Digitalisation is in the news. Recent topics include whether Google’s LaMDA system shows sentience^[1], and on the legal and other issues raised when robots or AI systems have agency^[2], that is make decisions which cannot be checked by humans. There has also been a flurry of articles on the lack of physical social interaction among children and the rise in mental health issues in children during the same period^[3].

People are increasingly dependent on digital systems, and digitalisation is clearly changing many aspects of life. Legal structures and other forms of regulation are lagging, as are many systems and processes: the proposal from the European Parliament that “In the long-term, the possibility of creating a specific legal status of “electronic persons” for the most sophisticated autonomous robots, so as to clarify responsibility in cases of damage, should also be considered”^[4] reflects concern over autonomous vehicles. Risks from digital systems are a whole new ballpark: for instance, accountability concepts are difficult to transfer from pre-digital times^[5]. Traditional ways of managing those risks seem unlikely to succeed, even though some of the risks may at first seem familiar.

This is the first in a series of articles in which we examine this new digital risk landscape. This article is about digital resilience, the ability of digital systems to provide an ongoing service to users, and the risks that accompany it if our digital systems are not fit for purpose.

It is difficult to measure the resilience of individual digital systems. The ICO^[6] has defined a framework for registered data service providers to report breaches in the service they supply - it is if one or more of the following occur:

• Availability: service was unavailable for more than 750,000 user-hours.
• Integrity, authenticity, or confidentiality: loss affecting more than 15,000 users in the UK.
• Risk: to public safety, public security, or of loss of life.
• Material damage: to at least one user exceeding £850,000.

We cannot find any publicly available statistics for the UK gathered within this framework. The Consortium for Information and Software Quality^[7] – has estimated the costs of software failure to the US economy. Based on comparison of the UK economy to the US economy, we estimate that the annual cost to the UK economy of software failure could be about £30 bn. This compares with cost of road accidents of about £15 bn^[8]. How does this cost manifest itself? It is a cost borne by organisations, the public and private sector, and individuals, rather than the software or hardware supplier. It is manifested in one of three ways which are qualitatively different ^[9] e.g.

• Interruptions that cause minutes of disruption such as those that require restarting a programme with few or no effects on data integrity, but inconvenience to the end user: these would not be tracked in the ICO framework;
• System interruptions that halt operations for hours and that involve significant repair and restoration costs, with costs to the organisation and end user: these could be tracked in the ICO framework;
• System collapse that requires substantial rebuilding of data or other system elements or that create substantial harm in other systems (such as power outages on an electrical grid). These would be tracked by the ICO framework.

From our own experience, the frequency of breaks in the first category appears to be increasing. This could be because organisations that have not historically provided digital services are now doing so. For instance, in the NHS, GP’s surgeries and other providers use a range of online platforms. Schools and universities are likely to continue to use virtual teaching environments, even after pandemic fears subside. Local government has moved to online council tax collection. The railways are planning a move to close ticket offices and rely on more online purchasing. And so on. This has often been without consideration of access for those without good internet access, a recent phone or computer, and a printer, which is raising many concerns about increasing inequality. But our concern here is the level of service to those who do have adequate personal IT.

We ask whether interruptions in service of the first category are not insidiously making our lives less convenient, also less productive and less safe? We certainly would not accept from our cars the level of resilience that digital systems are currently providing to us. One example of inconvenience from an interruption in digital service: Microsoft frequently down-loads updates to its software. These are not voluntary: the end user cannot refuse them. They can take so long to download that line faults on residential phone lines cause them to hang part way through and freeze the end user’s system. The system then needs expert help to unlock. And other upgrades make printers obsolete, by not supporting them. Might the number of user hours lost in aggregate, reach the ICO totals so as requiring reporting? It is difficult to measure impacts across end users. Perhaps a Drake equation type of approach^[10] in which the numbers are large and imprecise, but provide an order of magnitude, is helpful: if 100,000 users all suffered an hour’s lost work even at, say, the minimum wage of £9.50 per hour, the total cost already exceeds the ICO £850,000 threshold for material damage – and many outages could exceed the 750,000 user-hours threshold.

Discussions of cost of service breaks on productivity are often framed in terms of the cost to the organisation operating the system^[11], as in “33% (of organisations with more than 1000 employees) reported that one hour of downtime costs their business between $1 million and $5 million”. Examples of lack of productivity for end users from an interruption in digital service^[12] were highlighted during the early stages of the Covid-19 pandemic, as one survey reported that users struggled with poor connectivity (which 34% of respondents reported) and encountered service breaks when trying to access work files from home, an issue flagged by 22% of participants: more than half of those working on personal devices (58%) said they were having to store business information on them as a result, which could potentially pose a security risk as well as reducing productivity, as data lost synchronisation across departments or teams.

A major example in the UK over this summer has been the hit to the convenience and productivity of individuals as they wrestle with the effects of broken software and hardware systems in the travel industry, particularly those operated by airlines and their ground infrastructure^[13]. While the headlines have been of holidays cancelled and drama at the airports, for many people the inability to access information has also been stressful and time consuming. Chris Yapp^[14] has discussed “whose productivity” in a service economy, using examples from his perspective as an end user.

And finally, making our lives less safe – the obvious example is the inability of many network services to scale up to meet peak demand. When there is any sort of incident, a major pile up on a motorway for instance, networks are often unable to cope with the extra traffic. This is at a time when users have urgent need to communicate. About three quarters of network failures are due to hardware or software failures rather than power outages or natural phenomena^[15]. This means that emergency services are many times more likely to be inaccessible to those in need^[16]: the cost can often be measured in loss of life.

The question we asked at the beginning – are digital systems fit for purpose – raises issues of system design, end user support as well as resilience, and increased risk. System design is the province of IT professionals. End user support is often the province of customer service or marketing. We think that resilience – the ability of digital systems to provide an ongoing service to users – will be of increasing utility to the board and owners of organisations, and to governments wishing to manage digital risks, as the economy tries to recover.

We plan to keep discussing areas of digital risk, in later Pamphleteers blogs.

References

[1] Susskind, Jamie, Rights of the robots: the new laws we need before AI takes over, Sunday Times, 19th June 2022

[2] Agency is defined as the ability to choose what action to take.

[3] Harford, Tim, The high price society pays for social media, FT Magazine, 18th June 2022.

[4]https://www.europarl.europa.eu/news/en/press-room/20170110IPR57613/robots-legal-affairs-committee-calls-for-eu-wide-rules

[5] https://www.apc.org/en/blog/inside-digital-society-digital-accountability

[6] https://ico.org.uk/for-organisations/the-guide-to-nis/incident-reporting/#Incident-4

[7] https://www.it-cisq.org/

[8]https://www.fonsecalaw.co.uk/blog/patricks-blog/2014/10/22/the-cost-of-road-traffic-accidents-in-the-uk#:~:text=The%20cost%20of%20road%20traffic%20accidents%20in%20the,and%20property%20damage%2C%20police%20costs%20and%20insurance%20costs.

[9] https://fsclub.zyen.com/events/all-events/journey-operational-resilience/

[10] https://en.wikipedia.org/wiki/Drake_equation

[11] https://www.catapultsystems.com/blogs/lost-productivity-as-a-result-of-an-outage/

[12] https://www.computerweekly.com/news/252482043/Coronavirus-Remote-workers-air-long-term-productivity-concerns-over-home-working-tech

[13] https://www.shropshirestar.com/news/uk-news/2022/05/26/software-failure-grounds-200-easyjet-flights/

[14] https://www.longfinance.net/news/pamphleteers/productivity-service-economy/

[15] https://www.enisa.europa.eu/news/enisa-news/169-telecom-incidents-reported-extreme-weather-major-factor

[16] https://www.computerworld.com/article/3412197/top-software-failures-in-recent-history.html#slide30