1 Action Fraud had an impossible task
The Times undercover investigation at Action Fraud has led to a rash of publicity, both tabloid and professional. The only surprise is that it has taken so long to expose the mismatch between public expectations and delivery.
Action Fraud’s own website indicates what the service does not cover and thus demonstrates the need for more joined up “reporting”.
There is also the need to distinguish between “reports” that are expected to lead to action and the many thousands of “notifications” that might arise from a single criminal action. An example of the latter was the premature and untargeted release of a piece of ransomware which, inter alia, crippled parts of the NHS. We also need to better handle the many thousands of partial reports from those who have suffered loss or distress but cannot provide sufficient information to enable action, even were the resources available.
It is all very well to have a review but this needs to lead to much more than a simple change of contractors.
The Action Fraud team were set an impossible task. Loss of morale and cynicism were inevitable. But the problem goes deeper. The opportunity should be taken to look at how to create honest and effective processes which also filter and distil incident notification with regard to all forms of cybercrime and abuse, into usable intelligence, actionable reports and effective victim support. That is a much bigger task than Action Fraud was created to address but is essential to restore public confidence in the Internet as a safe place for voters and their children as well as the 99% of businesses with no in house security expertise.
Hence the business case for Telcos, ISPs, Social Media Companies, On-Line Retailers and Transaction Service Providers and all others who want the on-line world to flourish to co-operate with law enforcement. The need is for more effective clearing houses for information on abusive/criminal activity to enable action under both criminal and civil law to remove weaknesses, prosecute/deter perpetrators and change professional/corporate behaviour towards security by design, as opposed to afterthought.
2 The reasons were identified over a decade ago
The problems were foreseen in 2004. The fifth discussion paper of the EURIM-IPPR study into Partnership Policing for the Information Society was on “The Reporting of Cybercrime”. It warned that: “Easy-to-use incident reporting systems are likely to be swamped unless material is received in a form suitable for automatic collation, analysis and forwarding. That means web-forms and/or pre-validated submissions from “trusted” sources, e.g. Banks or ISPs, on behalf of customers … The UK routines for reporting suspected money laundering illustrate the paralysis likely to result if this is not available.”
There was already a need to “reduce fragmentation and duplication of effort with regard to reporting structures and improve the availability of intelligence to help focus existing resource” and “a Catch 22 situation with regard to justifying the resources necessary to create easy-to-use reporting systems that will not be swamped. Without such systems we risk confidence in the Internet being eroded by the inability of most users to report incidents to someone who will take notice of their concerns. Education and awareness campaigns could do more harm than good unless accompanied by such routines.”
3 Now we face the predicted loss of confidence
The failure to create effective processes to collect and collate information on attacks to support the business case for action, has led us to a situation where criminal behaviour is almost risk free and therefore rising sharply.
- Government cybersecurity policy is focussed on the needs of GCHQ and MoD for state security and cyberwarfare rather than to protect citizens and business.
- Telcos, ISPs and other technology suppliers are effectively discouraged (on competition grounds) from working together to collectively remove the vulnerabilities that enable their customers to be attacked and abused.
Neither group gives serious priority to working with law enforcement and victims to identify and prosecute or sue the culprits.
I recently blogged that in June 2019 there were around 370 exhibitors at Infosec, most of them promoting cloud and/or AI based threat intelligence and/or behavioural analytics services to digest the billions of “attacks” into actionable information. Much of what they collect and report overlaps with what the National Fraud Intelligence Bureau hopes to receive, at no charge, from analysing that notified via Action Fraud and its other sources.
4 We have to unpack the problem to rebuild trust
Back in 2004 the EURIM-IPPR report said: The reporting problem can be addressed in manageable chunks, but to do so will require co-operation amongst a number of players, recognising that there are three distinct, albeit overlapping, reasons for establishing reporting mechanisms:
- the need for information on the size and nature of e-crime, to plan the right levels of skills, resource and working practices and commit to appropriate levels of investment across government and industry to reduce the opportunities for e-crime;
- the need to report suspicious incidents, vulnerabilities, adversary capabilities and the like, to enable the collection of intelligence, linked to means whereby this can be fed to different constituencies to enable them to protect themselves from new threats and vulnerabilities as they emerge – and to product suppliers to address security weaknesses;
- the need to provide the means whereby individuals and business can report and support investigation of suspicious incidents.
All three might also benefit from routine bulk reporting by those running protection services for their clients, most of which include monitoring, analytical and trend analysis services.
Today the organisation of bulk incident notification to enable collation and distillation into actionable intelligence in support of collective investigation and action under both civil and criminal law (as recommended in Fighting Fraud Together) will be much harder.
- Partly because of the massively increased volume of attacks.
- Partly because the private sector cybersecurity industry, geared to the needs of Government and big business, is a $multi-billion industry with little incentive to provide uncharged access to law enforcement.
5 We have to change the incentives
The situation would change rapidly were those who pay for commercial cybersecurity services to require the ability to pass their incident reports, in common format, to a central clearing house akin to that recommended in 2004.
In 2008 the UK clearing banks offered such a service as a by-product of a real-time shared fraud detection service linked to payment clearing. Parts of HMG, however, wanted statutory access. I will not go into the reasons (including the position of City of London operations in the critical financial services infrastructures of overseas Governments) why statutory as opposed to voluntary access is impractical.
At present the prime incentive for change is the desire of the major advertisers, who fund the Internet as we know it today, to protect their brands from piracy, stop them from being damaged by being associated with abuse and to check that the clicks they pay for are genuine. Google and Facebook have little choice but to respond. The means they use could also help transform the safety and security of the Internet as a whole.
6 There are many questions
The questions asked in 2004 remain pertinent:
- Who wants to report what to whom and what do they expect to happen afterwards?
- Who wants to receive what reports, on what and what are they going to do with them?
- Who should be responsible for analysing reports, producing intelligence for dissemination and information for action by which appropriate authorities and organisations?
- How should such intelligence be distributed to different constituencies, and by whom?
- What reporting already happens (private sector, law enforcement agencies, regulators etc.) and how might existing information be better processed and shared?
- What are the potential volumes? What resources would be needed to handle them?
- What governance and security processes are appropriate for which material?
7 We should be honest about Intelligence Gathering versus Reporting
Those contacting Action Fraud or abuse@ teams and others need to know whether their submissions will be treated as:
- Intelligence – to be distilled into action plans to remove vulnerabilities, disrupt criminal supply chains or enable partnership action (under a mix of civil and criminal law)
- A potential crime report – for criminal investigation, whether based on the collation of intelligence, a report by an individual victim or a report by an ISP or Bank covering an attack on a number of customers
- A potential case for civil action by victims (or a group of victims) and their lawyers/insurers because there is insufficient evidence or resource to support a criminal prosecution.
However the submission is treated, there is a need to provide the victim with realistic advice. In 2005 the Culture Media and Sport Select Committee saw this as a role for Citizens Advice or the Law Society (Para 25). Citizens Advice appear happy with this recommendation, provided they are given the necessary support.
I have now handed over my project portfolio but remain on the advisory board of the Digital Policy Alliance and plan to attend the next meeting of the Cybersecurity Group. I intend to suggest convening a round table on reporting to see whether there is support for an exercise to update the exercise done in 2004 – but without the expectation that Government can and will lead a joined-up exercise. That is because the conflicting agendas across the tribes of Whitehall, let alone across those of law enforcement, make an industry-led approach more likely to succeed.
But is the loss of confidence in the on-line world such that the leading players are willing to work together?
And would Ofcom (as competition regulator for the on-line world) allow them to do so?
Those are questions I leave to the next generation.
That said – the new Ministers at DCMS ARE from the next generation.
So are those at the Home Office and BEIS.
And we can see a stiff breeze of change beginning to waft through the corridors of power – beginning with demands for weekly progress reports on Brexit arrangements.
Given that we are in the foothills of the most unpredictable general election in several decades we might even see democratic pressures over-ruling departmental agendas.
Make YOUR voice heard.
Such opportunities do not happen often.
DCMS to survey the cybersecurity labour market
DCMS has announced “a second survey of UK businesses, public sector organisations and charities to help understand the UK cyber security labour market. The research will examine how organisations approach employing and training cyber security professionals, and understand the issues they face during this process”. The result is likely to be rather more useful than last year’s unstructured survey of professional and academic opinion. I criticised the resultant report (in my review of the Initial Cybersecurity Skills Strategy) because the analysis failed to reflect the structure of UK business. It was therefore seriously flawed with regard to the likely scale and nature of demand.
This time “Businesses and public sector organisations across the UK have been selected at random from the Government’s Inter-Departmental Business Register. Charities have been selected from the Charity Commission database in England and Wales, the Office of the Scottish Charity Regulator, and the Charity Commission for Northern Ireland. Cyber sector businesses have been selected from a list compiled from various commercial business databases.
Ipsos MORI is inviting the senior person within these organisations, with the most knowledge or responsibility when it comes to cyber security to take part. In some organisations this might be a specific individual or Head of Department, while in other organisations it might be the business owner or one of the charity trustees.”
The results will be interesting. In most cases the respondent will have little or no knowledge, nor will anyone else in the organisation. I therefore very much hope that the questions for the “senior person” include “Where do you get your advice and guidance?” and “Who do you go to if you have a problem?”
Why it is so important to analyse demand by size and type of employer
A month ago I met the current Chief Executive of West London Business and agreed to send him a copy of the draft report of the study into local demand for IT skills that I helped organise for West London TEC nearly 30 years ago. That was the first (and perhaps the only) attempt to use “industry strength” market research to analyse the digital skills needs of local employers. The questions were added to the local labour market survey for which we had received funding to use a computer assisted telephone survey, with prompted and unprompted questions, to a structured (by size and sector) sample of 10% of all employers. The response rate was just over 50%. Most skills surveys, then and now, use unstructured samples and have response rates of under 2% (sometimes as low as .02%). In other words we had robust results in an area where almost none of the other data was statistically significant.
The survey found that most businesses used hardware and software regarded as obsolete by suppliers. Few had any full-time in-house IT support staff and most had received no professional training. More-over none of the publicly funded training programmes in the TEC portfolio were felt to be relevant to their needs. Those wanting skilled staff were happy to train their own, provided the TEC would help them identify recruits with the necessary aptitude and attitude. They would also have liked the TEC to create a list of reputable local organisations providing relevant modular short courses. The results were so far out of line with “accepted wisdom” that the implications, beyond the synopsis headline “The users have taken over the system”, were ignored. My draft report and recommendations were never published.
I suspect we have a similar situation today with regard to cybersecurity skills.
99.5% of businesses have no in-house digital, let alone cyber expertise
The UK has 1.4m businesses with fewer than 50 staff. Most use packaged and/or outsourced IT products, services and support. They have no-one with serious in-house IT, let alone cybersecurity, expertise. Only 42,000 have more than 50 staff and only those with more than 250 staff (7,500) are likely to have any in-house cybersecurity expertise, as opposed to knowing when they need to call in an “expert” for help because they cannot understand what is happening or how to respond. Almost none will know the training their staff might need. Few will know how to find a reputable supplier of security services who can meet their needs at affordable cost.
The “answer” is almost certainly local access to services like those provided by the pilot shared skills incubator and SOC in Plymouth and/or those local ICT support suppliers who have staff competent to the level of (for example) CompTIA Security+. The lack of such access helps explain the low take up of Cyber Essentials, even among those with 50 or more staff.
The good news is that earlier this year DCMS recognised the problem and provided modest funding to help Bluescreen IT to package the Plymouth pilot for replication elsewhere and CompTIA for the Cyber Ready Programme to reach more diverse audiences (e.g. women returners).
And few cyber experts understand their Boards
At the other end of the spectrum we have the .01% of enterprise customers to whom most of the 370 exhibitors at InfoSec 2019 were seeking to sell AI and/or Cloud-based threat identification and behavioural monitoring products and services. These are the customers large enough to employ in-house staff who understand the meaning of terms like maturity model. Such staff all agree the need to educate “the Board” because it does not “understand” and give them the authority/budgets to buy new products and services which will supposedly improve their technical ranking. Meanwhile most successful attacks involve insiders (whether malicious or ignorant) and failures in people processes: authorisation, authentication, monitoring, motivation, training etc.
It is now five years since I blogged on the views of the major financial services employers of the City of London on the security skills frameworks then being promoted. The world has changed but the communications gap has widened. “Cybersecurity” is now rated by more than half finance directors as among their top five risks but the responses being considered globally require perspectives, priorities and skills well beyond those expected from cybersecurity professionals, whether in 2015 or 2019.
I used to lecture to current and would-be main board directors on risk reduction, recommending the use of the James Bond movie Skyfall to get their colleagues’ attention, well before Edward Snowden demonstrated the prescience of the basic plot.
Cyber is a subset of risk management
I would begin by using the quote from a former Director of CESG which prefaces the seminal EURIM/DPA report on Security by Design: “The main benefit of investing in better security technology is to force the enemy to concentrate on corrupting your people instead of trying to break your systems”. I would also remind them of the need to check the recovery plans for fire, flood, power / communications outages and digititis.
I would then rank the top six cyber-related risks (mix of probability and seriousness) as:
1. lost business because of cumbersome/intrusive security,
2. competitors using your IPR (unpatented research, customer/personnel data etc.) against you,
3. insiders (over-ambitious, malicious, disaffected or loyal but untrained),
4. contractors (IT, security, compliance, cleaners, support),
5. regulators demanding data they cannot safeguard,
6. organized and targeted attackers.
My action plan would have three main points.
1. Threat assessment and risk reduction strategies (e.g. data minimisation and access control to reduce attack surfaces)
2. Insurance backed security policies and incident response plans (with third party audit of regular exercises)
3. Active co-operation with law enforcement (to deter attackers)
Co-operation with law enforcement is critical
My conclusion would be that at least 10% of the security budget should be allocated to active co-operation with law enforcement.
This should include:
- support (and training) for the organisation’s staff and contractors to serve as expert volunteers (whether or not warranted as specialist constables) to help staff emergency response and investigation teams
- contributions to the funding of full time officers and support staff to provide independent governance and to handle co-operation with other law enforcement agencies and police forces around the world, not just within the UK or EU.
The EURIM-IPPR Study into “Partnership Policing for the Information Society” identified that the police would never have more than a fraction of the resources necessary to bring law and order to the on-line world. Today the situation is worse. On-line crime and abuse are soaring because they are almost risk-free for the criminals.
Enterprise customers divide into
- those who allow themselves to be punch bags, hoping their evolving defences are good enough to prevent serious damage and
- those who retaliate (from on-line gaming companies and Hollywood film studios to the supporters of the NCFTA programmes)
Those who retaliate commonly use the services of organisations like Brandshield to protect their brands or organisations like Duff and Phelps and the forensics teams of global accountants and law firms to sue all who do not help them identify and persecute (if not necessarily prosecute) the attackers and thus complement the work of law enforcement.
The topic of asset recovery appears, however, taboo among most groups of cybersecurity professionals.
They commonly take the view that retaliation would merely antagonise the attackers and lead to worse problems. This may be correct in the short term. Longer term, however, criminals find it safer and more cost effective to attack those who do not retaliate. Those with a reputation for effective retaliation tend to get left alone. That gives a double reward as their competitors suffer. Effective retaliation requires co-operation with insurers, the internet supply chain and law enforcement, using a mix of civil and criminal law.
It also requires investigation skills that go beyond most definitions of “cybersecurity”.
The need for joined up policy
The last Labour Government was unable to bring the tribes of Whitehall together to agree a joined-up approach, led by Home Office, to implement the recommendation of the EURIM-IPPR reports. It briefly looked as though the coalition Government might make progress, with the launch of Fighting Fraud Together. This was followed by two breakfast meetings which brought together the City and Security communities at board level (several hundred decision takers in the main hall of the Chartered Accountants). But political attention was diverted to surveillance and cyberwarfare. Progress petered out.
The current Lord Mayor of London has hosted some very impressive meetings for the Global Cyber Alliance, led by the New York District Attorney and the City of London Police. The alliance uses the proceeds of crime to help remove some of the vulnerabilities that facilitate impersonation. DCMS has yet to exploit the opportunity to use such co-operation to add a low-cost multiplier to its own efforts, e.g. by making the use of such free tools and training in how to use them, mandatory on all the digital programmes it supports.
Responsibility for coordinating cybersecurity and digital policy may now sit with DCMS instead of Cabinet Office but the decision squares for action remain spread across Home Office, Ministry of Justice, BEIS, FCO (for GCHQ), MoD and DfE. Meanwhile most of the practical experience and expertise sits with those who want their customers to buy, sell, play and learn on-line – not just in the UK but globally.
If the UK is to make a success of Brexit and become a globally trusted and trustworthy location for on-line activity we need the DCMS to lead a much larger review, leading to co-operation akin to that announced, but not subsequently delivered, at the launch of Fighting Fraud Together.
20,000 Degree-Level Police Apprenticeships should be the catalyst for change
I have now handed my portfolio of skills projects, including those on cybersecurity, to a team at the Open University. I hope they will provide a focus for providing local access to world class skills, including use of the cyber-components of the 20,000 policing apprenticeships recently announced (*) by the Prime Minister to transform the UK cyberskills scene – and make the UK the most dangerous place for cybercriminals to go on-line.
Of course policing goes well beyond cyber. But it is now estimated that 80% of crime has a digital element, if only because of the conversations, selfies and location information on the mobile phones of the criminals. A consequence is that the justice system is drowning in data, most irrelevant other than to confuse judge and jury and enable the guilty to go free. Hence the need to address the cyberskills for justice and deterrence, not just those for cyberwarfare, protection and surveillance. And the more widespread those skills, the more dangerous the on-line world will become for criminals not just potential victims.
(*) I know that was not quite what was announced, but locally delivered police apprenticeships using OU-like delivery mechanisms to enable common standards are the only realistic way of achieving the headline objective.
The economic structures and business models of the on-line world are changing.
The day after I blogged on why shareholders would wish to break up BT we got news that the sell offs were under way, beginning with the head office and some of the overseas subsidiaries. The share price stopped sliding. Then the Vodafone share price jumped after the news it was to spin out its masts and use Cornerstone to share 5G infrastructure with O2. City Fibre is using its new found financial backing to connect fourteen more cities, part new build and part relighting “orphan” municipal fibre networks. The Wireless Internet Group recently acquired the in-building operations of Arqiva. Ofcom is following the rest of the world in opening up “shared access spectrum”. Virgin has announced plans to wind up its speeds and done a new content deal with Sky (now owned by Comcast). The processes that enabled the “platform” dominance of the current incumbents (Amazon, Facebook, Google) are under scrutiny from both anti-trust authorities and the advertisers who fund “free” social media and search engines. President Trump is also taking aim at the way their lobbyists and lawyers use Federal contracts to further increase their dominance of cloud services. Whatever his motives, he appears to be the first president since Taft to take anti-trust seriously.
The technology architectures and structures are also changing.
There has been much coverage in the technical press of BT’s decision to adopt an Open Stack core, akin to that used by AT&T and Deutsche Telekom, to support and knit together the communications networks and technologies of the future. Meanwhile the US has forced Huawei to exit the main international submarine cable consortium at the same time as major US players are investing in their own cables to improve the resilience of their cloud centres.
Will this mean that the technology giants will shift their lobbying efforts to the ITU, which set almost all global inter-operability standards until the Internet Protocols replaced X25? If so how will they acquire the votes of the developing world now leapfrogging their legacy IPR? How will the boundaries with the IETF and other telecoms standards bodies “evolve”? And will the UK include funding for participation, hosting and perhaps even “leadership” into its priorities for making the UK the best place to do on-line business?
Exploiting the Brexit Policy Opportunity
Readers will know that I have come to reluctantly believe that Brexit is the only way to create a new and more constructive relationship with the protectionist kleptocracy that has condemned the youth of Europe to mass unemployment unless they come to the UK. That means building on the best of what has been achieved while extricating ourselves from the worst and a friendly divorce with joint custody of those children we acknowledge as part of the divorce. And telecoms policy is one of those areas where the EU got it right, including the constraints on BDUK which would otherwise have given its money to BT with almost no controls or clawback.
The new UK Government is said to be entering into a series of root and branch reviews of the policies it inherits, including to deliver on the Prime Minister’s aim to expedite the transition to full fibre broadband. We have a digital minister who has built and run regional business telecoms companies. Can we, therefore, hope to see a long overdue focus on the needs of British business instead of the preservation of BT’s leased line revenues to protect the Treasury guarantee of its pension fund? Will that translate into new priorities for Ofcom?
What policies might the new minister adopt to help ensure the UK benefits from leading the transition from the current jungle of fragile, semi-incompatible communications networks to a world of seamless, ubiquitous, resilient, secure, meshed, digital infrastructures? One of the last acts of the outgoing DCMS Secretary of State was to launch a review of the telecoms supply chain. Hopefully the new digital minister will ensure that this takes place in the context of the new world that is being created.
It is almost exactly five years since I blogged on the need to address the transition to an evolving “future proof” mesh in response to the Digital Infrastructure Consultation of 2014.
What are the current questions for review?
At one level they are becoming easier.
- Change is accelerating, making attempts to predict the future in order to regulate it ever more impractical – although that does not appear to stop some regulators from trying. The task is to remove the barriers to the changes we (voters) want to see and act more rapidly, efficiently and effectively against obvious abuses of dominant power and monopoly positions.
- Policies and regulations based on fictional boundaries between the fixed, wifi and mobile, terrestrial and satellite markets are losing relevance. Most voters (alias customers), would like their service to roam over whatever is cheapest (to them) and working at the time. Some will pay (and some a lot more) for reliability and resilience. The issue is to ensure that those controlling bottlenecks (whether access, transmission, switching or inter-operability) do not indulge in anti-competitive behaviour to exploit or prolong their monopoly positions.
- The attempts of digital infrastructure providers (however defined) to become content providers (and vice-versa) are unravelling. The fashion for convergence (alias invading or taking over players in adjacent markets) is cyclical and nearly always ends in tears. The digital content market is now seriously over-crowded with players like Amazon, Disney, Google (YouTube et al) and the latter appear to be reining back on infrastructure investment, other than to support their cloud infrastructures. The issue is to act rapidly and robustly against predatory cross-subsidy.
At another they are becoming harder.
We have many more (and better paid) lobbyists and regulators arguing (particularly in London, Brussels and Washington) how many digital angels there are on the head of a pin.
More-over the future is now being built in the Southern Hemisphere, under the aegis of the ITU, away from the attentions of US IPR and Telecoms lawyers.
President Trump’s trade war with China has come too late to prevent them from providing cost effective, holistic infrastructure solutions for most of the world, even if they are cut off from North American markets.
How will the EU respond – almost certainly with protectionist initiatives which claim to be forward thinking?
How will the UK respond, caught between the USA, China and the EU?
Will we revert to our internationalist roots, exploiting Brexit to the full?
Remember the comment by De Gaulle’s minister of culture, Andre Malraux on why the sun never set on the British Empire. “Even God does not trust the English in the dark.”
This is a time for imaginative policy. Of course we play by the “rules” … but as interpreted in our courts … by our judges. It is their international reputation that is our “secret weapon”. It underpins the position of London as a global trading centre. Reclaiming that “weapon” is arguably the greatest Brexit dividend.
It is also a time for a cool look at how the digital world is evolving and our place within it.
The BT share price reached nearly £5 in late 2015 after the Digital Communications Infrastructure Strategy was announced and BT received clearance to buy EE. About then Patterson attacked Ofcom for suggesting that Openreach be split off and I described how DTI and Ofcom had destroyed BT’s previous investment strategy. They had brought about the collapse of its share price from £15 (2000) to under £2 (2002 – 2012). In March 2016 I suggested the fear of being broken up by Ofcom would cause BT to give better service. But then the share price had begun to slide. The rights issue planned at the time of the acquisition of EE was abandoned. The slide continued. The share price is once more under £2. This severely limits BT’s borrowing capacity and ability to invest. Its cash flows are committed to addressing a massive backlog in preventive maintenance to make its ducts and poles fit for PIA. Hence also the need to rebuild its in-house training capacity because the necessary legacy skills are no longer available elsewhere. Others are far more concerned with the skills to build full fibre and mixed fibre/wireless networks.
Man from Whitehall he speak with forked tongue
For all the talk of level playing fields for investors, the Treasury, which underwrites the BT pension fund, is under pressure to preserve BT’s legacy revenues until such time as it comes up with a strategy that will convince future investors that it is a going concern, not a basket case. An example is the award of the Universal Service monopoly. As a result of its recent crowd funded community bond B4RN could offer full fibre to 5% of those who BT will be subsidised to provide with up to 10 mbs. EIS status has been refused because Inland Revenue says the B4RN business model poses no risk of loss of capital to investors. So why does BT need a subsidy?
USO or UFO?
The B4RN model may not be scalable. Community enterprises do not function well above a given size. It is, however, capable of being replicated, with many local variations, to serve those for whom the USO is intended. Indeed there are many successful variations around the world. But for the Ofcom focus on nominal rather than real competition, BT would be incentivised to use B4RN as a USO subcontractor and encourage another 19 clones to deliver a USO that is out of this world. There is a great set of UFOs, universal fibre opportunities, for which BT could provide the backhaul and global connectivity. The way Telia works with the various community and municipal networks across Sweden and other parts of Scandinavia provides one model. The way Verizon and AT&T do similarly across the USA, including with the utility networks, provides another.
The sum of the BT black hole is less than the sum of the parts
Openreach is an infrastructure management and service company which owns nothing, not even its training centres. It is relatively easy for it to be spun out. But that would not lead to added investment. It would also require Treasury support for the pensions of those transferred from BT. Meanwhile the BT-owned infrastructure needs massive investment to turn it into an integrated all IP network capable of supporting EE as a ubiquitous 4/5G provider. Then there are the needs of UK business and of Smart Communities (Cities, Countryside, Energy, Transport, Utilities etc.) for resilient, reliable backhaul. Closing down BT’s surplus exchanges will enable cost savings but will not raise funds; they were sold back in 2002. It is unclear how much could be raised by selling off the high risk content and systems operations. This would, however, leave a communications utility that, but for regulatory uncertainty, is rather more attractive to global fund managers and institutional investors.
Until then, the BT share price looks set to drift down to a pound or less. That leaves it unable to invest other than from cash flows and Government subsidies. It is also unsaleable because of the pensions time bomb and the dead hand of Ofcom.
The way forward is co-opetition
BT is seen by most others in the telecoms industry as a Machiavellian bogeyman. That reputation was well earned by the tactics used to stop others obtaining BDUK funds or pillaging BT’s leased line markets. Even today BT is playing its cards close to its chest. It seeks to hold on to past business, quietly transferring customers to newer, more reliable technologies only when they are close to defecting to other suppliers.
The alternative strategy is for BT to look at the investment models of its peers around the world. Most of these are based on co-opetition – with players subcontracting to each other to share cost and/or improve resilience at the same time as competing to be lead supplier in multi-source contracts. Unfortunately where BT has set about exploring similar arrangements in the UK it has been threatened by Ofcom with action under its competition powers.
There is precedent. BT has subcontracted to those running wireless networks in parts of Cornwall where there would otherwise be no service. We need to see many more such deals. In a world where multiple routings are essential for resilience we need, for example, to see BT routinely contracting to use City Fibre backhaul for hot standby and vice versa.
We need to see all business parks served by at least three local operators with similar hot standby contracted between them – akin to the way the University science parks connected via Janet/JISC have multiple routings. It is worth noting that the Janet/JISC network uses infrastructures owned by a wide variety of players, including BT, the Electricity Utilities, Universities, Local Authorities, Defence Research Establishments and others to provide the UK’s fastest, most powerful, flexible and future proof network. Like LINX, the heart of the UK’s Internet world, it is a mutual.
Question: What is the difference between a Cartel and a Mutual?
Answer: The number of participants
It would be unrealistic to see the infrastructure heart of BT spun off as a mutual. But we should look at the way its peers in other parts of the world work with each other and with a variety of infrastructure partners. This may well be the best way of pulling through investment on the scale needed. We need business and property users and owners working with local authorities to fund and expedite network construction, to international standards (including for inter-operability), using whatever business model fits the community to be served. Those meeting their needs (City Fibre, Gigaclear, Hyperoptic, Wireless Internet Group et al) are very attractive to the City as soon as they have acquired a track record of delivery. The “real” competition is akin to that in the 19th Century when Manchester competed and/or co-operated with Liverpool and Leeds with Bradford, while Birmingham co-operated with everyone, to pull through the construction of canals and railways. It did not matter if the company went broke, provided the line was built to common standards so that someone else could take over the operation. Over time the railways coalesced into regional and national operating networks, even before nationalisation.
The Problem is Ofcom – or rather its terms of reference
Twenty years ago I was part of the team that organised the pre-legislative scrutiny for the Office of Communications Act 2002. The world has moved on. Meanwhile Ofcom has succumbed, as feared, to many of the temptations that face regulators in times of change. The first is that of trying to predict the future in order to better regulate it. It should, instead, be focussed on acting more rapidly to uncover and address abuses of market power as they emerge.
Ofcom is also too focussed on nominal competition, as with the candy floss competition of local loop unbundling. It is blocking the voluntary co-operation that is essential for critical infrastructure utility networks to provide hot standby. It should be helping to set and enforce standards for infrastructure and network inter-operability and quality of service, in line with those emerging across the world. These might look anti-competitive but are essential to making it easier for new entrants to attract investment, become established, reach critical mass and provide genuine competition.
Only when such matters are addressed is the UK as a whole likely to benefit when the shareholders break up BT and investors from around the world put in the funds to help turn round its struggling parts.
PS 22nd July – BT has begun its own sell offs
On the afternoon of 17th July Lord Lucas will chair a round table to launch a national debate on Digital Skills. Confirmed opening speakers include
- Ben Mason from Global Bridge (opening up new pathways between employers and recruits in the North East),
- David Willett, Corporate Director of the Open University (the UK’s largest degree level apprenticeship provider as well as the largest University),
- Chris Murphy of the Highways Electrical Association (whose members are already building the 5G-ready digital infrastructures of our embryonic smart cities).
Please e-mail the Digital Policy Alliance ( firstname.lastname@example.org ) for a guest place if you are serious about helping set the political agenda for a Britain that develops its own talent instead of importing from overseas. There will be no public report. The meeting is being held under the Chatham House rule and will be used to identify topics for the 21st Century Skills working group to address over the year ahead. The group also looks after the project portfolio which I handed over just after Easter.
The objectives include
- stimulating discussion on meeting the demand for basic digital abilities;
- the cross sector, professional and academic evolution of skills demand;
- responding to the accelerating rates of change in the technologies available for identifying, delivering and assessing talent and
- reviewing legislative and regulatory frameworks to maximise potential in creating and implementing UK/EU education and training policies.
I blogged my own views back in February. The analysis in the discussion paper may still hold good but the pressures for change have increased since. The Augar report has pointed out the immorality (as well as inefficiency) of focussing attention on only half the population. The changes to the teachers’ pension scheme will more than wipe out the extra funding for schools and colleges promised this year and next.
Expediting the roll out of reliable full-fibre broadband will enable cloud-based education-as-service to make teachers workload but will not bridge the funding gap. There are many ways forward. I like the concept of the “community college”: doubling or trebling the school income by also providing a round-the-clock life-long learning and training hub and sports/games/leisure facility. But that is by no means the only way forward. The only certainty is that the pace of change, in educational techniques and technology as well as in the skills and knowledge in demand, has far outstripped the ability of centralised planning to cope.
Hence the need for a new debate.
Remember the St Trinian’s motto – “get your blow in first”
I do not know how many places are left on Wednesday and I know that the DPA team will be busy with their AGM this afternoon (Monday).
You should still e-mail email@example.com and ask for an invitation to the round table and, better still, to take part in the follow up.
If you cannot attend, ask for an invitation to take part in the follow up anyway.
Three years ago I blogged on why I made the mistake of voting Remain. I would still prefer the UK to be a member of a reformed, multi-track, democratically accountable European Union. But that is not on offer. Ursula von der Leyen may be a surprise choice to replace Juncker but she is keeping Timmermans as her deputy and is a strong believer in building towards a United States of Europe.
I will be delighted if she does indeed turn out to be a reformer but until that happens I remain a reluctant believer that Brexit is the only way of bringing about the reforms to the EU that will make it worth being a member. And if that sounds “Irish” … it is. At the time of the referendum an Ulsterman who had worked as long and hard as I had on trying to make a reality of the Digital Single Market explained why he had done the same analysis as I had … and decided to vote Brexit.
I have since come to realise that he was indeed right. Knowing what I know now, I would have voted leave.
I also understand much better why the different parts of the UK voted as they did.
The task ahead is not just Brexit
The new Conservative leader faces a massive task in re-building the Party round a shared set of values and visions for the future. Then comes the task of rebuilding trust in politicians, parliament, the civil service and the electoral system. No wonder the Conservative Party faithful want more hustings so that they can look the candidates in the eye and form their own judgements. And all that is before we start discussing the policies that we may, or may not, trust them to deliver.
My reasons for voting for Jeremy Hunt are based largely on his track record. I am less impressed by his claim to be one of the few entrepreneurs in politics than by the nature of the business he created: Hotcourses. It is the world’s largest guide for would-be students and parents deciding where to invest their time, money and hopes when the pace of change is accelerating.
Those supporting Boris Johnson think he will be able to chair a cabinet in which responsibility is delegated to them. I fear that the Civil Service, facing the post-Brexit existential threats of Devolution and Deregulation to their Whitehall Empires, will come together and run rings round them all.
After surviving his early baptism of fire at NHS, defending a badly botched junior doctor’s contract, Jeremy Hunt set about unravelling the culture of secrecy (including gagging clauses and the persecution of whistle-blowers) that had enabled those frightened of clinical responsibility to create some of the most inhumane (to both staff and patients) and inefficient working conditions in the modern world. The drop-out rate among student nurses is more than double that for students as a whole. Those doing nursing apprenticeships spend more than four times as much off-the-job because of the failure to use modern learning methodologies. I am married into a medical clan and have learned to keep quiet when the iniquities of the Royal Colleges are discussed.
My hope is that Jeremy Hunt will be able to lead a similar unravelling across the whole of central government, making it impossible for the “Empire” to strike back. The cult of “commercial confidentiality” with regard to the spending of public money, whether on in-house or outsourced services, needs to end.
My fear is that, by contrast, Boris will go for gesture politics, as at the GLA, and will no more be able to begin the overdue reform of central Government than he could that of Transport for London or the Metropolitan Police. Both now in the hands of Sadiq Khan’t with everything blamed on “austerity”.
But it begins with delivering a constructive Brexit
I liked Hunt’s presentation at the recent Conservative Progress Conference – with rapid legislation on what has already been agreed so that it can be “banked” and the areas of uncertainty and fears of potential retaliation greatly reduced. This is the opposite to the more common approach of “nothing is agreed until everything is agreed”. It is, however, the approach adopted by some of the most successful negotiators – if one counts “success” as delivering win-win deals that build for the future. They isolate the areas of disagreement and weaken the positions of those holding out against compromise. They then praise everyone in sight as they start lining up their allies for the next deal but one. They are great fun to watch, especially because they are so under-estimated by more aggressive negotiators who make great play out of winning unnecessary battles.
And, as I said in my blog on the Golden Rules and Taboo Questions – the Irish Backstop is a McGuffin. It is there to prevent discussion on topics such as cutting our Corporation Tax rates so that Global High Tech Companies pay tax in London rather than Dublin on their UK earnings. Thus enabling tax cuts to yield higher tax takes.
I also like the clarity of Jeremy Hunt’s ten point plan
That brings me back to my due diligence.
Hunt made his money from providing usable guidance for students and parents around the world on where to invest their time and money in doing courses that would help them meet their objectives. Politely unravelling nonsense is what he is good at. And it is a very powerful negotiating tool.
1) DCMS kicks the can down the road – again
The deadline for submissions to the DCMS consultation on On Line Harms is July 1st. The NAO report politely savaging the UK failure to join up its approaches to tackling organised crime was released today. Organised crime derives much of its revenue from the On-line harms listed in the DCMS white paper. This is co-signed by the Home Secretary. Nowhere is there any indication in the white paper of the need to join up policy and policing. It is as though the departments still live in parallel Universes.
Meanwhile the timescale for implementing the Age Verification has been delayed again. It is well worth reading the reactions of the House of Lords to the statement. They did not believe the reasons given any more than did the technical press. When DCMS last kicked this particular can down the road they denied it would be further delayed. Pink News then interpreted “three months” in Whitehall speak as the end of the year. Techspot has more recently interpreted six months as manana. This is not a victory for “freedom of expression”. It is another own goal in the fight against organised crime and abuse. The extra time should be used to see whether a simpler solution, e.g. audits against processes which meet the BSI’s PAS 1296, would better protect the privacy of both adults and children.
2) And can expect to pay a price
The excuse given by DCMS is probably open to legal challenge from as many directions as its approach to implementing the Age Verification legislation. Those who believed the original timetable spent £millions developing the necessary “age gates” and gearing up to handle the expected volumes of traffic from July onwards. That work has now been halted amid growing scepticism that the law will ever come into force, let alone be properly regulated and/or enforced. Layoffs and cutbacks are now certain. The DCMS credibility gap (which dates back to when it “leaked” the e-mail addresses of over 200 technical journalists at the original launch of the scheme) has widened. We can expect those affected to seek assistance in rectifying the damage.
3) Meanwhile British Industry has produced a global solution
More significant, but unpublicised, is that British service providers have delivered on the promises made when David Cameron was persuaded to announce the original plans for legislation.
The day after Jeremy Wright announced the delay in implementation, Telemedia carried the news that the UK’s first supplier had been audited against the extension of the existing Age Check Certification Scheme to cover on-line checking using PAS 1296. The PAS is now probably on its way to becoming a global standard. The service is fully operational and was used for the Web Portal for the Channel 4 Documentary “Mums Make Porn”.
Age Checking is not, of course, just about protecting children from accidentally accessing porn, or from having their age-controlled social networks penetrated by adult predators. The members of the embryonic Age Verification Providers Association do most of their business with the suppliers of other controlled products and services, such as alcohol, gaming or tobacco. Moreover this is a global business. UK-headquartered players like Experian and Lexis Nexis compete with those, like Facebook and Google, who seek to use their domination of Internet Access and Social media to invade the trusted identity market and link it to their big data business models.
4) Who is trusted by Who?
At this point it is worth looking at the annual Edelman Global Trust Barometer to add context. Last year saw a collapse in UK confidence in Government. It has not recovered. This year saw a similar collapse in trust in social media, particularly across Europe and North America. “On-line only” media are now significantly less trusted than “traditional” media. Meanwhile brands headquartered in the UK are more trusted than those headquartered in the US, but not as trusted as those with HQs in Germany, Japan or Switzerland. The global brands, on whose advertising spend the business models of Facebook and Google rely, are looking to halt “contamination” by association with the “on-line harms” listed in the White Paper. They plan to do so by taking back control of programmatic advertising.
5) Facebook and Google have no choice but to respond
There is a simple explanation for Nick Clegg’s welcome, on behalf of Facebook, for Government Regulation. Facebook has less to fear from governments than from a revolt by global advertisers. The track record of regulation in this space is deeply unimpressive. By contrast they face an existential threat if they cannot provide a credible response to the pressures from global advertisers. The latter have been so badly burned by click-bait fraud, linked to free porn at least as often as to fake news, that they will not be content with ticking a few regulatory boxes. They will demand audit that is at least equivalent to the processes of the controlled circulation media. This is likely to include using third party Age Checking, just as the main security consultancies (including the big four accountancies) have had to use third party penetration testing operations. No one trusts big players to mark their own homework.
6) So Age Verification moves centre stage globally
At this point the work of UK Age Verification providers in producing robust processes for anonymising the use of secure and authoritative third-party identity databases (from the credit, education, financial services and health industries, as well as government) comes into its own. They should not be viewed as a threat to either the big data business models or the privacy paranoia industry. They complement both.
But where does that leave Government and DCMS?
They appear to have painted themselves into an embarrassing corner – seeking to sustain an idiosyncratic approach to age-checking which fits neither the relevant UK legislation nor that of the EU.
Can they use the six months’ delay to produce a simpler, cheaper way forward, perhaps based on using audit against PAS 1296 in the context of EU data protection requirements?
Or will they be stuck, defending the indefensible, against all comers – from the Child Protection charities to the Open Rights Group?
Positioning the UK as a globally trusted on-line hub for inter-operable authentication, authorisation, audit and quality control goes hand-in-hand with retaining our position as a world class financial services hub. It also needs privacy processes that are sufficiently robust to protect the finances of the ruling elites of the world from their security services (as successive US Presidents failed to protect themselves from J Edgar Hoover) and their children from abuses.
I would also like to see effective protection for the rest of us – now that the Internet is used by over half the children in the world.
My new role with the local Safer Neighbourhood Board has led me to discover just how little the “other half” of society trusts either Government or Global Big Tech. The Edelman analyses also reflect the views of the inner city youth and faith groups to which I have been listening. The consequences for the advertising funded Internet are profound. I am therefore prepared to bet a pound to a penny that Facebook and Google will embrace third party audit, including for their age checking process, before Government implements effective regulation.
I would of course be delighted to be proved wrong. But money talks rather more coherently than Government.
There is an irony in the appointment by the House of Lords of a committee to explore the impact of digital technologies on democracy. The Internet is now, however, global. The majority of users live in parts of the world which had city states and empires while our ancestors were still wearing woad. They tend not to equate “democracy” with “listening to the empty vessels who make the most noise”. They believe that social cohesion is better served by a more “mature” process in which elder statesmen decide after listening to the views of all parts of society.
The formation of the Global Alliance for Responsible Media is likely to have far more impact on the way the Internet functions than the actions of politicians and regulators. The latter are in thrall to those with the biggest budgets for lobbyists and lawyers. No-one today has lobbying and legal teams bigger than the US West Coast Internet giants. Players like Facebook and Google have, however, seen the need to take action to preserve their advertising revenues from spending strikes by global brand-owners, like Diageo and Procter and Gamble. The advertisers are also looking to take back control from the intermediaries who put their brands at risk, placing them alongside content from terrorists, abusers and peddlers of click bait.
The moves to deny a voice to those who have been driving “moderates” off-line raise questions as to who should exercise editorial control over content. If the dominant players exercise their ability to block/remove content which damages the brands whose adverts they appear alongside, can they sustain the argument that they are not publishers – with the responsibilities of the latter for the content of “letters to the editor” and “classified adverts”?
1) From open debate to self-reinforcing cyberghettos
Early enthusiasm about global dialogue and “on-line town halls” morphed into disappointment that most on-line forums served to polarise opinion into self-reinforcing groups. In parallel we saw the rise of mass-market social media and advertising/trading platforms dominated by a handful of US players. That led to the collapse of the traditional channels of communication between politicians and people. National and local press and broadcast services and labour-intensive write-in and phone-in campaigns have been replaced by botnet-driven spam and Twitter storms organised by whoever has the budget and expertise.
The primitive “dictatorship of the sysadmins” (mediating on-line voting systems) has given way to the automated “dictatorship of the algorithms” with precedence to those views/stories which generate the most clicks, regardless of whether these are from humans or botnets. Now, after protests from around the world and pressure from large advertisers, players like Facebook are bringing back banks of humans to remove material which damages the image of brands alongside which it appears.
2) Mediated by the most powerful cartel the world has ever known.
The rise of on-line bring and buy services and the pay-per-click programmatic advertising model has made it uneconomic for newspapers and broadcasters to employ journalists to do much more than regurgitate press releases. The cartel has thus come to dominate communications between current and would-be political leaders and their current or potential followers via advertising funded social media. It appears impossible for that dominance to be challenged by those who recognise US copyright and patent law.
It may be intellectually satisfying to discuss how this situation came about. The bigger question is what should be done to restore democracy. But that masks the question of what we mean by “democracy”.
3) What is democracy?
For over a century we equated “democracy” with universal adult suffrage based on a published electoral register and a secret physical ballot. Then with the rise of postal voting our electoral system rapidly degenerated into one that would disgrace a banana republic. Add on-line registration, the failure to prosecute election fraud and an allegedly “stolen” by-election in Peterborough and we have growing scepticism that UK election results reflect “the will of the people”.
Meanwhile we have a steady flow of comment from the intellectual and business elite of the Country, as represented by the BBC, Guardian, Institute of Directors and CBI, that the people were misled and lied to when they had the temerity to vote to leave the EU. They feel we should therefore re-run the referendum because the plebs had the temerity to disagree with the consensus of the graduate, metropolitan intelligentsia over the nature of Britain’s relationship with the European Union.
4) How did the ruling establishment of Westminster, Whitehall and Media City become so out of touch with over half the electorate?
That split between the plebs and the intelligentsia is not confined to the UK. It is reflected in debate on the supposed need to address the “democratic deficit” of the European Union as a whole. The Union uses hierarchies of consensus creating bodies to produce policies, directives and regulations for Parliamentarians elected by proportional representation to agree. Is that not a triumph of mature democratic process over the shallow populism of Farage, Le Pen and Trump?
London and Brussels have produced consultation processes which engage and satisfy those sufficiently well organised to employ professional lobbyists. These grind on until any dissidents have lost the will to live. We have similar situations in local government. E-mails to councillors protesting against decisions are blocked as spam. On-line objections to planning applications are acknowledged but not registered. But there are no longer any trainee investigative journalists on the local paper seeking to make their reputations by investigating why, how and what is accidental, careless or deliberate.
In consequence dissent can gain traction and grow to critical mass using communications channels that politicians and pundits fail to monitor.
5) Leading to Government by Protest
The UK has a long and proud tradition of peaceful protest. This erodes when the gulf between the political establishment and the people becomes too wide. Perhaps the most spectacular example was the UK fuel protests in September 2000. These appeared to come out of nowhere and were supposedly resolved by firm Government action, alias capitulation followed by revenge (as with the Peasants’ Revolt). A better way of looking at what happened is to see it as the first and last spontaneous mass protest to be organised over CB radio.
40 years ago CB radio spread from truck and taxi drivers to farmers and teenagers, with illegal burner/relay stations on urban tower blocks and rural hill tops. National “cover” was probably as ubiquitous as wifi today. Faced by crippling fuel price rises, groups of farmers and lorry drivers discussed mounting a French-style protest. Support for the idea spread nationally within a couple of days. The consequences are history. Appalled by what they had achieved and with no plan to handle the consequences, the nominal leaders called for the protests to end as soon as the Government, faced with no credible alternative, publicly gave in.
Unfortunately the lesson the Government learned was that independent lorry and taxi drivers and farmers were outside Trades Union control and had to be brought to heel, including surveillance by the security services. The Radio Communication Agency set about monitoring CB radio and shutting down relay/burner stations. No-one concluded that Government needed more sensitive consultation and communication processes in order to avoid provoking such anger.
6) Using the Social Media of the day
Over the next few years mobile phones replaced CB radio over most of the UK. The 2011 riots were “organised” via SMS, Twitter and Blackberry Messenger. Subsequently more of the rioters were caught from social media footage than from CCTV or material collected using powers under RIPA.
The effect of social media campaigns and fake news on the 2016 referendum campaign is a matter of disagreement. Government, the EU and those campaigning for Remain spent many times more than those campaigning for Leave. Cambridge Analytica had little if any influence on the results and techniques it tried to sell to the Leave campaign were used extensively by the Remain campaign – but to little effect. Those using them appear to have miscalculated either the audiences (plural) or the messages (plural).
Then came the 2017 elections which caught no-one, except Conservative Central office, by surprise. The shock result resulted largely from a short order social media campaign to encourage students to register at both home and University and vote and get their parents to vote.
More recently we have the rise of the Brexit party, based on the use of social media to communicate simple messages to the audience that came together for the referendum campaign and were increasingly tired of being patronised and told they did not understand.
Almost exactly two years ago I took part in an event organised by ISOC UK on the theme “Fake news: annoying symptom or life threatening disease”. I recommend listening carefully to the comments of the Facebook speaker. What do we really want from them and their peers with regard to editing news, views and comment? I blogged my views on the question “Is fake news destroying democracy?” in advance of the meeting. I quoted Tom Standage’s excellent book “The writing on the wall”. It traces the evolution of social media from the first stirrings of literacy through the ages. The first election campaigns to be successfully distorted by fake news were those of Julius Caesar. His letters described the genocide of the Gauls (we now have archeological evidence) to steal their gold as a series of heroic fights against vast odds. I also used the opportunity to blog my paper for the 50th Anniversary of LEO under the title “Everything on-line is potentially fake and we cannot tell the difference”.
My conclusion was a question: “Can you check the sources, or are you left deciding which editor (Google, The Guardian or the Goebbels of the day) you choose to believe?”
7) The propaganda to influence “democratic decisions” is only part of the problem.
The honesty, integrity and auditability of consultation processes and voting systems are critical. The public have to feel confident that results said to represent their views/wishes do indeed do so. That is being lost in the UK.
Key questions for the House of Lords enquiry include how we could/should use technology to help restore confidence that our representatives are honestly elected, our “democratically accountable” institutions really are, and that their decisions are not so far out of line with the consensus of public opinion as to risk serious civil disobedience.
If we do not find and implement answers quickly, the next General Election could be the most fractious, vicious and violent since the 19th century, when the processes for a secret ballot based on a published register of voters were developed. The candidates in the Conservative leadership debate organised by the BBC after the second leadership ballot all wanted a General Election postponed until after trust in Parliament had been restored. Others might say that a General Election is needed to help restore trust. But in the current mood would the losers have any more faith in the result than in that of the Peterborough By Election?
The report of the Independent Panel to the Review into the funding of Further and Higher Education was not just about Student loans and University Funding. But most of the 370 submissions came from Universities and their acolytes. There were only 9 from Further Education providers. “Businesses” and “Employer bodies” were a subset of “Others” alongside academic experts, institutes and organisations representing the arts and science. See Page 14 of the Annex on the Call For Evidence for details.
Those who complain that, like the recent review of Apprenticeship Standards, the report only addresses part of the problem have themselves to blame. Most employer organisations were (and still are) more concerned to be able to import talent than to help grow our own. Hence one of the reasons for the Brexit revolt of the have-nots against the Establishment.
Despite that constraint it is a thoughtful report. It makes serious and detailed proposals to reform the current system. Read carefully. But also think about the political and economic context as you do. Philip Augar is a former equities broker. He was a non-executive board member at the Department for Education while he was writing (he had a History PhD) about the cultural changes that led to the 2008 banking crisis. Now think about the current challenges to the way the century old UK FE/HE funding regime has been evolving over recent decades. Perhaps the best that can be done really is to buy time for constructive evolution as opposed to destructive change akin to the banking crisis and that which followed.
The Tectonic Plates are shifting – the 1917 Consensus is under threat
The authors of the report have done a good job in drily assessing the signs of movement in the tectonic plates that underlie the UK education system and its values. The Haldane Principle has been the basis of Government funding for HE (with FE as an increasingly poor relation) since 1917. It is now under serious threat. Even were the sixty or so recommendations in the report to be implemented in full they would probably not preserve the current system against change. They might, however, reduce the threat that the baby will be thrown out with the bathwater.
The idea that HE/FE funding and policy should be determined by councils of experts with a vested interest in the outcomes, trumping the views of employers, students or the public, will not survive exposure to the scrutiny of the Internet Age. But reaching consensus on a new and more balanced and sustainable approach will not be easy. Nor will transitioning from the present set of hierarchical processes.
That is why it is so important to read the report and the analyses on which it is built. The submissions to the review omit the views of employers or the public. Those who submitted may not recognise the way the global English language education and training content and qualification industries now dwarf the UK academic world. They may be ignorant of the way commercial and/or international providers are eating the lunch of those who have not already partnered with them. But the submissions do represent the thoughts of those who dominate our current policy and funding frameworks on how best to respond to the challenges that they see. You ignore them at your peril.
The current structures cannot handle the accelerating pace of change
The evidence submitted pays little or no attention to the way libraries of on-line materials transform the dynamics and economics of global education and training markets. These enable the assembly of customised, modular, blended learning programmes which cut the time to master content or acquire new skills from years to months, months to weeks and weeks to days or even hours.
Those used to a four to five year cycle to approve a new course cannot compete.
The processes the report is attempting to reform will never be capable of handling the pace of change necessary to do more than educate students in the basic disciplines they need for their first career. But a world of accelerating career change and life-long learning will still need academic cadres trained in those disciplines and research methodologies. The issue is to reach a new consensus on the balance of priorities when it comes to using public funds.
How should the recommendations be judged?
The report begins with eight principles:
1. Post-18 education benefits society, the economy, and individuals.
2. Everyone should have the opportunity to be educated after the age of 18.
3. The decline in numbers of those getting post-18 education needs to be reversed.
4. The cost of post-18 education should be shared between taxpayers, employers and learners.
5. Organisations providing education and training must be accountable for the public subsidy they receive.
6. Government has a responsibility to ensure that its investment in tertiary education is appropriately spent and directed.
7. Post-18 education cannot be left entirely to market forces.
8. Post-18 education needs to be forward looking.
There are then nine headline proposals to address the “core problem” of the unfair and wasteful split between the 50% who supposedly benefit from HE/FE and the 50% who do not.
1. Strengthening technical education
2. Increasing opportunities for everyone
3. Reforming and refunding the FE college network
4. Bearing down on low value HE
5. Addressing higher education funding
6. Increasing flexibility and lifetime learning
7. Supporting disadvantaged students
8. Ensuring those who benefit from higher education contribute fairly
9. Improving the apprenticeship offer
We should judge the detailed recommendations against the principles and the headline recommendations.
They are not prioritised. Most of the publicity to date is for proposals 5 and 8, addressing principle 4. That is because most of the submissions were from those seeking to preserve the current funding regime, with modifications in their favour.
To quote the Annex on the call for evidence:
“Across all groups, responses focused overwhelmingly on university education, with fewer responses on the other aspects of post-18 education, including technical education or apprenticeships.
• Further Education (FE) providers considered that higher education works best for well-qualified 18- to 30-year olds and that FE needs further investment in technical education facilities.
• Higher Education (HE) providers emphasised their view that HE is not a business but provides a society-wide benefit. On funding they felt that the review should not just consider fees in isolation.
• Students, graduates and the public were mainly concerned with financial issues, with costs of HE being too high and flexibility of provision limited.
• Employees working at educational organisations particularly noted a decline in part-time, mature students and Level 4/5 course take-up, and commented that the fragmentation of post-18 policy and funding across HE, FE and apprenticeships is restrictive and prevents a joined-up approach.
• Public bodies and others emphasised value for money, choices to meet skill needs of the UK, wider participation in Level 4/5 qualifications and generally better communication with learners.”
The Augar recommendations help open the way to a new consensus.
The changes proposed are unlikely to change the erosion of public belief in the value of incurring debts that will never be repaid in order to spend three years away from home acquiring a qualification that employers do not value. There is no mention of the most serious barriers to widening access for the most disadvantaged: e.g. the way DWP processes penalise a family on benefits when one of its members accepts a place on an apprenticeship programme.
If the core objectives are “fairness” and economic value then the first recommendation in the Augar report is the most profound in its potential impact:
• The government should introduce a single lifelong learning loan allowance for tuition loans at Levels 4, 5 and 6, available for adults aged 18 or over, without a publicly funded degree. This should be set, as it is now, as a financial amount equivalent to four years’ full-time undergraduate degree funding.
Combine this with the 11th,
• The careers strategy should be rolled out nationally so that every secondary school is able to be part of a careers hub, that training is available to all careers leaders and that more young people have access to meaningful careers,
and the effect could be dramatic. But only if the careers advice is neutral. It must not be skewed by the way schools are penalised if they allow their brightest and best to be tempted by apprenticeships – even those which are degree-linked and offer privileged entry into world-class careers. That neutrality will only be achieved if schools earn as much from supporting apprenticeships (e.g. in parallel with T levels) as they do from keeping hold of their academically competent pupils to do A levels – whether or not the latter improve their lifestyle choices or employability.
Given such neutrality we can expect the implosion of those FE/HE courses which do not give economic value. This is likely to be the most effective way of addressing recommendation 4.
Handing over the baton of bringing education and training policy into the Internet Age
In May 1968 I accepted a job offer from STC Microwave and Line as a graduate Engineer 1st Class, alias apprentice computer programmer. I then graduated with a degree in History and within two years was a guest lecturer on one of the first Computer Science courses. I have since watched half a century of attempts to define the content of courses and qualifications intended to help students acquire the intellectual disciplines and applications skills to research and exploit digital technologies before they change.
My career, let alone thoughts on how to handle digital skills, on which I have blogged for more than a decade, would have been very different without the habits of mind that I acquired at the Devils Flamethrower. The THES article with that title is now behind a pay wall. Ross Anderson’s “Alternative History of Cambridge” and my review are not. In 1971 my reward for a successful decimalisation was two years at London Business School. My education on “manpower planning” began with listening to Denis Pym and Charles Handy. The class included Peter Lampl (Sutton Trust) and David Davis MP (who has also written a review of the Augar Report). One of my MSc projects was on the economics of the commercial training market. The aim was to help ICL decide on the future of a course on business for IT professionals which was not selling. I analysed the database of UK management courses then maintained by the British Institute of Management to find out which courses were regularly repeated, over weeks, months or years. And what was different about them. In the 1980s, after the publication of Learning for Change (see here for original text) I had responsibility for the NCC Microsystems Centre. My staff maintained similar files. I advised the High Tech Unit of Barclays Bank on requests for finance from several commercial training operations. I also had responsibility for turning round that which I inherited at the NCC as well as advising a succession of ministers – although the minds of most of their officials were firmly closed to evidence that did not fit departmental policy.
Earlier this year I pulled together my most recent material in a discussion paper to help set the scene for wider discussion after the Augar review was expected to report. That time is now.
On May 8th a very impressive team at the Open University took over support for the Digital Policy Alliance Skills Group. Much of the discussion was about how to extend the OU tradition of open access to academic excellence to lifelong learning as a whole, keeping pace with the evolution of digital disciplines and the accelerating pace of change in cross-boundary research and applications skills. In other words how to deliver the wider Augar principles and headline recommendations. I was also very happy with the quality of thinking among those who would be taking over where I left off. I am confident they will do a much better job of bringing the relevant players together across all boundaries – not just intra-UK.
The Augar report is the start of a debate.
At best the recommendations on Student Loans may buy time for sufficient students to vote with their feet to enable a more politically acceptable solution to become affordable.
You should read the analysis and the other recommendations – bearing in mind that this is the “insider” view. Then e-mail firstname.lastname@example.org or DPA-Open-University@open.ac.uk to be kept in touch with (or better still join and help) the plans of those taking over from me to widen the debate and home in on the actions needed to deliver constructive change.
This year will be the first time I visit Infosec with no agenda. Or to be more precise I will have a Community Safety rather than a Cybersecurity Skills Agenda. This has caused me to take a cool look at what has happened and what has not over the past decade. It has also caused me to consider what has changed over the past year as the pace of change has accelerated.
What has changed over the past couple of years
The main change has been the rise of the virtual CISO as all but the very largest users outsource their security operations. Unfortunately most of the providers target the 10,000 or so organisations who employ more than 250 staff. The other 1.5 million, who employ between 2 and 250 staff, are commonly left bereft of meaningful support, whether or not they are willing to pay. The Digital Policy Alliance recently held a meeting on the role of Cyber Insurance in setting the standards necessary for a business to be insurable, beginning with an externally assessed version of Cyber Essentials and a support contract. But far too few organisations are addressing this market. And who trains and updates technicians and professionals with the skills necessary? A recent ISSA survey (global but in practice mainly US) identified that training Virtual CISOs and maintaining their skills is a global need. But few employers help maintain the skills of those they have, let alone train new ones.
Who is addressing the skills standards for Virtual CISOs to support large numbers of SMEs, other than CompTIA?
Meanwhile, as the recent Institute for Apprenticeship standards review identified, pen testing is not enough.
But who, other than ISACA, is looking at the skills standards to do holistic audits of security processes, including for applications which use ever more complex and vulnerable networks of IoT devices? We need to cross fertilise the work on intelligent weapons systems and integrated warfare systems with that on, for example, autonomous vehicles and mobile phones. Hence a new dimension on the way that the US – China electronics “arms race” has overtaken global co-operation.
This showed the viability of a local Cybersecurity Skills partnership, using a shared skills incubator to bring together education and training programmes (from schools to post graduate) in providing work experience running a world class security operations centre with globally recognised qualifications as part of the apprenticeship programmes. The centre is coming up for its second anniversary. In February Bluescreen IT received funding from DCMS to package its methodology for harnessing the skills of “over inquisitive” teenagers to enable others to replicate that success. Perhaps more important is that it has demonstrated the viability of an unsubsidised shared skills incubator providing virtual CISO services to the local community at affordable prices. Put this model alongside CompTIA Cyber Ready and the growing market for boot camps and apprenticeships and there is the potential to transform the supply of the skills to secure the 99% of British businesses (employing half the private sector workforce) whose needs are left out of the current mainstream cybersecurity skills strategy. The 99% are not greatly helped by a central government strategy which subordinates their needs to those of GCHQ and MoD for cyberwarriors and of major consultancies to secure those businesses large enough to afford their fees. But we now have a viable alternative way forward.
This therefore seemed to be a good time for me to retire (for the fourth time). On the morning of May 8th I met the team at the Open University who have taken over from me in co-ordinating the work of the Digital Policy Alliance skills group. The group’s portfolio includes the Cybersecurity Skills partnership. I very much hope that one result will be the replication of that approach wherever the Open University has a sufficient footprint. E-mail DPA for details.
My new role brings a new perspective
My new role, as an independent member of the Lambeth Safer Neighbourhood Board, “convening” a pilot Community Safety Partnership, has given me a rather different perspective of the need. The closure of the last bank in West Norwood (population 34,000 and several hundred businesses) has brought home how little the banks, for example, appreciate that as they close branches (rural or urban) they are opening their customers, including small businesses and pensioners (who control half the nation’s disposable wealth) up to on-line fraud [herding the sheep on-line to be fleeced].
The latter need a human, not a help desk, to help them get back on-line. Meanwhile local law enforcement needs a lot more than a couple of skilled investigators per force. Hence the need for many more police forces to exploit the changes made in 2011 to enable security professionals to become police service volunteers, whether warranted as special constables or not.
Meanwhile the failure of major players to act on evidence of criminal abuse using their social media and on-line marketing networks, means that a growing proportion of society (particularly those whose children, elderly relatives or vulnerable neighbours have been victimised) strongly supports holding them to account in ways that may, or may not, be rational – but will certainly destroy shareholder value.
I therefore intend to remain active in campaigning for effective change to meet the needs of users, while leaving those younger than me to do the heavy lifting of making it happen in ways that enable responsible suppliers to develop more sustainable and ethical business models.
Time has, however, run out.
Trust in the cyber security industry has been eroded by the failure to remove decades old vulnerabilities because they are still being used in the three track (AI, Big Data and Cyber) and three way (United States, China and Organised Crime) arms race. There are, of course, other players but the result leaves the rest of us (from children and vulnerable adults through SMEs to big business and the critical national infrastructure) unnecessarily open to on-line abuse, attack, fraud and harm.
The focus on “awareness”, without credible action plans, is increasingly counterproductive.
Back in 2008 I had the task of doing the warm up act for Lord Erroll as opening speaker for an event on the use of encryption to better secure the on-line world. The fashion of the day was for Privacy Enhancing Technologies. I referred to the industry promoting e-immodium (when the need was to identify the causes of data diarrhoea) and PETS (privacy enhancing technologies) when the need was for bloodhounds and wolf packs to hunt down those causing the mayhem.
Having failed to secure action it is time to pass the baton to those who I hope will do rather better.
But the world is changing.
On the afternoon of May 8th I attended the third annual Global Cybersecurity Alliance briefing in the Mansion House. I am a big fan of their approach, using the proceeds of crime to remove common vulnerabilities. We learned, inter alia, of their new small firms tool kit to help the 99% improve their security. We also had a very interesting briefing on how Intel has carried its end-point security offerings to the next level. What a pity our Computer Science and engineering graduates are still not routinely educated to use the hardware security facilities that have been embedded in most common chip sets for over twenty years. One might even call it criminal negligence – akin to the attitudes of those who place adult rights to privacy above children’s rights to be protected and block the use of anonymised age checking.
Afterwards I learned of Cybersmart which automates the process of compliance with Cyber Essentials. On May 9th I sat in on a global webinar with the President of ISSA on their latest survey on cybersecurity skills and careers. One of the key priorities of respondents was the need for access to training to keep up with the tools now available to remove vulnerabilities, automate response and dramatically improve security. This is particularly so since many more businesses, especially in the US, are now protected by a virtual CISO than have one in-house.
Or is it?
That week I read the Europol press cover for the latest success of an NCTFA led international investigation. We had press cover for the discovery of one of the tools used by intelligence agencies (and others) to spy on supposedly secure social media communications. We had a bout of publicity for the vulnerability of the submarine cables that carry the Internet. I first blogged on this in 2008. Readers should, however, be aware that their local internet connection is more vulnerable and that regulatory pressures for duct sharing with BT mean it will remain so.
City centres and business parks need multiple routing to meet critical infrastructure standards. Building these will run into the construction skills shortages that I highlighted at the end of last year. I am pleased to say the DPA sub group created in February to address the problem is now under way, chaired by the CEO of the Highways Electrical Association, and has identified the points of leverage that need to be addressed. I plan to blog separately on this, which is also part of the skills partnerships portfolio for the main DPA Skills Group.
Meanwhile Ofcom is talking about setting up a group to forecast future trends so that it can regulate them. This is the very approach that was rejected when its predecessor, Oftel, was created – because it would constrain the future. Instead Ofcom should be looking at how to handle the long overdue job of regulating telecoms as a critical infrastructure utility – with multiple inter-operable routings and mutual hot standby between competitors, maintained by technicians whose competence is individually accredited.
Time to move on
Anyway time for me to move on and leave it to others to make the on-line world a safer, more secure and resilient place as I spend more time off-line – where life is safer … or is it?
The whole of society increasingly depends on the industry living up to customer expectations, not best efforts and blame avoidance. I therefore have a vested interest in ensuring that the next generation make less of a hash of skills policy than the current one.