[Dave Birch] I very much appreciated being invited along to speak at the Cyber Security Forum 2011 in London. I’m sorry that I couldn’t get along to the first sessions (the demands of clients trumped the future security of our great nation) but I sat through most of it. When I wandered in and sat down, avoiding the temptation to go to “Iceland – New Opportunities” instead, and I loved that within the first ten minutes I had heard about Machiavelli, the scientific illiteracy of the British civil service and how to get stuff done in ancient Greece.

It wasn’t all fun though. A chap from the Institute for Security and Resilience said that the measure of strategic capacity is the capacity to innovate, and he sounded sceptical of UK plc’s abilities in this space, making an interesting point about they way in which the British system puts specialists and entrepreneurs under the control of generalists (referring to, I think, the well-meaning but amateur way in which government manages IT).

But to the point. It turns out that the UK has cybersecurity strategy. It’s available online from the Cabinet Office (revised version 25th November 2011 PDF), so I quickly downloaded it and skimmed through it in time to get to the panel on the “vision for a cyber smart economy” that featured Baroness Pauline Neville-Jones, who is the UK Government’s Special Representative to Industry on Cyber Security. She was great: amongst other things she asked why UK educational establishments are training more Chinese people in cyber security than British nationals…

I spoke on the panel on SMEs chaired by Alex van Someren with Nick Kingsbury and Mark West, and that was most enjoyable, but the highlight of the day for me was the wide-ranging discussion between Joseph Menn of the Financial Times, Caspar Bowden (no longer with Microsoft) and the writer Cory Doctorow. They are very smart and very interesting guys, so hearing them range across software patents, copyrights and privacy was genuinely fascinating. The UK Cybersecurity Strategy doesn’t actually mention copyright at all and it only mentions “intellectual property” once (on page 9), but in terms of a vision for a cyber smart economy, I would have thought that informed discussions about this were rather central to that vision.

The reason that they are not is, as was covered in the discussion, twofold. Cliff Richard and his stooges are against internet privacy for entirely sociopathic reasons to do with what economists call “rent-seeking regulatory capture”, but he finds a sympathetic ear in the government because

  1. the government don’t want privacy either – they want to be able to listen in to your internet conversations and if that means leaving them open to Chinese cyberwarriors as well as record companies then so be it – and find sobbing pop stars a useful smokescreen and
  2. because it’s more fun talking to pop stars than to dreary middle-aged “experts” (e.g., me).

At the end of the event my perspective on all of this was reinforced as essentially infrastructural. In particular, we lack national identity infrastructure, so we’re starting from a low base. In the UK, we need to accelerate the Cabinet Office’s Identity Assurance Programme to formulate something along the lines of the US Department of Commerce’s National Strategy for Trusted Identities in Cyberspace (NSTIC) and then mandate its use for public sector services: no identity, no service. If we don’t mandate it, and instead rely on citizens to protect themselves (and the rest of us) then we have no hope.

Citibank’s Rich Detura… runs global consumer fraud policies, which is an expansion from his previous similar role for Citibank’s US-specific role.

“Consumers’ use of technology is far outpacing their ability to comprehend the security implications of their actions”

[From Great quote from Citibank’s Rich Detura – Javelin Strategy & Research Blog]

If we don’t take this kind of action, we’re going to end up with two internets, as I’ve written before. With no end-to-end identity management, the rich will instead turn to secure networks that lock out undesirables (or, alternatively, lock in undesirables who know what they’re doing).

“The concept of a more secure network that customers or vendors are willing to pay for is probably the only way to provide the security that people want to have,” says Ted Schlein of Kleiner Perkins.

[From Founding father wants secure ‘Internet 2’ – FT.com]

I don’t want that, because I think an open internet is a tremendous power for creativity and innovation. Let’s have a working national and international identity infrastructure instead. As an aside, Hugh Eaton (Director Security and Intelligence) said that, as Bruce Schneier always does, that when it comes to security or dancing pigs, you always get dancing pigs. I think this should be updated for the 21st century: when it comes to security or newspaper headlines about security, you always get newspaper headlines about security.

These are personal opinions and should not be misunderstood as representing the opinions of 
Consult Hyperion or any of its clients or suppliers


Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: