More stories

Australian Electoral Commission is seeking a new Senate ballot scanning solution

The Australian Electoral Commission (AEC) has gone to tender for an “end-to-end” digital ballot scanning solution, hoping to have something in place for the 2021/22 election.

Specifically, the AEC said it requires a solution to digitise all Senate ballot papers completed in a federal election, which includes capturing the preferences and metadata. “It is estimated this will be in the order of 16 million ballot papers for the 2021/2022 event and will grow by 5 to 10% for each federal electoral event after that,” it adds in the market notification published over the weekend. “Given the size and complexity of the project and operational phase, the AEC’s preference is to purchase an end to end solution.”

Senate ballot paper digitisation must be completed no later than 27 calendar days after election day, and the first ballot papers will be available for scanning from the Tuesday after election day. The Senate ballot papers must be processed in the state for which the Senate ballot paper has been returned.

“The process for the digitisation of Senate ballot papers will start once the division has finished their processing of the Senate ballot papers,” it said. “AEC is open to solutions as suggested by the provider as to the location(s) of the digitisation solution in each state and territory.”

As detailed in the market notification, the successful provider must design, develop, test, build, implement, and support an accurate and secure digitisation solution for the AEC to facilitate the count of Senate ballot papers for an electoral event in compliance with the Commonwealth Electoral Act 1918. The solution must be able to process and export the data from approximately 16 million ballot papers within 27 days from election day.

As part of the end-to-end mandate, the provider will be responsible for the development and implementation of the solution, including project management, business analysis, design, and build. The digitisation solution, the AEC said, must protect all data when it is at rest and when it is in transit, and adhere to all security requirements as outlined by the Australian Cyber Security Centre (ACSC).

The AEC in 2018 handed Fuji Xerox Businessforce a two-year, AU$27 million contract to provide a ballot scanning system for the then-upcoming federal election. The solution was “very similar” to the one used for the 2016 federal election, which the Australian National Audit Office (ANAO) called out for lacking on the security front.

In particular, the ANAO said the AEC ditched compliance with Australian government IT security frameworks, and that insufficient attention was paid to assuring the security and integrity of the data generated both during and after operation, as the focus was on delivering a Senate scanning system by polling day — 12 weeks out from the election.

AEC commissioner Tom Rogers said he was satisfied with the risks that the AEC accepted ahead of its go-live. One of the concerns raised with Rogers was that Fuji Xerox Businessforce was handed the contract not through a public tender, but through an existing standing deed of offer the AEC held with Fuji Xerox.

During Senate Estimates in May, Rogers was questioned on the ballot scanning process. “The process is that data is manually entered, and that’s matched with the automated process,” he said. “All paper is scanned when it first arrives, and, from that image, which is an image, that data is then entered, and then the data from the scan is then compared with that to make sure that they match. Where they don’t match, we undertake further processes.”

It captures an image, Rogers said, and that image is then presented to the data entry operator, who enters the data from that image. “At the same time, the data-capture process — as part of capturing the image — is then compared with that manual process. Where that matches, that’s taken to be an accurate match and it’s included in the count. Where it doesn’t match, we undertake further processes,” he continued.

The AEC was asked about its security posture at the previous Senate Estimates, with Rogers dismissing a proposal to allow a non-government researcher to conduct a security audit of its systems. At the time, he said the AEC works with a range of partners, including the ACSC, and that the agency has had its internal code audited and checked to assure that its systems are running smoothly.

Closing day for indications of interest is 16 August 2021.

The Department of Foreign Affairs and Trade (DFAT) has also approached the market this week, seeking the delivery of a threat intelligence platform and cyber threat intelligence services.

“The procurement is to include strategic, operational, and tactical cyber threat intelligence products/services to be integrated into the provided Threat Intelligence Platform, to allow the department to detect and manage threats posed by malicious actors against the government sector and the department itself; enable the department to search, explore, and investigate threats and vulnerabilities, including its IP addresses, domains, brands, supply chain or technology stack; and request custom threat intelligence products on an ad hoc basis,” it wrote in the request for quote.

For the threat intelligence platform, DFAT is seeking a vendor to provide a service, either cloud-based or on-premise, for the purposes of ingesting cyber threat intelligence feeds, with the intention of using it for the management of cyber threat intelligence. The tender closes 27 August 2021.

ACCC hauls Telstra, Optus, and TPG to court on alleged misleading NBN FttN speed claims

[Image: An NBN FttN node getting a Nokia line card installed. Credit: Corinne Reichert/ZDNet]
    The Australian Competition and Consumer Commission (ACCC) began proceedings in Federal Court on Monday against the nation’s three biggest telcos: Telstra, Optus, and TPG. The consumer watchdog is alleging the trio made false representations to consumers over being able to test lines to determine the maximum speed on fibre-to-the-node connections, notify the customer of test results, and offer remedies if a line was performing below the speed the telco sold it as. The ACCC also said it was alleging that the trio “wrongly accepted payments” from customers for NBN plans when they could not receive promised speeds. It has put the number of impacted customers in the “hundreds of thousands” range. The watchdog said the telcos did not have “adequate systems” in place to complete the speed tests, notifications, and remedies process. “Telstra, Optus and TPG each promised to tell consumers within a specific or reasonable timeframe if the speed they were paying for could not be reached on their connection. They also promised to offer them a cheaper plan with a refund if that was the case,” ACCC chair Rod Sims said. “Instead, we allege, they failed to do these things, and as a result many consumers paid more for their NBN plans than they needed to.” The statements made by the telcos were on telco websites and emails from the start of April 2019 to the end of April 2020 for Telstra and TPG, and covering calendar year 2019 for Optus.

The investigation kicked off after Telstra self-reported parts of its conduct to the ACCC. “It is important that internet providers like Telstra, Optus and TPG give their customers accurate information so they can make an informed choice about the service that best suits their needs and budget,” Sims said. “We are pleased that Telstra, Optus and TPG have promised to compensate consumers even before the court case is finalised.”

The ACCC said it would be asking the court for orders including declarations, injunctions, pecuniary penalties, publication orders, and the implementation of compliance programs.

TPG said in a statement it would be “making things right” with its impacted customers who never received a maximum attainable speed notice. “For the oversight, we are sorry,” a company spokesperson said. “There were two key contributing factors to this issue. The first was failure by NBN Co to provide timely and accurate speed information to TPG Internet. The second was anomalies in TPG Internet’s legacy processes in place since 2017, and these have been fixed post-merger.” TPG added its intent was not to avoid obligations, and of its 2 million customers, “only a small percentage” did not receive information.

OAIC opens investigation into Optus White Pages privacy breach

The Office of the Australian Information Commissioner (OAIC) has opened an investigation into Optus, following concerns the company breached the data of individuals by publishing their information in the White Pages. The OAIC is investigating Singtel Optus Pty Ltd (Optus) under the Privacy Act 1988. It said the investigation follows preliminary inquiries by the OAIC into data breaches involving publication of Optus customer details in the White Pages, when individuals had asked for their details not to be published. “The public disclosure of personal information against the wishes of individuals may have the potential to cause harm,” it wrote.

In 2019, Optus confirmed that customer details were published on Sensis White Pages. Around 50,000 customers were told by the telco that their name, address, mobile, and home phone numbers were published. Optus at the time said around 40,000 were new customers who were already listed. “The majority of the affected customers’ details were already listed with Sensis prior to joining Optus,” a spokesperson told ZDNet at the time. “As a priority, Optus arranged for Sensis to remove customer details from their online website directory, operator-directory assistance, and any future printed editions of directories.” The company said it had “notified and apologised” to impacted customers. The breach was discovered by Optus during a routine audit of 10 million customers.

The OAIC accepted an enforceable undertaking from ARC Mercantile back in 2016 following a breach of personal customer data which occurred when an ARC employee posted a spreadsheet of customers owing money to Optus on Freelancer.com. “Optus takes the protection of customer data and privacy seriously,” an Optus spokeswoman told ZDNet in a statement at the time.

On Friday, Australian Information Commissioner and Privacy Commissioner Angelene Falk had her post extended for another three years. “Since her appointment in 2018, Ms Falk has effectively led the Office of the Australian Information Commissioner,” a statement from Australia’s Attorney-General said. “She has worked to increase the Australian public’s trust and confidence in the protection of personal information by promoting the understanding of privacy issues and effectively resolving privacy complaints and investigations.”

Canberra asks big tech to introduce detection capabilities in encrypted communication

The Australian government has prepared a set of draft rules that the likes of social media companies will have to adhere to if they want to provide a service down under. While failure to comply with reporting requirements could see a provider slapped with a AU$555,000 fine, the draft rules also build in encryption-busting expectations.

Australia’s eSafety Commissioner from January will have sweeping new powers afforded to her under the Online Safety Act 2020. Such powers include oversight of a new set of Basic Online Safety Expectations (BOSE) that sets out a series of demands for big tech.

These expectations [PDF] will apply to service providers including social media; “relevant electronic service of any kind”, such as messaging apps and games; and other designated internet services, such as websites.

Under the proposed Draft Online Safety (Basic Online Safety Expectations) Determination 2021, the provider would have to take reasonable steps to ensure safe use. This includes the “core” expectation that the provider of the service will take reasonable steps to ensure that end-users are able to use the service in a safe manner.

The provider is expected to minimise the availability of cyberbullying material targeted at an Australian child, cyber abuse material targeted at an Australian adult, a non-consensual intimate image of a person, class 1 material, material that promotes abhorrent violent conduct, material that incites abhorrent violent conduct, material that instructs in abhorrent violent conduct, and material that depicts abhorrent violent conduct.

The BOSE also carry additional expectations, such as that the provider of the service will take reasonable steps to proactively minimise the extent to which material or activity on the service is or may be unlawful or harmful.

Reasonable steps that could be taken, the document said, include the development or implementation of processes to detect, moderate, report, and remove material or activity on the service that is or may be unlawful or harmful.

In the case of a service or a component of a service, such as an online app or game, that is used by children, the company must ensure the default privacy and safety settings are robust and set to the most restrictive level.

The draft BOSE also designates that those involved in providing the service, such as employees or contractors, are trained in, and are expected to implement and promote, online safety. The company must also continually improve safety in its tech and ensure that assessments of safety risks and impacts are undertaken, and safety review processes are implemented, throughout the design, development, deployment, and post-deployment stages for the service.

The rules, however, as currently drafted, mandate that if the service uses encryption, the provider of the service will take reasonable steps to develop and implement processes to detect and address material or activity on the service that is or may be unlawful or harmful.

The government also wants providers to prevent anonymous accounts from being used to deal with material, or for activity, that is or may be unlawful or harmful. It proposes the service could have processes that prevent the same person from repeatedly using anonymous accounts to post material, or to engage in activity, that is unlawful or harmful, and introduce requirements to verify identity or ownership of accounts.

Australia’s eSafety Commissioner will have the power to order tech companies to report on how they are responding to these harms and issue fines of up to AU$555,000 for companies and AU$111,000 for individuals if they don’t respond.

Also provided under the legislative instrument are expectations regarding reports and complaints. The provider of the service will be required to have clear and readily identifiable mechanisms that enable end-users to report and make complaints about material provided on the service. The companies will be required to keep records of complaints or reports for five years.

eSafety will be backed to receive responses to information requests from providers within 30 days around complaints it has received, removal notice compliance, and measures the provider takes to make their space safe. The provider would also be required to appoint a designated contact for the purpose of the Act.

The Bill allows the responsible minister, currently Paul Fletcher, to determine the details of these expectations by legislative instrument. The minister may also determine that the expectations apply to specific services. As such, the government has prepared a consultation paper [PDF] and is accepting submissions until 15 October 2021.

Apple child abuse material scanning in iOS 15 draws fire
    On Friday, Apple revealed plans to tackle the issue of child abuse on its operating systems within the United States via updates to iOS 15, iPadOS 15, watchOS 8, and macOS Monterey. The most contentious component of Cupertino’s plans is its child sexual abuse material (CSAM) detection system. It will involve Apple devices matching images on the device against a list of known CSAM image hashes provided by the US National Center for Missing and Exploited Children (NCMEC) and other child safety organisations before an image is stored in iCloud. “Before an image is stored in iCloud Photos, an on-device matching process is performed for that image against the known CSAM hashes. This matching process is powered by a cryptographic technology called private set intersection, which determines if there is a match without revealing the result,” Apple said. “The device creates a cryptographic safety voucher that encodes the match result along with additional encrypted data about the image. This voucher is uploaded to iCloud Photos along with the image.” Once an unstated threshold is reached, Apple will manually look at the vouchers and review the metadata. If the company determines it is CSAM, the account will be disabled and a report sent to NCMEC. Cupertino said users will be able to appeal to have an account re-enabled. Apple is claiming its threshold will ensure “less than a one in one trillion chance per year of incorrectly flagging a given account”. The other pair of features Apple announced on Friday were having Siri and search provide warnings when a user searches for CSAM-related content, and using machine learning to warn children when they are about to view sexually explicit photos in iMessages.

    “When receiving this type of content, the photo will be blurred and the child will be warned, presented with helpful resources, and reassured it is okay if they do not want to view this photo. As an additional precaution, the child can also be told that, to make sure they are safe, their parents will get a message if they do view it,” Apple said. “Similar protections are available if a child attempts to send sexually explicit photos. The child will be warned before the photo is sent, and the parents can receive a message if the child chooses to send it.”
Plans labelled as a backdoor

Apple’s plans drew criticism over the weekend, with the Electronic Frontier Foundation labelling the features as a backdoor. “If you’ve spent any time following the Crypto Wars, you know what this means: Apple is planning to build a backdoor into its data storage system and its messaging system,” the EFF wrote. “Apple can explain at length how its technical implementation will preserve privacy and security in its proposed backdoor, but at the end of the day, even a thoroughly documented, carefully thought-out, and narrowly-scoped backdoor is still a backdoor.”

EFF warned that once the CSAM system was in place, changing the system to search for other sorts of content would be the next step. “That’s not a slippery slope; that’s a fully built system just waiting for external pressure to make the slightest change,” it said. “The abuse cases are easy to imagine: governments that outlaw homosexuality might require the classifier to be trained to restrict apparent LGBTQ+ content, or an authoritarian regime might demand the classifier be able to spot popular satirical images or protest flyers.”

The EFF added that with iMessage to begin scanning images sent and received, the communications platform was no longer end-to-end encrypted. “Apple and its proponents may argue that scanning before or after a message is encrypted or decrypted keeps the ‘end-to-end’ promise intact, but that would be semantic manoeuvring to cover up a tectonic shift in the company’s stance toward strong encryption,” the foundation said.

Head of WhatsApp Will Cathcart said the Facebook-owned platform would not be adopting Apple’s approach and would instead rely on users reporting material. “This is an Apple built and operated surveillance system that could very easily be used to scan private content for anything they or a government decides it wants to control. Countries where iPhones are sold will have different definitions on what is acceptable,” Cathcart said. The WhatsApp chief asked how the system would work in China, and what would happen once a spyware crew figured out how to exploit the system.

WhatsApp does scan unencrypted imagery — such as profile and group photos — for child abuse material. “We have additional technology to detect new, unknown CEI within this unencrypted information. We also use machine learning classifiers to both scan text surfaces, such as user profiles and group descriptions, and evaluate group information and behavior for suspected CEI sharing,” the company said.

Former Facebook CSO Alex Stamos said he was happy to see Apple taking responsibility for the impacts of its platform, but questioned the approach. “They both moved the ball forward technically while hurting the overall effort to find policy balance,” Stamos said. “One of the basic problems with Apple’s approach is that they seem desperate to avoid building a real trust and safety function for their communications products. There is no mechanism to report spam, death threats, hate speech, NCII, or any other kinds of abuse on iMessage.”

Instead of its “non-consensual scanning of local photos, and creating client-side ML that won’t provide a lot of real harm prevention”, Stamos said he would have preferred if Apple had robust reporting in iMessage, staffed a child safety team to investigate reports, and slowly rolled out client-side machine learning. The former Facebook security chief said he feared Apple had poisoned the well on client-side classifiers. “While the PRC has been invoked a lot, I expect that the UK Online Safety Bill and EU Digital Services Act were much more important to Apple’s considerations,” he said.

Whistleblower Edward Snowden accused Apple of deploying mass surveillance around the globe. “Make no mistake: if they can scan for kiddie porn today, they can scan for anything tomorrow,” he said. “They turned a trillion dollars of devices into iNarcs—without asking.”

Late on Friday, 9to5Mac reported on an internal memo from Apple that contained a note from NCMEC. “We know that the days to come will be filled with the screeching voices of the minority,” NCMEC reportedly said.

Developers, DevOps, and cybersecurity: The top tech talent employers are looking for now

    With more companies looking towards a digital-first approach to business going forward, demand for digital skills is on a sharp upwards trajectory. Finding developers, cybersecurity professionals and cloud migration experts is top of the agenda for many hiring managers as organisations look towards long-term growth and sustainability, following a period of rapid transformation.

The extent of this demand is reflected in a booming tech jobs market. According to CompTIA’s June 2021 European Tech Hiring Trends report, employers posted just shy of 900,000 ads for new tech roles in Q1 2021, representing a 40% increase compared to the third quarter of 2021. Software developers were listed as the most in-demand occupation category, accounting for almost 250,000 job ads posted in the quarter.

Developers wanted

The call for developers has been consistent throughout the pandemic, and is likely to present one of the biggest recruitment challenges for employers over the coming months. This was certainly true for 61% of respondents in a survey of 15,000 developers and HR managers by tech-hiring platform CodinGame, which offered a snapshot of the most in-demand development and programming skills among businesses in 2021.

CodinGame’s 2021 Developer Survey, which was conducted between October and December 2020, found that 64% of companies were looking to hire up to 50 developers in 2021. Others had even more ambitious recruitment targets: 14.4% said they planned to hire 50 to 100 developers, while 13.5% hope to recruit over 100 new developers over the course of 2021.

Going hand-in-hand with the increased demand for coders, knowledge of programming languages is also being sought by businesses undergoing digital transformation and launching new apps and digital platforms. The same survey from CodinGame found that JavaScript, Java and Python were the most important programming languages for employers, with close to 60% of respondents citing high demand for JavaScript and Java in particular. This makes sense, given the explosion of mobile and web apps since the start of the pandemic, and also supports CodinGame’s findings surrounding the demand for full-stack and back-end developers – Java remains the most popular language for building web application backends, after all.

Recruiters anticipate DevOps roles being particularly difficult to fill. The switch to remote working brought a sudden increase in demand for DevOps experts capable of managing organisations’ cloud infrastructure and helping companies migrate their services to the cloud. This trend is anticipated to continue throughout the course of the year, CodinGame found: 43% of survey respondents cited DevOps positions as their number one recruiting challenge in 2021, followed by back-end developers (41%), full-stack developers (41%), architects (33%) and software engineers (24%).

Software development meets operations

According to GitLab’s April 2021 Upskilling Enterprise DevOps Skills Report, DevOps skills are projected to grow 122% over the next five years, making it one of the fastest-growing skills in the workforce. In the US, there were over 300,000 job openings requesting DevOps skills in the past 12 months – and this demand is spreading rapidly across roles, organizations and industries.

This demand is also reflected in the UK, where employers have had to contend with a pre-existing digital skills shortage that has been made considerably worse by the combination of Brexit and COVID-19. Research published in June by recruiter Robert Half identified a 319.4% uptick in demand for DevOps skills over the 12 months to June as businesses continue to integrate software development with IT operations.

Robert Half’s research, which was gathered between April and May 2021, provided a more generalised overview of the skills needed by organizations in the second half of the year, and the roles hiring managers across various departments are most eager to fill. For chief information officers (CIOs) and chief technology officers (CTOs), the top five priority hires for H2 2021 are cloud engineers, front-end developers, business transformation specialists and database administrators, Robert Half found.
Interestingly, the results varied slightly when CIOs and CTOs were quizzed on their most important interim hires. In this instance, frontend developers topped the list, followed by cloud engineers, system security specialists, business intelligence specialists and network/system managers.

Software as a service (SaaS) skills and Python were also highlighted as speciality technical skills of increased importance to employers, with demand for these growing by 143.1% and 136.5% respectively. Once again, developers find themselves in a favourable position in the post-COVID jobs market. Phil Boden, senior manager at Robert Half, told ZDNet: “Across the board, we are seeing requests for candidates with demonstrable experience in Python, .NET, C# and PHP, while financial services firms are specifically looking for talent with a strong working knowledge of Java.”

A mixed picture

CompTIA’s Hiring Trends Report also reports high demand for Java and PHP, with the programming languages featuring 6th and 10th in the technical skills most cited in tech job postings.
Yet these languages come after more fundamental skills, such as “programming” (2nd), “businesses IT systems” (3rd), “IT system administration” (7th) and “[Microsoft] Office/spreadsheets”, which remains a near-universal entry requirement for jobs and was the number-one skill required by employers.

CompTIA notes that job postings “invariably align with the job roles employers are seeking to fill,” which helps explain variability in the importance placed on various skills within reports. However, it points out that nearly every technology job role shares a number of common skill threads: software, infrastructure, data and business applications are all represented, and employers “frequently expect some level of cybersecurity, data, cloud, project management, and related technical skills.”
The report reads: “At the skills level, summary analysis across all job postings for all tech job roles suggests employers tend to seek well-rounded candidates. This also reflects the ever-expanding nature of innovation, whereby new platforms, new coding languages, new hardware and devices, new data streams and new combinations of technology building blocks (think IoT) are a de facto part of the job for any technology professional.”

This also explains why cybersecurity is often not specifically listed in skills reports, despite the fact employers increasingly expect baseline IT security knowledge from workers. Take the UK, for example: according to the 2021 City and Guilds Skills Index published in June, job postings for “cybersecurity technician” in the country increased by a massive 19,222% between April 2020 and April 2021, whereas roles for “cybersecurity engineer” grew by 292%. This compares to 312% growth in ads for “full-stack developer” during the same period, and a 184% increase in job postings for “Azure architect”.

Cybersecurity above all?

Demand for cybersecurity pros is by no means localised to the UK. A report by Harvey Nash and KPMG in September 2020 identified a huge demand for cyber professionals globally, with cybersecurity skills cited as the most in-demand skill by more than a third (35%) of the 4,200 IT professionals surveyed.

    This demand has continued into 2021. According to Harvey Nash’s 2021 Tech Salary and Hot Skills report, published June 2021, cybersecurity remains the number one skill for employers in the UK (31%) and the US (36%). “Demand has increased throughout the pandemic as security specialists have been required to play the key role of keeping businesses protected during the unprecedented challenges of moving to mass homeworking,” Harvey Nash CEO Bev White told ZDNet.

    Drilling down into the types of roles businesses are hiring for, ethical hackers, information security analysts, chief information security officers (CISOs) and cybersecurity consultants all feature prominently, Harvey Nash found.

    Alongside IT security, employers also seek cloud and data/analytics expertise, again reflecting the demands of changing business needs as digital transformation accelerates and more businesses make the wholesale shift towards remote working.

    Among the cloud-specific roles companies are hiring for, Harvey Nash identified strong demand for “cloud architect”, “cloud engineer”, “cloud security specialist”, “DevOps engineer” and “Amazon Web Services specialist”.

    “Organisations are maturing beyond simply moving software online and becoming more sophisticated in how they deploy and exploit their online assets, for instance through distributed cloud, edge computing and marketplace platforms,” Harvey Nash said.

    Data everywhere

    Within the data and analytics realm, companies are particularly eager to fill roles including “data analyst”, “data scientist”, “data engineer” and “business intelligence analyst”, Harvey Nash found.

    “The skills driving transformation are the ones that are focused on the customer, as well as those that stitch together the ever-increasing array of technologies and platforms,” said White. “On the customer side we are seeing increasing demand for UX experts, as well as digital experts with strong customer-facing and product development skills. On the technical side we are seeing an increase in demand for architects with a strong focus on cloud platforms.”

    Demand for more niche skills is also beginning to emerge as businesses digitize, particularly those related to automation and artificial intelligence/machine learning technologies.

    Gathering the data businesses need to inform the next steps of their transformation journey is one thing; making sense of it and putting it to use is quite another. Organizational change management (27%), enterprise architecture (23%), technical architecture (22%) and advanced analytics (22%) were also identified as skills facing shortages in the 2020 Harvey Nash/KPMG CIO Survey.

    Outlook

    The digital skills deficit is not a new problem for businesses, but it is one that has been made significantly more urgent by COVID-19. Digitization efforts may have put many companies in a better position to tackle the challenges of an increasingly data-driven economy, but they have also driven further demand for tech workers with the skills needed to see these plans through, as well as to keep driving them forward.

    Employers face a problem here: at the same time as demand for technology workers is on the rise, the pool of available talent is quickly shrinking. Software developers, cloud engineers, DevOps professionals and cybersecurity technicians are all needed to build, maintain and protect businesses as they move towards the next steps of their transformation journeys, which have been accelerated by the global pandemic.

    In order to meet their increasingly complex technical needs, businesses will need to become experts at both attracting and retaining this talent in an increasingly competitive jobs marketplace, as well as levelling up their existing employees with the skills they need to develop at pace. While this may not completely compensate for the shortage of tech talent, it will go some way to addressing the widening skills gap in a time of rapid digital innovation.


    Legacy IT: Saving money by holding onto old tech is costing us all billions

    Nearly half the money the UK is spending on IT goes on supporting legacy IT systems, to the tune of £2.3bn a year. That sum amounts to about half of the £4.7bn central government spent on tech in 2019, according to a new report from the Cabinet Office that highlights the cost of maintaining legacy systems, or ‘keeping the lights on’.

    “A recent analysis by government security indicates that almost 50% of current government IT spend (£2.3b out of a total central Government spend of £4.7bn in 2019) is dedicated to “keeping the lights on” activity on outdated legacy systems, with an estimated £13-22bn risk over the coming five years,” the report notes.

    As the report highlights, the technical debt that taxpayers are lumbered with includes important operational services provided by out-of-date legacy systems, often built on obsolete technical platforms or using programming languages that are no longer widely supported.

    Beyond cost, the report acknowledges increased cybersecurity risk and an inability to introduce new government services, because “worthy but dull” upkeep is more attractive than risking spend on new IT systems. “Some departmental services fail to meet even the minimum cybersecurity standards, and the inability to extract usable data from these legacy systems,” the study notes.

    It also singles out the Home Office, which has the biggest tech budget, noting it has “not been able to retire any of their twelve large operational legacy systems.”

    The report comes as the National Cyber Security Centre (NCSC), a part of spy agency GCHQ, has raised alarm bells over ransomware and data breaches. Recently appointed NCSC CEO Lindy Cameron in May called on boards to promote CISOs to the same level as top legal counsel and finance officers following recent software supply chain attacks.

    The UK is also taking a stab at boosting government online services through the new Government Digital Service (GDS) department, which is looking to improve online tax return services. The UK still hasn’t figured out how to implement something like Sweden’s BankID system, which provides an effective nationwide web- and smartphone-based identity scheme through the nation’s banks that is used to sign payments and sign in to the websites of telcos, all government agencies, and even small businesses.

    The report calls out agencies for not having a systematic way of reviewing operational metrics, such as uptime, the number of attempted cyberattacks, and system efficiency. Surveys with agency digital chiefs also turned up procurement problems and “frustration around the level of duplication” and a lack of information-sharing between departments. And the government’s efforts towards gathering data for better decision-making are largely being wasted. “Our investigations suggest that many government departments are investing significant sums in collecting and storing often very large datasets but making little use of this data to influence action of decision making,” it notes.


    Washington D.C. and Singapore top the list for 10 best cities for cybersecurity experts

    Across the globe, competition for cybersecurity IT professionals is high and salaries are competitive, but demand and cost of living mean that some cities are better than others.

    An analysis by Techshielder found that Washington D.C. and Singapore offer the best opportunities in terms of job openings, salary, and cost of living. London was ranked number eight because of its high cost of living and relatively low salaries. Berlin ranked number three, gaining points because of a low cost of living and good salaries. Luxembourg pays the highest salaries at $154,000 but has low job availability. London and Tokyo both pay about the same in salaries, $111,000, but Tokyo scores bottom of the list at number 10 because it has much lower job availability, despite a lower cost of living compared with London.

    Techshielder identified four key cybersecurity skills that are in high demand. These are: understanding how to protect networks; understanding threat intelligence; being able to apply data security regulations enforced by US and European agencies; and cloud expertise, meaning knowing how to protect cloud-based IT systems.

    Lasse Walstad, cofounder at Techshielder, notes that, “The cities we mentioned aren’t the only places, however, they do represent the best opportunities that await cybersecurity professionals.”

    Salaries are in British pounds and I converted the above quoted salaries at $1.35 to one pound sterling.

    StarHub suffers data breach, but says no system was compromised

    StarHub says personal data of its customers, including email addresses and mobile numbers, have been found on a dump site. The Singapore telco, however, insists none of its customer databases or data systems has been breached.

    The data breach was discovered during a “proactive online surveillance” on July 6 by its cybersecurity team, StarHub said in a statement late Friday unveiling the breach. On its website informing customers of the incident, the telco said it needed “time” to investigate the incident and assess the impact before confirming the breach publicly. The relevant authorities, however, were informed of the breach.

    According to its statement to local media, StarHub said an illegally uploaded file containing the leaked data was found on a third-party data dump website. It added that the information appeared to date back to 2007.

    The file contained mobile numbers, email addresses, and identity card numbers of 57,191 customers who had subscribed to StarHub’s services before 2007, it said. Apart from broadband and mobile, the telco also offers pay TV services in Singapore. All affected customers were from its consumer business, it said.

    When asked, a StarHub spokesperson would not say which of its customers were impacted or how many of these were existing customers. She also declined to reveal how often it conducted its online surveillance, citing “security considerations”, saying only that the telco conducted such activities “regularly”. She would not provide details when asked if the telco had determined the cause of the breach, saying only that there currently were no indications of compromise on its existing systems.

    According to StarHub, no credit card or bank account details were breached, and there currently were “no indication” the leaked data had been “maliciously misused”. It also noted that none of the company’s “information systems or customer database” was compromised. On its website, it said its investigation into the breach “verified the integrity of our network infrastructure”.

    The telco said an incident management team was assessing the breach and digital forensic and cybersecurity consultants were investigating the incident.

    The telco said it had begun “progressively notifying” affected customers via email and was offering six months of complimentary credit monitoring services through Credit Bureau Singapore, to track if any data might be used inappropriately. The service monitors subscribers’ credit reports and notifies them of various predetermined activities, including when enquiries are made on their credit file and if default records have been updated. StarHub said it expected to take two weeks to notify all affected customers. It also noted that it “attempted” to have the data file removed from the dump site, but did not say if it succeeded in doing so.

    StarHub CEO Nikhil Eapen said in the statement: “Data security and customer privacy are serious matters for StarHub, and I apologise for the concern this incident may be causing our affected customers. We will be transparent and will keep our customers updated.”

    “We are actively reviewing current protection measures and controls in order to implement and accelerate long-term security improvements,” Eapen said.

    StarHub just yesterday announced its second quarter earnings, saying it clocked a 7.3% year-on-year climb in revenue to SG$486.7 million ($360.26 million).