This morning the House of Commons Science and Technology Select Committee released its report on the “Digital Skills Crisis”. This afternoon the House of Lords debated the government response to its “Make or Break” report last year. Last week the European Commission published a proposal for a Skills Guarantee. Meanwhile BIS is ploughing ahead with byzantine routines for a return to the type of training grant and levy scheme that was scrapped (for good reason) in the 1980s. Unfortunately, though dead, the idea of grants and levies, job creation schemes for bureaucrats, will not stay buried. In 1992 I helped kill an attempt to revive it with a Bow Group paper on the theme of “Training for jobs not just jobs for trainers”. The processes proposed by BIS to fund “approved” training organisations to deliver apprenticeships which meet criteria dictated by officials not employers make the average European “initiative” look like a model of efficiency.
I therefore applaud the recommendations by the Select Committee that
- “Government needs to work closely with employers, higher education institutions and schools to understand the apprenticeship marketplace, to ensure that education aligns with industry’s requirements, and that apprenticeships are delivered in a flexible way to adjust to future changes in the digital sector” (Para 54)
- “Government should emphasise the need for more digital skills components in all apprenticeships … ” (Para 55)
- “should review its Trailblazer initiative, making it more streamlined and accessible … simplifying the scheme’s processes” (Para 56) and
- “… make it easier for industry to partner with universities and colleges to support student teaching … work placements … allow the cost to be written off against the Apprenticeship Levy contributions” (Para 57)
I am less happy with the recommendation that “The Government should review the qualifying requirements for the new IT roles added to the Tier 2 visa “shortage occupation list”, making it easier and more flexible for SMEs to recruit top talent from outside the EU” (Para 30). The European Commission proposal for a “Skills Guarantee” to help adults stuck in low paid jobs is more forward looking, but the Committee’s recommendation is perhaps inevitable, given the 50 years of policy failure summarised in my evidence to the House of Lords report (see pages 1057 – 70) and referred to in my blog entry, describing the need to break out of groundhog day, when that report was first published.
“The crisis is over. The patient is dead”.
We failed to use the past “crises” as a catalyst for change. Things came to a head during the run up to Y2K and the “false start” of the transition to mass-market, Internet-based on-line systems. My 2001 IT Skills Trends report was about surviving the bursting of the dotcom bubble and preparing for the skills that would be in shortest supply when recovery came – in 2005 – 6. But that recovery did not come. By 2006 demand and salaries for those jobs which could easily be moved off-shore had stagnated. Much of the software and support industry had come to be staffed by a mix of overseas systems development and imported contract labour. We were facing the consequences of our inability to retrain our existing workforce, let alone our failure to educate and train our children. I stopped writing the reports. They had become too depressing and the only ones taking action were those who helped write them.
An Apprentice Levy without a credible, let alone efficient, Grant process
Today we have a curate’s egg: unemployed computer science graduates in parallel with unprecedented shortages of competent and trustworthy recruits for Fintech and Security roles, and another exercise to dig up the dodo of levies and grants. This time the grants are ring-fenced to meet the costs of “approved providers”, officials are trying to dictate the requirements that employers are allowed to have, and there are different processes for England, Wales, Scotland and Northern Ireland. Last week I attended a briefing session for employers. Those serious about training their future employees with the skills they will need were already looking at how to bypass the system, writing off the levy as a payroll tax on those jobs they could not realistically subcontract or move out of the UK. It is, as the Commons Select Committee has pointed out, not only unfit for purpose when it comes to the needs of SMEs (Para 30); it looks unlikely to meet the evolving needs of those large firms who already train their own and/or those in their supply chains.
But markets do not stand still. The Commons Select Committee’s call for the annual “dynamic mapping” of initiatives against demand, so as to create a long term mechanism for adjusting the strategy (Para 29), is therefore particularly welcome.
The recommendation that Government should commit “to work with the Tech Partnership to develop industry-led, vocationally focused careers advice …” (Para 43) is also most welcome, but this should be extended to cover school-leavers. We can no longer afford to peddle the immoral fantasy that the majority of our children will benefit from starting their working lives saddled with student debt after spending three years to become less employable than if they had been paid to do a graduate level apprenticeship. In 1982, in “Learning for Change” I attacked both
- “the examination treadmill to which we chain our adolescent youth in a set of puberty rites crueler than those of primitive Africa. At least in Africa they do not label any of the participants as failures” and
- our confusion of “education” with taxpayer subsidy for the middle class ritual of kicking the fledglings from the nest.
The many recommendations of the Select Committee with regard to computing in schools are worthy, but the most important is Paragraph 83, where it recommends working with the Tech Partnership “to raise the ambition for, and coverage of, industry led digital training, and to make it easier for businesses of all sizes to get involved“.
The need to “break open the educational ghettos” has been a key message since 1982, when PITCOM organised for relays of school-children (from 30 schools) to man an exhibition in the Upper Waiting Room of the House of Commons (26 computer systems, up to 14 running at any one time off three power points, at a time when Parliament had no facilities for school visits!). That exhibition was attended by 120 MPs: one returning six times to get a group doing Economics A Level to run variations on the Treasury Economic Model. Hence my long-standing support for Donald Michie’s idea that MPs should be able to simulate the effect of the legislation, including amendments, which they are expected to approve.
That was over 30 years ago. It is therefore particularly sad that the same messages have to be repeated as though they are new. The reason is linked to the prevalent assumption, evident in paragraphs 70 – 76, that teachers (whether in School, College, University or Industrial Training Centre) have to be experts in IT in order to educate their pupils/students. If that is correct then there is no solution, other than to rely on those (in other parts of the world) who use their limited supply of skilled educators to supervise the delivery of blended learning (a mix of packaged learning materials, personal contact and supervised work experience) by mixed teams of assistants and subject experts: which is what successful digital “informal learning” groups (para 70 – 77), as well as enlightened employers, have been doing since before school computing curricula or computer science degrees were invented. Hence some of the recommendations in my own submission to the Select Committee.
Since I posted this there have been many entries on an impassioned ISOC discussion thread. So far I draw three main conclusions:
- Democratic accountability is alien to ISOC. It has long been structured as a top down organisation, living off the revenues from .org, with multiple groups in which anything can be discussed, but no-one can organise a meaningful vote and absolute power resides with the trustees. I have therefore been wrong for over a decade in thinking it might ever evolve into a governance body.
- The deal has not yet been consummated and the identity of the investors and their forward plans are still unknown.
- The way is open for the World Internet Conference and the ITU to establish a Government-led governance body unless and until the Western NGOs can enlist the support of the Internet Association for a credible alternative.
The Internet Society (ISOC) has sold the Public Interest Registry (which includes .org) to a recently created Venture Capital firm in order to create an endowment fund. Ethos Capital was apparently created for the purpose of the acquisition, with the domain name registered by an advisor to the World Internet Conference. If so, this might be a means of helping ISOC to meet its charitable objectives in those areas where Internet usage is lowest, with Chinese co-operation. But that would raise more questions than it answers, not “just” whether the price of .org registrations will rise sharply. Over 20% of the world’s population is now on-line. They face a rising tide of abuse and crime which threatens to curtail confidence in the brave new world which the new Internet Association is trying to promote. Co-operation with the Chinese, rather than the current trade war, might well be to the benefit of all of us. But at what price? To whom? Or is this “merely” a “clever” way of taking the PIR out of play?
Whatever the answers this raises the question of the current/future roles of ISOC and of the Public Interest Registry.
Domain names are at the heart of both cybersecurity and surveillance
I paid $20 to join the Internet Society (not to be confused with the new Internet Association) in 1995. I had been told that it was the best hope for the Governance body that the Internet would need if the Atlanta Olympics (the test bed for the “commercial” use of internet protocols) was a success. It was, save for one highly embarrassing problem with data loss. It took two days to rework the interface between the local high speed information feeds and those used by most Western media so that it also coped with the slow speed feeds then used by much of the rest of the world, who had not prepared and blamed the organisers. Everything else worked. Most importantly, fraud (on the unprotected booking systems) was negligible. Criminals had not discovered the opportunities.
The members of the Internet Engineering Task Force, led by IBM, EDS and CISCO, then released a $2 billion war chest to “re-engineer the Internet”. They were told that they faced three main problems. Security, security and security.
They still do.
And the domain name system is at the heart of those problems. Just as it is at the heart of the Internet.
Hence the critical role of the registries.
They are far more important than Governments and Regulators when it comes to creating a meaningful digital identity ecosystem.
The other point of leverage is the world’s international airports
Today the equivalent of the Atlanta Olympics is a major international airport: 24 by 7 all year round, not just a brief window every four years. All the world’s identity and authorisation systems (passengers, local contractors, security staff, airline staff, maintenance staff, air freight in transit, aerospace components etc. etc.) come together … or not.
The result is de facto real-time identity arbitrage, in ways which also expose why Government will always fail to produce identity policies that are of any value to most of us. They find it hard enough (and in the case of the UK impossible) to agree policies of use to their Armed Forces, Education, Health, Justice, Law Enforcement, Tax and Welfare operations.
The sale appears to open up great opportunities … but for who?
The transition to IPv6 supposedly offered an opportunity to remove many vulnerabilities in the way the domain name system is used, perhaps tying addresses to items of hardware and wetware (human biometrics and DNA).
But if the registries, including those trusted internationally, are themselves in play, to be bought and sold, this opportunity evaporates. Governments will feel the need to intervene.
If so, has the time come to merge the Internet Governance Forum and the World Internet Conference, and for both to work with and through the ITU? Or are abuse, confusion, fragmentation, fraud, incoherence and impersonation a price worth paying to preserve dissidents from being hunted down by oppressive regimes?
For those concerned with Internet Governance and the protection of users, whether from dominant players, government agencies or organised (or disorganised) criminals, these questions seem to be a rather more important topic than Brexit (what that will mean in practice!).
Or am I massively over-reacting?
I would love to be told that I am over-reacting and that ICANN and/or the IETF members have already thought through the consequences. Or is it correct that they have only just learned of the sale? I look out of the window and have yet to see the pigs flying past, so I suspect the lawyers have only just started to read their way in.
Your opportunity to catch up
Next week (12th November) I look forward to catching up with what is happening on the UK cybersecurity skills scene at the first Digital Policy Alliance review meeting since I handed over as rapporteur for the cybersecurity skills group. The members have been heavily involved with the Alliance which won the bid to plan the new UK Cybersecurity Council. I expect to hear what has happened since the contract was awarded. I also expect to hear the current state of the other programmes under way, including apprenticeships, where there has been controversy on a variety of fronts: including over moves to better keep abreast of the accelerating pace of change with regard to the certifications and assessments (often set globally) required by major customers. I also note the intention to take a long overdue look at operational skills and those needed to better secure critical infrastructure.
The meeting is for DPA members and registered observers only but those interested in joining are welcome to attend as a taster meeting – before joining to participate in the follow up. More details are available at: https://www.dpalliance.org.uk/join-us/
I regard participation in this group as a MUST for those who are serious about having access to the skills they need to protect themselves and their customers, particularly because the area is beset with so much myth, nonsense and conflict of interest. Some of the issues also have a surprisingly high political profile, thanks to the number of well-connected victims. And whoever claims to know what is going to happen after the election is probably deluded. Even if the Government wins we can expect to see attempts to bring about radical change fought by those who wish to preserve current priorities.
What has been changing
After my hand over I visited InfoSec, looking at what was on offer from a different perspective. I wondered how many AI-driven threat intelligence services the market needs, as opposed to co-operation with law enforcement and technology providers to collate the intelligence and “remove” both vulnerabilities and predators.
The focus of security vendors on a relatively small number of enterprise customers, and of the security operations centres focussed on their needs, led me to take another look at the skills scene. But at the same time I was looking at the issues from the perspective of the victims, including businesses large and small, society at large and the cost of crumbling consumer confidence in the safety and security of the on-line world. Then came the DPA meeting to look at Cyber Insurance as a point of leverage. I recently blogged on my personal conclusions from the discussion. This morning, however, I thought again about the consequences if the insurers achieve their objectives.
Is nothing compared to what may be to come
If they succeed in producing readable guidance on what potential victims need to do in order to be insurable, the result could more than decimate both the cybercrime and cybersecurity industries. We will move towards a world in which business spends about the same on cyber insurance as it does on security products and services. We will also see insurance companies fund “risk reduction” and “asset recovery” operations in much the same way as they used to fund fire brigades and detective agencies in order to reduce the losses they had to cover.
On the way we will see a transformation in the demand for skills to run cyber protection operations as opposed to cultivating skillsets akin to those of “cyber-arsonists”.
But that is for the future.
For the here and now I strongly recommend participation in the DPA cybersecurity skills sub-group in order to make sense of what is happening and ensure that your needs, whether as an employer or training provider, are met.
I remind you that the meeting next week is for DPA members and registered observers only, but those interested in joining are welcome to attend as a taster meeting, before joining to participate in the follow up. More details are available at: https://www.dpalliance.org.uk/join-us/
P.S. Do not ask me where the meeting is. I do not know and will not be told until shortly before, and only then if there is room for observers not expected to help deliver what is agreed.
Computer users spend over £150 billion a year on products and services that do not always protect them and their customers from on-line attack and fraud. They spend barely £7 billion on cyber insurance for when they fail. By contrast, spend on fire protection and fire insurance is about the same. Spend on theft protection and theft insurance is also about the same. The big difference is that we know what we have to do in order to get fire and theft insurance, i.e. precautions, alarms, fire doors, locks etc. to reduce the likelihood and limit the damage.
Underwriters are said to have well over £20 billion available to cover more cyberinsurance. But most organisations are uninsurable. They may spend large amounts on security products and services but they do not do that which reduces the risk of a successful cyberattack, limits the consequent damage and/or facilitates “asset recovery” (including to help track, trace and sue those responsible, if this is likely to be cost effective).
Last week I attended a discussion on follow up to the DPA paper on “Cyberinsurance as a catalyst for good security practice“. The meeting brought together those working on common “guidance” for cyber policies, those selling the policies and those advising on risk and/or auditing security. We also had some perceptive inputs from the head of one of the UK’s largest (in terms of organisations, networks and end-points monitored) Security Operations Centres. The discussion was crisp, candid and shorn of jargon. It covered the current state of play (including forward plans), why things are as they are, what is being done by whom and the points of leverage. There will be a report for DPA members and observers.
The discussion brought home to me why we have made so little progress in helping the average Director or Business Owner make sense of the current cacophony of “awareness” messages and marketing hype for security products and services, from encryption, filtering and penetration testing to threat intelligence. Too many players benefit too much from allowing Directors to waste their organisations’ time and money to little practical effect with fragmented approaches. Too few would benefit from expediting the rationalisation and simplification of joined-up guidance that would expedite maturity, insurability and radical risk reduction.
In the event of fire and theft there is clear guidance as to what the customer needs to do in order to obtain insurance cover and make a successful claim if things go wrong. That guidance is based on a distillation of practical experience. Consultants and vendors tailor their offerings and sales messages around what the insurers expect to see done in order to reduce/manage risks before they will cover them.
In the area of cyber risk that guidance is only now being drafted. At the current rate of progress it is likely to be agreed sometime in 2021.
But it is being drafted in the terminologies used by insurance and security professionals and their lawyers. It is likely to be unintelligible to the rest of us. Moreover, the pace of agreement is determined by the priority being given to the exercises by those with the necessary expertise.
Political and regulatory interest is likely to complicate and delay the process. There are too many conflicting agendas – both national and international.
Progress will be expedited as leading insurers perceive the potential for more business, and for that business to be more profitable, because risks will fall as organisations do what is necessary to become insurable.
There is obvious benefit from an exercise to produce interim “laymen’s guides” covering what is likely to be agreed, with the aim of helping provide more profitable insurance at lower cost to organisations which better manage risk and are therefore less likely to make claims.
The next meeting of the DPA cybersecurity group is expected to bring together those major insurers, security organisations and enforcers who are happy to task their staff to work together accordingly. I am now only a member of the DPA advisory board, but my current work on community safety has led me into the areas of “reporting” and of “victim support” (including business victims, large and small). I look forward to seeing practical progress, led by the insurance industry, as they have led the way in the past on other areas of risk, from fire brigades and safety at sea to product liability of all kinds … but not (yet) software and cyber.
DPA Groups are driven by their members. Those wishing to join this one, perhaps using the DPA offer of a taster session before paying the subscription, should contact DPA and request an invitation.
Turbocharging is the new post-Boris buzzword. It is apt for the £5 billion boost to broadband roll out announced at the Conservative party conference. It does not really matter how much is new money and what the details are. That is likely to emerge during this year’s INCA conference on the 16th and 17th November. INCA could not have timed it better … it is almost as though they had advance notice!
The INCA sessions on rural broadband, investment, barrier busting and skills are likely to be particularly interesting, given the discussions at the Conservative party conference (one might call them leaks, but it was more like a waterfall). I am intrigued by what INCA members plan to discuss in the newly added section on Brexit, unless it is the changes they want to see, e.g. to state aid rules, if Brexit does indeed go ahead. I explain below why I expect it to have little, if any, impact on the availability of skills.
1 Restore EIS status to B4RN Clones and trigger a Rural Broadband Revolution
Before the summer, at a Westminster Forum event, Barry Forde pointed out that, but for HMRC removing EIS status (because B4RN investors were not at risk), their approach could fibre up the final 5% at a fraction of the costs quoted by BT and others. He was not offering to scale up B4RN itself; he said that community enterprise was not inherently scalable because all communities are different. He did however suggest packaging up the way it operated for others to copy, wherever there was the necessary spirit of self-help.
He summarised the positives behind cloning the B4RN approach as below:
- Not for Profit community Benefit Society, community owned
- Parish based
- 100% coverage (so USO irrelevant)
- ~120 parishes in build (area ~2,000Km2, area inside M25 ~1,500Km2)
- Initially 100% Funded by community
- £6M Community Shares
- £2M Community loans
- £3M Community Bonds via Triodos Bank’s Crowdfunding platform
- Full fibre delivery-average cost below £1500
- ~10,000 properties passed (about 95% meet eligibility criteria for USO)
- ~6,000 properties connected
- ~12,000 properties in build pipeline (over next 24 months)
- Additional massive demand from all over UK, but we cannot meet it
- Need more B4RNs!
- Now using GBVS & RGC vouchers worth average of ~65% of build costs, community raising remainder.
Then he went on to say what Government should do if it was serious about allowing community enterprise to connect the final 5% at affordable cost:
- Government has good intentions but fragmented delivery damaging
– HMRC EIS tax relief withdrawn due to perceived low risk
– Treasury awards funds for LFFN due to perceived high risk
– Which is it? A stable situation which we can plan for is vital
– Fibre infrastructure build is challenging and takes time, changing rules mid race is fatal.
- USO for last few percent of properties that get <10%, £3400 cost cap.
– B4RN already does 100% coverage in its builds for <£1500 and 95% of our properties are in the USO zone
– But explicitly excluded from accessing USO funds which only BT can get.
– USO severely damages fund raising in additional deep rural communities
– Communities will have to raise funds to overbuild whatever BT delivers as little if any of it will be full fibre.
- OFCOM attitude to rural last 30% where competition doesn’t exist
– Propose to allow BT to lift charges in rural areas to fund more full fibre build
– This is a stealth tax levied on rural customers for the exclusive benefit of BT
– No competitive element in scheme, community projects excluded.
- OFCOM Dark fibre proposition
– Rural altnets need access to dark fibre for backhaul.
– OFCOM’s proposal is for exchange to exchange fibre only which benefits retailers of Open Reach products but cripples any organisation trying to build new infrastructure in competition with OR.
- OFCOM appears too supportive of Open Reach and anti-competitive, every initiative makes the playing field less level.
- DCMS Vouchers GBVS & RGC
– Excellent idea. Could perhaps graduate the RGC vouchers for degrees of rural reaching the USO £3400 in the most remote areas.
– But scheme only runs to 31st March 2021. That’s an almost impossible timescale to deliver complex infrastructure builds. It needs extending.
– Also need some sanity checking around local authorities being able to flag post codes as potentially getting FTTP at some point within the next three years and hence locking out the vouchers to Community projects under State Aid Rule.
– If community project registers a post code for their build then LAs should not be able to barge in later and block things.
It is time to go political
The LibDems and Brexit Party (if we do not “leave” on time) will be competing with the Conservatives for votes in over a hundred rural constituencies where access to on-line services ranks alongside Housing, the NHS and Policing as a priority for voters. The opposition of HMRC to EIS status for community broadband investment therefore appears to be politically unsustainable.
The case is all the stronger because of the priority the Government is giving to using greatly improved on-line access to improve the quality and cut the cost of rural services, including health and welfare. The terms of reference given to Matt Warman to get broadband roll-out moving also imply a robust attitude towards anything else that gets in the way of community or municipal initiative.
He will, however, need sustained and public political support if he is to succeed in driving those seeking to preserve their sacred cash cows out of the way. Without it the UK will fall even further behind.
2 Opening up private sector investment
I was delighted to see the agenda and participants for the INCA Investor Workshop.
The workshop begins with the investment climate being created by Government and Regulator before giving the perspectives of investors, fund-raisers and advisors.
- Cameron Barney have probably handled more investments in more UK broadband companies than any other merchant bank. They have also been able to exit profitably from several well known names, like Gigaclear, when these became attractive to major funds.
- Aviva had been investing in broadband around the world for some years before deciding that Truespeed offered the kind of opportunity that was attractive for its funds.
- Macquarie Capital had similarly been active on other continents for over a decade before taking over KCOM and investing in Voneus.
- The CEB Fund’s first investment was RUNE. The video on their website is worth watching for a very different view to the Swedish Model.
- PMP Conseil will provide a French perspective.
- Abundance organises crowdfunding for Green infrastructures. And infrastructure does not come much greener than broadband. Then we have the fund-raising perspectives of three very different types of operator: ITS, Voneus and Jurassic.
There are many business models for the provision of broadband. These are evolving as technologies and market change. I welcome the “discovery” by landlords and developers of the link between property values and broadband provision and by politicians of the link with jobs and economic prosperity.
It is forty years since I became active on telecoms policy. We had realised that the Wellcome research centre at Park Langley would die unless we could get local access to world-class, global telecommunications. Hence the reason I was allowed time to be politically active on IT and Telecoms policy. I was a lonely user surrounded by the lobbyists of current and would-be suppliers (both incumbents and invaders). I still usually am. They (you) inhabit a different world from us users.
Hence also my comparisons between broadband business models and those behind the building and operation of the canals and railways:
- build networks to international interoperability standards
- raise the money from those who will benefit from the uplift in property prices and improved connectivity
- then sell the networks to operating utilities
- try to locate where you are served by at least three competing networks using different routings/technologies
Politicians are finally waking up to the linkages … and their reasons and implications. I am not so sure about the telecoms community. We had a cacophony of canal operating companies opposing the building of railways. We are now beginning to hear the voices of railway operators opposing the rise of motor transport.
In the mean time, however, I applaud INCA for putting together this workshop.
3 Barriers busting needs rigorous quality control
I was disappointed to see that delegates to the INCA conference will have to choose, on the second day, between workshops on public sector support, barrier busting and skills. The three are at the same time. I hope they will be recorded for those who would like to attend all three.
The obstructionism of local authority highways departments is only partly because many have been outsourced to those who have no interest in expediting approvals. Some of the contractors used by the industry have an atrocious record for quality of service, including failure to meet reinstatement standards. The reluctance of landlords and building managers to give access to contractors of unknown provenance can similarly be based on past experience. Both link back to skills – and the common use of East Europeans with unknown competence and poor English.
There is, nonetheless, a genuine need to address the problems that arise with absentee landlords and with intermediaries and freeholders whose prime concern is fee income. Earlier this year I was at a meeting that brought together freeholders (identified by a search in co-operation with the Council) and current occupants to discuss a redevelopment plan that only made commercial sense if it included full fibre connectivity. It transpired that the agents employed by both groups had lied and prevaricated for years, keeping owners and tenants apart, in order to ramp up fees and progress agendas of their own.
I would like to think that most costs and delays arise simply because agents and freeholders do not benefit directly from the increase in value when communications are improved, but are blamed if they allow contractors to cause damage to other networks, utilities or infrastructure.
“Deemed consent” and/or “mandatory” wayleaves and access should be linked to the use of individuals whose competence has been accredited – e.g. by the Highways Electrical Association or a similar body for in-building work. That leads me on to skills.
4 Using network construction skills to build a pipeline to the future
I am very pleased to see the growing co-operation between the INCA and the Digital Policy Alliance with Carolyn Kimber chairing the session on skills and Graham Smith of the Highways Electrical Association on the panel. It is also good to see the participation of the SCTE. The John Henry Group made invaluable inputs to the round table on skills issues that I announced at INCA’s conference last year.
Most of my summary of the findings of that round table appears to hold good but some things have moved on since. Graham Smith had already agreed to take charge of the follow up when I did an update in February. At Easter I stood back and handed my contacts, leads and ideas to the Highways Electrical Agency when he formally took over the running of the Digital Infrastructure Skills Group of the Digital Policy Alliance.
My final task was to help identify Local Authorities and FE Colleges with land and planning permission to host short courses in the use of modern network construction techniques, technologies and equipment. The classroom facilities are easy (B4RN ran courses to international standards in village halls using equipment and materials from their suppliers). The issue is practising with construction equipment on a realistic brownfield/greenfield site.
At the Conservative Party Conference Clive Selley said that BT was now the UK’s largest employer of apprentices and had to recruit and train 12,000 “engineers” over the next two years. The contractors to City Fibre need over 5,000. There were mutterings about the need to import skills. I said that would not help because the individuals would still need to be trained and accredited in the use of modern equipment and techniques. Those already competent earn more in Germany and France. We are also-rans in a race to catch up with Spain and Portugal … let alone Scandinavia.
On Thursday I was delighted to report back to Graham with leads for thousands of trainees for his members. I was also given equally good leads for greenfield and brownfield locations for short modular courses in modern techniques when and where the skills are most likely to be needed. At the Party Conference I had found enthusiastic support from those in a position to make things happen. Training the natives, instead of importing foreigners, clearly strikes a chord everywhere except among London-based lobbyists. [I am a Londoner and I voted Remain – mea culpa]
We need a coalition of the willing to preserve confidence in the safety of the on-line world.
I am attempting to convene a local Community Safety Partnership, using voluntary co-operation between community groups and charities to join up front-line delivery across the silos of central and local government, including health, welfare and policing. On-line abuse, bullying and crime have cut Internet usage among those we are most anxious to help: the frail, lonely and vulnerable. They do not use the on-line services of the local authority or NHS. The closure of our last local bank branch hit them and local businesses hard. Meanwhile there is growing resistance from both victims and volunteers towards providing personal information or contact details, lest these be leaked, sold and/or abused. The effects are compounded by the deletion of existing contact files because of interpretations of the General Data Protection Regulation. Cumbersome processes to get “consent” for the blanket collection of data for vague purposes and/or provision to third parties do not help.
I therefore looked into support for piloting a Cybercommunity Safety Partnership which will support local, people-based processes for those who cannot understand/use on-line processes and no longer trust remote call centres. The idea has struck a chord. A number of industry bodies have agreed to trawl their memberships for volunteers and sponsors to support action, both nationally and locally.
Usage by vulnerable adults and the elderly has plateaued and may even be falling
We are used to data about the increasing ubiquity of Internet usage. This is being used to justify the withdrawal of physical access to banking and/or public services. But the 2019 ONS Analyses unpack some of the data. They reveal a less rosy picture. Half of UK adults have never completed a government form on-line. Most pensioners go on-line only to read e-mails. Most over 75s have not been on-line at all in the past three months. The proportion of adults who are “lapsed” Internet users was under 4% in 2011 and is now over 6% (although the 7% peak in 2017, after the publicity for the Talk Talk breach, may be over). Their fears are justified. Over half have been contacted by some-one offering to fix their computer problems for them. Details are said to be available on the dark web to impersonate most of them and/or obtain credentials in their name if they do not go on-line. Over 10% of adults have already been victims of on-line fraud. We all have difficulty reporting problems, let alone obtaining support and/or redress.
There is safety advice but not for reporting or victim support
There is much good on-line safety advice (e.g. Get Safe Online) but the processes for reporting problems (e.g. via Action Fraud) to some-one who will take action are seriously overloaded. The Victim Support website makes no reference to this area although the Regional Organised Crime Units are supposed to provide an aftercare service. Citizens Advice does not appear to cover cyber problems. Nor does Elder Abuse, although it does have advice on how to conceal that you are consulting them. Meanwhile Facebook, Google and Twitter (the links are to their respective reporting pages) are criticised both for being difficult to contact and/or for failing to respond to reports of fraud/abuse while not checking before removing those subject to malicious complaints. They can’t win!
Many victims want some-one to talk to. Hence the overload that crippled Action Fraud, one of the few services to offer this. The need is to train local health and welfare staff and volunteers to respond. But they, in turn, need to be able to call on assistance from those (including security and legal professionals) who know what can be done, how to secure action and, perhaps, submit an actionable crime report. Help desks in Dublin, Gourock, Barcelona, India or the Philippines may be able to process calls according to a script but cannot be expected to do more.
Meanwhile children are fearful and girls are being driven off-line
Between 25% and 30% of children have been bullied on-line. One in eight admit to bullying. 20% admit to meeting strangers. 10% of those who videochat have been asked to change or undress. Nearly one in six have seen something that encourages self-harm. They bottle it up. 40% have never talked to anyone about the worst that has happened to them on-line. Until recently systemic on-line misogyny, as endemic in Silicon Valley, was a taboo subject when it came to discussing why there were so few women in IT. Today we can see that it is actively driving half the world off-line, from girls to journalists and politicians.
The best advice is not well publicised or used
There are many good sources of advice and on-line materials including the on-line safety websites of NSPCC, Childrens Society, London Grid for Learning and Childnet. There is also guidance (e.g. from Women’s Aid) for older women, linking on-line abuse to domestic and physical abuse.
These need to be much better publicised and also packaged for use locally by
- teachers and school support staff,
- health, welfare and youth workers and
- faith and community groups
to educate and engage both children and parents.
Every turned-round hacker is a win-win
Safety programmes should also harness the talents of those at risk, both to help protect their peers and to learn about cyber related jobs and careers. It is a double bonus when a troubled child and potential hacker, often with previously undiagnosed issues on the dyslexia and/or autism spectrum, is drawn into a programme that will lead them into well-paid employment with an organisation that will provide clinical support as necessary.
The alphabet of concerns to be addressed includes:
• Abuse – child, adult and elder (ad hoc, targeted, random, local, remote…)
• Bullying – including that linking physical and on-line, within schools or communities
• Control – e.g. gangs using social media targeted at local audiences
• Deception – impersonation, loss of identity, loss of access etc.
• Extortion – may be sexual, social and/or linked to control/grooming not “just” financial
• Fraud – all levels, including SMEs and courier fraud
• Grooming – 1/3 of the child abuse images reported to the Internet Watch Foundation last year were “selfies”
Possible Projects (and objectives/deliverables)
There are many areas where “coalitions of the willing” could improve safety, support victims, help them obtain redress and deter abuse and malpractice while Governments, Regulators and Law Enforcement agencies procrastinate in the face of lobbying and legal action.
• Guidance on GDPR for voluntary groups who have no wish to provide personal information about themselves and their supporters, members or clients to third parties unless with explicit and well-informed consent. The need is to digest current complex and incoherent guidance into succinct, authoritative and usable material for agreement with ICO – and then to publicise it.
• Seminars to train teachers, youth and community workers, health and welfare staff in the detection of symptoms of abuse, bullying and/or grooming and in the use of existing on-line safety materials to educate target audiences. This will include working with organisations like the Grids for Learning to identify/produce/publish materials and with relevant professional bodies and trade associations to identify/train volunteers with security expertise to help with delivery.
• Finding professionals, volunteers and materials to help Victim Support and Citizens Advice with relevant technical/legal expertise to handle cyber victims, including to obtain redress where this is practical and realistic. This will include exercises to trawl security professional bodies, trade associations, training providers, law firms and employers for those with relevant expertise and experience.
• Organising/testing/delivering on-line safety material that addresses the evolving concerns of target audiences. Examples include: “How do you protect your phone against abuse, control, key-logging, tracking etc” and “What to do if …”. This will include the identification of well informed and connected supporters and sponsors with business as well as social responsibility cases for helping.
• Identifying and promoting the services of those offering virtual CISO/SOC and/or legal services to SMEs. This will entail co-operation with professional bodies, trade associations, product and services suppliers and Internet service providers who are unable to otherwise address 95% (by number) and 50% (by value) of the cybersecurity market and/or who wish more customers to move on-line.
• Identifying those willing to act as police service volunteers (warranted or not), including to provide non-emergency back up to local community police teams as well as the national panel being created by the NCA, NCSC and NPCC to support major investigations.
This may require restarting political activity on the governance of voluntary co-operation between industry and law enforcement and the use of professionally trained and qualified volunteers akin to that which led to the recommendations (over a decade ago) in the EURIM-IPPR Partnership Policing study. That group also responded to David Blunkett’s Community Policing consultation. Changes were made in 2011, during the run up to the Olympics, to enable medical and security professionals and military reservists to become police service volunteers and special constables.
Many forces have not yet, however, implemented those changes. The number of volunteers and specials in London fell sharply after the Olympics, when the number of special constables in the Met Police peaked at nearly 6,000 (the target for the Games had been 10,000). The number fell by 8% the following year. The fall accelerated to 20% in 2014. There are now fewer than 2,000 (a fall of 17% on 2018).
• Skills and careers out-reach programmes with a priority on turning those at risk into assets. The aim would be to organise local access to the relevant national programmes, including cybersecurity apprenticeships. The successful Plymouth pilot needs a new write up now that it has been packaged for replication with help from DCMS and others. It indicates what can be achieved but also the pre-conditions for success and the problems that have to be overcome.
The neurodiverse may have great talent but may also need ongoing clinical support which conventional employers cannot provide. Hence the value of linking local skills incubators to shared SOC/Virtual CISO services underpinned by joined up (across Central Government funding and procurement silos) contracts to support public sector organisations both large (e.g. Local Government, MoD and NHS) and small (e.g. Schools and GP Practices).
• Addressing the way girls are driven off-line. Here the need is to work with organisations like Cybergirls First to produce a video and materials package covering risks, self protection and careers advice, plus contacts and support services. The Cybergirls First model is focussed on the age group and communities where girls are at most risk of being driven off-line and appears to be very successful.
Success does, however, depend on assembling a critical mass of employers who wish to publicly position themselves as employers of choice for girls (at all levels of seniority). It has been shown to work with well known employers wishing to support and recruit from inner city schools within easy travel of their City Centre locations. Packaging it for local employers and travel to work areas across the country probably requires support from the public sector organisations who are often the largest local employer.
• To bring together best practice in the above in local geographic partnerships to show how all parts could/should fit together to have a transformative effect on both safety and confidence.
Variations on the project ideas above are already being implemented across the World, not just the UK, but it is still more common for square wheels to be reinvented with public funding. The latter is too often focussed on “innovation” as perceived by those who do not know what has already been tried and failed.
We need support for copying what has worked elsewhere, after checking any pre-conditions for success.
Are you interested in helping to create coalitions of the willing to make things happen?
The first organisation to like the concept was the Security Panel of WCIT, the IT Livery Company. This blog entry is based on the request for volunteers they will be sending to their members. I plan to make similar requests to most of the other members of the Alliance, led by IET, which is creating the new Cybersecurity Council.
I also intend to approach those who fund the Internet, the major advertisers whose spend is wasted if paying customers turn their backs on the Internet. Another target group is the banks and on-line retailers who will have to reverse their business models if confidence is not restored. Finally I will be seeking to engage with those security providers who are losing out because their distribution chains do not include the shared SOC/CISO services needed by the 99% of UK businesses with no in-house ICT skills. These need people, not just technology, support.
An open letter to the Chancellor
The Recruitment and Employment Confederation has pulled together a coalition of business organisations, representing tens of thousands of employers and millions of employees, to write (see below for text) to the Chancellor of the Exchequer, Sajid Javid MP, urging him to enable employers to spend their levy funds more flexibly and allow millions more workers to benefit from quality training and opportunities for career progression.
Where are the High Tech Employers?
This call is far more important to the economic future of the UK than the extra Government funding for Further Education but the consortium does not appear to include the CBI and Tech UK. Do their members still give priority to retaining the ability to import supposedly skilled staff from the rest of Europe and/or India over working to create UK skills frameworks, for standards as well as funding, that are employer driven and fit for purpose? If so, one cannot really blame them. They spent over a decade after the Sector Skills Councils were created trying to get Government to allow supposedly employer-driven programmes to be driven by employers, free from the narrow constraints imposed by the academic advisory boards of national funding and standards councils, agencies and regulators.
It is time to make a public fuss
I remember a meeting in 2004 convened by the personnel director of one of the UK’s largest software and services employers and twenty of his peers (plus a TUC representative), where they said that unless Government started listening to them they would walk away from its skills programmes. They would not make a public fuss. They would continue to “go through the motions”. But they would do what was necessary. Officials did not tell Ministers. Government did not listen. The industry’s overseas recruitment and offshoring grew rapidly over the next decade. Today it is fighting to retain “freedom of movement” and visas to allow the bulk import of those for whom digital apprenticeships were supposedly intended.
The referendum vote meant Change or Die
I suspect that the members of the CBI and Tech UK still do not believe in making a public fuss to reform the UK skills system, break the stranglehold of the “blob” (the term coined over twenty years ago for the hierarchies of advisory committees which make up the UK educational establishment) and enable change. I confess that until the unexpected result of the referendum I too was among those working to try to achieve via Brussels what we could not achieve via Whitehall. But the people spoke. The half who have not done well out of our membership of the EU, whose children do not go to University or who have returned home, unable to earn enough to live independently after paying their student debt, want change.
Time to halt the dominance of the Haldane Principle
We have been stuck for far too long with education and skills processes and priorities administered by a self perpetuating oligarchy of committees following variations of the 1917 Haldane Principle. The “principle” was designed to “liberate” University research from the diktats of outside sponsors. Despite half a century of criticism and calls for it to apply only to a limited proportion of government funded research, the principle was re-enacted in 2017 for programmes co-funded with industry.
It has also dictated the shape of our education system. The UK is uniquely dominated by hierarchies of committees driving processes to select and filter for academic excellence, alias the memory, logic and mental discipline needed for “pure”, as opposed to “applied”, research. That has led to UK Universities leading the world in measures of research excellence while they fail to provide the attitudes and disciplines (e.g. team working and creativity), let alone skills, needed by employees to develop innovative products, bring them to market and/or to grow them into a competitive business.
And heal the schism
The resultant tensions came to a head when the majority of the UK voted against the advice of the intelligentsia who had denied them and their children access to the skills of the future in favour of importing them from abroad. Then the students voted in favour of a pied piper pledge to scrap student loans and robbed Theresa May of her majority. The report she subsequently commissioned from Philip Augar highlighted, inter alia, the social injustice of the current system.
The time has come for action to remove the obstacles to creating many more apprenticeships, including degree linked, and give hope to those trapped by student debt as well as to the next generation and those whose jobs are at risk if they cannot keep abreast of changing demands for skills. We need to be able to head off calls for destructive revolutionary action that would delay constructive evolutionary change.
Who signed and Why
The coalition includes the two accountancy bodies (AAT and CIMA), the Chartered Institute of Personnel and Development (CIPD), Freight Transport Association (FTA), Association of Independent Professionals & the Self-Employed (IPSE) and ScreenSkills (the body for the UK’s screen-based creative industries).
Mark Farrar, Association of Accounting Technicians (AAT) Chief Executive, said:
“AAT has campaigned for the apprenticeship levy to be renamed the “Skills Levy” and broadened to include traineeships and other forms of high quality training since 2016. Widening the remit of the levy will help address the fall in apprenticeship starts, the frustrations of many employers and the future skills needs of UK plc.” AAT has around 90,000 student members, 20% of them apprentices, although not all within the meaning of the current levy.
CIMA’s Andrew Harding FCMA CGMA, Chief Executive – Management Accounting, added:
“We must better support current workers to reskill and upskill throughout their careers. This is why it is essential that we review our national education and skills policies, especially the apprenticeship levy as it currently stands, expanding it to provide for reskilling and lifelong learning.”
The Text of the Letter
2 September 2019
Rt Hon Sajid Javid MP
Chancellor of the Exchequer
1 Horse Guards Road
As representatives of tens of thousands of businesses, representing millions of workers from every corner of the UK, across all sectors and sizes of firm, we urge you to broaden the apprenticeship levy so that funds can be spent on other forms of accredited, quality training. We believe this approach would benefit workers, employers and the wider economy.
The levy was created with the best intentions, but its complex rules and single-minded focus on just one sort of high-quality training has limited its effectiveness as a policy. As well as a slower pace of growth for apprenticeships overall, opportunities for younger people and flexible workers have been particularly affected, in both the apprenticeship system, and in other high quality qualifications.
An effective skills policy has never been more important. It underpins productivity, opportunity and innovation. Our inability to address stubbornly slow productivity growth is undermining prosperity and opportunity in the UK. This will only get more important as automation, AI and market changes have large consequences for the future of work – something you have noted yourself. Ensuring that the UK workforce has the skills they need to be able to seize the opportunities presented by the fourth industrial revolution must be a shared priority.
During the Conservative leadership contest, you acknowledged the possibility of “broaden(ing) the apprenticeship levy into a wider skills levy, giving employers the flexibility they need to train their workforce, while ensuring they continue to back apprenticeships.” We believe this would be the right step. A levy that allows businesses greater flexibility to fund accredited, quality training that is effective for workers and employers – rather than meeting a Government target – would be ideal. It would help to fill skills shortages and enable higher pay for workers.
At present, the levy system is actively damaging skills development in the UK economy at what is a critical time. We would be delighted to work with you and the Secretary of State for Education – to whom we have copied this letter – to urgently design an approach that will work for the Government, employers and workers.
Neil Carberry, Chief Executive, Recruitment & Employment Confederation
Peter Cheese, Chief Executive, Chartered Institute of Personnel and Development
David Wells, Chief Executive, Freight Transport Association
Andrew Harding FCMA CGMA, Chief Executive – Management Accounting, The Chartered Institute of Management Accountants
Seetha Kumar, Chief Executive, ScreenSkills
Mark Farrar, Chief Executive, Association of Accounting Technicians
Simon McVicker, Director of Policy and External Affairs, The Association of Independent Professionals and the Self-Employed
As part of my retirement hand-over I looked at how UK Cybersecurity Policy has evolved over the past 20 years, beginning with the IOCA debate and Y2K, then going through Electronic Signatures, RIPA, NHTCU, the EURIM-IPPR Study, ID cards and the failure of attempts by Home Office and Cabinet Office to join-up strategy across the tribes of Whitehall and Law Enforcement. Responsibility for “co-ordinating” cybersecurity policy in the UK has now passed to DCMS but, as yet, little progress has been made in reducing the fragmentation, duplication, overlap, conflicts and gaps in statutory and regulatory powers and budgets.
Government departments and Law Enforcement Agencies remain more interested in acquiring authority, budgets and cyberwarfare/surveillance capabilities or regulatory turf wars. There appears to be little or no interest in working together, let alone in co-operation with the private sector, to use a mix of criminal and civil law to change the risk-reward equations that motivate most criminals, developers and service providers. It remains almost impossible for most victims to obtain redress. A series of funding and standards barriers get in the way of creating a healthy training and support market to give access to the skills needed for effective protection, investigation or redress. Instead we have a massive spend on technologies which most do not know how to join up and use. The problems are compounded by the spin off effects of the cyberwarfare and surveillance arms races.
Meanwhile the threats, costs and losses have grown exponentially. That should come as no surprise because e-crime has been allowed to remain almost risk-free for the criminals. They co-operate in rapidly evolving consortia as new opportunities emerge. Meanwhile most developers regard security as an annoying afterthought. Few telcos, Internet or transaction service providers actively co-operate with law enforcement to protect their customers, let alone those whose personal information they wish to harvest and exploit, unless compelled. The reasons vary but issues of legal liability, confidentiality and trust appear to trump other motivations.
The Cyber Security & E-Crime Group of the Digital Policy Alliance, chaired by Baroness Neville Jones, has recently been looking at Cyber Insurance as a Catalyst for Best Practice and on 9th September will be looking at current and emerging developments that could shape its future work.
The agenda has not yet been decided but the topics suggested in the advance calling notice included the following:
• challenges in relation to computer assisted crime for law enforcement bodies such as Action Fraud;
• the role of industry co-operation with law enforcement;
• governance structures to promote (IoT) security by design;
• incentives for responsible corporate behaviour;
• pressures on law enforcement & the judiciary resulting from large quantities of digital evidence;
• cyber security skills & the work of DPA’s Skills Group in this area.
The meeting will define the future course of the working group and is for those members and registered observers who will help deliver what is decided. Invitations are available for those who are interested in joining.
This is a unique opportunity for those who are seriously interested in exploiting the current opportunities to make UK cybersecurity policy fit for a post-Brexit world.
It is not enough to have policies that satisfy the conflicting requirements of the EU and US for data protection, including notification to attract fraudsters to the victims of a breach, like sharks to blood in the water. We need to make the UK the location of choice for trusted, secure, on-line business. That includes causing cybercriminals to avoid attacking UK resident consumers and businesses because we are harder to attack and better at organising rapid and effective international retaliation. It should be possible to reconcile those objectives with retaining one of the world’s most competent, devious and ruthless cyberwarfare operations. But the former should not be sacrificed for the hypothetical claims of the latter.
1 Action Fraud had an impossible task
The Times undercover investigation at Action Fraud has led to a rash of publicity, both tabloid and professional. The only surprise is that it has taken so long to expose the mismatch between public expectations and delivery.
Action Fraud’s own website indicates what the service does not cover and thus demonstrates the need for more joined up “reporting”.
There is also the need to distinguish between “reports” that are expected to lead to action and the many thousands of “notifications” that might arise from a single criminal action. An example of the latter was the premature and untargeted release of a piece of ransomware which, inter alia, crippled parts of the NHS. We also need to better handle the many thousands of partial reports from those who have suffered loss or distress but cannot provide sufficient information to enable action, even were the resources available.
It is all very well to have a review but this needs to lead to much more than a simple change of contractors.
The Action Fraud team were set an impossible task. Loss of morale and cynicism were inevitable. But the problem goes deeper. The opportunity should be taken to look at how to create honest and effective processes which also filter and distil incident notification, with regard to all forms of cybercrime and abuse, into usable intelligence, actionable reports and effective victim support. That is a much bigger task than Action Fraud was created to address but is essential to restore public confidence in the Internet as a safe place for voters and their children as well as the 99% of businesses with no in house security expertise.
Hence the business case for Telcos, ISPs, Social Media Companies, On-Line Retailers and Transaction Service Providers and all others who want the on-line world to flourish to co-operate with law enforcement. The need is for more effective clearing houses for information on abusive/criminal activity to enable action under both criminal and civil law to remove weaknesses, prosecute/deter perpetrators and change professional/corporate behaviour towards security by design, as opposed to afterthought.
2 The reasons were identified over a decade ago
The problems were foreseen in 2004. The fifth discussion paper of the EURIM-IPPR study into Partnership Policing for the Information Society was on “The Reporting of Cybercrime”. It warned that: “Easy-to-use incident reporting systems are likely to be swamped unless material is received in a form suitable for automatic collation, analysis and forwarding. That means web-forms and/or pre-validated submissions from “trusted” sources, e.g. Banks or ISPs, on behalf of customers … The UK routines for reporting suspected money laundering illustrate the paralysis likely to result if this is not available.”
There was already a need to “reduce fragmentation and duplication of effort with regard to reporting structures and improve the availability of intelligence to help focus existing resource” and “a Catch 22 situation with regard to justifying the resources necessary to create easy-to-use reporting systems that will not be swamped. Without such systems we risk confidence in the Internet being eroded by the inability of most users to report incidents to someone who will take notice of their concerns. Education and awareness campaigns could do more harm than good unless accompanied by such routines.”
3 Now we face the predicted loss of confidence
The failure to create effective processes to collect and collate information on attacks to support the business case for action has led us to a situation where criminal behaviour is almost risk free and therefore rising sharply.
- Government cybersecurity policy is focussed on the needs of GCHQ and MoD for state security and cyberwarfare rather than on protecting citizens and business.
- Telcos, ISPs and other technology suppliers are effectively discouraged (on competition grounds) from working together to collectively remove the vulnerabilities that enable their customers to be attacked and abused.
Neither group gives serious priority to working with law enforcement and victims to identify and prosecute or sue the culprits.
I recently blogged that in June 2019 there were around 370 exhibitors at Infosec, most of them promoting cloud and/or AI based threat intelligence and/or behavioural analytics services to digest the billions of “attacks” into actionable information. Much of what they collect and report overlaps with what the National Fraud Intelligence Bureau hopes to receive, at no charge, from analysing what is notified via Action Fraud and its other sources.
4 We have to unpack the problem to rebuild trust
Back in 2004 the EURIM-IPPR report said: “The reporting problem can be addressed in manageable chunks, but to do so will require co-operation amongst a number of players, recognising that there are three distinct, albeit overlapping, reasons for establishing reporting mechanisms:
- the need for information on the size and nature of e-crime, to plan the right levels of skills, resource and working practices and commit to appropriate levels of investment across government and industry to reduce the opportunities for e-crime;
- the need to report suspicious incidents, vulnerabilities, adversary capabilities and the like, to enable the collection of intelligence, linked to means whereby this can be fed to different constituencies to enable them to protect themselves from new threats and vulnerabilities as they emerge – and to product suppliers to address security weaknesses;
- the need to provide the means whereby individuals and business can report and support investigation of suspicious incidents.
All three might also benefit from routine bulk reporting by those running protection services for their clients, most of which include monitoring, analytical and trend analysis services.
Today the organisation of bulk incident notification to enable collation and distillation into actionable intelligence in support of collective investigation and action under both civil and criminal law (as recommended in Fighting Fraud Together) will be much harder.
- Partly because of the massively increased volume of attacks.
- Partly because the private sector cybersecurity industry, geared to the needs of Government and big business, is a multi-billion dollar industry with little incentive to provide uncharged access to law enforcement.
5 We have to change the incentives
The situation would change rapidly were those who pay for commercial cybersecurity services to require the ability to pass their incident reports, in common format, to a central clearing house akin to that recommended in 2004.
In 2008 the UK clearing banks offered such a service as a by-product of a real-time shared fraud detection service linked to payment clearing. Parts of HMG, however, wanted statutory access. I will not go into the reasons (including the position of City of London operations in the critical financial services infrastructures of overseas Governments) why statutory as opposed to voluntary access is impractical.
At present the prime incentive for change is the desire of the major advertisers, who fund the Internet as we know it today, to protect their brands from piracy, stop them from being damaged by being associated with abuse and to check that the clicks they pay for are genuine. Google and Facebook have little choice but to respond. The means they use could also help transform the safety and security of the Internet as a whole.
6 There are many questions
The questions asked in 2004 remain pertinent:
- Who wants to report what to whom and what do they expect to happen afterwards?
- Who wants to receive what reports, on what and what are they going to do with them?
- Who should be responsible for analysing reports, producing intelligence for dissemination and information for action by which appropriate authorities and organisations?
- How should such intelligence be distributed to different constituencies, and by whom?
- What reporting already happens (private sector, law enforcement agencies, regulators etc.) and how might existing information be better processed and shared?
- What are the potential volumes? What resources would be needed to handle them?
- What governance and security processes are appropriate for which material?
7 We should be honest about Intelligence Gathering versus Reporting
Those contacting Action Fraud or abuse@ teams and others need to know whether their submissions will be treated as:
- Intelligence – to be distilled into action plans to remove vulnerabilities, disrupt criminal supply chains or enable partnership action (under a mix of civil and criminal law)
- A potential crime report – for criminal investigation, whether based on the collation of intelligence, a report by an individual victim or a report by an ISP or Bank covering an attack on a number of customers
- A potential case for civil action by victims (or a group of victims) and their lawyers/insurers because there is insufficient evidence or resource to support a criminal prosecution.
However the submission is treated, there is a need to provide the victim with realistic advice. In 2005 the Culture Media and Sport Select Committee saw this as a role for Citizens Advice or the Law Society (Para 25). Citizens Advice appear happy with this recommendation, provided they are given the necessary support.
I have now handed over my project portfolio but remain on the advisory board of the Digital Policy Alliance and plan to attend the next meeting of the Cybersecurity Group. I intend to suggest convening a round table on reporting to see whether there is support for an exercise to update the exercise done in 2004 – but without the expectation that Government can and will lead a joined-up exercise. That is because the conflicting agendas across the tribes of Whitehall, let alone across those of law enforcement, make an industry-led approach more likely to succeed.
But is the loss of confidence in the on-line world such that the leading players are willing to work together?
And would Ofcom (as competition regulator for the on-line world) allow them to do so?
Those are questions I leave to the next generation.
That said – the new Ministers at DCMS ARE from the next generation.
So are those at the Home Office and BEIS.
And we can see a stiff breeze of change beginning to waft through the corridors of power – beginning with demands for weekly progress reports on Brexit arrangements.
Given that we are in the foothills of the most unpredictable general elections in several decades we might even see democratic pressures over-ruling departmental agendas.
Make YOUR voice heard.
Such opportunities do not happen often.
DCMS to survey the cybersecurity labour market
DCMS has announced “a second survey of UK businesses, public sector organisations and charities to help understand the UK cyber security labour market. The research will examine how organisations approach employing and training cyber security professionals, and understand the issues they face during this process”. The result is likely to be rather more useful than last year’s unstructured survey of professional and academic opinion. I criticised the resultant report (in my review of the Initial Cybersecurity Skills Strategy) because the analysis failed to reflect the structure of UK business. It was therefore seriously flawed with regard to the likely scale and nature of demand.
This time “Businesses and public sector organisations across the UK have been selected at random from the Government’s Inter-Departmental Business Register. Charities have been selected from the Charity Commission database in England and Wales, the Office of the Scottish Charity Regulator, and the Charity Commission for Northern Ireland. Cyber sector businesses have been selected from a list compiled from various commercial business databases.
Ipsos MORI is inviting the senior person within these organisations, with the most knowledge or responsibility when it comes to cyber security to take part. In some organisations this might be a specific individual or Head of Department, while in other organisations it might be the business owner or one of the charity trustees.”
The results will be interesting. In most cases the respondent will have little or no knowledge, nor will anyone else in the organisation. I therefore very much hope that the questions for the “senior person” include “Where do you get your advice and guidance?” and “Who do you go to if you have a problem?”
Why it is so important to analyse demand by size and type of employer
A month ago I met the current Chief Executive of West London Business and agreed to send him a copy of the draft report of the study into local demand for IT skills that I helped organise for West London TEC nearly 30 years ago. That was the first (and perhaps the only) attempt to use “industry strength” market research to analyse the digital skills needs of local employers. The questions were added to the local labour market survey for which we had received funding to use a computer assisted telephone survey, with prompted and unprompted questions, to a structured (by size and sector) sample of 10% of all employers. The response rate was just over 50%. Most skills surveys, then and now, use unstructured samples and have response rates of under 2% (sometimes as low as 0.02%). In other words we had robust results in an area where almost none of the other data was statistically significant.
The survey found that most businesses used hardware and software regarded as obsolete by suppliers. Few had any full-time in-house IT support staff and most had received no professional training. Moreover none of the publicly funded training programmes in the TEC portfolio were felt to be relevant to their needs. Those wanting skilled staff were happy to train their own, provided the TEC would help them identify recruits with the necessary aptitude and attitude. They would also have liked the TEC to create a list of reputable local organisations providing relevant modular short courses. The results were so far out of line with “accepted wisdom” that the implications, beyond the synopsis headline “The users have taken over the system”, were ignored. My draft report and recommendations were never published.
I suspect we have a similar situation today with regard to cybersecurity skills.
99.5% of businesses have no in-house digital, let alone cyber expertise
The UK has 1.4m businesses with fewer than 50 staff. Most use packaged and/or outsourced IT products, services and support. They have no-one with serious in-house IT, let alone cybersecurity, expertise. Only 42,000 have more than 50 staff and only those with more than 250 staff (7,500) are likely to have any in-house cybersecurity expertise, as opposed to knowing when they need to call in an “expert” for help because they cannot understand what is happening or how to respond. Almost none will know the training their staff might need. Few will know how to find a reputable supplier of security services who can meet their needs at affordable cost.
The “answer” is almost certainly local access to services like those provided by the pilot shared skills incubator and SOC in Plymouth and/or those local ICT support suppliers who have staff competent to the level of (for example) CompTIA Security+. The lack of such access helps explain the low take up of Cyber Essentials, even among those with 50 or more staff.
The good news is that earlier this year DCMS recognised the problem and provided modest funding to help Bluescreen IT to package the Plymouth pilot for replication elsewhere and CompTIA for the Cyber Ready Programme to reach more diverse audiences (e.g. women returners).
And few cyber experts understand their Boards
At the other end of the spectrum we have the 0.01% of enterprise customers to whom most of the 370 exhibitors at InfoSec 2019 were seeking to sell AI and/or Cloud-based threat identification and behavioural monitoring products and services. These are the customers large enough to employ in-house staff who understand the meaning of terms like maturity model. Such staff all agree on the need to educate “the Board” because it does not “understand” and give them the authority/budgets to buy new products and services which will supposedly improve their technical ranking. Meanwhile most successful attacks involve insiders (whether malicious or ignorant) and failures in people processes: authorisation, authentication, monitoring, motivation, training etc.
It is now five years since I blogged on the views of the major financial services employers of the City of London on the security skills frameworks then being promoted. The world has changed but the communications gap has widened. “Cybersecurity” is now rated by more than half of finance directors as among their top five risks but the responses being considered globally require perspectives, priorities and skills well beyond those expected from cybersecurity professionals, whether in 2015 or 2019.
I used to lecture to current and would-be main board directors on risk reduction, recommending the use of the James Bond movie Skyfall to get their colleagues’ attention, well before Edward Snowden demonstrated the prescience of the basic plot.
Cyber is a subset of risk management
I would begin by using the quote from a former Director of CESG which prefaces the seminal EURIM/DPA report on Security by Design: “The main benefit of investing in better security technology is to force the enemy to concentrate on corrupting your people instead of trying to break your systems“. I would also remind them of the need to check the recovery plans for fire, flood, power / communications outages and digititis.
I would then rank the top six cyber-related risks (mix of probability and seriousness) as:
1. lost business because of cumbersome/intrusive security,
2. competitors using your IPR (unpatented research, customer/personnel data etc.) against you,
3. insiders (over-ambitious, malicious, disaffected or loyal but untrained),
4. contractors (IT, security, compliance, cleaners, support),
5. regulators demanding data they cannot safeguard,
6. organized and targeted attackers.
My action plan would have three main points.
1. Threat assessment and risk reduction strategies (e.g. data minimisation and access control to reduce attack surfaces)
2. Insurance backed security policies and incident response plans (with third party audit of regular exercises)
3. Active co-operation with law enforcement (to deter attackers)
Co-operation with law enforcement is critical
My conclusion would be that at least 10% of the security budget should be allocated to active co-operation with law enforcement.
This should include:
- support (and training) for the organisation’s staff and contractors to serve as expert volunteers (whether or not warranted as specialist constables) to help staff emergency response and investigation teams
- contributions to the funding of full time officers and support staff to provide independent governance and to handle co-operation with other law enforcement agencies and police forces around the world, not just within the UK or EU.
The EURIM-IPPR Study into “Partnership Policing for the Information Society” identified that the police would never have more than a fraction of the resources necessary to bring law and order to the on-line world. Today the situation is worse. On-line crime and abuse are soaring because they are almost risk-free for the criminals.
Enterprise customers divide into
- those who allow themselves to be punch bags, hoping their evolving defences are good enough to prevent serious damage and
- those who retaliate (from on-line gaming companies and Hollywood film studios to the supporters of the NCFTA programmes)
Those who retaliate commonly use the services of organisations like Brandshield to protect their brands or organisations like Duff and Phelps and the forensics teams of global accountants and law firms to sue all who do not help them identify and persecute (if not necessarily prosecute) the attackers and thus complement the work of law enforcement.
The topic of asset recovery appears, however, taboo among most groups of cybersecurity professionals.
They commonly take the view that retaliation would merely antagonise the attackers and lead to worse problems. This may be correct in the short term. Longer term, however, criminals find it safer and more cost effective to attack those who do not retaliate. Those with a reputation for effective retaliation tend to get left alone. That gives a double reward as their competitors suffer. Effective retaliation requires co-operation with insurers, the internet supply chain and law enforcement, using a mix of civil and criminal law.
It also requires investigation skills that go beyond most definitions of “cybersecurity”.
The need for joined up policy
The last Labour Government was unable to bring the tribes of Whitehall together to agree a joined-up approach, led by Home Office, to implement the recommendation of the EURIM-IPPR reports. It briefly looked as though the coalition Government might make progress, with the launch of Fighting Fraud Together. This was followed by two breakfast meetings which brought together the City and Security communities at board level (several hundred decision takers in the main hall of the Chartered Accountants). But political attention was diverted to surveillance and cyberwarfare. Progress petered out.
The current Lord Mayor of London has hosted some very impressive meetings for the Global Cyber Alliance, led by the New York District Attorney and the City of London Police. The alliance uses the proceeds of crime to help remove some of the vulnerabilities that facilitate impersonation. DCMS has yet to exploit the opportunity to use such co-operation to add a low-cost multiplier to its own efforts, e.g. by making the use of such free tools, and training in how to use them, mandatory on all the digital programmes it supports.
Responsibility for coordinating cybersecurity and digital policy may now sit with DCMS instead of Cabinet Office but the decision squares for action remain spread across Home Office, Ministry of Justice, BEIS, FCO (for GCHQ), MoD and DfE. Meanwhile most of the practical experience and expertise sits with those who want their customers to buy, sell, play and learn on-line – not just in the UK but globally.
If the UK is to make a success of Brexit and become a globally trusted and trustworthy location for on-line activity we need the DCMS to lead a much larger review, leading to co-operation akin to that announced, but not subsequently delivered, at the launch of Fighting Fraud Together.
20,000 Degree-Level Police Apprenticeships should be the catalyst for change
I have now handed my portfolio of skills projects, including those on cybersecurity, to a team at the Open University. I hope they will provide a focus for delivering local access to world class skills, including use of the cyber-components of the 20,000 policing apprenticeships recently announced (*) by the Prime Minister to transform the UK cyberskills scene – and make the UK the most dangerous place for cybercriminals to go on-line.
Of course policing goes well beyond cyber. But it is now estimated that 80% of crime has a digital element, if only because of the conversations, selfies and location information on the mobile phones of the criminals. A consequence is that the justice system is drowning in data, most irrelevant other than to confuse judge and jury and enable the guilty to go free. Hence the need to address the cyberskills for justice and deterrence, not just those for cyberwarfare, protection and surveillance. And the more widespread those skills, the more dangerous the on-line world will become for criminals, not just potential victims.
(*) I know that was not quite what was announced, but locally delivered police apprenticeships using OU-like delivery mechanisms to enable common standards are the only realistic way of achieving the headline objective.
The economic structures and business models of the on-line world are changing.
The day after I blogged on why shareholders would wish to break up BT we got news that the sell offs were under way, beginning with the head office and some of the overseas subsidiaries. The share price stopped sliding. Then the Vodafone share price jumped after the news it was to spin out its masts and use Cornerstone to share 5G infrastructure with O2. City Fibre is using its new found financial backing to connect fourteen more cities, part new build and partly relighting “orphan” municipal fibre networks. The Wireless Internet Group recently acquired the in-building operations of Arqiva. Ofcom is following the rest of the world in opening up “shared access spectrum”. Virgin has announced plans to wind up its speeds and has done a new content deal with Sky (now owned by Comcast). The processes that enabled the “platform” dominance of the current incumbents (Amazon, Facebook, Google) are under scrutiny from both anti-trust authorities and the advertisers who fund “free” social media and search engines. President Trump is also taking aim at the way their lobbyists and lawyers use Federal contracts to further increase their dominance of cloud services. Whatever his motives, he appears to be the first president since Taft to take anti-trust seriously.
The technology architectures and structures are also changing.
There has been much coverage in the technical press of BT’s decision to adopt an OpenStack core, akin to that used by AT&T and Deutsche Telekom, to support and knit together the communications networks and technologies of the future. Meanwhile the US has forced Huawei to exit the main international submarine cable consortium at the same time as major US players are investing in their own cables to improve the resilience of their cloud centres.
Will this mean that the technology giants will shift their lobbying efforts to the ITU, which set almost all global inter-operability standards until the Internet Protocols replaced X.25? If so, how will they acquire the votes of the developing world now leapfrogging their legacy IPR? How will the boundaries with the IETF and other telecoms standards bodies “evolve”? And will the UK include funding for participation, hosting and perhaps even “leadership” in its priorities for making the UK the best place to do on-line business?
Exploiting the Brexit Policy Opportunity
Readers will know that I have come to reluctantly believe that Brexit is the only way to create a new and more constructive relationship with the protectionist kleptocracy that has condemned the youth of Europe to mass unemployment unless they come to the UK. That means building on the best of what has been achieved while extricating ourselves from the worst and a friendly divorce with joint custody of those children we acknowledge as part of the divorce. And telecoms policy is one of those areas where the EU got it right, including the constraints on BDUK which would otherwise have given its money to BT with almost no controls or clawback.
The new UK Government is said to be entering into a series of root and branch reviews of the policies it inherits, including to deliver on the Prime Minister’s aim to expedite the transition to full fibre broadband. We have a digital minister who has built and run regional business telecoms companies. Can we, therefore, hope to see a long overdue focus on the needs of British business instead of the preservation of BT’s leased line revenues to protect the Treasury guarantee of its pension fund? Will that translate into new priorities for Ofcom?
What policies might the new minister adopt to help ensure the UK benefits from leading the transition from the current jungle of fragile, semi-incompatible communications networks to a world of seamless, ubiquitous, resilient, secure, meshed, digital infrastructures? One of the last acts of the outgoing DCMS Secretary of State was to launch a review of the telecoms supply chain. Hopefully the new digital minister will ensure that this takes place in the context of the new world that is being created.
It is almost exactly five years since I blogged on the need to address the transition to an evolving “future proof” mesh in response to the Digital Infrastructure Consultation of 2014.
What are the current questions for review?
At one level they are becoming easier.
- Change is accelerating, making attempts to predict the future in order to regulate it ever more impractical – although that does not appear to stop some regulators from trying. The task is to remove the barriers to the changes we (voters) want to see and act more rapidly, efficiently and effectively against obvious abuses of dominant power and monopoly positions.
- Policies and regulations based on fictional boundaries between the fixed, wifi and mobile, terrestrial and satellite markets are losing relevance. Most voters (alias customers) would like their service to roam over whatever is cheapest (to them) and working at the time. Some will pay (and some a lot more) for reliability and resilience. The issue is to ensure that those controlling bottlenecks (whether access, transmission, switching or inter-operability) do not indulge in anti-competitive behaviour to exploit or prolong their monopoly positions.
- The attempts of digital infrastructure providers (however defined) to become content providers (and vice-versa) are unravelling. The fashion for convergence (alias invading or taking over players in adjacent markets) is cyclical and nearly always ends in tears. The digital content market is now seriously over-crowded with players like Amazon, Disney, Google (YouTube et al) and the latter appear to be reining back on infrastructure investment, other than to support their cloud infrastructures. The issue is to act rapidly and robustly against predatory cross-subsidy.
At another they are becoming harder.
We have many more (and better paid) lobbyists and regulators arguing (particularly in London, Brussels and Washington) how many digital angels there are on the head of a pin.
Moreover the future is now being built in the Southern Hemisphere, under the aegis of the ITU, away from the attentions of US IPR and Telecoms lawyers.
President Trump’s trade war with China has come too late to prevent them from providing cost effective, holistic infrastructure solutions for most of the world, even if they are cut off from North American markets.
How will the EU respond – almost certainly with protectionist initiatives which claim to be forward thinking?
How will the UK respond, caught between the USA, China and the EU?
Will we revert to our internationalist roots, exploiting Brexit to the full?
Remember the comment by De Gaulle’s minister of culture, Andre Malraux on why the sun never set on the British Empire. “Even God does not trust the English in the dark.”
This is a time for imaginative policy. Of course we play by the “rules” … but as interpreted in our courts … by our judges. It is their international reputation that is our “secret weapon”. It underpins the position of London as a global trading centre. Reclaiming that “weapon” is arguably the greatest Brexit dividend.
It is also a time for a cool look at how the digital world is evolving and our place within it.