and welfare.  The terms of reference given to Matt Warman to get broadband roll-out moving also imply a robust attitude towards anything else that gets in the way of community or municipal initiative.

He will, however, need sustained and public political support if he is to succeed in driving those seeking to preserve their sacred cash cows out of the way. Without it the UK will falls even further behind.

2 Opening up private sector investment

I was delighted to see the agenda and participants for the INCA Investor Workshop.

The workshop begins with the investment climate being created by Government and Regulator before giving the perspectives of investors, fund-raisers and advisors.

  • Cameron Barney have probably handled more investments in more UK broadband companies than any other merchant bank. They have also been able to exit profitably from several well known names, like Gigaclear, when these became attractive to major funds,
  • Aviva had been investing in broadband around the world for some years before deciding that Truespeed offered the kind of opportunity that was attractive for its funds.
  • Macquarie Capital had similarly been active on other continents for over a decade before taking over KCOM  and investing in Voneus.
  • The CEB Fund‘s first investment was RUNE. The video on their website is worth watching for a very different view to the Swedish Model.
  • PMP Conseil will provide a French perspective.
  • Abundance organises crowdfunding for Green infrastructures. And infrastructure does not come much greener than broadband.  Then we have the fund-raising perspectives of three very different types of operator: ITS, Voneus and Jurassic .

There are many business models for the provision of broadband. These are evolving as technologies and market change. I welcome the  “discovery” by landlords and developers of  the link between property values  and broadband  provision and by politicians of the link with jobs and economic prosperity.

It is forty years since I became active on telecoms policy. We had realised that the Wellcome research centre at Park Langley would die unless we could get local access to world-class, global  telecommunications. Hence the reason I was allowed time to be politically active on IT and Telecoms policy. I was a lonely user surrounded by the lobbyists of current and would be suppliers (both incumbents and invaders).  I still usually am. They (you) inhabit a different world to we users.

Hence also my comparisons between broadband business models and those behind the building and operation of the canals and railways:

  • build networks to international interoperability standards
  • raise the money from those who will benefit from the uplift in property prices and improved connectivity
  • then sell the networks to operating utilities
  • try to locate where you are served by at least three competing networks using different routings/technologies

Politicians are finally waking up to the linkages … and their reasons and implications. I am not so sure about telecoms community. We had a cacophony of canal operating companies opposing the building of railways. We are now beginning to hear the voices of railway operators opposing the rise of motor transport.

In the mean time, however, I applaud INCA for putting together this workshop.

3 Barriers busting needs rigorous quality control

I was disappointed to see that delegates to the INCA conference will have to choose, on the second day, between workshops on public sector support, barrier busting and skills. The three are at the same time. I hope they will be recorded for those who would like to attend all three.

The obstructionism of local authority highways departments is only partly because many have been outsourced to those who have no interest in expediting approvals. Some of the contractors used by the industry have an atrocious record for quality of service, including failure to meet reinstatement standards. The reluctance of landlords and building managers to give access to contractors of unknown provenance can similarly be based on past experience. Both link back to skills – and the common use of  East Europeans with unknown competence and poor English.

There is, nonetheless, a genuine need to address the problems that arise with absentee land-lords and with intermediaries and free-holders whose prime concern is fee income.  Earlier this year I was at a meeting that brought together freeholders (identified by a search in co-operation with the Council) and current occupants to discuss a redevelopment plan only made commercial sense if it included full fibre connectivity. It transpired that the agents employed by both groups had lied and prevaricated for years, keeping owners and tenants apart, in order to ramp up fees and progress agendas of their own.

I would like to think that most costs and delays are simply because agents and free-holders do not benefit directly from the increase in value when communications are improved but are blamed they allow contractors to cause damage to other networks, utilities or infrastructure.

“Deemed consent” and/or “mandatory” wayleaves and access should be linked to the use of individuals whose competence has been accredited – e.g. by the Highways Electrical Association or a similar body for in-building work. That leads me on to skills.

4 Using network construction skills to build a pipeline to the future

I am very pleased to see the growing co-operation  between the INCA and the Digital Policy Alliance with Carolyn Kimber chairing the session on skills and Graham Smith of the Highways Electrical Association on the panel. It is also good to see the participation of the SCTE . The John Henry Group made invaluable inputs to the round table of skills issues that I announced at INCA’s conference least year.

Most of my summary of the findings of that round table appears to hold good but some things have moved on since.  Graham Smith had already agreed to take charge of the follow up when I did an update in February  At Easter I stood back and handed my contacts, leads and ideas to the Highways Electrical Agency when he formally took over the running of the Digital Infrastructure Skills Group of the Digital Policy Alliance.

My final task was to help identify Local Authorities and FE Colleges with land and planning permission to host short courses in the use of modern network construction techniques, technologies and equipment. The classroom facilities are easy (B4RN ran courses to international standards in village halls using equipment and materials from their suppliers). The issue is practicing with construction equipment on a realistic brownfield/greenfield site.

At the Conservative Party Conference Clive Selly said that BT was now the UK’s largest employer of apprentices and had to recruit and train 12,000 “engineers” over the next two years. The contractors to City Fibre need over 5,000. There were mutterings about the need to import skills. I said that would not help because the individuals would still need to be trained and accredited in the use of modern equipment and techniques. Those already competent earn more in Germany and France. We are also-rans in a race to catch up with Spain and Portugal … let alone Scandinavia.

On Thursday I was delighted to report back to Graham with leads for thousand of trainees for his members. I was also given equally good leads for greenfield and brownfield locations for short modular courses in modern techniques when and where the skills are most likely to be needed.  At the Party Conference I had found enthusiastic support from those in a position to make things happen. Training the natives, instead of importing foreigners, clearly strikes a chord everywhere except London-based lobbyists. [I am a Londoner and I voted Remain – mea culpa]

Those who want to know what I reported to Graham should ask him during the skills session at the INCA Conference and/or join the Digital Policy Alliance and the group he is leading.

September 12, 2019  1:43 PM

A Cybercommunity Safety Partnership to address On-line Harms and Abuse

Philip Virgo Profile: Philip Virgo
abuse, cybersecurity

We need a coalition of the willing to preserve confidence in the safety of the on-line world.

I am attempting to convene a local Community Safety Partnership, using voluntary co-operation between community groups and charities to join up front-line delivery across the silos of central and local government, including health, welfare and policing. On-line abuse, bullying and crime have cut Internet usage among those we are most anxious to help: the frail, lonely and vulnerable. They do not use the on-line services of the local authority or NHS. The closure of our last local bank branch hit them and local businesses hard. Meanwhile there is growing resistance from both victims and volunteers towards providing personal information or contact details, lest these be leaked, sold and/or abused. The effects are compounded by the deletion of existing contact files because of interpretations of the General Data Protection Regulation. Cumbersome processes to get “consent” for the blanket collection of data for vague purposes and/or provision to third parties do not help.

I therefore looked into support for piloting a Cybercommunity Safety Partnership which will support local people processes for those who cannot understand/use on-line processes and no longer trust remote call centres.  The idea has struck a chord. A number of industry bodies have agreed to trawl their memberships for volunteers and sponsors to support action, both nationally and locally.

Usage by vulnerable adults and the elderly has plateaued and may even be falling

We are used to data about the increasing ubiquity of Internet usage. This is being used to justify the withdrawal of physical access to banking and/or pubic services. But the 2019 ONS Analyses unpack some of the data. They reveal a less rosy picture. Half UK adults have never completed a government form on-line. Most pensioners go on-line only to read e-mails. Most over 75s have not been on-line at all in the past three months. The proportion of adults who are “lapsed” Internet users was under 4% in 2011 and is now over 6% (although the 7% peak in 2017, after the publicity for the Talk Talk breach may be over).  Their fears are justified. Over half have been contacted by some-one offering to fix their computer problems for them, Details are said to be available on the dark web to impersonate most of them and/or obtain credentials in their name if they do not go on-line. Over 10% of adults have already been victims of on-line fraud. We all have difficulty reporting problems, let alone obtaining support and/or redress.

There is safety advice but not for reporting or victim support

There is much good on-line safety advice (e.g. Get Safe Online)  but the processes for reporting problems (e.g. via Action Fraud ) to some-one who will take action are seriously overloaded. The Victim Support  website makes no reference to this area although the Regional Organised Crime Units  are supposed to provide an aftercare service. Citizens Advice  does not appear to cover cyber problems. Nor does Elder Abuse, although it does have advice on how to conceal that you are consulting them . Meanwhile Facebook  Google  and Twitter (the links are to their respective reporting pages) are criticised both for being difficult to contact and/or for failing to respond to reports of fraud/abuse while not checking before removing those subject to malicious complaints. They can’t win!

Many victims want some-one to talk to. Hence the overload that crippled Action Fraud, one of the few services to offer this. The need is to train local health and welfare staff and volunteers to respond. But they, in turn, need to be able to call on assistance from those (including security and legal professionals) who know what can be done, how to secure action and, perhaps, submit an actionable crime report. Help desks in Dublin, Gourock, Barcelona, India or the Philippines may be able to process calls according to a script but cannot be expected to do more.

Meanwhile children are fearful and girls are being driven off-line

Between 25% and 30% of children have been bullied on-line. One in eight admit to bullying. 20% admit to meeting strangers. 10% of those who videochat have been asked to change or undress. Nearly one in six have seen something that encourages self-harm. They bottle it up. 40% have never talked to anyone about the worst that has happened to them on-line. Until recently systemic on-line misogyny as endemic in Silicon Valley, was a taboo subject which it came to discussing why there were so few women in IT. Today we can see that it is actively driving half the world off-line, from girls to journalists and politicians.

The best advice is not well publicised or used

There are many good sources of advice and on-line materials including the on-line safety websites of NSPCC , Childrens Society ,
London Grid for Learning and Childnet There is also guidance (e.g. from Womens Aid) for older women, linking on-line abuse to domestic and physical abuse.

These need to be much better publicised and also packaged for use locally by

  • teachers and school support staff,
  • health, welfare and youth workers and
  • faith and community groups

to educate and engage both children and parents.

Every turned-round hacker is a win -win

Safety programmes should also harness the talents of those at risk, both to help protect their peers and learn about cyber related jobs and careers. It is a double bonus when a troubled child and potential hacker, often with previously undiagnosed issues on the dyslexia and/or autism spectrum, is drawn onto to a programme that will lead them into well-paid employment with an organisation that will provide clinical support as necessary.

The alphabet of concerns to be addressed include:

• Abuse – child, adult and elder (ad hoc, targeted, random, local, remote…)
• Bullying – including that linking physical and on-line, within schools or communities
• Control – e.g. gangs using social media targeted at local audiences
• Deception – impersonation, loss of identity, loss of access etc.
• Extortion – may be sexual, social and/or linked to control/grooming not “just” financial
• Fraud – all levels, including SMEs and courier fraud
• Grooming – 1/3 of the child abuse images reported to the Internet Watch Foundation last year were “selfies”

Possible Projects (and objectives/deliverables)

There are many areas where “coalitions of the willing” could improve safety, support victims, help them obtain redress and deter abuse and malpractice while Governments, Regulators and Law Enforcement agencies procrastinate in the face of lobbying and legal action.

They include:

Guidance on GDPR for voluntary groups who have no wish to provide personal information about their themselves and their supporters, members or clients to third parties unless with explicit and well-informed consent. The need is to digest current complex and incoherent guidance into succinct, authoritative and usable material for agreement with ICO – and then to publicise it.

Seminars to train teachers, youth and community workers, health and welfare staff in the detection of symptoms of abuse, bullying and/or grooming and in the use of existing on-line safety materials to educate target audiences. This will include working with organisations like the Grids for Learning to identify/produce/publish materials and with relevant professional bodies and trade associations to identify/train volunteers with security expertise to help with delivery.

Finding professionals, volunteers and materials to help Victim Support and Citizens Advice with relevant technical/legal expertise to handle cyber victims, including to obtain redress where this is practical and realistic. This will include exercises to trawl security professional bodies, trade associations, training providers, law firms and employers for those with relevant expertise and experience.

Organising/testing/delivering on-line safety material that addresses the evolving concerns of target audiences: Examples include: “How do you to protect your phone against abuse, control, key-logging, tracking etc”. “What to do if …“  This will include the identification of well informed and connected supporters and sponsors with business as well as social responsibility cases for helping.

Identifying and promoting the services of those offering virtual CISO/SOC and/or legal services to SMEs. This will entail  co-operation with professional bodies, trade associations, product and services suppliers and Internet service providers who are unable to otherwise address 95% (by number) and 50% (by value) of the cybersecurity market and/or who wish more customers to move on-line.

Identifying those willing to act as police service volunteers (warranted or not), including to provide non-emergency back up to local community police teams as well as the national panel being created by the NCA, NCSC and NPCC to support major investigations.

This may require restarting political activity on the governance of voluntary co-operation between industry and law enforcement and use of professional trained and qualified volunteers akin to that which led to the recommendations (over a decade ago) in the EURIM-IPPR Partnership Policing study . That group also responded to David Blunkett’s Community Policing consultation.  Changes were made in 2011, during the run up to Olympics, to enable medical and security professionals and military reservist to become police service volunteers and  special constables.

Many forces have not yet, however, implemented those changes. The number of volunteers and specials in London  fell sharply after the Olympics , when the number of special constables in the Met Police peaked at nearly 6,000, (the target for the Games had been 10,000). The number fell by 8% the following year. The fall accelerated to 20% in 2014. There are now fewer than 2,000 (a fall of 17% on 2018).

Skills and careers out-reach programmes with a priority for turning to turn those at risk into assets. The aim would be to organise local access to the relevant national programmes, including cybersecurity apprenticeships. The successful Plymouth pilot  needs a new write up now that it has been packaged for replication with help from DCMS and others. It indicates what can be achieved but also the pre-condition for success and the problems that have to be overcome.

The neurodiverse may have great talent but may also need ongoing clinical support which conventional employers cannot provide. Hence the value of linking local skills incubators to shared SOC/Virtual CISO services underpinned by joined up (across Central Government funding and procurement silos) contracts to support public sector  organisations both large (e.g. Local Government, MoD and NHS) and small (e.g. Schools and GP Practices).

Addressing the way girls are driven off-line Here the need is to work with organisations like Cybergirls First  to produce video and materials package covering risks, self protection and careers advice, plus contacts and support services. The Cybergirls First model is focussed on the age group and communities where girls are at most risk of being driven off-line and appears to be very successful.

Success does, however, depend on assembling a critical mass of employers who wish to publicly position themselves as employers of choice for girls (at all levels of seniority). It has been shown to work with well known employers wishing to support and recruit from inner city schools within easy travel of their City Centre locations. Packaging it for local employers and travel to work areas across the country probably requires support from the public sector organisations who are often the largest local employer.

To bring together best practice in the above in local geographic partnerships to show how all parts could/should fit together to hacve a transformative effect on both safety and confidence.

Variations on  the project ideas above are already being implemented across the World, not just the UK but it is still more common for square wheels to be reinvented with public funding. The latter is too often focussed on “innovation” as perceived by those who do not know what has already been tried and failed.

We need support for copying what has worked elsewhere, after checking any pre-conditions for success.  

Are you interested in helping creating a coalitions of the willing to make things happen?

The first organisation to like the concept was the Security Panel of WCIT, the IT Livery Company. This blog entry is based on the request for volunteers they will be sending to their members. I plan to make similar requests to most of the other members of the Alliance, led by IET, which is creating the new Cybersecurity Council.

I also intend to approach those who fund the Internet, the major advertisers whose spend is wasted if paying customers turn their backs on the Internet. Another target group is the banks and on-line retailers who will have to reverse their business models if confidence is not restored. Finally I will be seeking to engage with those security providers who are losing out because their distribution chains do not include the shared SOC/CISO services needed by the 99% of UK businesses with no in-house ICT skills. These need people, not just technology, support.

September 2, 2019  4:59 AM

The UK’s leading employer bodies call for Apprenticeship Levy to be opened up

Philip Virgo Profile: Philip Virgo

An open letter to the Chancellor

The Recruitment and Employment confederation has pulled together a coalition of business organisations, representing tens of thousands of employers and millions of employees, to write (see below for text) to the Chancellor of the Exchequer, Sajid Javid MP, urging him to enable employers to spend their levy funds more flexibly and allow millions more workers to benefit from quality training and opportunities for career progression.

Where are the High Tech Employers?

This call is far more important to the economic future of the UK than the extra Government funding for Further Education but the consortium does not appear to include the CBI and Tech UK. Do their members still give priority to retaining the ability to import supposedly skilled staff from the rest of Europe and/or India over working to create UK skills frameworks, for standards as well as funding, that are employer driven and fit for purpose? If so, one cannot really blame them. They spent over a decade after the Sector Skills Councils were created trying to get Government to allow supposedly employer-driven programmes to be driven by employers, free from the narrow constraints imposed by the academic advisory boards of national funding and standards councils, agencies and regulators.

It is time to make a public fuss

I remember a meeting in 2004 convened by the personnel director of the UK’s largest software and service employers and twenty of his peers (plus a TUC representative), where they said that unless Government started listening to them they would walk away from its skills programmes. They would not make a public fuss. They would continue to “go through the motions”. But they would do what was necessary. Officials did not tell Ministers. Government did not listen. The industries overseas recruitment and offshoring grew rapidly over the next decade. Today it is fighting to retain “freedom of movement” and visas to allow the bulk import of those for whom digital apprenticeships were supposedly intended.

The referendum vote meant Change or Die

I suspect that the members of the CBI and Tech UK still do not believe that making a public fuss to reform the UK skills system, the stranglehold of the “blob” (the term coined over twenty years ago for the hierarchies of advisory committees which make up the UK educational establishment) and enable change. I confess that until the unexpected result of referendum I too was among those working to try achieve via Brussels what we could not achieve via Whitehall. But the people spoke. The half who have not done well out of our membership of the EU, whose children do not got to University or who have returned home, unable to earn enough to live independently after paying their student debt, want change.

Time to halt the dominance of the Haldane Principle

We have been stick for far too long with education and skills processes and priorities administered by a self perpetuating oligarchy of committees following variations of the 1917 Haldane Principle . The “principle” was designed to “liberate” University research from the dictats of outside sponsors.  Despite half a century of criticism and calls for it to apply only to a limited proportion of government funded research, the principle was re-enacted in 2017 for programmes co-funded with industry.

It has also dictated the shape of our education system. The UK  is uniquely dominated by hierarchies of committees driving processes to  select and filter for academic excellence, alias the memory, logic and mental discipline needed for “pure”, as opposed to “applied”, research. That has led to UK Universities leading the world in measures of research excellence while they fail to provide the attitudes and disciplines (e.g. team working and creativity), let alone skills, needed by employees to develop innovative products, bring them to market and/or to grow them into a competitive business.

And heal the schism

The resultant tensions came to a head, when the majority of the UK voting against the advice of the intelligentsia who had denied them and their children access to the skills of future in favour of importing them from abroad. Then the students voted in favour of a pied piper pledge to scrap student loans and robbed Theresa Mayor her majority. The report she subsequently commissioned from Philip Augur highlighted , inter alia the social injustice of the current system.

The time has come for action to remove the obstacles to creating many more apprenticeships, including degree linked, and give hope to those trapped by student debt as well as to the next generation and those whose jobs are at risk if they cannot keep abreast of changing demands for skills. We need to be able head off calls for destructive revolutionary action that would delay constructive evolutionary change.

Who signed and Why

The coalition includes the two accountancy bodies (AAT and CIMA),  the Chartered Institute of Personnel and Development (CIPD), Freight Transport Association (FTA), Association of Independent Professionals & the Self-Employed (IPSE) and ScreenSkills (the body for the UK’s screen-based creative industries).

Mark Farrar, Association of Accounting Technicians (AAT) Chief Executive, said;
AAT has campaigned for the apprenticeship levy to be renamed the “Skills Levy” and broadened to include traineeships and other forms of high quality training since 2016. Widening the remit of the levy will help address the fall in apprenticeship starts, the frustrations of many employers and the future skills needs of UK plc.” AAT has around 90,000 student members, 20% of them apprentices, although not all within the meaning of the current levy.

CIMA’s Andrew Harding FCMA CGMA, Chief Executive – Management Accounting, added;
We must better support current workers to reskill and upskill throughout their careers. This is why it is essential that we review our national education and skills policies, especially the apprenticeship levy as it currently stands, expanding it to provide for reskilling and lifelong learning.

The Text of the Letter

2 September 2019

Rt Hon Sajid Javid MP
Chancellor of the Exchequer
HM Treasury
1 Horse Guards Road
United Kingdom

Dear Chancellor,

As representatives of tens of thousands of businesses, representing millions of workers from every corner of the UK, across all sectors and sizes of firm, we urge you to broaden the apprenticeship levy so that funds can be spent on other forms of accredited, quality training. We believe this approach would benefit workers, employers and the wider economy.

The levy was created with the best intentions, but its complex rules and single-minded focus on just one sort of high-quality training has limited its effectiveness as a policy. As well as a slower pace of growth for apprenticeships overall, opportunities for younger people and flexible workers have been particularly affected, in both the apprenticeship system, and in other high quality qualifications.

An effective skills policy has never been more important. It underpins productivity, opportunity and innovation. Our inability to address stubbornly slow productivity growth is undermining prosperity and opportunity in the UK. This will only get more important as automation, AI and market changes have large consequences for the future of work – something you have noted yourself. Ensuring that the UK workforce has the skills they need to be able to seize the opportunities presented by the fourth industrial revolution must be a shared priority.

During the Conservative leadership contest, you acknowledged the possibility of
“broaden(ing) the apprenticeship levy into a wider skills levy, giving employers the flexibility they need to train their workforce, while ensuring they continue to back apprenticeships.” We believe this would be the right step. A levy that allows businesses greater flexibility to fund accredited, quality training that is effective for workers and employers – rather than meeting a Government target – would be ideal. It would help to fill skills shortages and enable higher pay for workers.

At present, the levy system is actively damaging skills development in the UK economy at what is a critical time. We would be delighted to work with you and the Secretary of State for Education – to whom we have copied this letter – to urgently design an approach that will work for the Government, employers and workers.

Yours sincerely,

Neil Carberry, Chief Executive, Recruitment & Employment Confederation
Peter Cheese, Chief Executive, Chartered Institute of Personnel and Development
David Wells, Chief Executive, Freight Transport Association
Andrew Harding FCMA CGMA, Chief Executive – Management Accounting, The Chartered Institute of Management Accountants
Seetha Kumar, Chief Executive, ScreenSkills
Mark Farrar, Chief Executive, Association of Accounting Technicians
Simon McVicker, Director of Policy and External Affairs, The Association of Independent Professionals and the Self-Employed

August 29, 2019  11:36 AM

Towards a joined-up Cybersecurity Policy

Philip Virgo Profile: Philip Virgo

As part of my retirement hand-over I looked how UK Cybersecurity Policy has evolved over the past 20 years, beginning with the IOCA debate and Y2K, then going through Y2K, Electronic Signatures, RIPA, NHTCU, the EURIM-IPPR Study, ID cards and the failure of attempts by Home Office and Cabinet Office to join-up strategy across the tribes of Whitehall and Law Enforcement. Responsibility for “co-ordinating” cybersecurity policy in the UK has now passed to DCMS but, as yet, little progress has been in reducing the fragmentation, duplication, overlap, conflicts and gaps in statutory and regulatory powers and budgets.

Government departments and Law Enforcement Agencies remain more interested in acquiring authority, budgets and cyberwarfare/surveillance capabilities or regulatory turf wars. There appears to be little or no interest in working together, let alone in co-operation with the private sector,  to use a mix of criminal and civil law to change the risk-reward equations that motivate most criminals,  developers and service providers. It remains almost impossible for most victims to obtain redress. A series of funding and standards barriers get in the way of creating a healthy training and support market to give access to the skills needed for effective protection, investigation or redress. Instead we have a massive spend on technologies which most do not know how to join up and use. The problems are compounded by the spin off effects of the cyberwarfare and surveillance arms races.

Meanwhile the threats, costs and losses have grown exponentially. That should come as no surprise because e-crime has been allowed to remain almost risk-free for the criminals. They co-operate in rapidly evolving consortia as new opportunities emerge. Meanwhile most developers regard security as an annoying afterthought. Few telcos, Internet or transaction service providers actively co-operate with law enforcement to protect their customers, let alone those who personal information they wish to harvest and exploit, unless compelled. The reasons vary but issues of legal liability, confidentiality and trust appear to trump other motivations

The Cyber Security & E-Crime Group of the Digital Policy Alliance, chaired by Baroness Neville Jones, has recently been looking at Cyber Insurance as a Catalyst for Best Practice and on 9th September will be looking current and emerging developments that could shape its future work.

The agenda has not yet been decided but the topics suggested in the advance calling notice included the following:

• challenges in relation to computer assisted crime for law enforcement bodies such as Action Fraud;
• the role of industry co-operation with law enforcement;
• governance structures to promote (IoT) security by design;
• incentives for responsible corporate behaviour;
• pressures on law enforcement & the judiciary resulting from large quantities of digital evidence;
• cyber security skills & the work of DPA’s Skills Group in this area.

The meeting will define the future course of the working group and is for those members and registered observers who will help deliver what is decided. Invitations are available for those who are interested in joining.

This is a unique opportunity for those who are seriously interested in exploiting the current opportunities to make UK cybersecurity policy fit for a post-Brexit world.

It is not enough to have policies that satisfy the conflicting requirements of the EU and US for data protection, including notification to attract fraudsters to the victims of a breach, like sharks to blood in the water. We need to make the UK the location of choice for trusted, secure, on-line business. That includes causing cybercriminals to avoid attacking UK resident consumers and businesses because we are harder to attack and better at organising rapid and effective international retaliation. It should be possible to reconcile those objectives with retaining one of the world’s most competent, devious and ruthless cyberwarfare operations. But the former should not be sacrificed for the hypothetical claims of the latter.

August 19, 2019  7:44 PM

From Action Fraud to Action Plans

Philip Virgo Profile: Philip Virgo
Facebook, Google

1 Action Fraud had an impossible task

The Times undercover investigation at Action Fraud  has led to a rash of publicity, both tabloid  and professional . The only surprise is that it has taken so long to expose the mismatch between public expectations  and delivery.

Action Fraud’s own website  indicates what the service does not cover and thus demonstrates the need for more joined up “reporting”.

There is also the need to distinguish between “reports” that are expected to lead to action and the many thousands of “notifications” that might arise from a single criminal action. An example of the latter was the premature and untargeted elease of a piece of ransomware which, inter alia,  crippled parts of the NHS. We also need to better handle the many thousands of partial reports from those have suffered loss or distress but cannot provide sufficient information to enable action, even were the resources available.

It is all very well to have a review but this needs to lead to much more than a simple change of contractors.

The Action Fraud team were set an impossible task. Loss of morale and cynicism were inevitable. But the problem goes deeper. The opportunity should be taken look at how to create honest and effective processes which also filter and distil incident notification with regard to all forms of cybercrime and abuse, into usable intelligence, actionable reports and effective victim support. That is much bigger task than Action Fraud was created to address but is essential to restore public confidence in the Internet as a safe place for voters and their children as well as the 99% of businesses with no in house security expertise.

Hence the business case for Telcos, ISPs, Social Media Companies, On-Line Retailers and Transaction Service Providers and all others who want the on-line world to flourish to co-operate with law enforcement. The need is to more effective clearing houses for information on abusive/criminal activity to enable action under both criminal and civil law to remove weaknesses, prosecute/deter perpetrators and change professional/corporate behaviour towards security by design, as opposed to afterthought. [link]

2 The reasons were identified over a decade ago

The problems were foreseen in 2004. The fifth discussion paper of the EURIM -IPPR study into Partnership Policing for the Information Society was on “The Reporting of Cybercrime”  It warned that: “Easy-to-use incident reporting systems are likely to be swamped unless material is received in a form suitable for automatic collation, analysis and forwarding. That means web-forms and/or pre-validated submissions from “trusted” sources, e.g. Banks or ISPs, on behalf of customers … The UK routines for reporting suspected money laundering illustrate the paralysis likely to result if this is not available.”

There was already a need to “reduce fragmentation and duplication of effort with regard to reporting structures and improve the availability of intelligence to help focus existing resource” and “a Catch 22 situation with regard to justifying the resources necessary to create easy-to-use reporting systems that will not be swamped. Without such systems we risk confidence in the Internet being eroded by the inability of most users to report incidents to someone who will take notice of their concerns. Education and awareness campaigns could do more harm than good unless accompanied by such routines.

3 Now we face the predicted loss of confidence

The failure to create effective processes to collect and collate information on attacks to support the business case for action, has led us to a situation where criminal behaviour is almost risk free and therefore rising sharply.

  • Government cybersecurity policy is focussed on the needs of GCHQ and MoD for state security and cyberwarfare rather than to protect citizens and business.
  • Telcos, ISPs and other technology suppliers are effectively discouraged (on competition grounds) from working together to collectively remove the vulnerabilities that enable their customers to be attacked and abused.

Neither group gives serious priority to working with law enforcement and victims to identify and prosecute or sue the culprits.

I recently blogged  that in June 2019 there were around 370 exhibitors at Infosec, most of them promoting cloud and/or AI based threat intelligence and/or behavioural analytics services to digest the billions of “attacks” into actionable information. Much of what they collect and report overlaps with what the National Fraud Intelligence Bureau  hopes to receive, at no charge, from analysing that notified via Action Fraud and its other sources.

4 We have to unpack the problem to rebuild trust

Back in 2004 the EURIM -IPPR report said: The reporting problem can be addressed in manageable chunks, but to do so will require co-operation amongst a number of players, recognising that there are three distinct, albeit overlapping, reasons for establishing reporting mechanisms:

  •  the need for information on the size and nature of e-crime, to plan the right levels of skills, resource and working practices and commit to appropriate levels of investment across government and industry to reduce the opportunities for e-crime;
  • the need to report suspicious incidents, vulnerabilities, adversary capabilities and the like, to enable the collection of intelligence, linked to means whereby this can be fed to different constituencies to enable them to protect themselves from new threats and vulnerabilities as they emerge – and to product suppliers to address security weaknesses;
  • the need to provide the means whereby individuals and business can report and support investigation of suspicious incidents.

All three might also benefit from routine bulk reporting by those running protection services for their clients, most of which include monitoring, analytical and trend analysis services.

Today the organised of bulk incident notification to enable collation and distillation into actionable intelligence in support of collective  investigation and action under both civil and criminal law (as recommended in Fighting Fraud Together) will be much harder.

  • Partly because of the massively increased volume of attacks.
  • Partly because the private sector cybersecurity industry, geared to the needs of Government and big business is a $multi-billion industry with little incentive to provide uncharged access to law enforcement.

5 We have to change the incentives

The situation would change rapidly were those who pay for commercial cybersecurity services to require the ability to pass their incident reports, in common format, to a central clearing house akin to that recommended in 2004.

In 2008 the UK clearing banks offered such a service as a by-product of a real-time shared fraud detection services linked to payment clearing. Parts of HMG, however, wanted statutory access. I will not go into the reasons (including the position of City of London operations in the critical financial services infrastructures of overseas Governments) why statutory as opposed to voluntary access is impractical.

At present the prime incentive for cahnge is the desire of the major advertisers, who fund the Internet as we know it today, to protect them brands from piracy, stop them from being damaged by being associated with abuse and to check that thec click they pay for are genuine. Google and Facebook have little choice but to respond. The means they use could also help transform the safety and security of the Internet as a whole

6 There are many questions

The questions asked in 2004 remain pertinent:

  • Who wants to report what to whom and what do they expect to happen afterwards?
  • Who wants to receive what reports, on what and what are they going to do with them?
  • Who should be responsible for analysing reports, producing intelligence for dissemination and information for action by which appropriate authorities and organisations?
  • How should such intelligence be distributed to different constituencies, and by whom?
  • What reporting already happens (private sector, law enforcement agencies, regulators etc.) and how might existing information be better processed and shared?
  • What are the potential volumes? What resources would be needed to handle them?
  • What governance and security processes are appropriate for which material?

7  We should be honest about Intelligence Gathering versus Reporting

Those contacting Action Fraud or abuse@ teams and others need to know whether their submissions will be treated as:

  • Intelligence – to be distilled into action plans to remove vulnerabilities, disrupt criminal supply chains or enable partnership action (under a mix of civil and criminal law)
  • A potential crime report – for criminal investigation, whether based on the collation of intelligence, a report by an individual victim or a rpeort by an ISP or Bank covering an attack on a number of customers
  • A potential case for civil action by victims (or a group of victims) and their lawyers/insurers because there is insufficient evidence or resource to support a criminal prosecution.

However the submission is  treated, there is a need to provide the victim with realistic advice. In 2005 the Culture Media and Sport Select Committee saw this a role for Citizens Advice or the Law Society (Para 25) . Citizens Advice appear happy with this recommendation, provided they are given the necessary support.

I have now handed over my project portfolio but remain on the advisory board of the Digital Policy Alliance and plan to attend the next meeting of the Cybersecurity Group. I intend to suggest convening a round table on reporting to see whether there is support for an exercise to update the exercise done in 2004 – but without the expectation that Government can and will lead a joined-up exercise. That is because the conflicting agendas across the tribes of Whitehall, let alone across those of law enforcement, make an industry-led approach more likely to succeed.

But is the loss of confidence in the on-line world such that the leading players are willing to work together?

And would Ofcom (as competition regulator for the on-line world) allow them do so?

Those are questions I leave to the next generation.

That said – the new Ministers at DCMS ARE from the next generation.

So are those at the Home Office and BEIS.

And we can see a stiff breeze of change beginning to waft through the corridors of power – beginning with demands for weekly progress reports on Brexit arrangements.

Given that we are in the foothills of the most unpredictable general elections in several decades we might even see democratic pressures over-ruling departmental agendas.

Make YOUR voice heard.

Such opportunities do not happen often.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: