Archive for July, 2007

Best of breeds…

Posted by wendyg in Blindside project at July 19th, 2007

Tom has asked me to research the following hypothesis: that if the best of breed uses of technology internationally arrived in the UK in a rush the UK’s infrastructure for identity management and information security would crumble under the load. (If I’ve got this slightly wrong I’m hoping Tom will correct it.) In other words, we don’t even need new technologies to emerge to be blindsided badly; the ones the world already has could do it by themselves if deployed in the UK as they are in other cultures. (Of course, part of the reason they’re *not* already deployed in the UK is that cultures differ.)

The list of best of breeds Tom suggested so far:

Korean broadband usage

Japanese mobile telephony patterns

Scandinavian financial services-anywhere (any-device banking)

US logistical supply chain tracking via RFID (actually, I believe this is about evenly spread around the world - certainly the German company I interviewed last week that supplies RFID systems to automotive companies says all the major companies use it and they sell to all of the ones outside Japan)

US Web 2.0 (as political pressure and lobbying platform - information assurance questions, but also the unintended consequences of mash-ups)

One thing not on Tom’s list but that might be worth adding is the US’s data-sharing (governments/companies) - though it seems as though the UK already wants to copy this at least wrt student debt.

Anyone have more ideas for the list?

wg

Can We Handle the Present?

Posted by Tom Fuller in Blindside project, Cyberwar, Humanity nature and activity, data mining at July 18th, 2007

We’ve been thinking a bit about the future, but I’d like to know how UK information and information security infrastructure would cope if some of the new toys and behaviours migrated here overnight from places where they are currently used in an almost everyday manner.

What would happen here if South Korean style use of broadband showed up overnight? Specifically, increasing use of massive online multi-player games and MyNews? My thinking about MMORPG is that anti-social and asocial behaviour hides well behind an avatar, and for the other, I don’t know what would happen if the populace in the UK decided to become mass amateur journalists with their mobile phone cameras, but the activist portion would probably be considered intrusive by the military and animal researchers, not to mention journalists who actually get paid…

What would happen here if Japanese usage of mobile telephony was instantly adopted here? They have more services available and the Japanese are much more willing to use them, and some of these services have identity management issues attached. For that matter, if Japanese use of domestic robots came here in a magic flash, it would also have implications–would they be licensed as child minders? Could they work in hospitals?

Closer to home, the Scandinavian countries, and Belgium as well, can do all their banking with a mobile. What would happen here if this popped up all of a sudden?

If German and American use of RFID was instantly adopted, would we cope? Would it integrate well with our camera-based tracking and satellite surveillance? Would the combination of the three tip us over into Orwellian nightmare land?

And if UK activists for issues such as animal rights and the environment adopted the use of social media in the same way that anti-abortionists do in America, or Al Qaeda for that matter, would we be able to adapt?

Can you think of other examples of cutting edge use of technology that would cause issues here in the UK?

DDR1, DDR2, DDR3, DDR4, DDR5, DDR6, DDR7, DDR heaven?

Posted by William Heath in Faster/smaller/better... at July 15th, 2007

Surprise surprise: memory is getting smaller, faster and better, with flash memory 100 times faster than hard drives (source: BBC). Where does this take us, and is there an end in sight?

There’s a whole hyperconnected world coming up on the Blindside

Posted by William Heath in Hyperconnectedness, Radically different stuff, Uncategorized at July 14th, 2007

Just as Chris Wren envisaged St Paul’s before a stone had been laid, so John Roese (Nortel CTO, also on the board of OLPC to whom I am listening as I type) sees a hyperconnected world.

[all this E&OE] Networks connect people, but he sees they will connect every thing, and every application. Consumers assume (and not because technologists offered the idea) that broadband will be everywhere. Consumer home IT and phones set the pace now, not work IT.

His word for what is coming is “hyperconnectivity”. We ship 10bn microprocessors a year, he says, of which maybe 2% are connected to the net. But they’d all be more valuable if they were. The iPhone is not just another phone; it’s the first connected iPod, which is a lot more interesting. Speaking of OLPC he notes that the icon-driven laptop increases literacy far faster than books. So let’s connect kids everywhere.

He asks us how big the UK-wide government and IT comms ecosystem will be in 10 years? Heavens, I have no idea…3-4m nodes? (If there are 5m staff). No - if every application and entity is connected, it’ll be tens, hundreds of millions, even billions. Hell’s teeth. Imagine the civil service phone directory with an entry for everyone’s every openoffice application. (I can’t speak right now but my blog will call you back…)

He says we’ll have to make the online communications experience as rich as the real life one. The 2-3G mobile connection won’t do it, 4G may start to feel more like it. The systems we put in place now will have to scale to accommodate everyone, everything and every application not just workforces. This isn’t 10 years away; we’re entering this phase now.

His three tips are:

Simplify the transport (I take this to mean transport layer, not car v bicycles). IP is not the universal solution; it’s a mask to hide complexity. The technology, standards and costs are different. So the user experience can’t be the same. Do we mask the complexity, or get rid of it? Using Ethernet-like transport, packet based, flat and hierarchical endpoint. Wifi today is the model for 4G tomorrow. From Sept 2008: 500mb from a mobile phone, and wifi as the primary access network. We think by 2010 wiring the building will be a choice, not a necessity.

All this simplification means a 40, 60, 80% reduction in capital and operating costs. The user sees a “clear pipe” when you cut out all the gateways. We should eliminate components, not add them.
We have to focus on mobilising our enterprises. We create infrastructure for LANs, but that’s not how people will work. Outlook web access is unnecessary in the long term - it just dumbs down email so it doesn’t overwhelm the network. Don’t optimise them to wo

Today our information and our tools to communicate are in different places. The time taken to go from one to the other is huge, and human capacity is finite capital. So we have to embed communication functions where the information lives: “unified communications”. This means comms functions in any application or ecospace where comms are needed, and a network that can deal with every device, application, interface and place. He evokes the idea of skills-based routing so you only call someone with the right skills who is actually available. (Imagine health or welfare self-help call services where you dial a number which means I want to speak to someone who has been through the same experience, and who’s willing to help and who’s available to talk right now…)

Take complex functions and make them simple: eg on a complex formula in a spreadsheet or a clause in a contract “click to collaborate” and set up a conference call.

Our unified workplace comms strategies have to extend home, across boundaries, have to federate. Not just inside your organisation, but the people you need to communicate with across boundaries. This determines the size of your comms ecosystem: not the number of staff, but the number of nodes, consumers, and all their applications.

On that scale, complexity is our enemy. We can’t continue to build disconnected technology that is made whole by human capital. So his prescription is:

Simplify the transport layer

Mobilize the enterprise

Comms-enable your applications

Phew. Why did I never learn shorthand?

How good is the ID management conversation?

Posted by William Heath in e-ID at July 14th, 2007

I think a key Blindside issue is communications breakdown. You know, the one party in a marriage who thinks they’re communicating fine until the day the other party walks out the door.

Anyway, in the wake of the DTI/TSB privacy and consent event Ideal Gov is testing the waters on how good a conversation people in NGOs, other bits of government and industry feel they’ve had with IPS. It’s a one-question survey - do take it. Just click here.

Constitutional conventions…

Posted by wendyg in Radically different stuff at July 13th, 2007

I don’t think it’s been noted here, but on Wednesday the LSE is hosting a significant event on constitutional reform/writing. I’ve done today’s net.wars about this, readable here or here. The event is being organized by our usual suspects, Simon Davies and Gus Hosein. You need to RSVP if you want to go to it.

wg

IT Security and Network Convergence

Posted by Tom Fuller in Malware, Procurement, e-ID, human error, people and passwords, security services at July 11th, 2007

Hi all, sorry I haven’t been here to bother you for the past two days.

I’m giving a 20-minute talk at an event tomorrow on IT Security Implications for Network Convergence. Here are my notes–what did I miss?

Implications of Network Convergence

Have we had the right conversations about the right issues?

• Convergence is enabled by technological change, but is not driven by it. The drivers of convergence are mainly commercial.
• Convergence affects not just telecommunications and broadcasting. The scope of convergence is the entire knowledge and transaction-intensive services sector.
• Convergence is structural in nature, but changes to industry structure are the most profound changes associated with it.
• Would anybody here wager that all of the commercial sponsors of this event will all have the same corporate governance in 2 years’ time?

Real World Effects of Network Convergence

Lesser Effects
• Fewer network owners (oligopoly), less responsive?
• May require more regulation as a result
• May decrease options for network users
I call these lesser effects because in many countries the regulatory framework exists to effectively deal with these issues—we don’t have to invent ways of treating oligopolies or organisations to protect consumers.
Greater Effects
• Currently, the Internet treats all traffic equally. In future, converged networks will be able to pick and choose messages and send them to recipients more quickly and efficiently based on their value to network owners. It is possible that network owners will make perfect decisions regarding priorities, and that those decisions will align with their commercial needs. Possible, but not too likely.
• Convergence on IP networks may render other networks redundant. Sky may not need as many billion pound satellites, choosing to use IPTV to distribute content. BT may finally be able to offload their very expensive business of maintaining copper connections to home and business, and just provide wireless connections to all. Bear in mind that BT would love this, in terms of reducing costs. Television and radio broadcasters may choose to cease terrestrial broadcasting in favour of using the Internet.
o The Internet was invented to be a back-up system to radio and telephone communications in case of a disaster. If the back-up system becomes the only system, what do we do if the network goes down?

IT Security Issues

Network Failure and Degradation
One problem with converged networks and the service-oriented architecture that tends to support them is that the majority of large networks are poorly understood. Traffic has typically been added piecemeal over a long period and much data communication does not require particularly high standards of service.

This is especially true of service-oriented architectures (SOA). Ambitious developments in this area have led to a situation where the precise communications flows are not well known. As this kind of architecture is often built to be tolerant of high latency and lost packets, nobody is aware of issues until the network is subjected to new stresses. Services such as VoIP, Citrix-style thin clients or video are not at all tolerant of low quality networks.

Question 1: Have we designed a ‘Fail and Fix’ into our approach to network problems?

When it comes to security, there are three main areas of focus: unauthorized access to data and resources (which is where access control and encryption come in); malware (such as viruses and spam); and compliance with government and industry regulations.

Question 2: Are these the right areas of focus in 2007, and will they be the right areas to focus on in 2009?

Typically, security is controlled by PINs and access numbers, which, depending on the vendor, can often be customized to a wide degree, and SSL 128-bit encryption. Organisations can add more layers, depending on their needs and the ability of the applications to accept it. Convergence applications require security in three key areas: user access, data protection, and delivery security.

Those components have been turned into a new discipline, or field of endeavour, called Identity Management. It is new. Standards and agreements on interoperability are still under discussion.

Question 3: Is Identity Management as a concept and practice robust enough to be the linchpin for converged networks?

Those are my 3 questions. What are yours?

How Hard Would This Be?

Posted by Tom Fuller in Anonymity, Blindside project, Data breaches, People and IT, people and passwords at July 7th, 2007

Before I dive back into the report due TUESDAY (!) I’d like some advice from an application developer or some such type.

How hard would it be to develop a software application to run on PCs, notebooks, etc., etc., whose sole purpose in life would be for me to manage my identity? (Er, why would I trust anybody else to do this?)

1. I enter the details I want one time (except when they have to change)
2. I mark the details as public, semi-public and private
3. It outputs the data (after I have explicitly given permission) in a published XML schema
4. It is encrypted (or encryptable)
5. The schema is published publicly
6. Organisations can apply to the application developer for a daily key
7. Organisations can validate my identity with a rating following transactions (maybe stars, the way Amazon rates books with a place for automated comments. ‘We delivered books to this individual’s address on this date with no identity problems encountered.’)
8. Comes with tamper alarm
9. I may choose to save at developer’s secure website as a backup

You may say it’s a lot of bother to do it this way. I would retort that it would save a lot of bother for organisations and they would fall all over themselves to adapt to it.

It could be packaged into an existing computer protection package, à la Norton… or it could be an Open Source project developed by those concerned with related issues.

Why would I trust someone else with managing my identity?
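A sketch of steps 2, 3 and 8 in code, added here as an example and not part of Tom’s post: fields are tagged public, semi-public or private, an export releases only the tiers the owner permits as XML, and an HMAC under a derived daily key acts as the tamper alarm. The schema identifier, the sample field values and the HMAC-over-date derivation of the daily key are assumptions; encryption of the released file is left to the transport and not implemented.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Visibility tiers from the post: public < semi-public < private.
LEVELS = {"public": 0, "semi-public": 1, "private": 2}

# Constructed schema identifier; the post only says the schema is published.
SCHEMA_ID = "urn:example:personal-identity:1"


def daily_key(master_secret: bytes, day: str) -> bytes:
    """Derive the day's release key from the owner's master secret.
    Assumption: HMAC-SHA256 over the ISO date stands in for the 'daily key'
    an organisation would obtain from the developer (step 6)."""
    return hmac.new(master_secret, day.encode("utf-8"), hashlib.sha256).digest()


class IdentityStore:
    """Steps 1 and 2: enter each detail once and mark its visibility."""

    def __init__(self) -> None:
        self._fields: dict[str, tuple[str, str]] = {}

    def set_field(self, name: str, value: str, level: str) -> None:
        if level not in LEVELS:
            raise ValueError(f"unknown visibility level: {level!r}")
        self._fields[name] = (value, level)

    def export_xml(self, max_level: str, key: bytes,
                   permission_granted: bool) -> tuple[bytes, str]:
        """Step 3: release only fields at or below max_level, and only after
        explicit permission. Returns the XML bytes plus the HMAC tag that the
        receiver later checks (step 8, the tamper alarm)."""
        if not permission_granted:
            raise PermissionError("owner has not authorised this release")
        root = ET.Element("identity", schema=SCHEMA_ID)
        for name in sorted(self._fields):  # deterministic element order
            value, level = self._fields[name]
            if LEVELS[level] <= LEVELS[max_level]:
                ET.SubElement(root, "field", name=name, level=level).text = value
        body = ET.tostring(root, encoding="utf-8")
        tag = hmac.new(key, body, hashlib.sha256).hexdigest()
        return body, tag


def verify_release(xml_bytes: bytes, tag: str, key: bytes) -> bool:
    """Tamper alarm: True only if the received bytes match the tag under key."""
    expected = hmac.new(key, xml_bytes, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def parse_release(xml_bytes: bytes) -> dict[str, str]:
    """Receiver side: read the released fields back out of the XML."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "identity" or root.get("schema") != SCHEMA_ID:
        raise ValueError("not a release in the published schema")
    return {f.get("name"): (f.text or "") for f in root.findall("field")}


def demo() -> dict:
    """Constructed walk-through: a semi-public release, then three checks."""
    master = b"constructed-master-secret"  # constructed; a real app would generate it
    key = daily_key(master, "2007-07-07")

    me = IdentityStore()
    me.set_field("display_name", "T. Fuller", "public")
    me.set_field("postcode", "SW1A 0AA", "semi-public")     # constructed sample
    me.set_field("date_of_birth", "1960-01-01", "private")  # constructed sample

    body, tag = me.export_xml("semi-public", key, permission_granted=True)
    tampered = body.replace(b"SW1A 0AA", b"EC1A 1BB")  # altered in transit
    return {
        "released": parse_release(body),
        "genuine_ok": verify_release(body, tag, key),
        "tampered_ok": verify_release(tampered, tag, key),
        "wrong_day_ok": verify_release(body, tag, daily_key(master, "2007-07-08")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The private field never appears in the release, and both an altered body and a key for the wrong day trip the alarm.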

Part 3 - What We Will Tell The Government Regarding Nanotechnology

Hi all. The third of our three featured areas in our upcoming report to the CSIA regarding nanotechnology. Here are excerpts, and the entire section is here on the wiki.

Are you comfortable with what we are telling government? Yesterday’s presentation on Convergence got exactly 1 comment. Is it that non-controversial? Here we are telling government ‘don’t worry about grey goo or evil artificial intelligence.’ Is that okay with you?

Nanotechnology

The subject is discussed in more detail here: http://www.blindside.org.uk/wiki/Nano-
The Royal Society uses this definition of nanotechnology: “Nanotechnologies are the design, characterization, production and application of structures, devices and systems by controlling shape and size at nanometer scale.”

Longer term, (and it must be emphasized this list is at the conservative end of possible applications), the Institute forecasts use of nanotechnology in the following ways:
• Miniaturised data storage systems with capacities comparable to whole libraries’ stocks
• PCs with the power of today’s computer centres
• Chips that contain movies with more than 1,000 hours of playing time
• Replacements for human tissues and organs
• Cheap hydrogen storage possibilities for a regenerative energy economy
• Lightweight plastic windows with hard transparent protective layers

Detailing possible applications moves very quickly into a realm that seems like science fiction. But other nanotechnology enthusiasts foresee the enabling of quantum computing, artificial intelligence and a complete re-ordering of economies and political systems. Currently in the U.S. there are 450 consumer products using nanotechnology approved by the EPA and 600 nano-based materials licensed for use in manufacturing products. The number of products and services used in industry is not known, but believed to exceed 1,000. Lux Research, a consultancy specializing in nanotechnology, estimates that, worldwide, nanotechnology was incorporated in $30 billion (USD) of manufactured goods in 2005, which more than doubled the amount in the previous year. It estimates that by 2014 the figure will be $2.6 trillion, a more-than-85-fold increase (Lux Research 2006, p. iii).
There are respected scientists, technologists and philosophers that fear nanotechnology, including Bill Joy, a former senior executive at Sun Microsystems, who wrote the article ‘Why the Future Doesn’t Need Us’ for Wired magazine two years ago.

Key Findings

• The impact on information assurance issues may be dramatic, involving a redefinition of information, cryptography, memory (both human and computer) and system. If a young person wearing a tongue stud can carry in it the contents of the British Library, what physical security measures can prevent data theft? If nanotechnology enables neural networking and computer enhancement of human memory, what are the implications for identity management, or indeed for identity itself?
• Nanotechnology receives a lot of attention in the media, with a search on Google returning 1,846 newspaper articles and magazine stories for one day in June 2007. Because of the potential impact and because of its treatment in books and films, take-up of nanotechnology has the potential to be as controversial as genetically modified organisms, if not more so.
• Nanotechnology is essentially a cross-disciplinary enabler that will impact healthcare, manufacturing, information systems, transportation, computer science and micro-electro-mechanical devices (MEMS) and probably much more. Advances in the use of nanotechnology in one field will often be of immediate relevance to its use in other fields. Progress in nanotechnology is rapid, and is expected to increase. Patent filings have increased 40% annually for over a decade.
• Nanotechnology has the potential to be disruptive as well as beneficial. In addition to substituting current manufacturing and agricultural processes that employ large numbers of people, some speculative thinkers envisage what they call the Singularity, where nanotechnology enables artificial intelligence that can be tasked with self-improvement, which would happen extremely quickly. This will not happen soon, if at all. Should it actually occur, it would have a very high impact on society, and would probably render information assurance useless or redundant. Blindside covers this in a special topic called Rampancy: AI Gone Wrong, found at http://www.blindside.org.uk/wiki/Rampancy:_AI_gone_wrong.

Citizen Centric

Some of the questions citizens will be asking are already being posed by advocacy groups in the UK:
• Is nanotechnology safe?
• Will ‘grey goo’ (self-replicating nano-robots, or ‘nanobots’) destroy the world?
• Will the benefits of nanotechnology be available to all?
• Why isn’t government regulating this more?
• Why is government regulating this at all?

Implications for UK Government

Because nanotechnology is most frequently seen in healthcare and materials coating, the current interest in nanotechnology revolves around toxicity and tolerance.
The Royal Society of Chemistry wrote in 2003 that “The potential health, safety and environmental impacts of nanotechnology are comparable to the impact of the existing chemical, electronics and biotechnology industries and the potential hazards should be judged in the same way. Our understanding is that current legislation should be sufficient to control the risks from nanoparticles, however research into their potential toxicity should be funded, as it may differ from that of larger particles with respect to respiratory and genetic damage. Until we develop ‘self replicating machines’ - artificial life, there are no issues of substance not covered by existing regulatory practices. The ethical and social issues raised are also not unique to nanotechnology and are comparable to issues raised by many existing technologies, such as the differential access to costly technology in the developed and developing worlds and issues of privacy and security.” (Nanotechnology – The issues, The Royal Society of Chemistry, July 2003). We concur with the RSC recommendation and see nothing that has happened since 2003 that requires rethinking of current legislation.
However, it may serve government well to begin planning for the disruptive economic effects of nanotechnology used in manufacturing, agriculture and healthcare. Indeed, there may be political and social ramifications resulting from nanotechnology.
Lastly, regarding the possibility of the creation of self-replicating artificial intelligence, even the most enthusiastic proponents of ‘The Singularity,’ as it is known, do not see it happening before 2045. Government bodies can afford to take a ‘wait and see’ approach for now.

Part 2–What We Will Tell the Government About Convergence

Yesterday’s post on Identity Management got quite a few good responses–thanks. Here’s a lengthy excerpt of the draft version of what we will submit to the CSIA regarding convergence. The entire section is here on our wiki. Please take the time to read and comment–any howlers in here?

Convergence represents both the greatest opportunity for service delivery and the greatest potential threat to information assurance in our broad basket of subject areas.
Our information gathering exercise identified five different areas of convergence. Broadly, they include:
• General: Convergence (converged environments/networks) defines a multi-media environment and/or network where signals regardless of type (i.e. voice, quality audio, video, data, etc.) and encoding methodology may be seamlessly exchanged between independent endpoints with similar characteristics.
• Media: A theory in communications where every mass medium eventually merges to the point where they become one medium due to the advent of new communication technologies
• IP: The migration of multiple legacy networks of data, voice, images and video into a single integrated IP based network which facilitates higher efficiency in operational management and utilization of a network.
• Technological: The modern presence of a vast array of different types of technology to perform very similar tasks. Also included in this topic is the basis of computer networks, wherein many different operating systems are able to communicate via different protocols.
• Fixed Mobile: Fixed and mobile telephony convergence aims to provide both services with a single phone, which could switch between networks ad hoc.
Each of these different areas is moving quickly and several impact upon each other.

Key Findings

Each of the above contributes to a broadly similar set of issues relating to information assurance:
1. Physical security of information: The increasing capabilities and smaller size of devices with access to networks and sensitive information (miniaturization is discussed elsewhere) makes theft, hacking or corruption easier and hence more likely.
2. Non-physical security issues: Attacks against one network using IP may degrade performance of other networks sharing the same infrastructure, due to:
3. Network dependence: The Internet was famously designed as a back-up communications system for use in case of catastrophic failure of traditional communications via telephone and radio. As more information flows migrate to the Internet, capacity issues are already evident. In future, if satellite broadcasting is abandoned for IPTV or wireless access to telecommunications services makes copper connection to homes redundant, an over-reliance on the infrastructure of the Internet introduces vulnerability to attack. What will be the back-up for the Internet?
4. As services converge, some of them will be life-critical to citizens: IP 999 services, telemetrics for those with chronic diseases, etc. As more devices converge around a single physical platform and single network, the number and importance of services will increase, as will their vulnerability to network failure. (This relates to identity management, as access denial can have health consequences.)
5. Although in one sense convergence provides new and exciting opportunities, dealing with convergence issues may impose unforeseen costs on government services. To give just one example, as technical capabilities make it possible to offer more services to the disabled and elderly, political pressure to provide these services may be strong. Adapting service delivery to account for convergence may be expensive. Certainly, dealing with threat to information assurance programmes will not be trivial.
6. As convergence will evolve over time, and may include divergence (see below), dealing with related issues will in all probability take time and effort.

Divergence

A related concept involving emerging technology is Divergence. Following the combination of diverse tools into single devices and migration to the most appropriate delivery platform, a new set of innovation involving single purpose tools for more efficient delivery is sure to follow. Some of these will present particular opportunities for public service delivery, notably for disabled citizens, but also for field workers of government agencies.

Implications for UK Government

Our recommendations regarding convergence might seem schizophrenic, on the one hand urging a bunker mentality towards information security, and on the other hand recommending greater openness and flexibility in ensuring government’s ability to deliver services capable of meeting users’ needs. However, convergence issues will present a significant challenge to government, and will likely require cross-departmental co-operation to manage. The key will be to keep services open and flexible, but information secure and redundant.
• Mothball programme. Preparations should begin now for the preservation of non-electronic service delivery mechanisms that might be abandoned by public and private sector organisations, including:
o Broadcasting capabilities
o Physical connections to home and business (or transition to utility companies)
o Switching networks for telephony
• Agreement amongst all network users on prioritized cut-out list in case of emergency, with automatic cascading cut-offs with pre-agreed triggers and a named individual or organisation responsible for initiating a cut-off sequence and notification of affected parties when cut-off occurs.
• Security protocols should be strengthened in advance of the introduction of converged devices with new capabilities:
o Suppression of wireless communications capabilities in locations with access to sensitive data or systems
o Disabling access to internal networks from unauthorized devices
o Disabling auxiliary ports on computing devices with access to sensitive information, including floppy disc drives, CD-ROM, DVD and USB ports.
o Removing Bluetooth and other low-power radio access capabilities from devices with access to sensitive information
o Packet-sniffing on utility connections

Citizen Centric

From the citizen’s point of view, as more services are delivered online and more citizens elect to use electronic transactions, they (we) will have different expectations due to convergence:
• Will I be able to access and transact with government using non-computing devices?
• Will all government services converge on online delivery? What if we don’t want that?
• Can I get 24/7 availability of all government services as reliably as provided by the best companies?
• Can convergence help us to deal with access issues for the disabled?