When IT Meets Politics

August 9, 2016  8:09 PM

Did Ofcom bottle it against the Premier League? Or did it have its priorities right?

Philip Virgo
backhaul, Brexit, Broadband, BT, DPA, Ofcom, PIA, Sky

Ofcom has ended its investigation into the Premier League contracts. It has been widely accused of bottling it. The termination can, however, be viewed more calmly. Ofcom does not have the resources to simultaneously wrestle with BT, the BBC and the Premier League any more than BT can afford to run a world class communications utility at the same time as subsidising the incomes of Premier League footballers and their agents.

Both have to prioritise. It is far more important, for the economic well-being of the UK as a whole, for Ofcom to hold BT’s feet to the fire on its quality of service and its competitive behaviour in those markets which it dominates.

Far better for both Ofcom and BT to focus on Broadband

The consequences will be positive for all concerned when BT spins out its content activities before they lose value in the face of growing competition from Amazon, Netflix and all those whose traffic BT/EE would make better/safer returns from carrying. The scale of communications infrastructure investment needed, including to provide the necessary security and resilience for a society that is increasingly critically dependent (life and limb not just entertainment) on ubiquitous Internet Access, is well beyond that which BT alone can afford. In order to meet the needs of its customers (Wholesale not just Openreach) BT needs to adopt a positive attitude towards shared access, wayleaves and physical infrastructure access and to move towards partnership deals based on global inter-operability standards (at all levels).

Sky has made clear that its priority is to get better quality of service from BT rather than compete by building its own infrastructure. Although Sky is in trials with City Fibre in York, it is Talk Talk that is making the running with regard to providing consumers with fibre to the home. Does that imply that Sky might be ready to open up access to the wayleaves it acquired when it took over Easynet? Perhaps. But more important is to get National Grid and National Rail to open access to their wayleaves, poles and ducts using the new standard agreements.

Towards a Post Brexit Broadband Plan 

On Thursday I am due to chair a meeting to discuss inputs to a six point plan for a UK post Brexit communications infrastructure strategy. The objective is deceptively simple – to identify the actions necessary to reduce the risk of post-Brexit recession by pulling forward “future-proof” investment. Today that includes fibre network/wireless networks (including ducting, chambers, masts etc.) built, maintained and operated to global inter-operability standards that are capable of being readily upgraded to handle foreseeable needs (including 5G, small cells, smart buildings, transport, shopping malls, telecare etc.) over at least the next 10 – 15 years.

Avoiding recession entails cutting 12 – 18 months of current investment timescales

The ideas currently on the table to help cut 12 to 18 months off current investment timescales, reduce risk and improve payback include:

  1. Spreading the use of Standard Access and Wayleaves, building on the work to date;
  2. Brokering agreements between landlord and network providers on good practice to ensure that mutually beneficial reform of the electronic communications code leads to a rapid improvement in the number and location of the wayleaves, masts and aerial sites on offer and/or co-investment in infrastructure to meet the known/expected needs of business tenants as well as of consumers and their children;
  3. Ensuring support and publicity for local authority best practice planning and regulatory processes and securing active support from planning inspectors for those copying them;
  4. Business rates based on a proportion of actual revenues rather than a tone list based on historic fictions contributed by those who have been able to bypass its use for their own networks; [Others want a “holiday” or wholesale scrapping but my father, who had started his civil service career in the Valuation Office, drove a successful campaign to reform the application of business rates to voluntary sports clubs and playing fields by demonstrating that a reversion to the basic principles of the rating system can produce better, fairer and faster results than trying to over-turn it].
  5. The creation of shared services to map the availability of backhaul and help turn PIA (physical infrastructure access) into a well informed, service driven, customer oriented, competitive market.
  6. Publicity for case studies of the use of fixed and mobile broadband to help local authorities deliver better services at lower costs without the need for up-front investment which they cannot afford. [Local authorities are almost totally focused on a mix of cost reduction and revenue generation. We need to harness that focus not piss in the wind trying to change it].

The list may change by the time I come to blog on what comes out of the meeting.

What will happen next?

I have two main roles in this exercise.

  1. To identify which participants are willing to present which plans to a meeting with Conservative MPs on 6th September, in the knowledge that they will be expected to help deliver on the implementation.
  2. To identify which channels they wish to use to organise co-operation on delivery, including liaison with officials and politicians.

How can you get involved?

I am pleased that a couple of those expected to participate are already working on plans to use Digital Policy Alliance sub-groups to handle all-party co-operation and to provide a neutral umbrella for professional/commercial co-operation. Those sub-groups will be open to all members of the Digital Policy Alliance. Please e-mail them, not me, for an invitation to join.

If you wish to be active at the political level via the Digital Infrastructure Group of the Conservative Technology Forum, please join before contacting me because I will be handing the follow up to others to progress after the party conference. I will then be focused on Skills, and particularly Cyber Security skills until my term of office comes to an end next year.

August 5, 2016  6:51 PM

Lifting the Brexit recession with Full Fibre Broadband

Philip Virgo
Brexit, BT, DPA, FCS, Openreach, Socitm

This week has seen a variety of calls to use infrastructure investment to prevent the UK from sliding into a post Brexit recession. Most of the suggestions (except possibly for an extra runway at Gatwick and restarting the electrification of the Northern railways) are unlikely to produce any results, whether spend or benefits, before the Brexit negotiations are complete.

The exception is investment in upgrading the UK’s Broadband infrastructure. Results could be almost immediate, provided the confused situations on access and wayleaves and on building regulation and planning processes can be rapidly sorted – removing 12 – 18 months delay (on average) from almost any project (however modest).

Voluntary co-operation will achieve more, faster than coercion

The most obvious way of achieving this is not, however, government action. It is voluntary co-operation between a critical mass of property owners (wanting a choice of world class access services for themselves and their tenants), network operators (willing not only to be good tenants but to ensure they are not let down by their subcontractors) and local authorities (willing to ensure co-operation between their departmental silos as well as with their peers). Hence the programme of “co-operation between the willing” that I am trying to promote via the Digital Policy Alliance and members like the Federation of Communications Services, SOCITM, JISC and the Grids for Learning as well as those with direct commercial interests as users or network or technology suppliers.

Why not use the “system” to address business rates?

There is a similar case for addressing the disproportionate impact of business rates on small projects. Moreover, were the costs and uncertainties of delay and of rates to be removed, the business case is commonly such that there is no need for public funding. What is needed is rapid action on business rates, for example a “de minimis” exemption until there is evidence of income on which a valuation can be based using a predictable formula. The process would, however, be so much simpler if more network operators would supply actual costs and revenues instead of historic fictions. The last attempt at reform failed because so few were willing to do so, despite my attempt to publicise the opportunity in this blog.

Who benefits most from the current confusopoly?

Why is the situation on access and wayleaves, the electronic communications code and business rates and what service can actually be offered where (given the state of the local networks and backhaul available) – so confused?

Partly because, until recently, it was irrational for the largest player to cannibalise its captive leased line and reseller markets or to do anything other than use all means possible to delay investment in rival networks. Supporting the creation and prolongation of a consultant driven “confusopoly” was therefore in its interests.

That may have changed.

What is the evidence for a change in BT’s motivation?

The evidence is not in the BT statements made in response to threats to separate Openreach. The process of separation could be used to paralyse investment for years. Moreover, much of the BT backhaul infrastructure, critical to both fixed and mobile communications, is not part of Openreach anyway.

The evidence is in BT’s appointment of their top engineer to run Openreach in place of the previous accountants and marketing men.

The evidence is in the doubling of his preventive maintenance budget.

The evidence is in the BT programme to reskill its engineers to handle fibre technology and the expansion of its apprenticeship programmes.

Above all the evidence is in the restarting of a fibre roll-out programme that was cut back as unaffordable at the time of the original negotiation of the BDUK state aid programme.

The competitors to BT are, however, highly suspicious as to how far its behaviour really has changed. 

The exclusion of public networks from the common access and wayleaves package negotiated so painfully over the past year or so with London’s main property owners is seen by some as a telling sign. Moreover, few will believe it is serious about allowing others to access its physical infrastructure on equal terms unless and until it has processes in place that enable it to make serious money from doing so – and its staff are motivated and rewarded for helping it do so.

How do we ensure BT has a good business case to help bring forward investment to bridge the Brexit Gap?

I have been organising meetings to produce a six point plan to present to ministers to use the opportunity of Brexit to transform the climate for investment in full fibre broadband and help reduce the risk of a post Brexit recession. Success requires that BT has a good business case (i.e. not just regulatory pressure) to offer partnership deals to its competitors that enable all sides to improve shareholder return by growing revenues faster than costs and prices are falling.

The need for resilience and security (and therefore multiple sourcing without single points of failure) for a “smart society” should provide a wide choice of business models for achieving this.

It’s about culture and motivation not “mere” regulation

My views on the Openreach debate were summarised 280 years ago by Alexander Pope: “For forms of government let fools contest, what’s best administered is best”. The form of any separation arrangement is less important than the vigour and rigour with which Ofcom polices the behaviour of BT as a whole – particularly the converged infrastructure operations supporting EE and the yet-to-be-created local internet exchanges that will be needed by every would-be smart city.

If you would like to contribute to the Conservative Technology Forum “Six Point Plan” exercise why not post a public comment to this blog to help stimulate public debate. I should warn readers that those who e-mail me direct (or contact me via Linked In) are likely to be asked how they will help implement their suggestions.


July 30, 2016  11:15 AM

Which is more important to the future of BT? Quadplay or a Converged Utility with EE?

Philip Virgo
Broadband, BT, convergence, EE, fibre, fttc, G.fast, LINX, Ofcom, Openreach, Uncategorized

BT may be resisting the forced separation of Openreach but its wider business strategy is unclear and it is unlikely to be able to fund both its quadplay ambitions and the investment needed to provide the reliability, resilience and security, not just response times, its customers are increasingly demanding. Its content advertising has begun to converge with that of EE while its largest shareholder, Deutsche Telekom, is planning for a similarly converged 5G world.

DT has a market capitalisation of around £71 billion. Vodafone has one of around £61. Telefonica (parent of O2) has one of £43 billion (and is seeking to merge with Three, whose backers are capitalised at over $1,150 billion). All are looking to provide converged services for a 5G (and beyond) world. None is trying to grow an in-house content operation, as opposed to providing access to content provided by others. The only other Telco trying to do both is Verizon, which has a capitalisation of £224 billion, although there are allegations that its content play is “merely” to strengthen its bargaining position vis a vis Amazon, Google, Microsoft, Netflix and the “Net Neutrality” lobby.

BT, with a capitalisation of £41 billion, is planning to restart investment in its utility operations (not just Openreach, but also Wholesale), at the same time as continuing to take on Sky, Liberty, Netflix and the new content operations of Amazon. That restart, to head off a forced break-up at the hands of Ofcom, can also be seen to have been triggered by complaints from Sky, Talk Talk and its other resellers over the quality of service they and their customers receive from Openreach. It is not just consumers who are having a summer of discontent. Information from the performance monitoring services of, for example, Sky or Virgin, remains confidential. But the threat of legal, not just regulatory, action almost certainly lies behind BT’s appointment of its top engineer to turn round Openreach, the subsequent doubling of his preventive maintenance budgets and the restoration of capital spend to levels not seen since before the original appointment of Tony Chanmugam as finance director to cut Capex and Opex by 25% and save BT from bleeding to death after Local Loop unbundling.

Bryan Glick has recently repeated his belief that BT secretly wants rid of Openreach, a low risk, low reward, “boring”, regulated utility. I suspect its largest shareholder would rather get rid of content operations which have failed to deliver targeted profits and are running into increasing competition from its largest customers – some of whom are now looking elsewhere for more reliable, cheaper, all-fibre service. Either way, the difference between what Ofcom has demanded, a separate Board for a wholly owned subsidiary, and what BT has offered, a sub-committee of the main Board, is significant.

Recent events (e.g. service failures taking the customers of other ISPs, not just its own, off air for hours on end) have shown the importance of resilience and competition in the backhaul and Internet services provided by BT wholesale – not “just” the local loop services provided by Openreach. But BT is, in turn, reliant on its own subcontractors and partners and their failures (from the power supplies for the former telephone exchanges it no longer owns to internet exchange and hosting operations it never did) reveal just how vulnerable our access to the Internet really is. Running Openreach at arm’s length will not help address such failures. Returning both Openreach and BT wholesale to pre-2008 levels of investment may also not be enough.

History lessons are boring – but before taking some of the most recent statements from the CEO of BT, a marketing man, at face value it would be as well to compare the analyses in the CMS Select Committee Broadband Connectivity Report with Mike Keily’s most recent analyses and the summary of the reasons for BT’s past strategies contained in the Dirty Digest I blogged at the time Ofcom was calling for inputs to its strategic review.

Sir Michael Rake and Ian Livingston “stopped the bleeding” and saved BT from going broke after Local Loop unbundling and a series of Ofcom decisions had rescued the Cable Companies but destroyed the business case behind Ben Verwaayen’s investment strategy. BT lived off the back of those investments for a decade and persuaded the coalition government to co-fund some of the gaps. But the consequences of the failure to complete the programme (e.g. halting the replacement of 1970s cabling whose aluminum content means FTTC and G-Fast do not work) are now becoming apparent.

The quality of service problems with a “monopoly” are not, however, confined to BT. Internet peering, alias connectivity, is uniquely centralised in the UK. France, for example, has 24 peering exchanges and most of its traffic routed through large regional centres – not Paris. The UK has only 9, including the new startup Internet exchanges in Manchester, Edinburgh, Cardiff and Leeds. Almost all traffic is still routed through the London operations of LINX. But LINX is a mutual, owned by members who are not happy with the vulnerability that results from such centralisation. It is helping lead the drive for devolution to local Internet exchanges and I have promised to help provide political platforms for its Chief Executive to brief politicians on why and how they should support plans for every aspiring “smart city” to have at least one exchange of its own.

Meanwhile the rest of the world, and Ofcom, have moved on. Hence Clive Selley’s most recent comments on restarting investment in “pure fibre” and “fibre by default” for new connections, while trying to wind up speeds over those parts of the copper network where FTTC and G-Fast will work. Hence also BT’s support for some of the new local Internet exchanges, including to reduce latency (signal delay) for its largest customers.

So what will the new BT strategy be?

One obvious component will be an increased willingness to enter into local partnership with new build operators where it is uneconomic to upgrade its own network without public subsidies. Another, announced but not fully appreciated by analysts, is a massive investment (staff retraining and apprenticeships not just recruitment) in growing its security operations, including to serve its partners and customers. Similarly the scale, impact and consequences of BT plans to retrain and multi-skill its engineers, take on many more apprentices and bring functions (particularly those where it has experienced embarrassing leaks and other service and quality problems) back in-house have been largely ignored. In short, BT may already have decided that rebuilding a boringly efficient utility operation is more attractive to more shareholders than trying to “eat the lunch” of “customers” like Sky, Netflix and Amazon. I am holding on to my shares accordingly – although I expect those in some of the “fibre infrastructure pureplays” to do rather better over the next few years.

July 19, 2016  8:46 AM

BT must put house in order or face split, says Commons Select Committee

Philip Virgo
CMS, investment, Openreach, Uncategorized

“In a report published today, Tuesday 19 July 2016, the Culture, Media and Sport Select Committee says BT is “significantly under-investing” in Openreach, its infrastructure subsidiary. Based on a report commissioned from a panel of independent experts, the Committee concluded the shortfall in investment could potentially be hundreds of millions of pounds a year.”

I was not involved in this report, having given evidence, alongside over a hundred others. I had not seen it before receiving the press release. I therefore reproduce the release verbatim before making a few quick comments:

“The Committee says BT has exploited its position to make strategic decisions that “favour the Group’s priorities and interests”—and is likely to have sacrificed shareholder value and customer benefit as a result. Capital investment in Openreach has been broadly flat since 2009 until this year, and quality of service remains poor.

The Committee is demanding that BT invest significantly more in Openreach, and allows Openreach much more autonomy over what it invests, when and where. It supports Ofcom’s plans for establishing greater separation between Openreach and BT Group, but makes clear that if BT fails to “offer the reforms and investment assurances necessary to satisfy our concerns”, Ofcom should move to enforce full separation of Openreach.

In the Committee’s judgment, Ofcom has not placed enough emphasis in the past on improving Openreach’s quality of service: it says the prospect of stiffer penalties should also encourage BT to voluntarily invest more in infrastructure.

The Committee convened a panel of expert advisers for the inquiry, including nationally recognised specialists in finance, regulation, communications and infrastructure provision, whose expert report is also published today with our own report.

The report concludes:

— The lack of transparency in BT Openreach’s costs and deployment plans in relation to the BDUK programme has stifled local competition and thwarted other network providers’ planning.

— BT has allowed service quality levels to remain low at Openreach in recent years—from an arguably low base—while investment in Openreach has been flat. Ofcom was slow to introduce minimum service standards with financial penalties for Openreach, some nine years after its creation.

— The shortfall in investment in Openreach could potentially be hundreds of millions of pounds a year.  It arises because BT appears to be deliberately investing in higher-risk, higher-return assets such as media properties, and not investing in profitable lower risk infrastructure and services through Openreach.

— BT Group is exploiting the position of vertical integration to make strategic decisions that favour the Group’s priorities and interests, at the expense of its access infrastructure business.  Its current structure allows it to use Openreach’s utility-type assets to cross-subsidise riskier activities elsewhere in the Group, while significantly under-investing in the access infrastructure and services on which a large part of the public rely.

— Ofcom’s charge control regime has kept a downward pressure on prices, so that the UK’s communications prices are among the lowest compared with similar EU countries. But this mechanism has not been successful in holding Openreach to an adequate quality of service; and it is an open question how effective overall it has been in stimulating investment in Openreach’s infrastructure.

— For those households and businesses in the “final five per cent” there will need to be judicious deployments of interim technology solutions to provide improved connectivity to those households and businesses which currently have little or no coverage.

— The challenge of reaching the “final five per cent” is likely to demand the active and willing co-operation of local communities wherever possible. BDUK will need to offer guidance and support in key areas such as: choosing the right technology solutions, raising finance, stimulating demand and minimising other costs of provision.

— That there is a compelling case for expanding the current USO for telephony and dial-up internet to cover broadband, given the vital role it plays in people’s lives.

— Ideally, the USO must be designed so as not to impose too great a burden on industry: to incentivise investment, without creating consumer detriment or overly inhibiting take-up.”

After reading the press release I do recommend you read the summary and take a look at the list of advisors at the start of the appendix on regulation, competition and cost of capital before setting aside time to read the report in full – as I will. My first reaction is 10 out of 10 for the quality of the analysis and the accuracy of the diagnosis. A few sections particularly caught my eye during my first reading of the summary of the report:

“Openreach. Openreach, local bodies and BDUK are to be congratulated for hitting their 90% coverage target for superfast broadband. But one consequence of this rapid rollout has been that the programme appears to have tackled the easier-to-reach premises within the interventions areas first and has not delivered coverage to whole areas. Instead, it has left a patchwork of premises that have not been reached, and created much uncertainty among local residents as to whether or not they will be connected or receive improved speeds.

A further downside of the BDUK programme has been the lack of transparency in Openreach’s costs and deployment plans, the apparent effect of which has been to stifle local competition and thwart other network providers’ planning. At the same time, Openreach’s historically poor service record has failed to improve in the face of escalating demands on the network.”

Although standards of service, specifically customer service, are also problematic in the wider industry, Ofcom has in particular identified the quality of Openreach’s wholesale service to communications providers, including to BT’s businesses, as being highly unsatisfactory …  Openreach has been “over-earning” substantially in relation to its cost of capital while Openreach’s investments, including in fibre, have until this year barely increased since 2009.

“there appears to be compelling evidence that BT Group is exploiting the position of vertical integration to make strategic decisions that favour the Group’s priorities and interests, at the expense of its access infrastructure business. BT does not lack access to capital. Its current structure allows it to use Openreach’s utility-type assets to cross-subsidise riskier activities elsewhere in the Group, while significantly under-investing in the access infrastructure and services on which a large part of the public rely.”

“It came as a surprise to us that BT employs an investment hurdle rate significantly above Openreach’s actual cost of capital, as estimated and allowed for by Ofcom. This means that a potentially very significant amount of annual investment in broadband access and services, investment that would likely add to shareholder value, is not at present being made.”


“it is not clear how the presence of a utility-style operator would be compatible with promoting competition, or would work successfully alongside current market players such as Virgin Media, to say nothing of the many other smaller providers of broadband access infrastructure, without stifling competition and the growth of alternative networks.”


“We believe Ofcom has been right not to rule out full separation; that option should be kept firmly on the table … If the regulator were to place more emphasis on Openreach’s quality of service, BT would voluntarily invest more in the infrastructure to avoid significant penalties. Should BT fail to offer the reforms and investment assurances necessary to satisfy Ofcom’s and our own concerns, then the regulator will need to set in train the steps to enforce full separation of the Openreach business.

… Should Openreach remain part of the BT Group under a strengthened model of functional separation, BT should be obliged to allow Openreach to raise finance independently in the capital markets in its own right, and to make investments that meet the business’s own cost of capital. We have every reason to believe that Openreach would be a very attractive investment vehicle to longer-term institutional investors, which could in turn facilitate increased investment in infrastructure.”

July 17, 2016  5:49 PM

How will Digital Policy change under Brexit, Karen Bradley and Matt Hancock?

Philip Virgo

David Davis was the only politician ready with plans for when the English and Welsh voted for Brexit. I would have been surprised if he had not. We met at London Business School and ran its Conservative Association for two years (it was pre-Facebook and my lips are sealed but there are no scandals to emerge). Our teachers included Charles Handy, in his first year at LBS, taking over from Denis Pym. A consequence was that, as well as an exhausting introduction to all the normal business disciplines, we learned the need to mix capitalism with compassion, using clear, not wishful, thinking. I suspect I was not the only one who also learned that concealing careful preparation can be even more useful than concealing the lack of it.

Perhaps David began preparing his plans while he was John Major’s Minister for Europe, nicknamed the charming bastard by one of those he negotiated with. His pieces in Conservative Home on the case for Brexit  and our negotiating strategy should be read at face value. Those wondering what else to expect should read his 1988 IoD book, “How to turn round a Company” as well as looking at his political track record.

I have already blogged on why the effect of Brexit will be what we want it to be. Of itself, it makes little difference to UK Digital or Broadband policy. Most of the relevant Directives and Regulations were drafted by UK lobbyists and regulators working through Brussels to achieve what they wished to impose on the UK. Whether or not they were right, the result should not be blamed on those who wanted “ever closer union”. Any changes desired by those who voted to leave consequently require them to overcome the desires of most of the tech establishment (a couple of dozen dominant players, mostly controlled from the US, plus an army of policy lobbyists, consultants and professional fund seekers) to maintain the status quo they have fought so hard to achieve. And I support most of what they did.

We can, however, expect a few significant changes of priority from the new ministerial team. In particular it is likely to follow public (rather than “expert”) opinion in questioning the current meaning of “net neutrality” and in questioning the honesty and probity of those promoting a world of privacy-free, big data clouds in which we are the product not the customer.

The first changes likely as the result of the change of Ministers include:

1. Restoration of the Manifesto Commitment to protect children from on-line pornography

Karen Bradley’s responsibilities at the Home Office included child protection and on-line abuse. We can therefore reasonably expect an end to the watering down in the draft Digital Economy Bill to cover only sites whose “main” business is pornography and to ignore the value of mandatory filtering (alias blocking) when sites fail to use effective age checking.  I look forward to  Ministers giving short shrift to the argument of internet service providers and on-line retailers that blocking should not be used for child protection while they use it for copyright protection and to support their commercial business models. We can expect determined rearguard actions by some of those who do not want effective legislation (for a variety of reasons) but the denial of service to those who use ad-blockers and removal of access to content that competes with the providers own services greatly weakens their case.

Those who want realistic age checking (to control access by adults to networks designed for children as well as under-age access to alcohol, knives, tobacco and adult content) should therefore help educate MPs and Peers as to the scale and nature of the existing use of filtering (alias blocking) in support of current on-line business models. They should encourage their constituency MPs to help ensure the passage of agreed and practical amendments during the passage of the Digital Economy Bill.

2. A Universal Service Obligation based on reliable access to Digital by Default public services

Those who see Matt Hancock as a champion for the digital age should remember he is also MP for a rural constituency with a more than average global outlook: Newmarket, Lakenheath and the would-be new Cambridge International Airport (with science park, housing and rebuilt rail connection!). He bears the scars of both the failed GDS attempt to turn round the rural payments system and the expectations raised by the partially successful “Better Broadband for Suffolk”. I have blogged several times on the need for the Universal Service Obligation to be based on a service that is fit for purpose, including latency, reliability and resilience, not a nominal speed or technology from a single supplier. I have also commented on the need for it to be for an evolving purpose as the expectations for “digital by default” public services evolve from access to information websites and booking services to include active and always-on telecare and telemedicine.

3. Priority for training over immigration

The UK IT industry has a long track record of weeping crocodile tears over skills shortages while failing to take on trainees and exporting jobs or importing contractors. The consequences range from the lack of opportunities for computer science graduates for Britons from ethnic minorities through the difficulties faced by mature staff seeking to refresh their skills to illiterate peasants picked up with documentation describing them as skilled systems analysts when their escorts failed to collect them at Heathrow.

Matt Hancock launched the long overdue extension of apprenticeship programmes to the Civil Service while serving on David Cameron’s “Earn or Learn” Task Force. Now that the ICT and Creative industries are beginning to set their own house in order with the Tech Partnership and Creative Skillset programmes, they have the credibility, and the responsibility, to also help him ensure that the new Digital Apprenticeships really do address the needs of employers and students, not just the vested interests that dominate our century old hierarchies of funding agencies.

There will be other changes but this blog is already long enough.

July 2, 2016  1:44 PM

Putting the IT into BrexIT: what do we (and they) really want?

Philip Virgo
Brexit, Data protection, IPR, privacy, Skills, TTIP

We have heard much regurgitation of pre-referendum positions, interspersed with “firing from the hip” from those determined to preserve the past from the future. “Business as usual” is not, however, an option.  All players (including trade associations and professional bodies, not just politicians and bureaucrats) need to consult their supposed supporters before making claims as to what they want. They should also consult experienced diplomats as well as constitutional lawyers as to what is, or is not, possible when it comes to negotiation.

The “possible” ways forward range from EEA status, (alias capitulation), to “raw” WTO status, (alias turning the UK into the world’s largest free trade zone). The EU Trade Commissioner, Cecilia Malmstrom, has said “First you exit, then you negotiate” while the House Speaker, Paul Ryan, has called for the discussions on a free trade agreement with the US in parallel with the stalled discussions on TTIP. There were high level trade discussions between the UK and China, India and Japan during the run up to the referendum. No wonder the EU Trade Commissioner is seeking to continue “project fear” – the attempt to frighten the UK into premature capitulation.

Those who think that a UK reversion to raw WTO rules would be a disaster for the UK should read them. For example – rules to protect health and animal and plant welfare are permissible. A reversion to WTO rules would undoubtedly be a disaster for French, Belgian and Dutch farmers and for Danish and Spanish fishermen but for Britain … it would depend on whether we used the next two years to create an alternative regime based on the audit of hygiene and husbandry instead of subsidies and tariffs. Now let us look at IPR … and the potential for co-operation with India and China on global reform. Our negotiating position vis a vis any forward trade agreement with the EU is much stronger than we might think – provided we are seen to be taking Plan B seriously.

But this blog is about the IT industry response to Brexit. Perhaps the best start point is the five point Plan A from Julian David of TechUK.  My quibble is that the “primary objective”, as worded, is not sufficiently ambitious. The primary objective should not be continued access to a market where most digital transactions are routed via wholly owned and integrated operations running under US law. It should be to use the Brexit negotiations to help our European neighbours complete the creation of an outward facing, globally competitive, digital single market. While I personally “held my nose and voted remain”, I was struck by the view of one of our former top negotiators that a Brexit vote was the only way to achieve the necessary concentration of minds to succeed where we have so far failed. In doing so we will earn the right to stay in the single market we are continuing to help create, while no longer getting in the way of those who really do want “ever closer union”.   

I agree that “retaining and attracting talent is vital to the success and growth of UK tech” but would give priority to developing our own. I would also say that this is now even more important. That said, I thoroughly agree the need for a “smart immigration” policy. We need, however, to spend effort working out what that means, given that the horlicks of recent years has helped destroy the once vibrant UK independent ICT contractor market as well as depressed indigenous salaries and diverted corporate attention away from career development programmes.

I also agree that work should start now on securing international data flows and data protection and liked the comment on the need to look at the relative merits of maintaining, adapting or completely re-legislating UK laws, including the UK Investigatory Powers Bill. The aim should indeed be to position the UK as a global leader so that those based in the UK would have no problem in complying with EU (or Global) best practice. In this context the Government should move rapidly to announce its acceptance of the recommendations of the House of Commons Culture Media and Sport Select Committee on cyber security – including for all the reasons given in my blog on their implications.

I also completely agree with the call for business as usual with regard to digital infrastructure. I was greatly encouraged to hear John Whittingdale say the same at the All-Party Media Group reception on Wednesday. Like Julian David, I look forward to seeing the necessary reforms fast-tracked. But we also need to move equally fast to defuse the unnecessary conflict between network operators and landlords over the reform of the Electronic Communications Code. Wherever possible it should be compatible with existing landlord-tenant legislation. The burden of proof should be on those wanting it to be different.

I also support the idea of publishing the postponed Digital Strategy as a draft to aid consultation.

June 29, 2016  3:27 PM

What do YOU want the impact of Brexit to be? Juncker is right to call for clarity

Philip Virgo

In my previous blog I took a look at the likely short to medium term effect of Brexit on the ICT industry. I should have asked what readers WANT the impact of Brexit to be. I should then have asked who is willing to work together to ensure that is what happens. Juncker’s call for “immediate clarity” as to what Britain wants may have been unreasonable and unrealistic but a similar call for long-term clarity is not.

The tensions that led, over time, to the pressure for a referendum were caused by “confusion” as to the nature of the relationship with the rest of Europe to which the British electorate thought it had signed up. We have seen the failure of the attempt to conflate the Benelux one-way drive for “ever closer union” with the Anglo-Saxon and Nordic desire for an open, globally competitive, “single market”. The underlying psychological agendas are different but should not be totally incompatible.

Instead of a hasty and bitter divorce, resulting in the worst of all worlds for both sides, we should therefore seek to agree an amicable separation which enables both agendas to be progressed in parallel – while recognizing and accepting the differences and tensions between them. Those who want the UK to “pay a price” for having the temerity to hold a referendum which showed that the majority of the population did not want “ever closer union” without reform, should note that the French and German stock markets went down by more than London. The “confusion” over objectives is not confined to the UK. All parts of Europe will pay a price if we do not work together towards a more constructive solution.

Yesterday the Digital Single Market group of the Digital Policy Alliance rapidly agreed the final draft of its submission to the Commission on Cloud Computing policy (one of the main points being the need for clarity of terminology). It then moved on to discuss the implications of the Brexit vote and the way forward. I will not attempt to reprise the discussion, let alone Malcolm Harbour’s summing up. The meeting report will shortly be available to DPA members and observers. The main action was to agree to organize a round table on 20th July to discuss what the members really want and how to achieve it.

In the meantime, the most important themes that I personally took away from the meeting were:

  • Triage – we need to identify:
    1. those areas where Brexit may be used to excuse delay but which are outside the purlieu of the EU or where the problems are to do with UK implementation not the EU agreements,
    2. those which are within the purlieu of the EU where members do not want change, because they are happy with what has happened or is planned, and
    3. those where change is desirable.
  • Business as usual: we should continue to constructively input to relevant consultations and discussions via current channels, in “ever closer co-operation” with those in other member states who share the objective of creating a globally competitive single market.
  • Those serious about wanting a truly symbiotic, ongoing relationship between the UK and the EU should be encouraged to join DPA, ideally in time to participate in the round table which Malcolm will be chairing on 20th July to discuss and agree action plans.

Triage is not as difficult as it first appears. The bulk of the preparation necessary was done in support of the Competences review. Unfortunately the results were ignored by all sides during the referendum debate. They did not fit comfortably with the cases either side was making. The results should, however, give a head start to the new Whitehall team working on exit strategy. It will greatly help that team if industry players help identify the areas where they believe action is not needed.

“Business as usual” may be harder – given the number of headless chickens creating chaos in the farmyard, running round the sacred cows, some of which have been lying in the path of progress for decades. It might be helpful, to give one example, were IT industry players to define what they mean by “freedom of movement”. Do they really mean “freedom to move to take up a job or contract with a reputable employer”? If so, this fits with the Treaty of Rome and the Commission red line. It is also compatible with the demands of those who want to deter immigration by blocking access to publicly funded education, healthcare, housing and welfare to those who have not paid local taxes for a given period and/or do not have an employer who will under-write their application. It does, however, imply the slaughter of some British sacred cows – such as “universal access” to the type of benefits which, in other member states (and other parts of the world), are based on local or regional “residency”. In short, “business as usual” requires an intellectual discipline and attention to detail that has so far been missing.

Hence the headline for this blog and the call for those who are serious about using the opportunity of Brexit to build a more coherent relationship with the EU to join the Digital Policy Alliance and help the Digital Single Market Group do so.


June 25, 2016  3:57 PM

What effect will Brexit have on the ICT industries and professions?

Philip Virgo
Banks, Brexit, Broadband, Data centres, Data protection, fibre, Fintech, investment, Legacy systems, privacy, reform, Security, Skills, Smart phones, Switzerland

After the meeting of the European Council next week we will have a clearer idea of whether the Brexit vote will lead to a positive relationship with a reformed European Confederation. If Juncker’s public statements are to be taken at face value, we face an acrimonious quickie divorce to stop the contagion spreading. By contrast Cameron’s measured timetable should facilitate a friendly separation, reducing the risks to ALL, not just the UK. We should note that the French (7.9%), German (7.9%) and Spanish (12.7%) stock markets all fell by more than London (FTSE 100 2% and FTSE 250 7.2%). In both London and the US the biggest losers were the Banks. This may indicate an expectation of turmoil. But it could also reflect the perceived opportunities for UK Fintech to leapfrog into the world of accelerating global dis-intermediation, shredding the business models assumed by inward-looking Pan-EU regulation. There is much to play for. It should be noted that while Lord Hill has resigned, like the Prime Minister’s resignation, his is also the rapid announcement of a phased hand-over.

The President of Luxembourg became the improbable “President” of Europe because the leaders of the member states did not make the effort to bring him to heel at the time of the Lisbon Treaty. They did not believe he could do much damage. He has proved them wrong. His firm and vocal opposition to reform if the UK had voted to remain pulled the rug on the “hold your nose and vote remain” strategy which caused me to vote remain. According to one analysis, it was deliberately designed to tip the balance in the referendum. Last week I listened to a former senior civil servant with twenty years of experience negotiating in Brussels. He believed that a vote for Brexit, followed by constructive negotiation, was now the only way of getting the reforms necessary to stop the decline and death of the European “project”. In a post-Brexit tweet that ended “reform or die”, the French Ambassador to Washington was clearly of a similar opinion. He said it was now up to the leaders of the member states to seize the initiative and stop the Union falling apart.

Short term we can expect a delay before the many financial services legacy system re-write projects put on hold, pending the outcome of the referendum, go ahead. These will now be designed for “regulatory neutrality”, as opposed to intra-EU demands. The length of that delay will depend on how long UK regulators take to get their heads round the new world. It should, however, be remembered that global banks like HSBC and Standard Chartered have long had to live with semi-incompatible national regulations around the world. London’s expertise in doing so is one of the reasons the US Banks tend to base their international operation in London not New York or San Francisco. London’s competitors are Hong Kong, Singapore and Zurich, not Amsterdam, Frankfurt and Paris.

A bigger problem will be improving the supply of indigenous skills, if we erect barriers against attracting the brightest and best of talent from across the EU as part of the attempt to stop low skilled immigrants depressing UK wages and adding to the pressures on hospitals, housing and schools. Hence the importance of projects like the London Cyber Security Skills Partnership so that when demand picks up we have the skills pipeline to meet it.

Action on public sector IT skills will be equally important because of the massive load in unraveling regulation and re-writing systems, unless we are going to tamely accept EEA status (thus losing all the putative benefits that Brexit is supposed to bring) as opposed to negotiating bilateral agreements as Switzerland has done. All this will have to be done in the context of another, and more stringent, round of budget cuts because UK borrowing costs will rise sharply in the short term. The key will be to train existing staff, including users, to undertake incremental change, particularly with regard to using smart phones to strip out overheads and enable front-line staff, from careworkers to policemen, community nurses to housing officers, to spend more time with the public and less on paperwork and reporting.

The impact on investment in broadband and data centres will again depend on how Government responds to the opportunities, not just challenges. BT is right to be worried about the impact on its investment plans because Deutsche Telekom is by far its largest shareholder and it has yet to organise the rights issue to help fund its take-over of EE. As evidenced in a recent article in Computer Weekly, its rivals are, however, far more sanguine. The increased pressure on public sector finances will put pressure on making the best use of new technologies to cut operating, not just investment, costs when it comes to supporting broadband roll out. Fibre networks not only cost less to build, they cost far less to operate and maintain. Well over half the cost is now access and wayleave charges. This puts a premium on co-operation between landlords and network builders to agree the provision of future (and flood) proof fibre to their tenants at a fraction of the cost currently being quoted by incumbents saddled with national, “arm’s length” agreements as well as pensions and football rights to fund.

Brexit could also lead to a boom in investment in shared data centres. It is often forgotten that the UK already has over 200 of these, over 70 in London alone – where growth to date has been limited mainly by the cost and fragility of the capital’s power suppliers. Whether it does so or not will be determined by whether the UK is willing to take the actions necessary to become a globally trusted data haven where the privacy and security of personal data (including against organised crime and big data resellers) is taken as seriously as in Switzerland. One of the areas where action is indeed urgent will be to organise informed debate on what those actions should be. I was already collecting speaking engagements to brief audiences on the implications of the DCMS Select Committee report. I now anticipate questions as to whether we should drop implementation of the GDPR because data breach notification is now part of the problem, helping phishermen more than victims. There is, of course, more to it than that but too much of the directive is to do with liability avoidance, the ability to ignore consumer choice and exemptions for those who most of the public do not trust.

The agenda for next Tuesday’s meeting of the Digital Policy Alliance Digital Single Market Group, chaired by Malcolm Harbour CBE, former chairman of the Internal Market Committee of the European Parliament, has been changed to look at the implications of the referendum vote and the opportunities it should present to help accelerate reform. Whatever our precise relationship with the Union, (in or out, EEA, EFTA or otherwise), the future of the UK, like its past, is bound up with its role as an entrepot between Europe and the rest of the world. Our prosperity therefore depends in no small part on the peace and prosperity of the rest of the continent. We should not give up on the necessary reform programme just because we have been temporarily manoeuvred out by the enemies of transparency, reform and democratic accountability. We must also, however, make good use of the opportunities given by Brexit in our own interest. I look forward to meeting those who agree at future DPA meetings – so that I can enjoy my retirement (it is now nearly five years since I stood down and became only an unpaid advisor) knowing that the future is indeed in better hands than mine.

June 20, 2016  10:44 AM

CMS Select Committee turns Cybersecurity reporting focus from breaches to performance

Philip Virgo
.ico, BCS, Big Data, Cyber security, FCC, IASME, IET

The press release for the Culture Media and Sport Select Committee Cybersecurity report headlines the recommendation to jail abusers not just fine their employers. The change of reporting emphasis from notifying breaches to, inter alia, the processes for enabling customers and staff to check for impersonation, with fines linked to failure to do so, should, however, also change the way boards monitor the performance of their security teams.

The recommendations from the committee, which I have been privileged to serve as specialist advisor, should help turn the corporate priority from data breach notification to enabling staff and customers to report attempts at impersonation, whether or not there is evidence of an actual breach.  Such a change is essential in a world where there may be weeks or months between a breach and its discovery and publicity for a breach will trigger a wave of phishing e-mails and phone calls.

The rules for specialist advisors are strict but I was delighted to be given permission to speak after the report is published, spelling out the implications for those responsible for cyber security, if the recommendations are adopted. In this review I have therefore focused on the sections of the report most relevant to those planning the cyber security activities of their own organizations, as opposed to regulatory or national policy.  I strongly recommend, however, that you read the full report.  It is only 21 pages.

Then consider your corporate action plan for when, not if, the recommendations become law.  

My own recommendations to any Board that asks me for an elevator pitch would include:

  • have clear chains of responsibility for security processes, training, reporting and incident management and ensure they are practiced and updated at least annually.
  • use staff and customer education programmes to reduce the damage when breaches occur and report the results to the board and outside world.
  • report who audits your systems, to what standards, whether you have an incident management plan and when you last exercised, to the board, your customers, your suppliers and the outside world.
  • check the processes of current and potential subcontractors: because you will be held liable and may not be able to get whoever sold your information jailed, especially if they are off-shore.
  • prepare for when losses from impersonation replace whiplash and PPI as the target income stream of ambulance-chasing lawyers, so that you can rapidly sort the genuine claims from the rest.
  • watch your trust ratings rise, on-line business increase and complaints and costs fall: as customers and suppliers gain confidence that their information is safer with you.

The background to the enquiry (Para 5 – 10)

The enquiry was triggered by what happened immediately after Talk Talk decided to go high profile after an attack. The evidence showed this was the tip of an iceberg. Moreover, calls for faster, “better” data breach notification have come to be part of the problem, not the solution. There is a real risk that the focus on breach notification helps phishermen and would-be fraudsters more than potential victims. This is particularly so given that the Information Commissioner’s Office is snowed under with incidents: over 200,000 a year with only 30 staff to respond, handling about 1,000 of the most serious cases at any given time.

Attack and Response

The committee found a need for a step change in customer awareness and education, not just a Government campaign but that: “All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine.  This verification mechanism should be clearly signposted and readily accessible, as with existing customer contact and complaints mechanisms.” (Para 14)

[Those with long memories might say that the e-Commerce Directive mandates such information from all trading on-line within the European Union. One of my personal concerns has been the failure, until very recently, to talk seriously about enforcement. It helps that the FCC has pulled the rug from under the position of some of the dominant lobbyists in Brussels.]

Then came some recommendations regarding the very tricky issue of responsibility for handling major incidents within large organisations (Para 16) before a very polite bombshell:

“We were also surprised that there is no requirement to make security a major consideration in the design of new IT systems and apps. We therefore recommend that security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary.” (Para 18)

Those in the industry will know that BCS and IET have finally been able to agree to mandate security components in the degree courses they mandate but the new rules will not come into force until 2017. They will therefore only apply to those graduating from 2020 onwards. Hence the importance of the London Cyber Security Skills Partnership on which I blogged recently – including to re-educate all those “Digital Marketing” specialists producing the egregiously leaky “apps” harvesting data from the smart phones of the younger generation.

After summarizing some of the evidence on business continuity exercises and scenario planning and the importance of communication with customers to reduce the risk of spoofing, the Committee recommended that “where the risks of attack are significant, the person responsible for cyber security should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected, whether or not there has been an actual breach.” (Para 20). This will hopefully make life a little less difficult for those in the hot seat.

Customer compensation

The report considered the vexed question of compensation and made some substantive points before concluding: “We believe it should be easier for consumers to claim compensation if they have been the victim of a data breach. There are a number of entities (for example the Citizens Advice Bureau, ICO and police victim support units) that could in principle provide further advice to consumers on seeking redress through the small claims process. It would be useful for the Law Society to provide guidance to its members on assisting individuals to seek compensation following a data breach. The ICO should assess if adequate redress is being provided by the small claims process.” (Para 25)

The Law Society might be unable to agree an actual “practice note” for its members (the issues are indeed complex) but the attempt to do so should produce material that will make it much easier for its members, including those who work with Citizens Advice and Victim Support, to give practical advice on how to obtain redress.

Cyber essentials, supply chains and other guidance

Many breaches, however, occur along the supply chain, in suppliers or outsourcing contractors. The committee therefore recommends that “All telecommunications companies and on-line retailers, and other cyber-vulnerable organisations, should take steps to ensure that compliance with data protection rules and Cyber Essentials are key criteria when selecting third party suppliers.” (Para 26).

The committee also received evidence on the need to regularly update government advice and added that “Cyber Essentials should be regularly updated to take account of more recent attacks, including the need for security, incident management and recovery plans and processes for responding to cyber ransom demands.” (Para 30)

I know that many readers have views on the changes needed and look forward to an interesting but constructive debate on what those changes should be.

There follows a section entitled “The tensions between informing the authorities, criminal investigation and informing those potentially affected”. The title says it all. The Committee concluded that there was a need for guidance on how and when to publicly report incidents: “The ICO and Cyber Essentials should publish further guidance on informing the relevant authorities and include best-practice examples of how to inform in an appropriate way those affected, in order to strike the best possible balance between protecting information that is sensitive to police investigations, whilst recognising consumer/customer requirements to be made aware of a breach that may affect them. This is particularly relevant as the EU GDPR will extend the obligation to inform consumers to all companies and organisations, not just telecommunications companies and ISPs.” (Para 33)

I have great sympathy for those who may be tasked with producing that guidance. I can fully understand why it does not exist. That does not, however, remove the need.

The role of the Information Commissioner

In Para 18 the committee suggested the Commissioner “introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches.” This will hopefully ratchet up the pressure on the relevant professional bodies to ensure that their members know how to address these. In Para 34 the committee adds “an incentive structure that inhibits delays, for example escalating fines for delays in reporting a breach.” and “scope to levy higher fines if the organisation has not already provided guidance to all customers on how to verify communications.”

The report discusses the impact of escalating the sizes of fine, including when the GDPR comes into force (if we do not Brexit) and makes the important point that “the attention of individuals within the organisation may be better engaged by the threat of a custodial sentence, rather than a fine for their employer.”  (Para 36) The committee then supports “the ICO’s call to bring into force Sections 77 and 78 of the Criminal Justice and Immigration Act 2008, which would allow a maximum custodial sentence of two years for those convicted of unlawfully obtaining and selling personal data.” (Para 37)

Then come the recommendations referred to at the start of this blog as a Corporate Action plan. I believe these could not only help transform corporate attitudes towards data protection and security but also greatly improve the effectiveness of the actions they take:

Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:

  • Staff cyber awareness training;
  • When their security processes were last audited, by whom and to what standard(s);
  • Whether they have an incident management plan in place and when it was last tested;
  • What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
  • The number of enquiries they process from customers to verify authenticity of communications;
  • The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).

Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place. (Para 38)

I very much look forward to seeing those currently planning programmes to brief customers on the impact of the GDPR re-writing their scripts. It was clear that the members of the committee know what is needed to catch the attention of main board directors suffering the same information overload as themselves. They also know that such reports will need interpretive guidance from the in-house security teams – but the process should help ensure that security is taken seriously at least once a year by the board, whether or not there have been any serious problems. Among the points I would like to add are:

  • Staff education and awareness programmes which are not supported by advice services which answer a steady flow of questions are ineffective.
  • “No reported problems” equals a dead system and a ticking time bomb.
  • The same is true of the systems available to customers to report phishing attempts and other problems.
  • Those running the protection systems need to be able to talk about the volume of attacks they have detected and foiled.
  • Reports in the annual report and accounts, whether or not the ICO staff read what is reported to them, provide the necessary discipline to ensure the content is actually read by the board.
  • Such reports, in turn, provide marketing and PR staff with the ammunition to tell the world that their employers really do take the security of their customers’ personal data more seriously than the competition.

The general public will, however, need something easier to help them understand who is trustworthy. The committee therefore supported “the ICO’s plan to create a privacy seal, to be launched later this year, which would be awarded to entities which demonstrate good privacy practice and high data protection compliance standards. It would be useful if the privacy seal could also incorporate a traffic light system to help consumers understand which companies are compliant, which are making progress, and which have yet to take the issue seriously.” (Para 39)

Investigatory Powers and Big Data

Finally comes the “haystack of potential problems” that is the Investigatory Powers Bill with the “huge pools of personal data that it would create and their vulnerability to attack and theft leading to personal data breaches”. In interpreting the recommendation at the end of Para 41, “The vulnerability of additional pooled data is an important concern that needs to be addressed urgently by the Government. Part of the response could be to require enhanced security requirements and background checks for those with access to large pools of personal data.” it should, however, be remembered that the problems with Big Data go beyond that already in the hands of the security services or law enforcement.

The Vodafone Survey on which I blogged a few weeks ago came too late to influence the enquiry but it should influence organisations thinking about how to respond to the recommendations.


Do read the full report; you will miss much if you merely read my thoughts above. Also remember that policy is made by those who give evidence and respond to consultations.

The “motto” of this blog, announced in the very first entry back in 2008, is “The silent majority gets what it deserves … ignored”. Don’t be.

June 17, 2016  11:21 AM

Lack of co-operation on cyber skills costs London more than membership of the EU costs the UK

Philip Virgo Profile: Philip Virgo
BCS, Brexit, Cisco, CompTIA, CREST, IBM, IET, ISACA, London, NCA

I have been asked to change the headline of my blog yesterday on the case for supporting a London Cyber Security Skills Partnership. It was said to be as misleading as the headline arguments for Brexit or Remain. Instead I should have begun by saying that the amounts lost by Londoners and London-based businesses as a result of cyber crime, whether actually stolen or including business lost as a result of intrusive security or lack of customer confidence, are greater than the UK contribution to the EU, whether gross or net. And the main reason for those losses is our failure to take effective action on training, to develop, maintain and use systems that are secure by design rather than attempt to rely on awareness, education and layers of reactive security. Hence also the reason we need a London Cyber Security Skills Partnership which looks locally and globally – as opposed to a national partnership oriented towards the needs of cyberwarfare and the state. The skills overlap but the perspective, mix and priorities are different.

Therefore, I will begin again, under a corrected heading.

I have blogged before on my position on the referendum: the result matters less than what we do afterwards, whether in or out. I have also blogged on the cost of our failure to help Europe unravel the toxic politics of privacy, security and choice. Today I would like to put forward the plan for creating a London Cyber Security Skills Partnership to move from bleating about the problems of information security to taking world leadership in implementing the solutions – whether from inside or outside the European Union.

London has over 50 Universities and Colleges, some world class, but its employers regularly complain of skills shortages and contract or recruit overseas while many Londoners cannot get on the jobs ladder. “Blended learning” (technology assisted on-the-job training, mixed with off-the-job motivation modules, supervised work experience and mentoring) makes it quicker and cheaper to train raw talent or existing staff than to trawl expensively for some of the skills in shortest supply, such as those needed to secure on-line operations. But the skills to organise such programmes are in even shorter supply than most other high tech skills. More employers are currently looking for experienced security trainers than for experienced security architects! London has a kaleidoscope of skills programmes: from mentoring, work experience and careers advice in schools through apprenticeships (including both pre- and post-graduate) to conversion and returner programmes. But these are fragmented and rarely have promotion or marketing budgets.

The needs of Londoners, whether employers or those looking for work, vary by sector and geography, from where employers compete to attract talent into known career paths, such as the City, through technology clusters which need fast-changing, innovative skills, such as Shoreditch, to insular, sink estates, where hope is gone (and there is a win-win if we recruit the talent before it turns to the dark side). The all-party Digital Policy Alliance is therefore working on the concept of local partnerships, led by employers (seeking to meet their own skills needs), professional bodies and trades unions (seeking to place their members into work) and parents (wanting better informed choices and opportunities for their children) with a particular aim of engaging with networks of FE Colleges, who are all too often left out of mainstream digital skills programmes because large employers and national bodies lack the bandwidth to engage with them.

Success will depend on the cost-effective use of those with blended learning skills to mobilise “subject experts” to help students acquire the industry recognised qualifications and certifications currently expected by employers and recruiters (e.g. CompTIA, Cisco, IBM, ISACA) in the course of their apprenticeship. The necessary materials are often available, at no charge, to the participating colleges, along with subject experts competent to support delivery and assessment: a common problem with programmes that start from scratch as opposed to building on what already exists. That will enable the scarcest resources to be focused on modules to meet emerging needs such as “security by design in digital marketing”: i.e. securing the now ubiquitous but notoriously vulnerable on-line apps.

It just so happens that security by design in digital marketing is the core technical skill for rebuilding confidence in the on-line world. It is also a black hole when it comes to finding training on how to do it. BCS and IET have just got round to mandating security components in the degree courses they accredit (from 2017 onwards). But most app developers do not have computer science degrees and those already practicing … Plugging that gap, including by supporting a proposal for co-operation between a group of London FE Colleges and the Tech Partnership for a new generation of collaborative degree level apprenticeships, will be one of the “starter” projects for the new London Cyber Security Skills Partnership.

The other “starter project” is expected to be an exercise to address another black hole, the skills to help London’s 900,000 SMEs to secure their systems to at least the level of IASME: the best known of the certifications being mandated for those in the supply chains of central government, telcos, financial services and on-line retailers. Most of London’s SMEs are one man bands who really need to learn only how to secure their smart phone. But some, for example those in Fintech supply chains, may be honeypots for access to tens or hundreds of millions of pounds worth of transactions. And many well known data breaches involved entry via a supplier or partner.

The aim is to use such “starter projects” to test the practicality of creating trusted co-operation across boundaries to build on what is already being done or planned. The ambition is, of course, much greater. But we are following “Internet Rules” – think big but start small and either fail fast or scale on success.

There is a worldwide cybersecurity skills crisis with employers trying to recruit ten times as many “professionals” (usually they really mean competent technicians) as are being trained. There is lots of talk and a plethora of initiatives but none are on the scale needed and most of those affected have no idea who to work with and how to help them address the consequences. This hits London particularly hard, as a global financial services centre, under sustained and serious attack at all levels from script kiddies through sophisticated and organised crime to nation states.

The concept is to bring together those who are serious about working together to achieve results, beginning with a basic project, to achieve specific objectives in an area of common concern:

  1. To package existing material (Get Safe On-line, Action Fraud, Operation Falcon, IASME, Cyber Essentials, CIFAS, Cisco, IBM, Intel, Microsoft, Symantec, Trend Micro, ISC2, ISACA, CompTIA, City & Guilds, OU etc.) for delivery via FE colleges to SMEs, using information security professionals, suggested and supervised by law enforcement, skills partnerships and professional bodies.
  2. To use success to open up the large scale delivery of relevant professional qualifications, including via apprenticeship, cross-training and staff update programmes via partnerships with Universities and Commercial Providers, including those recruitment and staffing agencies who are already helping clients organise training and staff development, both in-house and external.
  3. To also use the exercise to help SMEs identify those who can help them achieve, for example, IASME accreditation and otherwise meet the requirements of their customers, suppliers and insurers.

It is the context that makes the proposal so “interesting”:

  1. SMEs (under 250 staff) in London may have multi-million (billion) turnovers or be in the supply chains of those who do. Their needs, timescales and priorities are different to those of GCHQ, MoD and Central Government (e.g. they may not only employ staff from, but have to work in close co-operation with customers and counterparts in, Brazil, China, India, Nigeria and Russia not just the EU) but co-operation and cross-fertilisation with the various UK Government programmes is highly desirable.
  2. The Falcon team has good material and case studies and is charged to run seminars for business (all levels) but is fully stretched with operational needs. The FE colleges all want to deliver cyber/security courses but have few (if any) staff with the necessary expertise or experience. Both like the idea of working with each other, using pre-vetted industry experts who will not only put flesh on the packaged material but may also be available to professionally help those attending to implement what they have learned.
  3. The problems are acute among Fintech companies in the “graveyard slot” (with staff and finances fully stretched during the gap between start-up and venture capital funding).
  4. Competent security trainers of known provenance (e.g. security vetted or CIFAS cleared) are in even greater demand and shorter supply than, for example, Security Architects.

This will fail if it is just another bid for OPM (other people’s money).

The aim is to bring together those who have good business reasons for working together – outside government funding frameworks as necessary. Those who want to contribute, either because they have staff or customers they wish to train or retrain or are planning to take on trainees or apprenticeships, or because they have products and services for which they want to organise training, or because they have training courses, materials or facilities, should contact the Digital Policy Alliance with details of what they would like to bring to the table.

Please put 21st Century Skills Group in the subject line. By all means copy me but I am now only an advisor – the invitation lists are being maintained via the DPA until the partnership is ready to have an existence of its own.
