Malware and cyber crime - Science and Technology Committee Contents

3 Defences against cyber crime

48.  From the evidence we have received it is clear that there is no easy technological answer to cyber crime. We have also been told that hardware solutions are likely to unduly restrict computer users in their activities while software solutions require constant updating and a more advanced understanding of the technology to be truly effective. Initiatives such as digital identities could improve general security but unless there was a way of ensuring that those identities could be used universally across applications and services this would not make life easier for users of the internet. In fact, such an approach has a single point of failure, which could lead to a single security breach with a greater impact on the user.[69] Determined criminals will circumvent the strongest automatic defences.

49.  The Government 'digital by default' policy will increasingly require those in receipt of Government benefits and services to access these online. We are concerned that this policy may increase the number of users online who lack the means to afford the best equipment or anti-virus software, or the level of knowledge to understand what is necessary to remain secure. We accept that the Government's digital identity assurance scheme, as outlined in the Minister's supplementary evidence, is designed to provide security in accessing those services. However, we also have concerns that the scheme will be of greater use in protecting the Government against welfare fraud than the individual user against crime.

50.  For individual computer users, cyber crime is most likely to occur through casual infections and unfortunate happenstance. We have been told that the best defence against this kind of crime is more knowledgeable computer users[70] and that 80% of protection against cyber-attack is routine IT hygiene.[71]

There is a balance to be struck in terms of encouraging technology usage without engendering over-reliance upon it. While users should be expected to have protection, they should not be lulled into a false belief that it will solve all their problems. Technology needs to be understood in the wider context of safe online behaviour.[72]

51.  One problem is that the technology is being approached as just another consumer appliance 'like a video machine or a Skybox' which comes with 'a series of services'.[73] There is little interest among consumers in how computers work or in understanding the principles of how those computers connect with the internet.[74]

52.  That lack of interest is reflected in poor awareness of personal online security:

findings from a 2007 survey of 378 US homes by McAfee and National Cyber Security Alliance (in which users were asked about the safeguards they believed were on their PCs, and the systems were then scanned to check the reality) revealed that while 92% believed their antivirus was up-to-date, only 51% had [updated their database] within the previous week.[75]

Meeting the need for better products and services

53.  Information submitted to us by Kaspersky and the University of Plymouth also indicated that, even when security products were installed, those products are often not easy to use without more technical knowledge than the average computer user might be expected to possess:

as illustrated by these quotes from end-users interviewed in a Plymouth University study[76]: [1] "The antivirus programs are really difficult to use, annoying because you try to access something and you get too many pop up messages, they drive you crazy, with warnings and warnings and allow or not allow"; [2] "I feel now annoyed because of the problems that (AV software) caused me. I'm a bit worried because when my laptop gets stuck my mind goes straight away maybe it's a virus, maybe it's a Trojan horse, maybe it's a worm, you know, and then I don't know what to do and sometimes I feel insecure".[77]

54.  Furthermore, internet security products struggle to keep up with the development of malware. Dr Richard Clayton monitored the performance of internet security software against a new malware variant:

It was tested at 16:54 (90 minutes after the criminals stopped deploying it) and by that time it was detected by only seven of 44 anti-virus products; and those seven did not include any of the top three products by market share. Even 24 hours later, only 11 products reported this particular malware sample to be bad.[78]

Given the enormous number of users online, a window of twenty-four hours in updating internet security software potentially exposes a huge number of users to infection by malware.

55.  Stop Badware proposed a number of ways in which the computer industry could supplement standard security software and improve consumer knowledge:

  • Web hosting providers could help protect customers' websites from becoming compromised by malware.
  • Software vendors could design sensible security defaults and automatic update mechanisms into operating systems and applications.
  • Technology industry players could collaborate on common messaging and security standards to reduce end user confusion.
  • ISPs could notify customers whose devices exhibit malware behaviour and direct those customers to educational content and support resources.[79]

56.  We note the commitments made in the Cyber Security Strategy that the Government will work, in partnership with industry, to improve consumer awareness. However, we also note that the Stop Badware recommendations would require a higher level of co-operation between various parts of the IT industry than is evident in the Strategy. The growing incidence of malware and the fact that a very high proportion of the population are online provide scope for fraud and theft on a massive scale. Just as vehicle manufacturers have been required to treat vehicle security more seriously in recent years, with a huge impact on the incidence of theft of and from vehicles, there is no reason why the IT industry should not shoulder greater responsibility for the security of its property. This does not reduce the need for individuals to be properly informed so that they have greater understanding and control over the risks they face. There needs to be a partnership between industry and customer.

57.  It would be possible to impose statutory safety standards on software sold within the EU, similar to those imposed on vehicle manufacturers, but we would prefer a solution based on self-regulation. However, the industry must demonstrate that any proposed solution would be an effective way forward and that voluntary commitments would provide sufficient incentive for the industry to improve security in a fast-moving competitive marketplace. In the event that the industry cannot demonstrate an effective self-regulatory model, we recommend that the Government investigate the potential for imposing statutory safety standards.

Better informed consumer

58.  The internet is not lacking in information for computer users about internet security. However, much of that information is technical or jargon-filled. It is hard to identify reliable information and some information may actually be provided by malware producers seeking to infect more computers. Even among reputable websites there is a lack of co-ordination: Richard Clayton told us that there was 'a wide range of websites, and, if you collect all of their top 10 tips, you can get a list of 100 or more good things you should do. It shows how complicated this area is'.[80]

59.  One resource that has been repeatedly suggested has been the Get Safe Online website. However, there was a consensus among our witnesses that the general awareness of computer users about this resource could be better. Professor Sommer highlighted the problems faced by the website:

The trouble is that it is not well resourced; it is a bit of a gesture. It is run by a former police officer whom I have known for years. But it is a virtual organisation, with no premises, and it does not have people permanently in London ready to produce instant comments for the press because the website is generic and does not necessarily always reflect the latest range of risks.[81]

60.  Written evidence from the Home Office gave us an insight into how the Government intended to improve public awareness:

Much has been done to raise awareness of online threats, including through the website Get Safe Online. We will build on that initiative and others by developing a single Government portal for the provision of advice on internet safety to the public and businesses. We will ensure that the information gathered by law enforcement and the private sector which might help internet users is shared. We will drive this by making sure that every Government website, as well as DirectGov, contains a link to this safety information.[82]

The Minister indicated that this would be achieved through an upgrading of the Get Safe Online site rather than the establishment of a new site.[83]

61.  We recommend that the Government invest in the Get Safe Online site to ensure that it integrates all of the relevant organisations necessary to provide a single authoritative source on which computer users could rely. We also recommend a prolonged public awareness campaign to raise awareness of the issue of personal online security and the presence of the website to achieve the best possible information level among all computer users.

62.  We agree with the Government that effort is needed to raise awareness of the advice available on the Get Safe Online website. We expect the joint action plan mentioned in the Cyber Security Strategy to provide details of what will be done to raise awareness. Moreover, the Government should persuade private industry to cross-promote Get Safe Online. Television coverage is crucial to give the safety message the widest possible exposure. We also recommend that all government websites should point towards Get Safe Online and feature security updates from the Get Safe Online website.

63.  During our oral evidence it became apparent to us that there was a simple mechanism that could be put in place relatively quickly and easily.[84] The threat of malware and cyber crime is intrinsically linked to the acquisition of electronic goods that permit access to the internet. At this point of contact between retailer and consumer there is an opportunity to provide information on the dangers of the internet and the basic precautions that should be taken to avoid them.

64.  The Minister indicated that he would be willing to discuss, with business, efficient and effective ways of providing consumers with advice on internet safety.[85] Bricks-and-mortar shops should be able to provide hard copies of this advice, while confirmation emails for online sales could be accompanied by a direct link to online advice. We recommend that the Government require that access to Get Safe Online advice is provided, by vendors, with every device capable of accessing the internet.

65.  Any victim of cyber crime should be able to work through the site to find the relevant authorities or trusted service providers and information they need to address the problems caused by malware and to understand what needs to be done to remedy their situation. Action Fraud, PhonepayPlus, the police e-crime unit and so on should integrate information to improve cross-fertilisation and help ensure that users do not need to understand which organisation is relevant to their problem to gain the information and assistance they require.

66.  The purchase of computers and other technology that can access the internet is rarely accompanied by information about how to remain safe online. The purchase of services from an internet service provider (ISP) is more often accompanied by a description of the delights that the internet could provide rather than a list of the housekeeping necessary to maintain personal security when online. The purchase of software is more likely to be guided by features and price rather than any consideration of how secure the product might be.

67.  We agree with the Government's aim of providing more information to the public and small businesses that might aid them in making informed decisions about hardware, software and services that lead to more secure online experiences. One option mentioned by the Minister was to launch a kitemark for such products, to indicate that they met specific security criteria.[86] However, accreditation of products and services usually requires producers to pay for the analysis and awarding of that accreditation, and we have concerns that kitemarks may simply lead to the most expensive software having a kitemark and smaller software houses making a business decision to avoid the costs. This would leave the consumer with a choice between expensive assured software and a range of more affordable but undifferentiated products. We recommend the Government look to investigate the potential for solutions that will lead to a less clear-cut division of the market by allowing lower up-front costs for smaller software developers and a range of security standards.

68.  Any kitemark and accreditation solution begs the question of who should be responsible for awarding that kitemark. There is a wealth of expertise available both within the Government and the private sector with regard to the security testing of software. GCHQ is a central plank in the Government's Cyber Security Strategy. The written evidence to the Committee from technology companies would indicate that there is a readiness among the industry to contribute to solutions to malware and cyber crime issues. Get Safe Online is a collaborative effort between Government and the industry to improve the awareness of computer users and may provide a template for collaborative work of this nature.

69.  We consider it likely that the ability and resource to produce an online testing system already exists and that such an automated system would provide an efficient method of testing software and detecting security flaws.

70.  We judge that there will be a need for an automated way to assess the security of software, even if simply to provide smaller companies with a means of testing and redesigning their software prior to spending money on kitemarks. We recommend that the Government explore whether this might best be developed by Government, for Government, in partnership with private industry or by entirely private concerns.

A healthier online community

71.  We asked the question, in our call for evidence, whether the Government had a public health style responsibility to ensure the relative health of UK machines. Many of the submissions did not think that the analogy between public health and infection by computer viruses was a good fit. However, Microsoft believed that there was some value in the analogy as it prompted consideration of several important functions common to both.

First, we should strive for a trusted system with clear roles and responsibilities just like we have for doctors, paramedics and epidemiologists in human health. Second, computer users need to know who and where to get help with a malware issue. Just as individuals can recognize a hospital or pharmacy, it must be clear to them who can be trusted to provide assistance with malware prevention and remediation. Prevention or wellness is another topic that should be adopted from human health. To do so, we must begin with an understanding of what it takes to keep a system healthy and develop the social and technical norms to encourage the healthy state of all devices. Finally, as with epidemic preparedness, industry and government must be prepared for a potential malware outbreak in a way that leverages the trusted system and roles outlined above.[87]

72.  The Government took a similar perspective:

In this respect, the approach we are taking to combating malware is similar to how the Government approaches the control of human disease, being a multi-stakeholder approach which looks at the problem holistically, resulting in a number of policy options to tackle the creation and distribution of malware in parallel to mitigating the damage caused and bolstering defences. In addition, in some circumstances infected systems may also be quarantined.[88]

73.  We are inclined to agree that there is a moral imperative for the Government and industry to support consumers in being safe and secure online. Both the industry and the Government have clear interests in greater use of technology and the internet. This interest should not be served through decreased security of consumers and the users of those services. The public need clear identification of trusted information sources and relevant authorities and clear guidelines on how to help themselves stay free of infection.

74.  The Government is clear that many government services will move to online provision either directly or through a range of providers. It is also clear that an increasing proportion of UK economic activity will be conducted through or related to the internet. We ask the Government to provide, in response to this report, details of how they intend to engender greater trust in online products and services within the UK population and an assurance that online by default will mean better and more secure, rather than merely cheaper, government services.

69   Q16

70   Q6

71   Q10 [Professor Sommer]

72   Ev w10, para 34

73   Q4 [Professor Sommer]

74   As above

75   Ev w9, para 23 [David Emm and Professor Steven Furnell]

76   Furnell, S., Tsaganidi, V. and Phippen, A. 2008. "Security beliefs and barriers for novice Internet users", Computers & Security, vol. 27, no. 7-8, pp. 235-240.

77   Ev w9-10, para 26

78   Ev 31, para 26

79   Ev w12, para 10

80   Q6

81   Q6

82   Ev 25, para 37

83   Q66; see also Cabinet Office, Cyber Security Strategy, 25 November 2011

84   Q56

85   Q63

86   Q79

87   Ev w33, para 5.2

88   Ev 26, para 38


© Parliamentary copyright 2012
Prepared 2 February 2012