The UK government’s Digital Strategy^[i] is a “vision for harnessing digital transformation and building a more inclusive, competitive and innovative digital economy.” It implicitly assumes that the enabling conditions such as resilient digital systems are in place and therefore the Digital Strategy can be pursued on a firm basis.

We first started to think about the economic and societal risks from software failure in 2020^[ii]. The first article^[iii] in this present series, based on a BCS Working Group’s report^[iv], was about digital resilience. It identified the inability of digital systems to provide reliable ongoing service to users today.

Digital systems use physical infrastructure, algorithms, data and software. We know that physical networks underpinning the internet are vulnerable - the deliberate cutting of a single undersea cable could cripple the internet^[v]. An analogy could be the blocking of the Suez Canal by a single container ship for several days^[vi]. We know that interconnected digital systems can crash the global economy through cumulative and catalytic processes – as in sub-prime mortgages^[vii]. We know that one of the side effects of social media has been to deepen divides^[viii] as we communicate with those “like us”. We know that over half of all adults in the UK have no faith in the use of AI algorithms used to make decisions about them^[ix], and that many AI applications lock in ethnic or gender bias in recruitment^[x]. Society has created algorithms for digital systems which in many ways reflect our (pre-digital) behaviour and assumptions.

This Pamphleteer is not about the behaviour and assumptions built into algorithms, or about physical or data security. It is about the software that implements all digital services. Software, we argue, is different.

Without fanfare, software is now everywhere. Services that were based on hardware - from automotive controls to telecoms networks - are now software based^[xi]. Local Councils deliver many services via software, as do doctors’ surgeries.

Software failures are estimated to cost the UK economy at least £12BN pa. This is nearly as much as road accidents^[xii]. While there are ongoing exercises to reduce the number and cost of road accidents, there are no comparable national efforts to reduce the economic and social cost of software failures. This could be because the costs are widely dispersed across users. Whether the users are individuals or organisations or both, dispersion makes the costs difficult to measure.

Most organisations rely for their operation on software that is outside their control, as for electricity or telecoms. This means for instance they use bought in components (Commercial Off the Shelf Software, COTS), and/or Open Source software, and/or Software as a Service. There is no widely used rating system for software. So organisations are flying blind in terms of what they can expect in terms of the reliability and resilience of the digital systems that they depend on. Software has become a utility but it is not managed as such.

Technological and societal trends are making the situation worse.

The main technological trend is of complexity, arising from interactions between modules, and their frequency and intensity. This makes consequences of failure difficult to model. It leaves the software landscape open to cyber-attacks and untargeted infections. Meanwhile, the Internet of Things (IoT) is becoming the Internet of Everything (IoE) – with ubiquitous software. Smart Cities^[xiii] are highly interconnected. This makes it difficult to model the cause and effect of software failures, or the social and economic impact due to software failures. Systems are often implemented on a standard blueprint^[xiv], so that vulnerabilities are replicated. The analogy is with 2008, when similarly designed and interconnected financial systems crashed the global economy.

Societal trends are towards speed-to-business approaches^[xv] to writing software which take precedence over considerations of risk and maintenance. In applications such as gaming, there are few societal or economic effects from system failures during early use (testing) by the user community. In other applications such as booking of medical appointments or traffic control, software failure can have life-threatening effects.

The dependence of our economy and society on digitalisation has been increasing gradually. It was accelerated by the Covid-19 pandemic and has not decreased as it recedes. This dependence has not been accompanied by an understanding of the associated risks.

There is an analogy with global warming. Climate scientists warned for many years of extreme weather events which would be caused by global warming, and of their economic and social impact. Now, IT experts are warning of complexity, arising from interactions between modules, and their frequency and intensity. Most organisations now have started to think about global warming. But many organisations seem to be unaware and unprepared for software failure.

It is the elephant in the room.

The BCS (which was originally called the British Computer Society) and the National Preparedness Commission held a Roundtable on Software Risk and Resilience on 15th November in London. The authors invite expressions of interest in the ensuing report, which will discuss ways in which organisations can reduce software risk and increase their resilience.

The authors are presenting a webinar on Software Risk and Resilience in the z/yen series on 23rd November. Please sign up here to discuss these ideas further https://fsclub.zyen.com/events/all-events/the-elephant-in-the-room-software-risk-digital-resilience/.

Gill Ringland and Professor Ed Steinmueller 14th November 2022.

References

[i] UK's Digital Strategy - GOV.UK (www.gov.uk)

[ii] https://www.longfinance.net/news/pamphleteers/global-risks-is-software-the-vlieg-in-de-soep/

[iii] https://www.longfinance.net/news/pamphleteers/digitalisation-risk-and-resilience/

[iv] https://www.bcs.org/media/9679/itlf-software-risk-resilience.pdf

[v] https://www.wired.co.uk/article/submarine-internet-cables-egypt

[vi] https://www.bbc.co.uk/news/business-56559073

[vii] https://blogs.lse.ac.uk/politicsandpolicy/systemic-risk-was-the-real-culprit-in-the-2008-financial-crisis-and-with-banks-continuing-to-borrow-huge-amounts-the-dangers-are-still-there/

[viii] https://www.aspeninstitute.org/blog-posts/social-media-divides-us/

[ix] https://www.bcs.org/articles-opinion-and-research/open-letter-to-the-new-prime-minister-rishi-sunak-from-rashik-parmer-bcs-ceo/

[x] https://www.euronews.com/next/2022/03/08/gender-bias-in-recruitment-how-ai-hiring-tools-are-hindering-women-s-careers

[xi] For instance 4G networks were implemented in hardware, 5G is software based.

[xii] https://www.bcs.org/media/9679/itlf-software-risk-resilience.pdf

[xiii] https://www.idb.org/what-are-the-cybersecurity-risks-for-smart-cities/

[xiv]https://www.theiotintegrator.com/smart-city/a-blueprint-for-smart-communities-understanding-the-municipal-iot

[xv] Agile definition in https://www.bcs.org/media/9679/itlf-software-risk-resilience.pdf