When IT Meets Politics

June 20, 2013  12:12 PM

The Entries for my conspiracy theory competition are beginning to come in

Philip Virgo
BDUK, Bilderberg, Birmingham, BT, Data protection, DCMS, Illuminati, outsource, PFI, Prism, Virgin

Yesterday I offered a bottle of Ledaig for the best conspiracy theories related to the mass media cover for PRISM. I have now received three more, but not as postings. Apparently the idea that I might ask “friends” to identify anonymous postings was a serious deterrent.

The first comes from some-one who does not believe in conspiracies, only cock-ups:

“Google has found that being based in Ireland for tax purposes means you also get other aspects of Irish law. Now non-aligned Ireland doesn’t use intercept as evidence, so it’s never in the headlines. But relatively Draconian powers (recalling that Taoiseach is the last remaining title like Il Duce or Führer) also come with the disadvantage of no money for costs for complying, unlike UK&US. That’s not a big deal if you’re just servicing Irish customers, but suddenly really hurts if policing the world.

But O’bama can’t take on the Irish interest, so the game has to be played in the only remaining non-trivial place where the criminals don’t get to see the scope of capability by sitting in court, but which the Chinese have an interest in changing: Hong Kong.”

The second is more convoluted. It relates PRISM to supposed attempts (and not just by their own officials) to deter DCMS Ministers from requesting a Competition Commission enquiry into the pricing of leased lines (both copper and fibre) in Birmingham, including attempts by the two dominant players, working in concert, to block the threat of competition by specious legal action.

The third conspiracy theory may already have been dented by Alistair Graham’s splendid rebuttal this morning of attempts to use Data Protection to prevent regulators and civil servants involved with the Care Quality Commission from being held to account for cock-ups and cover-ups. It was that the objective of the PRISM controversy was to help create an even more convoluted UK/EU data protection regime and thus facilitate the process by which officials routinely move into regulatory positions as part of their retirement package – as an alternative to joining the ranks of those being regulated. Thus CQC was one of the alternatives to joining one of many Outsource/PFI contractors now milking the taxpayer.

Even so, I do like the third theory. It has the Bilderberg and/or Illuminati ring about it, plus a wealth of supporting “evidence”.

June 20, 2013  10:50 AM

A bottle of Ledaig for the best conspiracy theory related to the non-story that is PRISM

Philip Virgo
Apple, Facebook, FBI, FISA, GCHQ, Google, Information security, Microsoft, NSA, Prism, Yahoo

I love a good conspiracy theory. It should have sufficient by way of checkable references to have a veneer of credibility while pandering to the prejudices of the listeners. The more that emerges about “PRISM”, the more it appears to be a non-story. If it is correct that under 100,000 requests a year are received by Apple, Facebook, Google, Microsoft and Yahoo, added together, that “the most common of these relate to fraud, homicides, kidnappings and other criminal investigations”, not to FISA, and that these need to be de-duplicated (e.g. collating requests to several providers covering the on-line activities of the same individual), then the numbers actually under surveillance may be as low as 25,000 in the course of a year. For a nation with over 2 million in jail and 800,000 missing person reports a year this seems remarkably low. I would suspect it is dwarfed by the number of requests from those seeking to hunt down music and video “pirates”.

So why the hysteria? What is the story from which attention is being diverted?

Is it that the majority of Americans and Britons are like the majority of Chinese: they value security above privacy, would like both and do not understand why they have to choose?

Is it the growing pressure to take effective action against the rising tide of computer pornography, violence even more than sex, that is corrupting the young?

Is it the trial of Bradley Manning and the issues it raises with regard to the criminal insecurity of the systems whose contents he passed to Wikileaks?

Is it how major defence and security providers bidding for US and UK cybersecurity spend (including identity assurance) have had their files copied by hackers?

Is it the impossibility of securing big data systems, such as an NHS patient record database to which one in fifty of the population has access?

Or is it related to the budget spats between the NSA and the FBI (and their UK equivalents), with the former relishing publicity that implies they are doing more to help secure the nation against its “enemies” and should not, therefore, have their budgets cut or transferred?

I believe in the value of competitions to help progress debate. Hence my strong personal support for the Cyber Integrity Challenge for ideas that will help rebuild genuine trust in the on-line world. I am delighted that the Rt Hon David Blunkett has agreed to be a patron and that the Earl of Erroll, whose ancestor was bodyguard to Robert the Bruce and who is the only member of either House of Parliament who is an information security professional in his own right, has agreed to chair the judging panel. Lord Erroll will also be leading discussion on how to harvest some of the best ideas via the Digital Policy Alliance and its partners. It is one thing to whinge about what is wrong. It is another to find effective ways of improving reality and ensure that good ideas get traction – whether political or commercial.

In the meantime, I am offering a bottle of Ledaig (the Tobermory Distillery) for the best conspiracy theory as to why there is so much hype for a non-story about the security services doing what we pay them for. I may recently have been very sharp about whether current approaches address the challenges of today as opposed to those of the past, let alone give the best value for the funds available, but some of the current cover is just plain silly.

P.S. Entries should be posted to this blog as comments. I will accept those from pseudonyms which get past the registration routines for posting, but if you do not separately tell me who you are I will give the bottle to who-ever helps me identify the winner, provided they say how long it took and will let me tell you. I will not say who helped or how they did it, but I would also like to use the exercise to test some of what I am being told about the security, or otherwise, of well known pseudonymisation routines – perhaps involving some of the students from the sixteen universities that have already signed up to the Cyber Integrity Challenge. If your organisation is serious about wanting to help rebuild the trust that has been so damaged by the disinformation around this story, then do contact Mal via the e-mail at the foot of the competition cover page or contact any of the participating Universities direct. One by one they are putting up their own web pages. The first was City. I expect those for Cranfield and de Montfort to be the next. Lancaster will be added to the list on the website shortly.

June 17, 2013  5:43 PM

Is the EU Network and Information Security Directive a bigger threat than Al Qaeda?

Philip Virgo
BIS, CERT, Cyber security, EU, Facebook, Google, Information security, NIS, Prism

The objectives of the Network and Information Security Directive are laudable but the approach does not fit with the strategy supposedly behind them. Meanwhile the impact assessment is a collection of motherhood statements, not an assessment of the cost of incident reporting, let alone the legal cost of deciding what “incidents” have to be reported to those who will take no actions other than publicise your vulnerability. You have until Friday 21st June to respond to the BIS consultation. I urge you to do so, even though many of the questions are impossible to answer other than with a guesstimate. I only once managed to persuade a company to do an impact assessment on a new regulatory requirement. I was then told they would never do it again because of the internal firefight that resulted from allowing the Finance Director to see the full costs (as opposed to the usual massaged reports) of operating their new call centres.

The core of the problem is a focus on reporting breaches rather than attacks, whether successful or not. It is as though the sharing of accurate information on the impact of those V1s and V2s which reached London in 1944 and 1945 would be of any value other than to those tuning the target mechanisms. The value (to HMG and to Londoners) was in publicising systemically inaccurate information (right time, wrong location, to imply overshooting) so that the Germans unwittingly changed their aiming point from Buckingham Palace to Dulwich College (largest open space in South London if you include the Park, Woods and all the other sets of playing fields in the area). 

The need is to make it very much easier to report attacks to those who will take action (e.g. the members of proposed CERT networks) and/or collate information as to their sources and nature so that action can be taken to halt them and also to “remove” the weaknesses which facilitated them, even if the perpetrators cannot be located or “deterred” (e.g. because they are state-aided or out of jurisdiction).

Experience from the United States indicates that mandatory reporting is now a significant source of weakness, facilitating further attacks and abuses. Meanwhile the associated legal, regulatory and compliance costs are beginning to dwarf the information security budgets of many of the organisations concerned and get in the way of that action which would be effective. I note that Chris Grayling, Minister of Justice, has estimated the cost of compliance with the various EU Data Protection Directives as £hundreds of millions: yet for most of us our only contact is with incomprehensible waivers or the refusal of service, supposedly because of data protection. Meanwhile most on-line users have now been impersonated over the Internet by those who have got hold of our personal details, often from a public source (like the electoral register, a phone book or, in the case of Directors, Companies House).

Another problem is the extension of the Directive to cover “market operators” well beyond those where system failure might cause loss of life or severe economic disruption. If Facebook went down would productivity go down or up? It is rumoured that last week, after the publicity for PRISM, network traffic across Whitehall dropped sharply. If so, was it because thousands stopped using Facebook, Google and other US based services while at work?

A third is the mandatory sharing across the EU. There is serious controversy within, for example, Bulgaria over how the new head of their security services was appointed. There are enough problems within the UK over sharing between the various introverted rings of trust (which trust their members but not outsiders who may have their own “ring”). Creating mandatory pan-EU sharing may simply compound such problems.

That is enough negativity. Now for the positive side – using the opportunity to call for constructive action. The six point plan that I personally plan to put in the “other comments” section of my own submission to the BIS Consultation is:

1) The Directive should define and cover critical infrastructure (e.g. telecommunications, electricity, gas, water and payment systems). It should exclude social networking, entertainment and other non-critical operations.

2) The opportunity should be used to rationalise reporting systems, including a mandatory requirement on regulators to share and forward (e.g. to other regulators) reports to them rather than require duplication.

3) The mandatory reporting of breaches is counter-productive. It penalises those who have processes in place to detect breaches. It should be replaced by a focus on the reporting of attacks (including the methodologies used), whether or not they are successful.

4) The focus should be on making it much easier to report attacks to those who will take action against predators and those who have aided and abetted them, not to regulators who will merely penalise the messenger. The only mandatory requirements should be on those to whom attacks are reported. This should include acting as a “first stop shop” and passing reports to those who may be in a better position to take action.

5) The overall objective should be to facilitate action, not just intelligence.

6) It should be recognised that many of those involved in the EU regulation and law enforcement are not themselves trusted or trustworthy and no-one should be compelled to share sensitive information with organisations who they do not trust.

I am now only an honorary advisor to the Digital Policy Alliance but understand they have plans not only to do a submission to BIS but to work alongside the Department in helping co-ordinate inputs from their members’ peers in other EU states. If you are serious about wanting to improve the quality of what happens in Brussels, as opposed to merely whingeing and/or leaving, I do remind you that the DPA is now more active, and more effectively active, in this space than it ever was when it was EURIM and I was the bottleneck. Lord Erroll and his team are busy broadening the base of support and turning it into a genuine “Alliance”.

June 17, 2013  4:15 PM

What’s in a name … ? Why does DCMS wish to redefine the creative industries?

Philip Virgo
Architects, Creativity, DCMS, e-skills, ICT, Programmers, Skillset, statistics, Stem, UKCES

DCMS has contacted a number of organisations to “clarify” the reasons for its exercise to redefine the creative industries as follows: 

“DCMS are concerned that our proposals may have been misunderstood. This consultation relates to how Creative Industries are classified and measured for the purposes of official Government statistics. DCMS can categorically state that it is not our intention to “split the ICT sector in two”, as has been reported by some, or to change how Government views or supports the ICT sector. We absolutely agree that ICT is a coherent sector in its own right, with strategic importance to the UK economy. This consultation document does, however, seek views on the extent to which IT occupations and industries have creative elements which should also be included in the proposed Creative Industries statistical grouping to ensure that the creative aspects of these occupations and industries are reflected in official statistics. This does not mean that those IT occupations and industries will be “reclassified”, nor that they will not also be included in official statistics relating to IT. The Government see this kind of sector crossover as one of the UK’s great economic strengths in a rapidly convergent world: the fact that the UK is seen as a global leader in digital creativity is something we should celebrate.

Inclusion of some IT components within the Creative Industries statistical classification is not new of course. A number of IT activities have been included since the original mapping exercise in 1998 up until 2010. Changes were made for the December 2011 publication, which removed IT activities (apart from Computer Games). Concern was expressed at that time about these changes and this current consultation seeks views as part of a thorough review of our approach to the Creative Industries statistical classification.

The Government will, of course, carefully consider all responses to this consultation before finalising the Creative Industries statistical classification.

In the meantime I encourage your members to read and respond to the consultation.”

I “merely” comment that this appears, at least to me, to muddy the waters still further.

Why should those designing, for example, new software for production control systems or information security be included while those designing new hardware be excluded? I give a current example regarding efforts to improve confidence in the security of the on-line world by deploying “trusted systems” using an evolving mix of trusted software, hardware and wetware (people processes) to give reasonable confidence as to who is doing a particular transaction, using which device from where.

To give another example, related to the inclusion of Architects in the Creative Industries and the exclusion of Civil Engineers: why should those designing new software to support the complex visualisations used in computer games and films like Avatar be included, while those (Civil Engineers) who worked out how to prevent the roof of the City Opera House from collapsing are not? The same question applies to the exclusion of the Civil Engineers and Programme and Project Managers who converted the Architects’ visions for the Olympic Stadium and Aquatics Centre etc. into specifications which the construction industry could turn into physical reality in the time available.

This leads back to the fundamental question of “who wants to redefine the creative industries and why?” It still appears to me to be linked to the survival of DCMS as a department and the use of “the creative industries”, as opposed to the “STEM” (science, technology and engineering) industries, when bidding for funding.

I therefore still stand by the tenor of my first blog entry on this topic, even though my own response to the consultation was more measured and I genuinely believe that Skillset is doing excellent work with regard to the overlapping needs of the computer games and digital entertainment industries. I also believe that it would be unlikely to benefit from a merger with e-Skills unless the resultant body were to receive significantly more funding on a permanent basis so that it was no longer dependent on drip funding from the UKCES. That raises issues which I plan to explore later.

The one matter on which I do agree with the DCMS e-mail is the need to respond.

I also remind readers of the need to respond to the e-Skills consultation on the update of the occupation standards for IT and to be ready to respond to that, due to be launched soon, on the Cyber Security Apprenticeship frameworks.

June 17, 2013  11:42 AM

What questions will the NAO report on BDUK seek to answer?

Philip Virgo
BDUK, Broadband, DCMS, Defra, NAO, NTL, PSN, Public sector, Telewest, Virgin Media

I was delighted with the news that the National Audit Office will be investigating whether BDUK gives value for money. One can make a reasonable guess as to some of the questions they might address and those they will shy away from. One question that they are most unlikely to consider is whether it was all a plot to help turn BT into a Tier One Operator like Verizon. Another is whether it was correct for the Department to be so focussed on the success of the Jubilee and the Olympics that it neglected its other responsibilities, including Broadband. That priority was inevitable once the Coalition Cabinet had agreed the decision to “go for broke” with the Olympics. The KCB for the Permanent Secretary was as well deserved as his likely fate had the games not been a triumph. The DCMS “decision” to delay broadband roll out to rural areas, until BT had fulfilled its critical role vis a vis the Olympics, followed. Was it, however, necessary? And should not others have been informed before wasting millions on futile bids as that “decision” was expensively sonked with wandering goal posts?

Should the need to avoid diverting scarce BT resources not have been used instead to help bring about a return to the pre-1997 policy of fostering a competitive market (including “competition in the local loop”)?  The policy of Local Loop Unbundling was brought in by New Labour to save the bondholders of NTL and Telewest from taking a “haircut”. It nearly destroyed BT by denying it a return on the £billions it had already invested to bring fibre to within a kilometre of 60% of the population. Current BDUK policy appears to be to preserve the BT – Virgin local loop infrastructure duopoly from being trashed by newcomers who might build faster, cheaper, more resilient networks to international standards.

Is that policy sustainable given the impending price wars between Sky and BT and between BT and the mobile operators? Is it even in the best interests of BT shareholders? I declare an interest. I have modest shareholdings in BT, Sky, Vodafone, B4RN and also some of the equipment suppliers. I want all of them, and their competitors, to make money by growing the market – not by fighting over a communications backwater, surfing the cybercrud that comes their way.

Such policy questions are not the concern of NAO but, given that DCMS was so totally focused on the Olympics, why did it create BDUK at all?

Why did it not simply give the money direct to local authorities to pool with their own budgets and what they could raise from local businesses, including those running, or planning, business parks and property developments? Local Government has considerably more experience than Central Government with regard to pooling funds for infrastructure investment. Most local authorities also have more experience than most of Whitehall when it comes to procuring communications networks. Why were they blocked from using, let alone sharing, that expertise? Was it necessary to provide central guidance at all, let alone use consultants with experience of neither telecommunications nor local (as opposed to central) government procurement simply because they could be hired quickly (but not cheaply) under an existing framework contract?

The consequent idiosyncratic, imploding and increasingly controversial process was probably expensively doomed from the start. However, the second most important question concerns commercial confidentiality with regard to the use of public funds. This has reverberations across the whole of the public sector and I should explain why. My father was an accounting officer in the days before the National Audit Office was created and lectured at the Civil Service College on the duties of an accounting officer under the Exchequer and Audit Acts. At about the same time (late 1970s) I did a spell as Comptroller (finance and administration) for ICL Public Corporations Sector. In those days all terms and conditions for public sector tenders and contracts (except defence and security) were a matter of public record, as were the details of the winning bid after the contract had been awarded. I recently discussed the widespread use of “commercial confidentiality” as an excuse for secrecy with a former Cabinet Official. We could not work out when this became commonplace and whether it was actually legal, let alone good practice. Suffice it to say that no one appears to have challenged it in the courts. There is also the question of whether BT’s refusal to allow local authorities to publish what it has told them of its forward plans, while effectively demanding that others publish theirs, invalidates the conditional state aid waiver given by the Commission for the BDUK framework, particularly now that there is only one supplier. What Ian Grant describes as BT’s attention to detail, even with regard to the small sums on offer from DEFRA, raises serious questions as to the reasons as well as legality of such confidentiality.

Third comes the question of how the process became tailored round what BT could offer to all parts of the UK, based on its existing infrastructure rather than on international standards that would enable local networks to be operated and maintained by others should the provider go broke, as well as enabling any-to-any connectivity and incremental upgrade paths. This goes to the heart of whether the BDUK framework will be viewed during the run-up to the next election as a cost-effective triumph or an expensive disaster. The charges to DCMS from well-known consultancies and law firms for staff with experience of neither telecoms nor local government procurement, compared to those to local authorities by consultants with experience of both, are small beer by comparison. Have they actually painted the recipients of BDUK funding into a technology dead end while claiming to do the opposite?

Fourth comes the relationship, or not, between BDUK and those organising the DECC and PSN frameworks, let alone those running other procurement frameworks, such as Janet and the Grids. Would not the local authorities have been able to get better value for money by mixing and matching across all three, provided the result was built and operated to international standards and was also compliant with those for the PSN?

I regret the negative tone of this blog but NAO value for money reports are often negative. They tend to be tasked with looking at expensive mistakes and identifying why they happened so that we can learn for the future. The most common lessons from such reports are:

1) When stuck in a hole stop digging
2) The cover-up commonly does more damage than the original cock-up
3) There was a much simpler, less risky way which might still be practical, provided the department can swallow its pride and does not throw the baby out with the bathwater, unless it is indeed so malformed that it cannot survive.

The NAO report should enable ministers to make that third judgement but do read the report carefully. Every attempt will be made to protect the guilty and punish the innocent while it is being circulated for comment before publication. Ministers will have to insist on the truth, if they are to turn the current predicament to advantage. That may well be best done by accepting the criticisms and seeking to draw in investment from new players, even at this late stage, to turn the UK back into a genuinely competitive, world class, on-line market place.    

June 15, 2013  9:30 AM

Public choose security over privacy: but will the Communications Bill help?

Philip Virgo
Prism, privacy, Security, YouGov

I have just read the summary report of the YouGov survey which shows that twice as many UK adults support prioritising security over privacy in public policy. I am surprised that the majority is not higher. Perhaps the vote was distorted by suspicions that the security of politicians is not the same as the security of the people.

I am unashamedly among those who rate security above privacy but am also highly suspicious of activities which might take away my privacy while doing little or nothing to enhance my security. I happen to believe that the Communications Bill and the surveillance strategy behind it will do neither – but will have some very expensive side effects.

The state has enforced its ability to spy on us since James Duke of York (later James II) killed off the original penny post (a more efficient competitor to Royal Mail) because it was carrying seditious and lascivious correspondence. If the Communications Bill entails enabling BT to be treated as a Tier One operator (like Verizon) it is a similar threat to its competitors. Those who think this a price worth paying deserve to go into exile like King James. 

Do we really wish to take effective action to address, for example, the slide from boredom and alienation, through browsing to perversion, terrorism and violence?

If so, we need to begin by making better use of the budgets and resources available to exploit existing sources of information and make it easier for all telcos and ISPs, not just BT, to provide timely, pre-digested information on a voluntary basis in time to take action – not just to agglomerate mountains of data that may or may not help track down who was responsible after the children have been abused or the bombs have gone off.

That almost certainly requires legislation, including to better protect those who provide voluntary co-operation to law enforcement and the security services, whether as individuals or on a corporate basis. Delaying such action while throwing money at additional technology, let alone throttling the creation of a globally competitive fixed and mobile broadband communications infrastructure, may not be a significant threat to my privacy, but it does not help improve my security either.      

June 14, 2013  6:08 PM

Only 4 out of 11 former Home Secretaries publicly support the Communications Bill

Philip Virgo
BDUK, DCMS, GCHQ, IOCA, SA, Times, Verizon

The headline for this blog is no more misleading than most public debate on the proposals in the Communications Bill. Now that my attempt to put PRISM and the Communications Bill into context, alongside the other current threats to the Internet as we perceive it, has been quoted on national radio: “I do not see what the fuss is about. I would be dismayed if NSA and GCHQ were not doing such things”, I would like to remind readers of the next sentence in that blog entry: “However, I do not believe it is worth recreating the BT monopoly as part of a vain attempt to expensively prop up a surveillance strategy that is fast becoming obsolete”.

We tend to forget that William Whitelaw, as Home Secretary, presided over some of the key meetings that planned the termination of the Post Office monopoly, not “just” the privatisation of BT as a regulated utility. There was indeed much agonising over the security implications. The IRA was busy murdering members of the government, although the Brighton bomb was still in its earliest planning stages. I note that only one of the five surviving Home Secretaries who served during the IRA bombing campaigns has signed the letter to The Times, though Tom King who was in Downing Street when it was mortared has signed and Kenneth Clarke is in office and is barred from doing so.

When I was organising meetings on the IOCA and RIPA consultations the minister responsible was Charles Clarke, one of the former Labour Home Secretaries who has not signed either. Among those attending the meetings were several of those who had been involved in the telephone surveillance of the IRA. They commonly had strong views on what was actually needed. I have similarly had my ear bent many times more recently on the need to make much better use of the funds and expertise available than on trying to turn BT back into the equivalent of a Tier 1 provider like Verizon in the United States: whether via the thinking behind the Communications Bill or that which conspiracy theorists say is behind the systemic discouragement of investment in alternative communication infrastructures, large or small, organised via BDUK.

Hence also the reason why the blog entry quoted on the Today Programme concluded on the need for genuine partnership and a Communications Bill that really does address the obstacles to that partnership: not the re-creation of a mythical past.

June 12, 2013  8:55 AM

Parliament votes to cut electricity use by 27% by 2020. How? Switch off the internet?

Philip Virgo
Data Center, Data centres, Data Dynamics, Prism

On Sunday Christopher Booker commented on one of Parliament’s more bizarre decisions when an empty House of Commons agreed to cut UK electricity consumption by 27% by 2020 and  40% by 2030, Meanwhile the UK is moving into an on-line world, dependent on 24 by 7 data centres. The first estimate that I found for the electricity consumption of data centres appeared to indicate that they already account for 7% of base load on a wet December day. This was based on a power demand of 2GW. However, the Data Dynamics Global Census for 2012 indicates that UK data Centre demand is already 2.85 GW, so that would imply that the current reality is nearer 10% of base demand. More-over the power demand from data centres is rising sharply as we move into the “Cloud”.

The Data Dynamics Census indicates a global growth in demand from data centres of 60%: let us assume that the UK is half that, as data centres are moved off shore to where electricity is cheaper and regulation less onerous. That implies that data centres will be taking up over a third of the current UK winter base load by the time that the House of Commons said that demand must be cut by a third.

How much of the rest of the UK base load is taken up by always-on systems and will that grow or diminish as we transition via Ubiquitous Broadband to the Internet of Things?

This looks to me like a much bigger threat to the on-line world than PRISM, the Communications Bill or EU Data Protection Legislation, where I was delighted to see a Minister finally giving an estimate of the cost to business (even if it does omit the cost to the economy of business moving off-shore).

Will some-one please tell me that I have got this badly wrong.

Or have I just uncovered the business case for off-shore and long-term investors to fund the new Severn Lagoons project, with Nuclear Power stations on the English side, to supply a consortium of data centre operators on equally long term contracts – and will they be allowed to do so, outside the constraints of the Energy Bill? 

June 11, 2013  11:28 PM

The “free market” on-line world is under attack from all directions: who wants to save what and why?

Philip Virgo Profile: Philip Virgo
BBC, BDUK, DCMS, Fraud, FSA, Google, Impersonation, Microsoft, NFA, Prism, RIPA, Which

The storm of media cover for PRISM, the NSA equivalent for what the Communications Bill was intended to support in the UK, raises many questions, including the future of competition in the provision of the infrastructures over which we access the on-line world. The ZDNET speculative article on how and why PRISM actually works and why Apple, Google, Microsoft et al may be “innocent” of collusion, also explains why those promoting the Communications Bill wish to go back to 1979 and recreate a situation whereby all UK communications are routed via BT monitoring points and it can be treated as a Tier One operator. Currently BT is a Tier 2 operator because the UK still has, (or perhaps one should say, had until Ofcom and BDUK set about helping recreate a BT monopoly), a reasonably competitive infrastructure market and might be on the verge of once again having a truly competitive market.

The media cover has an additional edge because journalists from the New York Times to the BBC are now painfully aware that, even if the NSA and GCHQ have not rummaged through their files of private contacts, agencies of the Chinese, Iranian and Syrian media may well have done so.

Meanwhile the latest NFA Annual Fraud Indicator would appear to show that over 25% of us have been actively defrauded (average loss over £1,000), not just had our personal identities or information compromised. Most frauds now have an on-line component, albeit increasingly integrating voice, text and e-mail customer communications in ways well in advance of most legitimate commercial players: 20% of us according to Which have now received telephone calls from Microsoft technical staff offering to help us fix problems they have found.

The total cost of Fraud to the UK is over £50 billion, 40% of it from the public sector. There is, therefore, mounting pressure on Government to do more to tackle fraud and money laundering as part of the deficit reduction package. That pressure now extends from tax fraud (over £10 billion), through evasion to avoidance. Hence the case for using surveillance to track the proceeds of crime and sources of terrorist funding to also identify the means used to move taxable sales and income off-shore and question their legality. PRISM, RIPA and the Communications Bill may not cover content but there is plenty of legislation regarding the regulation of Financial Services et al that does, once the communications to be “unpacked” have been identified.

The Internet, as perceived by the mix of Californian liberals and libertarians who created its current “governance” structures, is now under attack from all directions:

  • from perverts and terrorists seeking victims and converts,
  • through criminals impersonating and defrauding businesses and consumers,
  • to taxmen seeking to recoup the sales and property taxes they have lost as traditional retailers are put out of business by “out-of-state” or “off-shore” on-line operators
  • and lawyers seeking to enforce intellectual property rights that go way beyond those which stimulated creativity and growth in previous centuries.

Meanwhile most claims with regard to anonymity, neutrality, privacy, resilience and security have been shown to be false and most attempts at regulation achieve the opposite of their supposed objectives: protecting dominant incumbents by reducing competition and choice while failing to protect consumers, customers and the vulnerable from abuse.

Recent press cover in the Washington Post and Guardian has focussed on leaked “evidence” regarding long-standing trans-atlantic co-operation with regard to communications monitoring – as though the revelations are surprising, new or scandalous. Those who suffer from deja vu (Echelon et al) will not be surprised at the leak of the modern equivalent of a “D-Notice” asking journalists to refrain from doing “real” harm.

Such cover has almost buried the, far more worrying, allegations that major players, including defence and security contractors as well as major ISPs, have had their networks comprehensively penetrated and their most sensitive files copied. If such allegations were to be widely believed, whether true or not, the result could be a collapse of confidence in the expensive technical solutions the suppliers promote to supposedly protect “big data” solutions that are inherently insecure because of the number and variety of sources (hardware, software and information) and of users (with privileged access) involved.

I happen to think that such a collapse, or at least a much wider degree of well-informed scepticism, including at the political level, would be an excellent development. Those designing such systems commonly lack the necessary training in information systems and security, (people processes not just technology), to be anything other than a menace to their employers, let alone the rest of us. Worse, there have been several, as yet little publicised, cases of damning reports on the impossibility of adequately securing major applications (such as national programmes for detailed children or patient records) not being passed on or being described to Ministers as “technical problems that can be overcome during implementation”.  

The current controversies, however, also risk burying good news: such as how the takedown of the Citadel network shows that industry and law enforcement can work together to make a real difference. The problem is to organise co-operation across well established, and sometimes well-deserved, barriers of mistrust between networks of insiders indoctrinated with concepts of “need to know” which mean “we need to know what you are doing but we will not tell you why, let alone tell you what we already know, unless we are convinced that it is in our interest that you know too”. Progress will be limited until we have found and tested better ways of organising trustworthy (and trusted) “connections” (people not just technology) to handle communications between such networks.

Is the current mix of assaults from all directions such that confidence in the Internet (seen in context as a core part of the world’s largest machine, the global communications network) is about to collapse? Or is it about to be reborn around different conceptual models?

If so what will trigger the collapse?

And which of the players currently trying to screw each other will help conceive its successor?    

As I have said in previous postings, these are questions we should be putting to the next generation of thought leaders. What I am personally calling “the Cyber Integrity Challenge” has now had its first registrations (one of the very first was from a masters student at a post-graduate school of journalism), even though we have yet to have the first briefing event for students and employers. Students whose University is not among the initial participants should ask their supervisor to contact their University’s CPHC contact (or to e-mail the Cyber Security Challenge contact using the website link). Additional Universities can be added until shortly before the deadline for registration: thus Lancaster (which has one of the government funded, cross disciplinary cyber security centres of excellence) was confirmed last week as an addition to the announced list.

Employers seeking contacts with those who will help them build an on-line future in which we can have genuine confidence should make similar contact, remembering that the pilot is being organised as a stream within the main Cyber Security Challenge. So too should those wishing to support entries and sponsor prizes (to show that their organisation is serious about building confidence in the on-line world). I am happy to pass on details to the organising team but am now only one among a growing number of cheerleaders and supporters. This is clearly an idea whose time has come.

One of my reasons for spending so much time on getting the competition off the ground is that I believe the Internet as currently conceived cannot survive unless those who want it to do so work together – to help rebuild confidence that it is worth protecting. If it is going to have to continue to evolve, it is even more important to work together to ensure that it evolves into something better suited to the needs of the majority of law abiding citizens and businesses. As some-one whose personal “open market” politics are near to “where Tribal Tory meets Old Labour, round the bike sheds at the back”, I would also like to think that future might involve a measure of democratic accountability and personal freedom, as opposed to …  

But those who are serious about such matters often have to be ready to kill for them, not just die for them. That leads us back to PRISM. I do not see what the fuss is about. I would be dismayed if the NSA and GCHQ were not doing such things. However, I do not believe it is worth recreating the BT monopoly as part of a vain attempt to expensively prop up a surveillance strategy that is fast becoming obsolete. I would far rather we looked forward to a world of genuine partnerships in “civil defence” as well as “policing” that are genuinely fit for the on-line world.

Hence also my comments quoted by Michael Dempsey in the Financial Times on Friday  on why we need to make much better use of industry expertise as “cyber reservists” and “specialist constables” with governance frameworks which also enable those working in key roles in industry to “change hats” without necessarily leaving their desk or control console when an attack develops. Now that raises far more interesting questions of trust and accountability than PRISM et al.

June 11, 2013  9:30 PM

DCMS Consultation to put Computer Programming alongside Music and the Performing Arts

Philip Virgo Profile: Philip Virgo
e-skills, Nesta, Professionalism, SEM

Further to my acid blog on the motivation behind the consultation to change the SIC Codes related to ICT to transfer computer consultancy and programming to sit alongside music and the performing arts, my personal responses are below. Others may choose to be less constrained and describe it as a proposal to step back forty years with regards to professionalism. I would, however, say that Skillset and NESTA are rather good at what they do and some of the new courses to develop the skills for the computer games industry are excellent. Nonetheless changing funding boundaries, as opposed to improving co-operation across them, never did any good.

Consultation issue 1: What are your views of using the Creative Industries methodology to underpin the DCMS Creative Industries classification?

The methodology could be used to include the whole of invention and product design and development across traditional industry. The consequent inclusion of Computer Programming and Consultancy within the Creative as opposed to Engineering Industries is nonsense. It includes, for example, those who design the software control systems for power plants (often using the same disciplines as for computer games) while excluding those who design the chipsets used. In fact they often work in symbiotic teams.

It would be helpful to explicitly exclude from the definition those roles and industries which depend on extensive product testing and on engineering disciplines and not just individual creativity.

Consultation issue 2: What are your views of the list of Creative Occupations as defined in figure 1 of the consultation document? Are there occupations which have been included which you think should not be? Are there occupations which have not been included which you think should be? What evidence do you have (if any) to support your view on inclusions or exclusions?

IT Business Analysts, Programmers and Web designers should be excluded because in modern system development environments, with hybrid skills and incremental change becoming increasingly common, the individuals concerned cannot be readily distinguished from those operating and using the systems.

More-over the design and testing disciplines involved mean that the roles are very much more akin to engineering than the definition of creativity used in the methodology.

  • IT business analysts, architects and systems designers
  • Programmers and software development professionals
  • Web design and development professionals

Consultation issue 3: What are your views of the list of sectors as defined in figure 2 of the consultation document? Are there sectors which have been included which you think should not be? Are there sectors which have not been included which you think should be? What evidence do you have (if any) to support your view on inclusions or exclusions?

Computer Programming and consultancy should be excluded because they depend more on systems engineering disciplines, teamwork and testing than on individual creativity.

  • Computer programming activities
  • Computer consultancy activities

Consultation issue 4: What are your views of the list of groupings as shown in figure 3 of the consultation document? Are there other groupings which you think would be preferable, given the SIC codes available to match together in these groupings?

IT, software and computer services should be excluded because they fit better with Engineering than with the Creative industries.

  • IT, software and computer services
  • Computer programming activities
  • Computer consultancy activities

Consultation issue 5: Do the SIC and SOC codes adequately and accurately capture the full range of economic activity within the creative industries? If not, how would you better define the SIC and SOC codes?

The inclusion of  computer programming and consultancy extends the definition of creative industries well beyond those which depend on individual creativity and where Skillset, NESTA and DCMS have relevant expertise and experience.

Consultation issue 6: What indicators do you find to be of value in your work? Do you collect data against these indicators on a regular basis and, if so, how do you do so?

I tracked employment and demand for IT related skills to provide advice and  guidance for employers from 1982 until e-Skills set up its own monitoring operations.

The SIC Codes were of limited value save at the macro level. Changes in structure gave me serious problems with regard to putting short term fluctuations into long term context.

An example of my work, which was used to help employers and also government to plan ahead for the Y2K crisis, was the 1996 IT Skills Trends Report: http://www.eurim.org.uk/activities/skills/96SKILLS.pdf
