Select Committee on Home Affairs Minutes of Evidence


Examination of Witnesses (Questions 360 - 379)

TUESDAY 24 FEBRUARY 2004

MR NICK KALISPERAS, MR GEOFF LLEWELLYN, PROFESSOR ROSS ANDERSON AND PROFESSOR MARTYN THOMAS

  Q360  Mr Cameron: Can the Home Office manage a procurement project on this scale, which I suppose is a bit like asking can Tim Henman win Wimbledon? It is a leading question. Let us start with Professor Thomas. In your submission you say very clearly that technical requirements must meet real world requirements. If not, "it is inevitable that the technical requirements will change, leading to delays, cost escalation, and loss of control over project risks". Given the questions you put in your submission do you think it is possible for the Government to get this right in terms of procurement?

  Professor Thomas: Technically, yes. Politically, no.

  Q361  Mr Cameron: Why politically no? If the person in charge of procurement was a mixture of Einstein, Lichtenstein and Mother Teresa, all-seeing, all-knowing, why is it still going to go wrong?

  Professor Thomas: Most of the Government procurements that have failed spectacularly have failed, at least in part, because the requirements for the procurement were not properly under control at the point where an attempt was made to transfer the risk to the supply industry, and consequently the supply industry has been very effectively trained to claim simply to be able to deliver whatever the Government wants, knowing that it will get off the hook when the requirements change. That has to stop, but it requires a level of discipline amongst those who are seeking to procure systems which does not appear to come naturally to government departments and those procuring systems on their behalf. There are some very hard questions which need to be asked about exactly what the limits of using ID cards will be. How widespread the facility to update the data on the cards and the data in the central database will be, for example, is an issue which will have a dramatic effect on the underlying security of the system that is built, and therefore on the rate of failure in the two directions of false acceptance and false rejection that would occur. Those issues have not been addressed.

  Q362  Mr Cameron: In a nutshell, is what you are saying that if the Government set out the requirements, got them right and left them alone, there will always be a tendency to change because this is a developing area?

  Professor Thomas: No. I suspect that there are conflicting requirements and that those conflicts are glossed over rather than addressed and resolved, and I think that that happens very frequently in government procurements and that there are hard political decisions to be taken and the assumption is made that somehow the supply industry will solve that problem and that ministers or officials will not need to. It has never worked in the past and it will not work this time.

  Q363  Mr Cameron: That is very clear; thank you. Professor Anderson, you argue in your submission that you do not believe the Home Office's costings and you think that consolidating a lot of these systems into one system always costs more than expected. Is it inevitable?

  Professor Anderson: It is not inevitable but that has usually been the case in the past. Economists in the software industry have come to the conclusion that the value of the software contract of a company is roughly equal to the lock-in for all its customers. Suppose you have a company with 100 people and you are paying £500 per seat for Office for each of these people. What that is saying in effect is that it would cost you £50,000 to retrain everybody and reconfigure the machines to all run OpenOffice. If it would cost more to do it—looking at the average cost across all companies—then Microsoft would put up their prices. This is very well understood in the packaged software industry but I think it is only coming to be understood in public procurement in that if you have a small system, say we are doing national insurance numbers and something goes wrong, you can hold ministers to ransom and say, "Give us another £200 million to fix this or you might have significant leakage from the social security system", etc. If you have a larger system you have ministers over a bigger barrel.

  Q364  Mr Cameron: Can you not put penalty clauses and other things in? Once you have understood the very clear nature of the market failing you set out, that basically these companies have got you over a barrel, that what they are doing for you is so valuable that you do not want to cut them off halfway through, can you not have penalty clauses and make it possible for ministers not to end up with egg on their faces?

  Professor Anderson: Sure, it is possible, but it is up to the Government and I must say that some departments are better at it than others. The Ministry of Defence, for example, has a reasonable amount of experience in dealing with large, complex procurements for over 20 years from single source suppliers. The Department of Transport, with whom I worked on tachographs, for example, are also fairly shrewd.

  Q365  Mr Cameron: Where do you put the Home Office in the list of angels and devils?

  Professor Anderson: My only experience in dealing with the Home Office so far has been my involvement in the Regulation of Investigatory Powers Act a few years ago. I must say they are beginning to learn about future communication systems but how good they are at procurement is not something on which I could safely venture an opinion.

  Q366  Mr Cameron: So definitely two sceptics at this end of the table on procurement. Let me move to Intellect.

  Professor Thomas: May I just add one point? Penalty clauses are fine if the only risk is the risk of financial loss. You can transfer that to a penalty clause if you can define it well enough and manage to get it enforced. Where the risk that you are trying to transfer is a business risk or a political risk, loss of service or considerable public unrest as a consequence of a government service not being available and not being available on time, penalty clauses are meaningless in that context. They are not even answering the right question.

  Q367  Mr Cameron: Is there any other way round it?

  Professor Thomas: No.

  Q368  Mr Cameron: Thank you; that is very clear. Let me move to Intellect who I think are more optimistic. You seem quite confident that the Office of Government Commerce guidelines and mechanisms can deliver IT projects successfully. Is that a fair summary of your position?

  Mr Kalisperas: Essentially we have a package of measures which we launched last year which currently the OGC are looking at—definition of projects, strengthening the gateway within the process. I think we are in a better position to take forward projects than we were two, three or four years ago. I would disagree with Professor Thomas in that by and large projects do not fail at the instance where risk is transferred. By and large projects fail at the very early stages of their conception when government decides and procurement agencies do not properly discuss their requirements with the industry, so they do not at those very early stages get an understanding of what the market is capable of delivering and what capacity it has.

  Q369  Mr Cameron: But when you look at all the IT projects we have had—social security and the Home Office—has not Professor Thomas got experience and right on his side, that most of these things have had massive cost overruns? They have taken far longer, have been hugely expensive, often have not worked and there have been massive delays. I am just trying to work out why you feel so optimistic.

  Mr Kalisperas: If you look at the most recent reports which have come out from the NAO as they relate to the Criminal Records Bureau or the Inland Revenue tax credits, some of the most basic failings that they identified were, for example, with the Criminal Records Bureau that they did not anticipate in the planning that there would be an increase in applications during the summer months. For the tax credits there was not enough give in the system to cope with three million applications as opposed to two million applications and that sort of thing.

  Q370  Mr Cameron: If they cannot get those simple things right how on earth are they ever going to get identity cards for every human being in the United Kingdom for multiple purposes?

  Mr Kalisperas: Because by and large those have been failings whereby the systems did not go through the gateway process and those were projects which had not been adequately scoped with the industry. We are not in the business of trying to take money off the public sector. We are in the business of making projects work. It is very straightforward. What we need to do and what we have been encouraging the Government to do is talk to industry before they write tenders, even before they are advertised, see what industry is capable of doing, see whether the political timescales that have been foisted upon civil servants are realistic.

  Q371  Mr Cameron: Is this what you mean by concept viability, which "will enable public sector organisations to use the industry as a 'sounding board'"? Again, is this not a bit naïve? Are not some businesses always going to say a little bit what the Government wants to hear in order to help them have a more favoured position? Is that not right?

  Mr Kalisperas: Where we believe the concept viability will help is that it provides a platform. Intellect is a technology neutral trade association. We are not-for-profit. We have no products to sell. Concept viability will enable our members to go back to government departments and indicate to them where scope-defined projects are unsuccessful or have the potential to fail using Intellect and the feedback will be anonymised. Our members feel comfortable that they will be able to use Intellect as a vehicle for channelling their fears. Additionally, what we would like to see is that the public sector is able to contract skilled project and programme managers to take forward this work. There has been in more than one case a clear shortage of skilled staff and the public sector needs to pay to get the right people on board in order to deliver these solutions.

  Q372  Mr Cameron: Can you give an example where a potential public sector client has ever been advised that a project is not viable and therefore should not go ahead?

  Mr Kalisperas: We have not. Concept viability was launched at the end of last year, so we have not run a workshop yet. We are in discussions with four or five government departments about running workshops, so we have not actually run a workshop yet but when we do we will feed back to the Committee.

  Q373  Mr Cameron: The question I would like to ask all of you, to which a yes or no answer is sufficient, is: do you see the public procurement difficulties as insuperable?

  Professor Thomas: Yes, I do. I would like to tell you something that you will not believe but which I think it is important that you hear, and that is that almost every IT supplier in the world today is incompetent. I have worked in the IT industry almost all my working life for large and small organisations, and I know of what I speak. For example, the typical rate of delivered faults after full user acceptance testing from the maker suppliers in the industry over many years has been steady at around 20 faults per thousand lines of code. We know how to deliver software with a fault rate that is down around 0.1 faults per thousand lines of code and the industry does not adopt these techniques. We are as an industry very much in the early stages. The industry is only 50 years old. If you compare that with civil engineering, which is several thousand years old, we are tackling some of the most complex engineering designs and building some of the most complex engineering systems that the world has ever seen, essentially using craft technology. If you looked at the methods that are employed in most companies you would come to the conclusion that actually IT system development is a fashion business, not an engineering business, because they jump from one methodology to another year after year so long as it has a whizzy name, "Agile this" or "Intensive that". The underlying engineering disciplines that every mature engineering discipline has learnt it needs to use in order to be able to show that the system it is building has the required properties have not yet been employed in software and systems engineering, and that is at the heart of why these things do not work.

  Mr Cameron: That is a very encouraging answer!

  David Winnick: The blood pressure is rising on Professor Thomas's left!

  Q374  Chairman: We could have a fascinating debate about all of that but I just want to ask you an immediate question. We have heard earlier this afternoon that there is insufficient definition of the circumstances in which an ID card would be used to be able to specify how often it would need to be checked against what type of database for information. Much of the budgeting for the ID card project is confidential from the Home Office at the moment. Is it possible to begin the process of saying whether the project would be achievable unless we have both complete openness about budgeting and a greater level of definition of what the project is intended to achieve? What is the basic information that should be available and in the public domain to enable a project of this sort to be given adequate scrutiny, not just by the industry but for those like Professor Thomas who are sceptical about some aspects of the industry's performance, if I can summarise his position like that?

  Professor Anderson: I think it might be helpful if there were some scrutiny of the tendering process as specifications are drawn up and put out to tender. That sort of thing should be public. If, for example, the Home Office has taken a narrow targeted approach in saying, "Right: let us reform the passport systems so that they contain the new digital photograph chip that the Americans require as phase one. Let us get it right, and once we have got it right and got it out there we will worry about phase two". That would be reassuring. If, on the other hand, they want a complex system designed which they can use to link in all other stakeholders later as a means of creating a political momentum of a product and scope in building an empire, that would be cause for alarm. What I think we need to add is some clear signal of which path they are intending to take. If the thing remains covered by Official Secrets to the point that even Parliament does not know which path the Home Office is intending to take, then that is bad news.

  Q375  Chairman: Is this an area of software development where it would be much better if the detailed design of software and systems were always in the public domain than one in which this was kept as it were under the Official Secrets Act? This is a debate which I know goes on about software systems all the time.

  Professor Thomas: Security by obscurity is never a good idea. If you are trying to build a system that you do not want to be able to be attacked, then making it possible for lots of people to look for the vulnerabilities in it early is the way that you eliminate the vulnerabilities. Simply crossing your legs and hoping that they will not be banned because you have tried to keep the details obscure never works. If you do not believe me, ask Bill Gates.

  Q376  Chairman: Would the industry be prepared to go ahead with the procurement process on that basis?

  Mr Llewellyn: I think the industry would certainly want a clear and unequivocal specification of what is required. Referring to the earlier point, there is absolutely no question that if there is not clarity of specification, as with circumstances where you invite a builder into your home to do something about it, if you have not specified what you want, the chances are—

  Q377  Chairman: Could you address the specific point about whether the software engineering should be a public domain matter or should we give commercial confidentiality to whoever wins the contract?

  Mr Llewellyn: I think that it would be necessary to protect some aspects of the engineering in order to make it difficult for any potential fraudster because if you simply set out the source code for the whole system and the design of the security around the links between the database and the points of registration, I think that would be absurd because that would be giving a blueprint to potential fraudsters. I think there is a middle course which would enable you to have sufficient clarity for informed observers to know that the right solution was being proposed without putting the public at risk by giving this blueprint.

  Q378  Mrs Dean: Professor Anderson, you doubt the efficacy of biometrics: would your concerns be reduced if the scheme were to use two biometrics, such as fingerprints and iris scanning?

  Professor Anderson: If you use two biometrics then what you may do is shift the balance between your false accept and false reject rates. Suppose, for example, you decide to pay a cheque but only if someone passes an iris scan and a fingerprint scan, then you are going to end up insulting a lot of your customers. Fingerprints are particularly difficult for older people and manual workers whose fingerprints wear thin and get damaged. If, on the other hand, you decide to pay out on a cheque if either an iris scan or a fingerprint is successful then you will have very many fewer insulted customers but you will have an awful lot more fraud. What the engineering problem is about is finding the right balance point between fraud and insult. The balance point is very different in different applications. In banking generally we used to reckon that you needed an insult rate of less than one in 100,000 and a fraud rate of better than one in 100 for a biometric mechanism to be useful. At the time, ten years ago, we found that there was no biometric that would meet that. Nowadays iris scans might but, then again, there are human interface aspects: how many people would be comfortable staring into an infrared light on a cash machine? There are complex engineering issues. My book on security engineering has a whole chapter on the subject.

  Q379  Mrs Dean: What evidence do you have that it is practically feasible to produce contact lenses to fake irises on a significant scale?

  Professor Anderson: Well, I have not done it myself but I have seen a photograph of one that was produced by one of the researchers in the field and, given the underlying mathematics, I do not think there is any difficulty in principle with producing a contact lens that will produce a certain iris code. The manufacturers of iris scanning equipment will say in their defence that it is possible to measure the nictation, the oscillation in the diameter of the pupil. I understand that none of the equipment currently on sale does that and I would be worried that someone might produce a well printed contact lens with a sufficiently clear area in the middle where the movement of the underlying eye would be taken by the scanner as indicating that the genuine eye were present. There is room for further technological work here. As things stand I am afraid that iris scanners, like fingerprint scanners, are liable to be defeated by sophisticated attack if they are used in an unattended operation. Attended operation is different, of course: if you train the staff properly they can feel people's fingerprints, they can look carefully at the eye and check there is no funny business.


 

© Parliamentary copyright 2004
Prepared 30 July 2004