Standards move to Infinity

Filed under: Standards — lenand @ 9:42 am

We may applaud the rhetoric for standards enabling better joined-up outcomes.  The landscape for interoperability for health and social care systems seems to have boundaries that disappear to infinity.  There’s no better illustration than the “Infinity Diagram” from a TSB publication.

Infinity Diagram


Standards are needed throughout, but most development has been focussed in the public and statutory sectors.   The crisis in state funding is forcing more care onto citizens so they must be brought into a standards framework.  This is happening via i3i, a consortium committed to designing open technical standards for the global delivery of assisted living services.



Who should trust “Trusted Computing”?

Most PC devices can connect to network resources, either on a public (Internet) or private network.  The Trusted Computing Group has developed standards for “Trusted Computing”, which has a specialised meaning.  With “Trusted Computing”, PC behaviour is enforced by standards and technologies that shift the root of trust from software to hardware embedded in the device.  For example, PCs with a TPM (Trusted Platform Module) could have hardware preset by the supplier:

  • to restrict the operating system versions;
  • to restrict software to specific versions;
  • to provide encrypted access to data stores;
  • to measure and report on the integrity of the platform, including the BIOS, disk MBR, boot sector, operating system and application software.
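
The measure-and-report step in the last bullet can be sketched as a hash chain. This is an added example, not code from the Trusted Computing Group or from this blog; it assumes a single SHA-256 register and constructed component images, and it leaves out the signed quote a real TPM would produce.

```python
import hashlib

ZERO = bytes(32)  # assumed: register is all zeros after reset (SHA-256 bank)

def extend(pcr: bytes, digest: bytes) -> bytes:
    """Hash-chain step: new register = SHA-256(old register || digest)."""
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(chain):
    """Device side: measure each (name, image) in boot order.
    Returns the final register value and the event log of digests."""
    pcr, log = ZERO, []
    for name, image in chain:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log

def verify(reported_pcr: bytes, log, approved: dict) -> str:
    """Verifier side: replay the log, then compare digests with policy."""
    pcr = ZERO
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    if pcr != reported_pcr:
        return "log does not match register"
    for name, digest_hex in log:
        if approved.get(name) != digest_hex:
            return f"unapproved {name}"
    return "trusted"

# Constructed sample images standing in for the stages named in the list.
GOOD = [("BIOS", b"bios v1"), ("MBR", b"mbr v1"), ("boot sector", b"boot v1"),
        ("operating system", b"os v1"), ("application", b"app v1")]
APPROVED = {n: hashlib.sha256(i).hexdigest() for n, i in GOOD}

# Same machine with one stage replaced by a different (not approved) build.
CHANGED = [(n, b"os v2" if n == "operating system" else i) for n, i in GOOD]

if __name__ == "__main__":
    pcr, log = measure_boot(GOOD)
    print(verify(pcr, log, APPROVED))
    pcr2, log2 = measure_boot(CHANGED)
    print(verify(pcr2, log2, APPROVED))
    print(verify(pcr2, log, APPROVED))  # stale log with changed register
```

The verifier cannot tell a tampered operating system from a legitimate one that is simply absent from its approved list; both are reported as unapproved.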

In a corporate environment with a private network, it increases confidence in the integrity of the system.  Hardware identification of the end-points increases levels of information assurance, which is a benefit and could justify the complex processes of TPM deployment.  There is a case for extending the use of TPMs into more mobile devices.  Such reasons have led to mandation for business communications with the US DoD.

However, before anybody thinks of mandating “Trusted Computing” for the general public, let’s look at some of the implications.  Depending on how the standards are deployed, both PCs and mobile devices could lose flexibility, freedoms and privacy.  The superficial attraction of improved security on private networks could constrain the use of public networks and deter innovation.

Many areas of concern are reviewed in Wikipedia:

  • In order to trust anything that is authenticated by or encrypted by a TPM … , one has to trust the company that made that chip, the company that designed the chip, those companies allowed to make software for the chip, and the ability and interest of those companies to not compromise the process;
  • “Trusted Computing” (TC) would have an anti-competitive effect in the IT market;
  • TC can support remote censorship;
  • Software suppliers can make it much harder for users to switch to competitors’ products;
  • TC-protected documents may be unreadable by competitive software;
  • Digital rights management technology could prevent users from freely sharing and using potentially copyrighted files without explicit permission;
  • A user who wanted to switch to a competing program might find that it would be impossible for that new program to read old data;
  • With remote attestation, a website could check the Internet browser being used and refuse to display on any browser other than the specified one;
  • The migration section of the TPM specification requires that it be impossible to move certain kinds of files except to a computer with the identical make and model of security chip;
  • Users unable to exercise legal rights, under headings such as fair use, public interest or whistle-blowing;
  • Users vulnerable to vendor withdrawal of service;
  • Users unable to override restrictions even if confirmed to be physically present to allow the computer to use a secure I/O path to another user;
  • Loss of anonymity could have a chilling effect on political free speech, the ability of journalists to use anonymous sources, whistle blowing, political blogging and other areas where the public needs protection from retaliation through anonymity;
  • TPM hardware failure creates the possibility of a user being irrevocably cut-off from access to private information.

The risk is that “Trusted Computing” becomes mandated without a full debate of these concerns before incorporation into government policy.  When you look at the list of financial supporters of “Trusted Computing”, many have a lot to gain from anti-competitive application of the standards.  Arguments for policies and regulations that might curtail current liberties should be balanced against those from less well-financed champions of Open Source, Open Rights, Open Internet and Civil Liberties.  We must avoid the scenario where honest citizens, without TPMs installed in their communications devices, could be locked out of using digital public services.


Policies need Confidence

All organisations need policy. How confident are they that policy (aka strategy) will be followed and that the desired outcomes will be achieved? Because policies are always top-down, confidence in success exudes from the top; but apathy, indifference and scepticism are the normal response from the bottom. Let’s see how Confidence Management could lead to more realistic expectations and implementations.

Here is an example from a membership organisation of managers working in the information domain. The policies have been developed top-down:

Three core principles 

  • Collaborate, share and re-use assets
  • Redesign services to simplify, standardise and automate
  • Innovate to empower citizens and communities

Six strategic capabilities

  1. Leadership from CIOs
  2. Governance
  3. Organisational change
  4. Strategic commissioning and supplier management
  5. Shared services
  6. Professionalism

Six key issues around information and technology

  1. Information governance
  2. Information management, assurance and transparency
  3. Digital access and inclusion
  4. Local public services infrastructure
  5. Business change
  6. Central government services have been integrated with local public services delivery.

The document had a successful launch.  Stage 1, on time and on budget.  Stage 2 is for the individual members to plan implementing these policies (aka strategies) back in their own organisations.  Stage 3 is to convert those plans into changed practices throughout the UK.

The Confidence Management Process converts the lists above into fifteen questions in relation to how confident each interviewee is about the progress that will be achieved within 5 years, by 2016.

How confident, on a scale of 0% to 100%, are you that the following targets will be achieved?

  1. The organisation and partners have collaborated, shared and re-used information assets with pooled budgets and staff for all services.
  2. All services have been redesigned to simplify, standardise and automate business processes.
  3. Citizens and communities have been empowered by innovative methods in every service area.
  4. CIOs have demonstrated leadership and delivered more efficient and fairer public service outcomes, demonstrated by KPIs.
  5. ICT Governance processes have been managed by a Programme Office, administering a portfolio of business change programmes and projects with strong change and risk management.
  6. Outcome-focused organisational change methods have been employed successfully in all services.
  7. Strategic commissioning and supplier management has proved to be more effective and reduced costs by at least 25% with better service provision.
  8. Shared services have been operated 25% more efficiently by partnership arrangements.
  9. ICT Staff have been assessed under the SFIA framework and improved their level of skills to operate as a certified professional.
  10. An information governance framework has been implemented and best practice is being followed.
  11. Standard information management, assurance and transparency processes have been instituted that control data throughout the lifecycle – providing a single version of the truth.
  12. Multi-channel digital access has extended to 80% of service transactions, with special provision for digitally excluded citizens.
  13. The infrastructure has employed the Public Sector Network for Cloud services, shared data centres and shared application.
  14. Business change projects have delivered measurable outcomes and benefits across organisational boundaries.
  15. All central government departments have closely integrated ICT systems for local public services delivery, eg Education, Health, Justice, DWP and HMRC.

This would enable a bottom-up, and middle-out, perspective of the policy. It should help to identify the critical success factors (CSFs). In the end it is the foot soldiers who have to implement policy. They are likely to recognise similar initiatives from many years earlier, and carry on with business as usual. Leadership must focus on CSFs or lose the opportunity for another five years. Hard times call for tough decisions.


Federalism: US solution for UK?

Filed under: Governance,Innovation,Standards — lenand @ 10:31 pm

Public sector silos are the root cause of inefficient shared information services.  It is a bold statement that needs some justification. Islands of automation can and do succeed; they have autonomy.  Local authorities and small agencies can manage any governance issues.  The real problems arise whenever attempts are made to share data outside the organisation’s sphere of control.  This is clearly the place for common understanding and cries out for standards.

Whilst these thoughts are not new, more practical technology backing is coming out of a British inspired development, which has been effectively migrated to the USA.   The Americans have a more natural affinity for federalism:

“The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people.” – Tenth Amendment, United States Constitution

So let us accept silos, don’t be ashamed of them, but also mandate interoperability enablers to a federation.  Laws that everybody has to obey are the key to success.  This could start with an agreement to understand ISO 18876.  It could continue with agreements on reference data and the limited amount of data that needs to flow between agencies.  With a bit of luck, it could finish with identity management where trust is also shared.
