Memorandum submitted by the Foundation for Information Policy Research (SAGE 26)
The Foundation for Information Policy Research
(FIPR) is an independent body that studies the interaction between
information technology and society. Its goal is to identify technical
developments with significant social impact, commission and undertake
research into public policy alternatives, and promote public understanding
and dialogue between technologists and policy-makers in the UK
and Europe.
FIPR's relevant expertise lies in cyber security
and security economics, so we will confine our remarks to these
fields.
1. The risks of cyber-attacks on national infrastructure
by state opponents are currently being hyped vigorously, especially
in the USA, where the NSA is pushing for budget and control aided
by lobbying from a number of vendors. The risks may be smaller
than these enthusiasts would have them, but they are not
zero and they will increase over time. As for targets, it is often
said that electric power would be a target. It may become a target
eventually (especially if we all get smart meters with a remote
off-switch), but at present our generation, transmission and distribution
assets use such a diversity of old systems that a capable motivated
opponent would be better off doing what the IRA tried to do in
1996 (blow up three Supergrid substations). As it happens there
is some UK research on control system security; see for example
"Who Controls the Off Switch?".[50]
2. The government's Chief Scientific Advisor
John Beddington FRS has recently run a "Blackett Review"
of cyber security, by an ad-hoc committee. This is supposed to
feed in to national security strategy.
3. Scientific research on cyber-security is a
vigorous field with a competitive research community whose results
are widely disseminated. It would be helpful if researchers had
access to more data; for example, very few EU member states publish
bank fraud statistics. (The UK is one of the exceptions.)
4. The many problems facing government defensive
efforts in cyberspace include (a) almost all critical national
infrastructure assets are in private hands (b) the UK is a small
player in a globalised world (c) the UK public sector is not very
competent at IT and (d) departments and agencies pay little attention
to research, getting their advice second-hand or third-hand through
consultancies or CESG. Coordination with industry is poor; it
is hampered both by tensions between ISPs and government departments
(over issues from file-sharing to interception modernisation)
and by the fact that the two agencies principally involved in
defence (CPNI and CESG) are part of the intelligence community.
Many of the real experts in academia and industry refuse to get
a security clearance, because of the toxic effects on international
collaboration, academic publication and the free exchange of information.
The UK badly needs a cyber-security capability outside the world
of defence and intelligence, as NIST provides in the USA. Two
members of FIPR's Advisory Council (Richard Clayton and Ross Anderson)
are involved in an EPSRC-funded project to try to establish such
a capability at NPL. (This is really just re-establishing a capability
that existed there in the 1980s and early 1990s.)
5. Better international cooperation is critical.
We wrote a report about this for the European Network and Information
Security Agency: "Security Economics and the Internal Market"[51]
which we commend to the Committee. The cooperation has to start
with cybercrime. This now probably accounts for the majority of
acquisitive crime by number of incidents reported by victims (over
two million a year versus about one million for burglaries and
thefts of and from vehicles, if you believe the British Crime
Survey). The police mostly consider it "too hard" to
tackle high-volume low-value international offences. But so long
as that swamp continues to grow, it will continue to attract national
intelligence agencies. The cyber underworld provides hacking tools,
proxies, botnets and other wicked services that enable targeted
attacks to be carried out on key companies and individuals. Intelligence
agencies can either use hacker gangs as mercenaries to carry out
such attacks, thus providing some deniability, or can simply use
criminal tools and methods. This is not fundamentally new; an
intelligence agent wishing to bug a target's house could either
engage a burglar to do the job, or pretend to be a common burglar
if caught. However, the lack of effective police action against
cyber-criminals makes things much easier for hostile nation states
and substate groups. We made some suggestions in our report as
to how police cooperation could be improved. But the intel/defence
tension always remains: if it's convenient for GCHQ's offensive
operations for the Internet to remain a swamp, and convenient
for the defensive operations of CESG and CPNI that it should be
drained, who will prevail?
We hope that the Committee will find these remarks
helpful.
Professor Ross Anderson
FRS FREng
Chairman
Foundation for Information Policy Research
14 September 2010
[50] RJ Anderson, S Fuloria, "Who Controls the Off Switch?", IEEE SmartGridComm 2010, http://www.cl.cam.ac.uk/~rja14/Papers/meters-offswitch.pdf
[51] "Security Economics and the Internal Market", http://www.cl.cam.ac.uk/~rja14/Papers/enisa-short.pdf