Examination of Witnesses (Questions 360 - 379)
TUESDAY 24 FEBRUARY 2004
MR NICK KALISPERAS, MR GEOFF LLEWELLYN, PROFESSOR ROSS ANDERSON AND PROFESSOR MARTYN THOMAS
Q360 Mr Cameron: Can the Home Office
manage a procurement project on this scale, which I suppose is
a bit like asking can Tim Henman win Wimbledon? It is a leading
question. Let us start with Professor Thomas. In your submission
you say very clearly that technical requirements must meet real
world requirements. If not, "it is inevitable that the technical
requirements will change, leading to delays, cost escalation,
and loss of control over project risks". Given the questions
you put in your submission do you think it is possible for the
Government to get this right in terms of procurement?
Professor Thomas: Technically,
yes. Politically, no.
Q361 Mr Cameron: Why politically
no? If the person in charge of procurement was a mixture of Einstein,
Lichtenstein and Mother Theresa, all-seeing, all-knowing, why
is it still going to go wrong?
Professor Thomas: Most of the
Government procurements that have failed spectacularly have failed,
at least in part, because the requirements for the procurement
were not properly under control at the point where an attempt
was made to transfer the risk to the supply industry, and consequently
the supply industry has been very effectively trained to claim
simply to be able to deliver whatever the Government wants, knowing
that it will get off the hook when the requirements change. That
has to stop but it requires a level of discipline amongst those
who are seeking to procure systems, which does not appear to come
naturally to government departments and those procuring systems
on their behalf. There are some very hard questions which need
to be asked about exactly what the limits of using ID cards will
be, and how widespread will be the facility to update the data
on the cards and the data in the central database, for example,
is an issue which will have a dramatic effect on the underlying
security of the system that is built, and therefore the rate of
failure in the two directions of false acceptance and false rejection
that would occur. Those issues have not been addressed.
Q362 Mr Cameron: In a nutshell, is
what you are saying that if the Government set out the requirements,
got them right and left them alone, there will always be a tendency
to change because this is a developing area?
Professor Thomas: No. I suspect
that there are conflicting requirements and that those conflicts
are glossed over rather than addressed and resolved, and I think
that that happens very frequently in government procurements and
that there are hard political decisions to be taken and the assumption
is made that somehow the supply industry will solve that problem
and that ministers or officials will not need to. It has never
worked in the past and it will not work this time.
Q363 Mr Cameron: That is very clear;
thank you. Professor Anderson, you argue in your submission that
you do not believe the Home Office's costings and you think that
consolidating a lot of these systems into one system always costs
more than expected. Is it inevitable?
Professor Anderson: It is not
inevitable but that has usually been the case in the past. Economists
in the software industry have come to the conclusion that the
value of the software contract of a company is roughly equal to
the lock-in for all its customers. Suppose you have a company
with 100 people and you are paying £500 per seat for Office
for each of these people. What that is saying in effect is that
it would cost you £50,000 to retrain everybody and reconfigure
the machines to all run OpenOffice. If it would cost more to do
it, looking at the average cost across all companies, then
Microsoft would put up their prices. This is very well understood
in the packaged software industry but I think it is only coming
to be understood in public procurement in that if you have a small
system, say we are doing national insurance numbers and something
goes wrong, you can hold ministers to ransom and say, "Give
us another £200 million to fix this or you might have significant
leakage from the social security system", etc. If you have
a larger system you have ministers over a bigger barrel.
Q364 Mr Cameron: Can you not put
penalty clauses and other things in? Once you have understood
the very clear nature of the market failing you set out, that
basically these companies have got you over a barrel, that what
they are doing for you is so valuable that you do not want to
cut them off halfway through, can you not have penalty clauses
and make it possible for ministers not to end up with egg on their
faces?
Professor Anderson: Sure, it is
possible, but it is up to the Government and I must say that some
departments are better at it than others. The Ministry of Defence,
for example, has a reasonable amount of experience in dealing
with large, complex procurements for over 20 years from single
source suppliers. The Department of Transport, with whom I worked
on tachographs, for example, are also fairly shrewd.
Q365 Mr Cameron: Where do you put
the Home Office in the list of angels and devils?
Professor Anderson: My only experience
in dealing with the Home Office so far has been my involvement
in the Regulation of Investigatory Powers Act a few years ago.
I must say they are beginning to learn about future communication
systems but how good they are at procurement is not something
on which I could safely venture an opinion.
Q366 Mr Cameron: So definitely two
sceptics at this end of the table on procurement. Let me move
to Intellect.
Professor Thomas: May I just add
one point? Penalty clauses are fine if the only risk is the risk
of financial loss. You can transfer that to a penalty clause if
you can define it well enough and manage to get it enforced. Where
the risk that you are trying to transfer is a business risk or
a political risk, loss of service or considerable public unrest
as a consequence of a government service not being available and
not being available on time, penalty clauses are meaningless in
that context. They are not even answering the right question.
Q367 Mr Cameron: Is there any other
way round it?
Professor Thomas: No.
Q368 Mr Cameron: Thank you; that
is very clear. Let me move to Intellect who I think are more optimistic.
You seem quite confident that the Office of Government Commerce
guidelines and mechanisms can deliver IT projects successfully.
Is that a fair summary of your position?
Mr Kalisperas: Essentially we
have a package of measures which we launched last year which currently
the OGC are looking at: definition of projects, strengthening
the gateway within the process. I think we are in a better position
to take forward projects than we were two, three or four years
ago. I would disagree with Professor Thomas in that by and large
projects do not fail at the instance where risk is transferred.
By and large projects fail at the very early stages of their conception
when government decides and procurement agencies do not properly
discuss their requirements with the industry, so they do not at
those very early stages get an understanding of what the market
is capable of delivering and what capacity it has.
Q369 Mr Cameron: But when you look
at all the IT projects we have had, social security and the
Home Office, has not Professor Thomas got experience and
right on his side, that most of these things have had massive
cost overruns? They have taken far longer, have been hugely expensive,
often have not worked and there have been massive delays. I am
just trying to work out why you feel so optimistic.
Mr Kalisperas: If you look at
the most recent reports which have come out from the NAO as they
relate to the Criminal Records Bureau or the Inland Revenue tax
credits, some of the most basic failings that they identified
were, for example, with the Criminal Records Bureau that they
did not anticipate in the planning that there would be an increase
in applications during the summer months. For the tax credits
there was not enough give in the system to cope with three million
applications as opposed to two million applications and that sort
of thing.
Q370 Mr Cameron: If they cannot get
those simple things right how on earth are they ever going to
get identity cards for every human being in the United Kingdom
for multiple purposes?
Mr Kalisperas: Because by and
large those have been failings whereby the systems did not go
through the gateway process and those were projects which had
not been adequately scoped with the industry. We are not in the
business of trying to take money off the public sector. We are
in the business of making projects work. It is very straightforward.
What we need to do and what we have been encouraging the Government
to do is talk to industry before they write tenders, even before
they are advertised, see what industry is capable of doing, see
whether the political timescales that have been foisted upon civil
servants are realistic.
Q371 Mr Cameron: Is this what you
mean by concept viability, which "will enable public sector
organisations to use the industry as a 'sounding board'"?
Again, is this not a bit naive? Are not some businesses always
going to say it is a little bit what the Government wants to hear
in order to help them have a more favoured position? Is that not
right?
Mr Kalisperas: Where we believe
the concept viability will help is that it provides a platform.
Intellect is a technology neutral trade association. We are not-for-profit.
We have no products to sell. Concept viability will enable our
members to go back to government departments and indicate to them
where scope-defined projects are unsuccessful or have the potential
to fail using Intellect and the feedback will be anonymised. Our
members feel comfortable that they will be able to use Intellect
as a vehicle for channelling their fears. Additionally, what we
would like to see is that the public sector is able to contract
skilled project and programme managers to take forward this work.
There has been in more than one case a clear shortage of skilled
staff and the public sector needs to pay to get the right people
on board in order to deliver these solutions.
Q372 Mr Cameron: Can you give an
example where a potential public sector client has ever been advised
that a project is not viable and therefore should not go ahead?
Mr Kalisperas: We have not. Concept
viability was launched at the end of last year, so we have not
run a workshop yet. We are in discussions with four or five government
departments about running workshops, so we have not actually run
a workshop yet but when we do we will feed back to the Committee.
Q373 Mr Cameron: The question I would
like to ask all of you, to which a yes or no answer is sufficient,
is: do you see the public procurement difficulties as insuperable?
Professor Thomas: Yes, I do. I
would like to tell you something that you will not believe but
which I think it is important that you hear, and that is that
almost every IT supplier in the world today is incompetent. I
have worked in the IT industry almost all my working life for
large and small organisations, and I know of what I speak. For
example, the typical rate of delivered faults after full user
acceptance testing from the maker suppliers in the industry over
many years has been steady at around 20 faults per thousand lines
of code. We know how to deliver software with a fault rate that
is down around 0.1 faults per thousand lines of code and the industry
does not adopt these techniques. We are as an industry very much
in the early stages. The industry is only 50 years old. If you
compare that with civil engineering, which is several thousand
years old, we are tackling some of the most complex engineering
designs and building some of the most complex engineering systems
that the world has ever seen, essentially using craft technology.
If you looked at the methods that are employed in most companies
you would come to the conclusion that actually IT system development
is a fashion business, not an engineering business, because they
jump from one methodology to another year after year so long as
it has a whizzy name, "Agile this" or "Intensive
that". The underlying engineering disciplines that every
mature engineering discipline has learnt it needs to use in order
to be able to show that the system it is building has the required
properties have not yet been employed in software and systems
engineering, and that is at the heart of why these things do not
work.
Mr Cameron: That is a very encouraging
answer!
David Winnick: The blood pressure is
rising on Professor Thomas's left!
Q374 Chairman: We could have a fascinating
debate about all of that but I just want to ask you an immediate
question. We have heard earlier this afternoon that there is insufficient
definition of the circumstances in which an ID card would be used
to be able to specify how often it would need to be checked against
what type of database for information. Much of the budgeting for
the ID card project is confidential from the Home Office at the
moment. Is it possible to begin the process of saying whether
the project would be achievable unless we have both complete openness
about budgeting and a greater level of definition of what the
project is intended to achieve? What is the basic information
that should be available and in the public domain to enable a
project of this sort to be given adequate scrutiny, not just by
the industry but for those like Professor Thomas who are sceptical
about some aspects of the industry's performance, if I can summarise
his position like that?
Professor Anderson: I think it
might be helpful if there were some scrutiny of the tendering
process as specifications are drawn up and put out to tender.
That sort of thing should be public. If, for example, the Home
Office has taken a narrow targeted approach in saying, "Right:
let us reform the passport systems so that they contain the new
digital photograph chip that the Americans require as phase one.
Let us get it right, and once we have got it right and got it
out there we will worry about phase two". That would be reassuring.
If, on the other hand, they want a complex system designed which
they can use to link in all other stakeholders later as a means
of creating a political momentum of a product and scope in building
an empire, that would be cause for alarm. What I think we need
to add is some clear signal of which path they are intending to
take. If the thing remains covered by Official Secrets to the
point that even Parliament does not know which path the Home Office
is intending to take, then that is bad news.
Q375 Chairman: Is this an area of
software development where it would be much better if the detailed
design of software and systems were always in the public domain
than one in which this was kept as it were under the Official
Secrets Act? This is a debate which I know goes on about software
systems all the time.
Professor Thomas: Security by
obscurity is never a good idea. If you are trying to build a system
that you do not want to be able to be attacked, then making it
possible for lots of people to look for the vulnerabilities in
it early is the way that you eliminate the vulnerabilities. Simply
crossing your legs and hoping that they will not be banned because
you have tried to keep the details obscure never works. If you
do not believe me, ask Bill Gates.
Q376 Chairman: Would the industry
be prepared to go ahead with the procurement process on that basis?
Mr Llewellyn: I think the industry
would certainly want a clear and unequivocal specification of
what is required. Referring to the earlier point, there is absolutely
no question that if there is not clarity of specification, as
with circumstances where you invite a builder into your home to
do something about it, if you have not specified what you want,
the chances are
Q377 Chairman: Could you address
the specific point about whether the software engineering should
be a public domain matter or should we give commercial confidentiality
to whoever wins the contract?
Mr Llewellyn: I think that it
would be necessary to protect some aspects of the engineering
in order to make it difficult for any potential fraudster because
if you simply set out the source code for the whole system and
the design of the security around the links between the database
and the points of registration, I think that would be absurd because
that would be giving a blueprint to potential fraudsters. I think
there is a middle course which would enable you to have sufficient
clarity for informed observers to know that the right solution
was being proposed without putting the public at risk by giving
this blueprint.
Q378 Mrs Dean: Professor Anderson,
you doubt the efficacy of biometrics: would your concerns be reduced
if the scheme were to use two biometrics, such as fingerprints
and iris scanning?
Professor Anderson: If you use
two biometrics then what you may do is shift the balance between
your false accept and false reject rates. Suppose, for example,
you decide to pay a cheque but only if someone passes an iris
scan and a fingerprint scan, then you are going to end up insulting
a lot of your customers. Fingerprints are particularly difficult
for older people and manual workers whose fingerprints wear thin
and get damaged. If, on the other hand, you decide to pay out
on a cheque if either an iris scan or a fingerprint is successful
then you will have very many fewer insulted customers but you
will have an awful lot more fraud. What the engineering problem
is about is finding the right balance point between fraud and
insult. The balance point is very different in different applications.
In banking generally we used to reckon that you needed an insult
rate of less than one in 100,000 and a fraud rate of better than
one in 100 for a biometric mechanism to be useful. At the time,
ten years ago, we found that there was no biometric that would
meet that. Nowadays iris scans might but, then again, there are
human interface aspects: how many people would be comfortable
staring into an infrared light on a cash machine? There are complex
engineering issues. My book on security engineering has a whole
chapter on the subject.
Q379 Mrs Dean: What evidence do you
have that it is practically feasible to produce contact lenses
to fake irises on a significant scale?
Professor Anderson: Well, I have
not done it myself but I have seen a photograph of one that was
produced by one of the researchers in the field and, given the
underlying mathematics, I do not think there is any difficulty
in principle with producing a contact lens that will produce a
certain iris code. The manufacturers of iris scanning equipment
will say in their defence that it is possible to measure the nictation,
the oscillation in the diameter of the pupil. I understand that
none of the equipment currently on sale does that and I would
be worried that someone might produce a well printed contact lens
with a sufficiently clear area in the middle where the movement
of the underlying eye would be taken by the scanner as indicating
that the genuine eye were present. There is room for further technological
work here. As things stand I am afraid that iris scanners, like
fingerprint scanners, are liable to be defeated by sophisticated
attack if they are used in an unattended operation. Attended operation
is different, of course: if you train the staff properly they
can feel people's fingerprints, they can look carefully at the
eye and check there is no funny business.