Archive for the 'standards' Category


Also see the standards category on the Blindside Wiki

Top Down IA

Posted by Tom Fuller in Blindside project, Humanity nature and activity, culture, human error, standards at November 28th, 2007

Information Assurance almost by definition starts from the top of an organisation and works down. (Well, at least by my definition, which involves a board-level commitment to risk management, smooth flow of information to appropriate resources, and protection of information from those not explicitly authorised to view it).

But can this work in the public sector? Obviously, it currently does not, but is it feasible? I guess what I would like feedback on is whether there is an Information Assurance briefing for those who move into senior levels of public service, get elected, change organisations, etc. Is there a Book? (a movie…?) Is there an IA Seminar 101 for those who move into positions of responsibility?

Then moving down, is there appropriate training for mid-level management? Should cover most of the same issues, but in greater depth as they will have to execute the broad strategies developed up above, right? And then, of course, the front lines. What dedicated training do they receive in information security, good data hygiene, etc.?

If it’s all there and up and running, I’d like to know.

Afterthought: On a Toyota assembly line, any production worker can stop the line if s/he suspects something is going wrong. I would wager that similar devolved authority to front line workers in government would stop a lot of these problems, especially if accompanied by appropriate training beforehand.

“Galileo – is it worth it”

Posted by chrissmith in Blindside project, Procurement, standards at October 16th, 2007

Last week I attended a discussion on “Galileo – is it worth it”, hosted by OpenEurope at the House of Lords committee rooms.

Lined up were:

Richard Peckham, Business Development Director (UK), EADS Astrium
Peter Brookes, Senior Fellow, National Security Affairs, The Heritage Foundation (former Deputy Assistant Defence Secretary in the George W. Bush Administration)
Dr. Stephen Ladyman MP, former Minister of State for Transport
Bernard Jenkin MP, member of the House of Commons Defence Select Committee, former Shadow Secretary of State for Defence

Not sure that I learnt much as all played to form. The industrialist took the industry line (EU should invest €2.1 billion), Tory politician (EU waste of money), Labour politician (wanted it stopped but couldn’t quite say so), ex-US politician (don’t undermine NATO and don’t trust the Chinese - see here).

It seems that unless there is a political carve up it’s “doomed”. The most interesting part of the discussion was on the impact of loss of GPS (failure or executive switch-off). There is general agreement that loss of GPS would be disastrous for the EU and US economies (and others presumably) and therefore the US Administration would never switch it (the open access bit) off. OK then, if it’s that important, why don’t we need a backup! I think a trick was missed here and should have been explored further.

It’s well documented that GPS is easy to jam and goes wrong, and as I said in a recent post, the continuity of service is possibly the only remaining defensible argument for continuing with Galileo.

I don’t know but I’ve been told, jamming GPS makes you cold!

Posted by chrissmith in Blindside project, IT failures, standards at October 15th, 2007

As part of my job, I’ve been looking at the GPS and Galileo debate – but more of that in a later post. What I want to raise here is one aspect of GNSS (Global Navigation Satellite Systems) that I wasn’t aware of. Whilst the use of GNSS for positioning and navigational applications is obvious, less well known is its use as a timing reference in, for example, national power grids and telecommunications systems. Now many of you may be familiar with this, but for me it is a critical issue often overlooked in any consideration of the impact of loss of GNSS – possibly the only remaining defensible argument for continuing with Galileo.

This use of GNSS is discussed in the VOLPE report – the only detailed research I could find into the vulnerability of GPS.

To explain the blog title. This is a reference to a story that was recently related to me – though probably an urban myth. Apparently the “culprit” for the US Eastern Seaboard blackout in 2003 was a trucker. He was having assignations with a lady and wanted to jam the GPS signals to his spy-in-the-cab. He purchased the jammer, turned it on, drove past a local national grid sub-station, affected the power phasing and set off a chain reaction – the rest is history.

It does seem fairly easy to jam GPS though, see here.

UK Government and Pervasive Computing, Location-Based Services, etc.

Posted by Tom Fuller in Blindside project, Humanity nature and activity, standards at September 21st, 2007

Here is the opening paragraph of the IEEE’s introduction to their online article ‘New Products.’

“In this issue, we cover an application that will help the deaf communicate via mobile phones using American Sign Language. We also highlight a navigation application that uses 3D images to help people better orient maps to the environment. We cover a service that helps protect users’ privacy from acquaintances and another that supports text messaging conferences. We also present a smart refrigerator, a smart shoe, and a book reader with a rollup display. Finally, we present a wireless hard disk that stores audio/video files and lets you access them from a variety of entertainment devices.”

And, from another IEEE article titled ‘Sensor-Driven Computing Comes of Age’, we read “However, it’s the mobility of a modern platform as used today that makes this type of sensor relevant. An engineer would have no reason to design an accelerometer into a classic desktop computer because it doesn’t move. But he or she could use one in a mobile computer to determine its tilt angle, whether it’s shaken, and whether it’s moving. Furthermore, analyzing the data can provide important supplementary information—for example, a rapid acceleration to a constant speed might indicate use in a car rather than walking or at a desk—and can be used to infer a user’s activity in general. A good example of infrastructural context is location, and is typically obtained by sensing reference points in the surrounding environment. Developers can use location knowledge to create location-based services, which have been explored in detail in research organizations, but still have many unrealized opportunities commercially. LBS can derive location information from many sources, such as a GPS receiver that relies on signals transmitted from a collection of satellites in orbit; measuring the signal strength of nearby cell phone towers; or detecting the presence of nearby RFID tags through local interrogation. The former has been widely exploited in automobile navigation systems, such as Hertz’s Neverlost, and in handheld navigation devices, such as Garmin’s eTrex. The latter provides an opportunity for a rich set of indoor location services that could be catalyzed in the future by the widespread use of RFID technologies employed for item-level tagging (see the Jan.–March 2006 IEEE Pervasive Computing special issue on RFID Technology).”

As soon as these services become available in the UK, there will be demand for them. Some of the demand will be from disabled persons. They will ask for government to provide these services. This is only the beginning.

IA in a Mobile Age

We have tended here to concentrate on protecting information flows through computer networks. This is in part because there is so much work still to be done in this area, but I think also in part because most Blindsiders are of a computer-centric generation (you may well say ‘speak for yourself, Fuller’, and I’ll eat humble pie).

However, mobile computing is growing faster than just about anything that gets measured in tech terms (well, except for Larry Ellison’s ego…) and I am personally convinced that a combination of mobile computing, location-based services and pervasive computing is going to explode onto the scene, offering new possibilities and new threats. I not only believe this–the success of my private pension scheme depends on it.

I think the day is coming very fast when the fact that I sit in a room at a desktop will instantly identify me as a grumpy old man (I think women will adapt to the new paradigm without much fuss). I think mobile devices with Japanese butterfly fan screens that fold up will move computing outside the converted second bedroom and into the street, and flash memory lapel pins will hold more information than my laptop.

It’s all going to be great fun, and I’m looking forward to it. But one reason I think it’s going to be fun is the fact that I’m not charged with assuring information flows within a government organisation. I think the number of nodes in organisational networks is set to grow logarithmically and that the edges of networks are going to blur dramatically.

I think IA specialists in 10 years are going to reminisce fondly about how life was so simple in 2007, before they had to build concentric circles of protection and build data hierarchies that have to exist in different forms within each circle.

For all of us who have retirement in mind before 2017, we may breathe a sigh of relief that it won’t happen on our watch (although it still may). And it might be fair to say that a fairly large share of Blindsiders fall within this group. But I think we owe it to the next generation of information assurance professionals to set the stage for them.

When memory becomes so small and cheap that your life fits into your belt buckle, when people will normally carry four or five objects on their person that have network connectivity, when hundreds of services offer local data based on segmentation rather than aggregation, when p2p dating services sit next to real-time data flows from your banking and investment activity, when government networks imperceptibly bleed into and through a myriad of specialist networks, information assurance will take on a different meaning.

We are entering that period of time where the evolutionary explosion fills an environmental niche created by a new technology. The prelude is finished. It’s just a bit funny that it’s not just one new technology–that computer science, biology, nanotechnology and whatever else I’m forgetting are coming of age at the same time.

Who needs science fiction?

What’s In the National Archive?

Posted by Tom Fuller in Blindside project, Uncategorized, standards, unexpected consequences at August 15th, 2007

Okay, stay with me here. Lotta concern about open documents–being able to get content out of old formats no longer supported by vendors. Lotta concern about legacy applications and hardware–some of it mission critical. How are you going to get info off your floppy disk in five years?

The National Archives could have a digital division dedicated to supporting both issues, right? Their website has a section already about electronic records management, saying “The National Archives is looking to improve its processes and procedures with regard to appraisal, selection, transfer, storage, sustainability and delivery. It has instigated a programme of work under the Seamless Flow banner to bring increased automation to these areas.”

Would this be a viable solution to a pressing problem? It’d be nice to be talking about solutions instead of problems for a change.

IT and IA Security Roundup

Posted by Tom Fuller in AnonymitY, Blindside project, Cyberwar, Data breaches, Uncategorized, databases, standards at June 28th, 2007

We start again with Kable, which reports that CSIA (our sponsor) yesterday published their revision to the National Information Assurance Strategy (NIAS), the first revision since 2003.

Money quote from Sir Richard Mottram, permanent secretary, intelligence, security and resilience: “Individuals and organisations supply information to government which they rightly expect to be safeguarded. For government, as for all successful organisations, information assurance is now a key priority and it is important for government to give a lead on the best practice across the economy.”

Also from Kable, in the ‘stating the obvious’ category, a government minister has said it has to make up ground in helping people with disabilities make proper use of technology. Anne McGuire MP conceded: “We haven’t quite caught up with how we support people with technology through government programmes.” Dear reader, Ms. McGuire just pushed every one of my buttons, and you will see another post from me discussing this at great length.

Department of Carrots: Following a successful trial in which the Department for Work and Pensions, HM Revenue and Customs and North Tyneside MBC streamlined the process through sharing data, the departments are planning to roll out the system across a further six local authorities.

During the trial the time taken to pay someone their benefits after they had lost their job was halved, while the payment of tax credit was stopped more quickly, reducing the possibility of overpayments.

JISC: A new report has outlined the next steps for the long term management of data for the Joint Information Systems Committee and other higher education institutions. Dealing with data reviews the variety of data, and arrangements for its accumulation, storage and use, across disciplines. It sets out 10 key recommendations and a further 25 of lesser importance.

Ticking several boxes for us, Police at last week’s Glastonbury Festival have tested out new body worn mobile cameras, which transmitted audio and video images back to the police control room.

According to Avon and Somerset Constabulary, it is the first police force in the UK to trial the system. Called the Body Worn Video Wireless system, the technology transmits encrypted digital video from cameras worn on the police officer’s shoulder. It also transmits the officer’s position to the police base via GPS receivers.

I don’t know why John Reid had to go to New York to make this point, but the outgoing home secretary has urged manufacturers of smart phones and other new consumer products to design out crime at the product development stage. Last month, a group of mobile phone manufacturers, academics and law enforcement representatives were invited to the Home Office to discuss areas of product development. Among the issues discussed were:
Is there a simple way for service providers to disable all the functions of the handset, including the camera and mp3 player, when it is reported stolen?
How could a stolen handset communicate its whereabouts to police or other phones?
Is it practical for a snatched phone to automatically shut down?
How can the relative security of different models of mobile phone be highlighted?
Should biometric access restrictions be rolled out to all mobile phones?
What can be done to prevent criminals using phones to facilitate crime?
How can the police maximise the forensic value of the handset?

The Open Rights Group (ORG) has given a vote of no confidence to the recent round of e-voting pilots. It published a report on 20 June 2007 that includes scathing criticisms of the way e-voting and e-counting proceeded at a number of sites during the local government elections last month.

From BCS, a discussion of quantum computing and cryptography (does anyone else agree with me that cryptography has become the sole raison d’etre for continued research into quantum computing?)

In the ‘just because it’s cool’ department, IBM has announced that it has tripled the speed of the world’s fastest computer through the development of a new machine. The Blue Gene/P supercomputer, the next step up from the Blue Gene/L unit, is capable of operating at speeds faster than one petaflop, equivalent to one quadrillion processes a second.

Ben Laurie points us to Stefan Brands writing about the spectrum of uses available when selective disclosure is employed.

Via the Institute For The Future, this report on pervasive computing. It focuses largely on potential impacts on health and the environment, and discusses three scenarios for take-up.

Also from the IFTF, a discussion of cyberwar in the New York Times. (They get it wrong right off the bat, assuming that Tickle Me Elmo dolls won’t be turned into unstoppable killers, just because they are not currently hooked into the Internet. Sheesh.)

Light Blue Touchpaper discusses dual use tools that can be hijacked by hackers and the government’s less than delicate approach to them.

And that’s it for today–hope we filled your tea break.

The emerging issues and their impact - a preliminary assessment

Here’s our preliminary assessment of the main categories of emerging technology issues, along with an impact rating. Each is discussed in more preliminary detail on the Blindside Wiki. We will be reporting to the Cabinet Office in mid-July on those assessed as having an impact level of 3, and need full expert descriptions by that date.

This is your chance to tell us we’re on the wrong track: to add stuff; to argue that something’s missing, over-rated or under-rated. Don’t miss it!

Category Impact (from 3/high to 1/low)
————————
CCTV 3
Convergence 3
Location-based services 3
Mobile and Pervasive Computing 3
Open Standards 3
Anonymity 3
Data breaches 3
E-Voting 3
Human rights (intersection with emerging technology) 3
Identity management 3
NHS IT 3
Non-bank payment service providers 3
People and IT 3
Mission Critical Legacy Systems 3
Rampancy: AI gone wrong 3
Surveillance society effects 3
Semantic Web 3
Self-reproducing technologies: the “GRINs” 3
  - Geno- 3
  - Robo- 3
  - Info- 3
  - Nano- 3
Social media 3
APIs 2
Bandwidth - massive wireless and cable bandwidth to the home 2
Shared Service Management 2
Ultraportable devices 2
Automated number-plate recognition (ANPR) 2
Bad sysadmin procedures 2
Bad procedures - other 2
Changes to daylight saving time in the US 2
Public sector databases on children 2
Keyloggers 2
Phishing 2
Phones as bugs 2
Technologies for Non-Repudiation 2
Underground economy servers 2
Unencrypted email 2
Biometrics - unencrypted 2
Windows Vista and other operating systems 2
Government IT projects 2
DNA terrorism 2
On demand computing (ODC) 2
Grid Computing 2
Quantum Computing 2
plus in the lower impact categories (please use the search box if you want to add to these):
Aeronautical cabin services 1
OpenDocument 1
Service-oriented architecture 1
APIs that change without warning 1
Cybercrime 1
Electronic banking 1
Fraud Websites 1
Search Engine Logs 1
Spam 1
Computing Monoculture 1
DRM and its side-effects 1
Environmental side-effects 1
Exploding Batteries 1
Optical Computing 1
User-generated content 1
Virtualisation 1
Generation C - the knowledge nomads 0

Thank you for any help, comments, suggestions.

I Guess We’re Legitimate Now

Posted by Tom Fuller in Uncategorized, standards at June 25th, 2007

According to this blog post by Damien Mulley, IBM announced on Friday that “they’re going all Web 2.0 and social with their Enterprise offerings. Blogs, wikis, collaboration spaces for staff and customers, social bookmarking (called dogears) and a few more bits and pieces. They’ll also be releasing mash-up software for Enterprises.”

And later, “And now for the mashups: IBM is previewing an Info 2.0 suite of integrated products that enables organisations to easily catalogue, combine, transform and remix any type of data and content by drawing on the industry’s widest variety of enterprise data sources and a vast array of Web data and content.”

Do you think IBM’s version will be as free as the stuff the rest of us work with? Or will they use information security to add a few zeros to this?

This royal throne of kings, this sceptred isle, this… Heathrow

The chaotic present and hopeful future of information systems exists in a microcosm about 30 minutes by tube from my flat, and I daily watch a stately procession of airliners descending to Heathrow Airport, a beautiful, if not quite silent, parade. It is at Heathrow airport that the current need for better performance on every topic covered in this blog is demonstrated. It is a non-sterile testing environment and the ultimate pilot project to test the ability of information systems and information assurance to integrate modern technology to meet the needs of a mass public. You may have noticed that I ticked every category we use in assigning this blog post its proper place in our own information hierarchy. It’s not a coincidence.

Let’s walk through the daily issues faced at Heathrow from an information standpoint:

1. About half of all tickets to fly are booked via the Internet, and that information must be completely available to several very different systems immediately and be perfectly accurate.
2. Parking systems must provide availability, administrative and financial information.
3. Public transportation systems must send and receive useful information about current operations and schedule changes, and receive and use similar information from several different airport systems.
4. The logistics of welcoming, feeding, watering and moving 67.7 million people per year (and taking care of 70,000 employees) are an interesting challenge, as is maintaining 48,000 square metres of retail space. Private security, first aid, tourist information, all of these have information issues attached.
5. Oh yes–core business–mustn’t forget–90 airlines, 186 destinations, 469,000 ‘air transport movements’ (er, would that translate to flights in English?) annually. Information requirements include weather at each destination, status of all airports and traffic, passenger information (but more on that below…)
6. On-time status of flights relating to connecting flights.
7. Correlating information from HMRC (well, more the C part than the R) with the Home Office (now with both parts of the newly divorced members of what was once one) and probably discreet communications with agencies using numbers as well as initials.
8. Communicating with the Civil Aviation Authority, National Air Transport System, HM Immigration–of course I’m sure they all use the same electronic forms that grab data smoothly from Heathrow systems… right?
9. Communicating with the media–and having the capability of communicating with international media
10. Having co-ordinated disaster preparedness programmes that are up to date as well as up to snuff.

Probably missed half a dozen supremely vital information systems there… but it’s Sunday morning, so it’s okay. (Did somebody say baggage?)

Lots of things to go wrong there. Amazingly, not much does. (Did somebody say baggage–again?) That’s why when things do go wrong it’s news.

Notice they don’t have an uber-contractor trying to integrate all systems and dictate technology standards and usage. Strange, that. And I’ll bet they often use trainer-net (where some employee puts on trainers and walks information to diverse destinations). But that’s how functional communities develop–and despite grumbling and glitches, Heathrow functions as an information community: People get to destinations, planes don’t fall out of the sky. Successful information communities do seem to develop from the ground up, not the top down.

I guess the point I’m trying to make is that information systems and information assurance issues develop in an ecosystem not a vacuum. Complexity in information management is probably a geometric rather than arithmetic function relating to the number of actors involved. And yet don’t we often see government requirements for information systems that are internally oriented and indeed self-referential? The box must be this big with holes here and here, and those holes must be guarded in this way. I think more than anything else, government’s inability to get value for money from IT investment is based on this issue.

Please feel free to contribute complaints about Heathrow in the comments–I’ve suffered there myself. My praise is directed at a higher level, at finding a community that functions. Your nominations?