I trust on-line banking as far as I can throw it – which is not very far. It is not that I do not trust the security of the systems of the banks I use. I do not trust the security of the equipment I use to access their systems or of the mail service via which I receive their authentication devices and PINs. I live barely a hundred yards from a busy high street in which Tesco, Sainsbury’s, Iceland and the Co-op, plus over fifty small shops, compete for my business. When I moved in, fifteen years ago, it had four busy bank branches (counting building societies as banks) and one pawnbroker. Today it has one bank branch and three pawnbrokers (including payday loan, cheque changing and gold buying operations). It also has over a dozen small shops offering Western Union and other global money transmission services.
We had choice and I had accounts with all four of the banks/building societies – moving balances according to the interest paid. Then Abbey National closed what had been called “the most robbed bank in Britain” (it apparently overtook the RBS Branch next to Barlinnie after they spent a large amount making it open plan with no security). I closed my last (postal) account when Santander took over and the interest rate vanished even before the Banking Crisis. Then Nationwide closed its cosy little fortress. Rather than use their branches miles away in shopping centres I never visit, I now time pay-ins and anything complex for when I am in Central London.
Then two days ago I discovered that the local Nat West Branch had not only been closed, permanently, “for health and safety reasons” with no notice to customers, but the cash machines had been removed. I contacted the local councillors and was told that the only information available was the report in one of the local free sheets which also contained their comments and those of the local MP. That means I will have to adjust my next visit into Central London to include an opportunity to pay my VAT into a Nat West branch, because HMRC will not accept a cheque.
We complain of the difficulty of reporting electronic crime but Lambeth Police have long had a simple policy for cutting reported physical crime – shut down the means of reporting it. That allows them to report success against their crime reduction targets. I had not previously appreciated how efficient this is at also moving elderly victims online so that they can be fleeced more efficiently than by mugging them in the street. However, help may be at hand. I do hope that Tesco Bank reads this and takes note. Their local store is in that part of the High Street where their security guard (and those of the other supermarkets) provide mutual assistance. I also hope that Barclays, also in the “secure” area, next to the busiest bus stop, reads this and does a short order marketing blitz for local small firms business.
It would be even better if we also had a regular physical police presence, with PACE paperwork done on the spot by Blackberry or Android and a ferry service to take those arrested back to fortress Brixton for same day trial and sentencing (or at least overnight detention and next day trial – as in the days of Peelite policing). Now that would be a good use of technology to support people processes.
The idea of a competition on the means of enhancing trust in the on-line world has struck a number of chords. Some respondents focus on the need for behaviour change and I will blog on this later. Others have questioned why so many services rely on “trust” products and services which many believe are damaged goods. Thus I have been asked why .gov.uk relies on SSL certificates provided from Utah by Comodo (Usertrust). That reader asked whether these were the cheapest, the only ones that assert they come under UK law (the policy says it is Manchester-based), did DigiNotar eclipse the Comodo saga last year, or “is everyone so new they do not remember 2011”. It may be, of course, that CESG has checked the scale and nature of the breach and been reassured. But have they? And how is trust, once lost, regained?
One of the points of leverage in improving the trust of your board, let alone your customers, in the organisation’s systems is the use of internal or independent audit to see who and what you are actually trusting and whether they really are trustworthy. In the private sector the most common qualifications required by organisations who are serious about information security are those from ISACA (originally the Information Systems Audit and Control Association, now extended to cover IT governance as a whole). This has over 100,000 members worldwide and six chapters in the UK. The London chapter has over 2,500 members. Below is the response from Professor John Walker, who sits on the ISACA international practice guidance committee. He highlights how just one major weakness in practice (including on the part of some well known brand names) undermines much of the theory of “trusted” internet services. It is chilling – do not let an Internet savvy director read on unless accompanied by ….
Is it a coincidence that I received a website reference to a DWP paper on identity fraud dated last February on the same day as the announcement of the departure of the programme director for the Universal Credit – with added speculation with regard to further changes?
The successful implementation of major programmes correlates almost exactly with the continuity of the senior responsible owner from inception to live running. The DWP implementation strategy appears to have consistently broken rules one (the centralised storage of vulnerable and sensitive data), two (network vulnerability) and three (creation of large numbers of disaffected staff) of the Skyfall guide for Ministers and Directors.
I find it interesting that none of the alternative, lower risk, ways of implementing the ministerial “vision” were ever seriously considered. I have always favoured devolving as much responsibility as practical to front line staff and giving them the tools to take a genuinely integrated view of the customers’ needs. In the context of DWP that would mean giving them access to data-matching systems that would enable them to join up the care and benefits packages available to the human with whom they are dealing (ideally face to face) and also to record why they have decided not to abide by the recommendations of computer files that may well be weeks or months out of date with regard to the circumstances of those in most need of the flexible help which is supposedly integral to the vision. Another implication of this is to greatly reduce vulnerabilities to the current £billions of “systemic” on-line fraud based on ID crime.
I will not bore you with my previous blogs such as “Is DWP herding the vulnerable online to be fleeced?”, “What is the difference between the National plan for IT and the Universal Credit?” and “A train crash waiting to happen …”. I will just say that I too like the “vision” very much and hope that it is not too late to separate benefit from risk in the implementation. But doing so almost certainly requires changing from grandiose big bang to incremental change.
Yesterday morning, at the awards ceremony for the Cyber Security Challenge “Can you talk security” competition, our BT host described Skyfall as a blockbuster careers advice film for the brightest and best of the younger generation. He quoted the new “Q” describing James Bond as a dinosaur: “I can do more damage on my laptop in my pajamas before my first cup of Earl Grey than you do in a whole year.”
Visit the Skyfall website and watch the clip of James Bond meeting his new Quartermaster. Those who bleat about the lack of realistic careers guidance should focus on joining up the dots on how Q got his job. They should also watch his chagrin when he learns that an old-time hacker (same vintage as James Bond) breaks his network security wide open. One of the supposed teenage hackers arrested during the investigation described in Misha Glenny’s Dark Market was in his 60s, waiting for a hip replacement, and asked to put his teeth in before he was taken to the police station.
But Skyfall does much more. It also covers the three top tips that are missing from the CESG Executive Guidance on Cyber Security (and all other guides produced by mainstream security experts):
1) Do not put all the crown jewels in one database: whatever the claimed security etc.
2) Do not link all your networks together: whatever the claimed security etc.
3) Take good care of potentially disaffected former employees. They are your biggest weakness.
CISOs who claim their Board does not understand the importance of cybersecurity should tell them to watch Skyfall with their grandchildren. The CISO should then be ready to lead a discussion on what “M” should have done in order to go out of office with pride – instead of seeing her reputation for competence trashed and having to retreat to a communications not-spot to die in the arms of her favourite, but now ageing, toyboy.
The collapse of the Internet and of mobile phone networks as Hurricane Sandy hit New York and New Jersey mirrors that when Katrina hit New Orleans. Trust is earned by those who deliver whatever the circumstances. The struggles of those who sought to keep their New York services going last week illustrate what that can mean. But how many “best efforts” services fall well short – and what are the implications as we move towards the always-on world of ubiquitous computing and the Internet of Things?
Widespread publicity for security compromises and the scale of on-line impersonation and fraud have led to a crisis of confidence in the on-line world in parallel with that in financial institutions as a result of the banking crisis and the scandals that have accompanied it. The financial crisis can be seen as a failure of information governance. The systemic weaknesses which enable criminals to organise computer assisted fraud arise from similar failures of technology governance. Such failures cross professional, cultural and regulatory boundaries. Now add the effects of the collapse of on-line banking and transaction systems, mobile phone networks, search engines or cloud services for hours, or even days on end, when faced by fire, flood, severed cables or even simple digititis (finger trouble), let alone major denial of service attacks.
Back in August I blogged on plans for a competition on “the meaning of trust in the on-line world”. The Ethical and Security panels of the IT Livery Company have now held two linked round tables (one each).
By the end of the second meeting we had turned the question on its head: how do we enhance trust in the online world, given that we cannot (and probably will never) agree what trust actually is or how it is gained across a truly multi-cultural and socially inclusive Internet – where most users do not accept the values of the Starship Enterprise?
We also agreed that this is not a one off exercise and had turned our plans into a pilot for a three year project – which might well be extended if successful. The draft definition of “success” for the pilot being:
- Universities enhancing industry partnerships with participating employers
- Students earning apprenticeships/internships/posts with employers they would not have considered
- Good ideas for helping enhance the competitiveness of the UK/EU (we should not neglect the need to bring about attitudinal change among those who set the EU regulatory frameworks within which we operate) as a base of choice for globally trusted on-line products and services
- Participants ready and willing to work together to build on what has been learned.
We are now galloping to get the pilot under way in time for the thousand or so masters students likely to produce relevant dissertations to attract support from potential employers. The first stage includes rephrasing and publicising the high level “question” because Masters students are expected to set their own questions and the issues can be addressed from a variety of perspectives: technical, behavioural, legal, ethical and cultural. Moreover the supporters of the exercise have different objectives and the key to “success” will be to exploit the overlap so that these can be achieved at the same time as generating research and recommendations that will help bring about changes in attitudes and priorities and lead to effective action.
The framework below is therefore intended to stimulate discussion and thought. It is not intended to be the list of questions that the entrants agree with their supervisors and supporters.
The core question (dodged by almost all who look at the issues) is:
How do we bring about attitudinal and behavioural change: including by using technology to make it easier to follow good practice and harder to follow bad practice etc.?
Awareness and education programmes? Regulatory or compliance regimes? Civil or criminal law? Publicity? What are the roles of industry players, professional bodies, trade associations, self-regulators, statutory regulators, governments, auditors, insurers? What are the roles of the technology and people processes in facilitating security, privacy, good practice and trust, by design/default?
The second question, at the heart of the original motivation for the competition, is:
How do we enhance trust in London and the UK as a location for globally trusted services and reap the rewards?
What is the role, if any, of the EU? How does improving on-line trust fit into the overarching objective of improving trust in the City/UK plc? Who (Financial Institutions, Government, Regulator, Professional Bodies, Trade Associations, Interest Groups) should do what?
Other high level questions might include:
How do you produce meaningful testing that deals with the claims made for the product or services i.e. not just tick box compliance with an “accreditation”?
Is improving trust that services will not fail (e.g. fire, flood, power or “failed upgrade” bringing down a system or network) more important than routines for reducing the risk of incidents (e.g. known or suspected security breaches)?
How could/should trade-offs between cost, privacy, resilience, reliability and security be handled?
How could/should “trust” be “arbitraged” across identity and transaction systems run by different organisations, in different ways and to different standards?
What is informed choice and informed consent? Does this change according to time/circumstance? Who can be trusted to ensure/record that choice was given, changed or revoked? Can consent be revoked?
There are, however, many subsidiary questions that also need to be addressed:
What is the meaning of Trust?
What are the determinants and components of trust – both on-line and off-line? Is there a difference and if so why? What is the current state of trust “ecosystems”, including who trusts whom with their identity and/or personal information? How do we distinguish between exercising trust and being trustworthy? How do you build trust online? How do you rebuild trust after a failure? What about trusted technologies/devices? Is there a difference between trust at the wholesale level (institution to institution) and retail (institution to individual customer)?
What is the meaning of “My word is my bond” in the on-line world?
Who am I? – Issues of identity (personal, legal, etc.), registration, reliance, liability, authorisation, impersonation and anonymity: not only is identification irrelevant to many transactions but some market transactions require anonymity in order to avoid distortion.
What is my word? – Issues of authentication, translation, in a contractual, cultural and legal context. How is trust in “my word” affected by complex and conflicting product and service terms and conditions? Are these meaningful or enforceable? Would standard terms, streamlining, standardisation and harmonisation improve trust?
What is my bond? – Issues of responsibility, liability, governance etc. Does civil law, adjudicated in London, provide a better recourse against abuse than criminal law? Legislation covering the City of London Police is different to the rest of the UK. This enables cooperation across legal boundaries which cannot be organised elsewhere. How could/should better use be made of the consequent potential? What about the differences between common, Roman, Jewish and Shariah law (bearing in mind that all are used in London) and their attitudes towards on-line transactions?
What, if anything, is different about the on-line world and why? Multi-cultural, multi-lingual centres like London have been handling transactions between people who never physically meet for centuries. So what really is different: problems, threats and opportunities?
I will not go into the judging criteria in detail save that for round one they are those for a Masters Dissertation: a mix of information collection and analysis in support of an innovative answer to an interesting question. Round two is for presentations by those producing innovative answers which help the competitiveness of UK plc. There may be cash prizes in both rounds but the “real” prizes are the degree and contact with potential employers and/or research sponsors (in Round One) and publicity for student, university and industry supporters in addressing issues of concern to sponsors (in Round Two).
I welcome e-mails (to email@example.com) from employers wishing to enhance their university and identify and support potential recruits. I also welcome e-mails from on-line banking, retailing, transaction, service and security providers who would like to use publicity for their participation to demonstrate that they take the protection of their customers and those in their supply chains seriously and also wish to ensure that the UK is a globally competitive base for themselves and their most reputable competitors.
I should perhaps add that I personally hope that most of the latter will also decide to join the Digital Policy Alliance with a view to using the material and ideas that emerge to help bulldoze out of the way the UK/EU regulatory overheads that do nothing to enhance trust and drive on-line transactions off-shore and out of the EU.
When I heard that Andy Smith’s eminently sensible comments at the Parliament and the Internet conference yesterday had gone viral I feared he had suffered a Ratner moment. I have just taken a look at the comments responding to the BBC news cover of the story and how they have been rated by those reading them: a massive vote of confidence in Andy. I had long known that the strange age profiles on many social networking and e-commerce sites were commonly because of false ages but had not previously appreciated how many users simply give April 1st as their birthday.
Last January, when I blogged on the great LinkedIn leak, I commended the East European approach to Internet Security: “never tell the truth on-line unless there is a good reason to do so” – sooner or later what you have posted on-line will be collated and used against you. The big difference between them and us is that they fear a new Stasi. We fear organised crime impersonating us and stealing our savings or destroying our credit ratings and leaving us stranded with our cards blocked. Our children have more fear of on-line bullies or the copyright police.
I have also described why it is that new neterati discover before puberty that they need at least three on-line IDs: one their parents and teachers can read, one for their friends and one for their best friends. Around puberty they discover the need to be able to trash any or all of them: when they fall prey to bullies or their best friends become their worst enemies. Shortly after Facebook introduced its timeline I listened to a group of undergraduates discussing whether it was easier to trash their Facebook profiles and start again, or to work out how to use the new privacy routines, with the risk they might have missed something.
This morning I received yet another e-mail covering the latest nonsenses in the ongoing saga of expensive displacement activity that passes for Government (US, EU, HMG etc.) electronic ID policy. This evening I have just received the draft minutes of a meeting on Monday on how to enhance trust in the on-line world. First we have to consider the meaning of trust, how it is earned and how it can be restored once lost. The comments in reply to the BBC news cover for yesterday’s comments reveal just how comprehensively it has been lost.
Hence the importance of going back to basics – for example using the opportunity of the transition to IPv6 to clean up Internet addressing routines (splitting as far as possible between those which are verifiable and those which are intended to be genuinely anonymous). Hence my comments on the importance of the current Nominet consultation.
BIS has just announced a “Foresight” report saying that “computer trading shows benefits to financial markets but calls for joint action to manage risks.” For “Foresight” read “Hindsight”. I remember an event on “Envisioning the Future” organised by Nortel almost twenty years ago when the means of monitoring markets based on computer trading systems was one of the themes for discussion.
This is a salutary reminder of just how far BIS (Westminster) is behind the City (London/Canary Wharf) – not much over a mile or two but at least a decade or two. The difference in mindset is similar to that between Shanghai and Beijing – five hundred miles and five hundred years (the Chinese think long term). New Yorkers have a similar view of Washington. I also remember the Silicon Valley view of Europe – the other side of the planet, at the far far end of the red-eye, even more out of touch than the Federal Government in Washington.
Last night I was at a meeting discussing the meaning of trust in the on-line world and someone mentioned the Edelman Global Trust Survey. This has now been running for over a decade and is full of interesting material. Among other things it shows how, even after the collapse in trust in financial services, they are still more trusted than the politicians who seek to regulate them.
Today sees the launch of Get Safe On-line Week. Do get involved – the most public events in London will be at Waterloo Station to intercept those on their way into the City and at Canary Wharf (hosted by HSBC) for the other high net worth risk-takers who are at most serious risk from the impersonation and fraud that increasingly follow successful phishing attacks and database compromises.
I would also, however, like to draw attention to a dirty little secret that the on-line enthusiasts and cyber security industry are anxious to hide: the reason why barely 30% of small firms are willing to transact on-line (other than for local takeaways). The National Fraud Authority analysis of Small Firms as victims of fraud is truly chilling. Chris Yiu revealed the 30% figure at a Policy Exchange Fringe meeting on broadband policy at the Conservative Party conference but had no analysis of the causes. I had, however, seen similar data from small firms organisations – which gave clear analyses of the reasons.
Is it the Irish Tax rates, which enable Apple, Facebook and Google to pay negligible taxes on their multi-billion revenues in the UK and other EU member states? Or it is the Irish implementation of the privacy, data protection and other directives? Will an Austrian student succeed in raising the funding necessary to challenge the latter? What will be the consequences if he does?
Will HMG really entrust our personal identities and data collected under statutory authority to those who base their ID governance in Dublin, their IT and security staff in India or their files on the west coast of the US? You could not make up the idea that the Home Office might seriously consider outsourcing the running of our immigration and criminal records to an Indian software company – but this is allegedly about to happen.
Does the Home Secretary’s refusal to extradite Gary McKinnon to the US mark a sea change in attitudes to national sovereignty over matters of national security – or is it a fig leaf to cover a much bigger retreat?
A surprising proportion of the UK tax base depends on the way that the rest of the world still trusts London, more than Dublin let alone Dubai, Mumbai or New York, as a global trading centre. The plans of Apple, Google and Microsoft to base people (if not necessarily tax and data governance) operations in London show that we still have an edge. Their plans to support educational activities (at all levels from schools to post-graduate) show they would like to see that edge continue.
Were we to adopt an Irish approach to industrial strategy and economic policy we would almost certainly see inward investment and tax revenues rise sharply and an earlier investment led recovery. Hence my repeated call for 100% tax relief on capital investment to make it attractive for Apple, Facebook, Google, Vodafone and others to plough their UK profits into the UK infrastructure investment (including power supplies and communications) that is necessary to support the trusted data centres and global on-line operations that should naturally be based in the UK – alongside the development (and production not merely research) of products and services for the smart, green world of the Internet of Things.
On Monday evening I will be doing my bit, planning a competition on the meaning of trust in the on-line world, to help position London, not Dublin, as the on-line capital of Europe. My partners believe that government has no role in this process. I fear they are wrong. Government has to get out of the way and actively remove both the regulatory overheads that get in the way of trust and reduce the taxes which cost more (including by driving profit centres out of the UK) than they raise. That will not happen without concerted political effort. Moreover that effort should include the Trade Unions – whose members (and members’ children and grandchildren) are losing out on the jobs of the future while the Westminster Village and political ideologues of right and left obsess over the egalitarian battles of the past.
Next Thursday, at the Parliament and the Internet Conference, the Digital Policy Alliance (EURIM) has organised a session (14.10 – 15.00) to discuss the role that the UK could and should play in that brave new world. Will HMG (especially Treasury, BIS, DCMS, DECC and Home Office) allow the UK to do so?
Next week is Get Safe On-line Week and I have been busy trying to persuade those who are serious about protecting their organisations, their staff, their customers and the families of their staff and customers to get involved. I am, however, struck by how many pay lip service to the need for “awareness” but are unwilling to link to practical advice on on-line safety and incident reporting from their own websites.
The reasons vary but I am struck by those in the public sector where there is also a strong reluctance to admit to the scale, nature, causes and consequences of fraud and impersonation and the value of using tried and tested, twenty-year-old, technology-supported (but not technology-driven) approaches to the reduction of fraud and impersonation. Thus we see displacement activity regarding new UK government electronic ID policies or the EU “harmonisation” of IDs instead of using electronic invoicing against agreed purchase orders to slash £2 billion of procurement fraud. We see an equal reluctance to use credit reference checks to fast track benefit claims and transactions that are unlikely to be fraudulent – so that effort can be focussed on those who really do need support because they drift in and out of employment and temporary accommodation and no-one will provide them with credit, whether or not their current claim is valid.
Hence my rants on ID Policy and the potential problems with the grandiose plans for the computer systems to handle Universal Credit. However, next week I will be focussing on the positive and have helped organise a couple of meetings to look at alternative ways of improving confidence in the on-line world: the first (on Monday) is to progress the competition on the meaning of trust in the on-line world. The second is on the use of civil law to improve redress and deterrence. But first we have to see what the current situation is really costing those who believe they need do no more than mouth platitudes.
At a Policy Exchange Fringe Meeting at the Conservative Party Conference one of the speakers, Chris Yiu, used data from a recent survey which showed that almost all SMEs now have websites but barely a third transact on-line. I asked whether that was because they could not get the symmetric broadband access that is necessary to run an inter-active website or because they were scared of not getting paid. Dido Harding of Talk Talk spoke of 10 Mb leased lines available for £1000 (although the lowest quote I can get in West Norwood is well above that and I am told the choice available to me is not available in, for example, Wapping, let alone across most of the UK). Chris had not yet unpacked his data but it gelled with that from other sources where the cost of compliance and the liability to fraudulent charge were blamed for take-up of under 30%. Meanwhile the National Fraud Authority Segmentation Analysis of the vulnerabilities of small firms to fraud is chilling.
So who really does want to win new business from SMEs by not only helping them go more confidently and securely on line – but also helping them get redress when (not if) they are successfully attacked? And how are they going to go about it?
Ross Anderson has regularly exposed some of the economic nonsenses in this area and raised the value of using old fashioned civil law to obtain redress. On Tuesday evening the Conservative Technology Forum has a meeting to look at the practicalities and implications of switching political focus from criminal to civil law. It greatly reduces the burden of proof: balance of probability v. beyond reasonable doubt, and brings in the potential for action under tort etc. against those who aid and abet by negligence not just design. It allows the use of well-established routines for cross-border legal action and avoids law enforcement politics over jurisdiction etc. But quite apart from all those international law firms and forensic accounting practices eager to help trace and retrieve the money (less their fees), there are also issues of accountability and of predatory action by copyright and patent trolls.
Hence I stop with the question.
Perhaps on Wednesday I will be a little wiser.