It is time to move from focusing on the machinery of computing to the people of computing, particularly since new ways of working are beginning to emerge and disrupt the spaces we work in and the ways in which we conduct our ICT practices.
Our work is subjected to more scrutiny than ever, and our outcomes are more difficult to achieve because we have failed more often than we should, more spectacularly than we thought possible and more expensively than we ever imagined we would. The reasons for failure include lack of commitment and buy-in from senior management, lack of skills in the project team – managers and computing practitioners, lack of planning, inappropriate funding models, poor procurement practices and deficient or absent governance models.
This brief opinion article will put the proposition that it’s time to focus on the people, the qualities they need to succeed – professionalism, skills and entrepreneurial acumen – and how we can enable and empower them to provide trustworthy computing globally.
Trustworthy computing is not a new concept. Let’s take a journey through our attempts to come to terms with the concept over the past 50 or so years.
In the 1960s, increasing dependence on computing systems by the military, research organisations, financial institutions and law enforcement meant that computing vendors began to talk about the deficiencies in existing systems and recognised that the public and their customers would need reassurance about their growing reliance on automated systems.
By late 1967, one model had identified four specific areas of trustworthiness:
An ironclad operating system to provide “reliability”
Use of trustworthy personnel to assure “business integrity”
Effective access control to take account of “security”
User requested optional privacy
Around the same time, a paper written for IBM spoke of a system that it was hoped would be ready within 3 months of the report being written. The critical factor was software testing, and it is interesting to note how the author’s confidence in the outcome was based on behaviours:
"the objective is to have the system running by July 1 ... However, a substantial amount of debugging, shakedown and refinement will be needed before the system will be suitable for users. ... my prediction continues to be September 1. There are large problems and uncertainties, but the people doing the work are highly competent, have good esprit de corps, and are working hard and productively."
- Nathaniel Rochester, consultant, writing in a progress report to IBM on the conversational programming system, May 23 1966.
As good as this might have been, it took another 20 years for government and industry to begin to come to grips with the trustworthy computing concept. Among the issues addressed was the need for improved software testing methods that would guarantee a high level of reliability on initial software release. A further recommendation was that programmer certification was a means to guarantee the quality and integrity of software.
Fast forward almost another 10 years to 1996, and the US National Research Council recognized that the rise of the Internet increased society’s reliance on computer systems while at the same time increasing the vulnerability of such systems to failure.
The Committee on Information System Trustworthiness was convened, producing the work Trust in Cyberspace. This report reviewed the benefits of trustworthy systems and the cost of untrustworthy systems, and identified actions required for improvement.
Identified items to be mitigated or eliminated were:
operator errors
physical disruptions
design errors and
malicious software
The report also identified those essential elements of trustworthy systems:
encrypted authorization
fine level access control and
proactive monitoring
Another 6 years passed before Microsoft launched its own Trustworthy Computing initiative in 2002. This program was in direct response to Internet devastation caused by the Code Red and Nimda worms in 2001. Microsoft founder Bill Gates announced that the company’s software development activities would include a “by design” view of security.
And so to the most recent publication in today’s account of the journey towards trustworthy computing: as recently as December 2011 the National Science and Technology Council released its Trustworthy Cyberspace: Strategic Plan for the Federal Cybersecurity Research and Development Program.
Our history is littered with events of gross malpractice, system failures and human errors which, because of our youth as a profession, have never been characterised as such: radiation machine overdoses from errant programs, ambulance systems that failed to provide the address of patients in time for life-saving attention, malware introduced into systems that were not properly protected from such intrusions, the safety systems software controlling a nuclear reactor so poorly programmed that they failed 50% of the time, and human error in data input not being considered or factored into systems, leading to planes being jeopardized and in one case the loss of 257 lives.
Even today we cannot know to what extent we have played a part in the fate of the most recent flight disasters. What is clear is that we are a long way from being able to claim that the ICT profession is trustworthy – that is, reliable, a profession in which we can have confidence that it will always produce the expected outcome. We are perhaps as far from that goal as we were in 1960 at the start of the journey.
Here’s the conclusion of one Australian State Ombudsman who chose to investigate 10 large ICT-enabled Government projects.
The Ombudsman, in his report to the Victorian Parliament in 2011, demonstrated the abysmal standard of governance, probity and skills involved in ten major ICT-enabled projects within Victoria, leading to an outcome of which he says:
“Each of the 10 projects I examined failed to meet expectations; most failed to meet delivery timeframes; and all ran over budget. The original budgets for these projects totalled $1.3 billion. The latest estimated cost is $2.74 billion – an additional $1.44 billion cost to government”.
In summary the Ombudsman concluded there were five areas of weakness to be addressed in order to reach an appropriate level of ICT capability for ICT-enablement. These were:
Leadership, accountability and governance
Planning
Funding
Probity and procurement
Project management
Onora O’Neill in the Reith lectures in 2002 says:
We say that we want to end the supposed crisis of public trust, and we've tried to do so in part by making many professions and institutions more accountable so that they are trustworthier.
Unfortunately for ICT this does not appear to apply. Although ACS has demonstrated that, when considering total remuneration packages, those holding Certified Professional status with the Australian Computer Society earned on average 11.4% more than those holding vendor certifications alone, and 15.2% more than those without any certifications, most practitioners DO NOT belong to a professional association. They are not held to account except through a pay packet, and their employers are also let off from their liability … largely … although that appears to be changing (cf. the Queensland government suing IBM over their biggest ICT project failure in Health in recent times).
I don’t know about you, but I am sick and tired of making excuses for those who are working in ICT’s creation and of banging my head against that invisible brick wall provided by indifferent governments who want nothing to do with regulation of the ICT profession; by companies mesmerized by entrepreneurial prowess, whose mantra is: “innovation means jobs, more innovation means more jobs!”; and by workers who will only respond to market forces and then complain bitterly when they lose their jobs and can’t find another because they have failed to act in a professional manner – managing their careers, keeping their skills current and themselves marketable.
What is to be done?
Well, my view is simple: take direct action … every one of us should join our local computing society to demonstrate our commitment to ethical and professional practice through the code of ethics that underpins professional membership and to begin to promote the profession to others we work with. If every member of a computer society convinced just one other worker of the value of a computing society membership and persuaded them to become a member, then they would double their computer society’s membership base. The promotion of one’s profession and the upholding of its integrity are critical aspects of a professional in every profession.
What good is that, I hear you ask?
Governments are generally responsive to organizations with large numbers of members. The influence your professional society can wield, then, is directly proportional to membership numbers. More members also means more capacity to begin to exert pressure on good and best practice in companies through the development of exemplars and the production of papers and journals of best practice. Companies benefit from the collaboration with the professional society which supports its workforce.
OK, suppose I buy into this; then what’s in it for me?
We come back to the beginning, don’t we? We begin to be seen to be capable of producing reliable and predictable ICT services, which is the working definition of trustworthy, and from that comes what all professionals I know want – respect, recognition and reward.