Home Affairs CommitteeWritten evidence submitted by Symantec [EC 11]

Given Symantec’s position as one of the world’s leaders in internet and information security we welcome the opportunity to provide the following information to the Committee in this important inquiry.

Executive Summary

Today more than ever cyber security incidents have become headline news given the increasingly complex, sophisticated and organised nature of cybercrime which is determined as crime committed using a computer, network, or hardware device.

Online attacks that were once conducted solely for fame and notoriety are now conducted by organised professionals motivated by economic gain.

Information continues to be a key target with cyber criminals seeking access to data that can be used to conduct further online attacks or sold as a commodity on the underground economy.

Cyber criminals tactics continue to evolve by increasing targeting mobile devices and social networks where users may be less aware of cyber security threats and where criminals may be able to avoid detection for as long as possible.

Recognition by the UK Government that cyber incidents are a tier one level threat is welcomed but given the rapidly changing nature and extent of the threat addressing cyber security must remain a long term overarching public policy objective.

Neither government, industry, law enforcement, individual citizens or Parliamentarian can solve the problem of cyber crime alone.

Recognition by UK law enforcement of the need to work together and in partnership with industry is a key factor in the effective leadership by the UK in this area.

But cyber crime is not just a problem for the UK but a global problem that requires a global approach. The involvement of UK law enforcement in international efforts is welcomed and should continue. The rise in data loss incidents has resulted in data protection issues become front page news.

With personal data a valuable commodity for cyber criminals a sector wider data breach notification requirement should be introduced as part of the current review of the EU data protection legal framework.

Technology has an important role to play in building and maintaining UK citizens online trust and confidence in the online world. But technology alone is not the answer.

Raising awareness initiatives that increase understanding of the online threat environment and educate individuals of all agers how to protect their information and identity from the threat of cyber criminals must continue to be supported and funded by both government and industry.

What e-crime is understood to be and how this affects crime recording?

1. To answer this question it is necessary to first define what is meant by e-crime. For Symantec e-crime is included in the term cyber crime defined as any crime that is committed using a computer, network, or hardware device. The computer or device may be the agent, facilitator, or the target of the crime.

2. The broad range of cybercrime can be divided into two categories defined as either a single event or an ongoing series of events. An example of a single event would be where a victim might receive an e-mail containing what claims to be a link to known entity but in reality is a link to a hostile website controlled by a cyber criminal. Once the victim is sent to the hostile website the criminal is in control of a users machine and may take advantage of this control to commit fraud and/or steal individual’s information.

3. The second category is an on-going series of events. This can be where there are repeated interactions between the cyber criminal and the victim. For example, the target is contacted in an online chat room by someone who, over time, attempts to establish a relationship. Eventually, by using such use tools as social engineering, the criminal exploits the relationship to commit a crime.

4. When considering what is understood by the term e-crime it may be useful for the Committee to consider the definitions of cybercrime within the Council of Europe Cybercrime Treaty. The Treaty (which the UK government has ratified) is the most comprehensive legal instrument in the fight against cyber crime. In the Treaty cybercrime refers to a number of offences perpetrated using electronic means ranging from criminal activity against data to content and copyright infringement.

5. Overall however it should be remembered that e-crime is not a new phenomenon it is simply traditional crimes conducted using electronic means. For example fraud, harassment and theft has always existed but the new technology is simply the latest tool being used by criminals to conduct their illegal activities. Although clearly depending on what type of crimes are included in the term e-crime this will affect the way in which such crimes are recorded.

The extent and nature of the threats on which e-crime policy is based and how well they are understood by policy makers

6. For the last eight years Symantec has produced its Internet Security Threat Report1 which provides an overview and analysis of worldwide internet threat activity and a review of known vulnerability and trends in areas such as phishing, botnets and spam. The report is based on the most comprehensive sources of internet threat data which is gathered from Symantec’s Global Intelligence Network. Information on the key finding of the latest Internet Security Threat Report published in May 2012, can be found at the end of this submission.

7. The findings of the latest report indicate the extent and nature of current cyber threats with Symantec blocking more than 5.5 billion malicious attacks in 2011 which is an increase of more than 81% from the previous year. The number of unique malware identified also increased by 41%. The number of web attacks blocked per day also increased dramatically by 36% as cyber attacks become increasingly complex, sophisticated and targeted.

8. The report shows an increasingly high volumes of malware2 attacks along with an increase in sophisticated targeted attacks, where the user may not know they are being attacked due to the ability of the attacker to slip under the radar and evade detection, as well as a rise in advanced persistent threats and attacks on the infrastructure of the internet itself. Also identified was an increase in the number of data breaches of individuals and business information with more than 232.4 million identities worldwide exposed overall during 2011. Information remains a key target for cyber criminals who can use personal and business information to conduct other attacks through phishing or social engineering.

9. While the volume and sophistication of cyber attacks globally increased in 2011 the overall level of spam a popular vehicle for conducting cyber crime fell from 85.5% of all email in 2010 to 75.1% in 2011. This reduction is largely seen as due to law enforcement action which shut down Rustock a massive worldwide botnet responsible for sending out large amounts of spam.

10. Cyber criminals are not only continuing to use existing vulnerability but are also increasing in their use of social networks as a propagation vector for attacks. Due to social engineering techniques and the viral nature of social networks it is unfortunately much easier for threats to spread from one person to the next.

11. The growth in viruses and malware attacking mobile devices was also seen with the 2011 report being the first year that mobile malware presented a tangible threat to users. Attacks being seen included malware that sends premium SMS text messages from a users phone. This can earn the cyber criminal $9.99 for each text sent but unfortunately costs the victim dearly when their mobile phone bill arrives. As the take up of mobile phones and tablets continue to rise Symantec expects that cyber criminals will continue to explore ways to attack mobile devices and once they find something effective and money making they will exploit it ruthlessly.

12. Individuals continue to be a key target for cyber criminals according to the findings of the latest Norton Cybercrime Report published on 5 September. One of the world’s largest consumer cybercrime studies the report is based on the findings of a survey of more than 13,000 adults across 24 countries.

13. According to the report there are 556 million victims of cyber crime per year, which is more than the entire population of the European Union. In the UK it s estimated that more than 12.5 million people fell victim to cybercrime in the past 12 months. The cost of cyber crime to the UK was £1.8 billion with an average cost of £144 per cybercrime victim. This means that cybercrime costs UK consumer more than a week’s worth of food for a family of four.

14. The 2012 report showed cyber criminals are targeting users of social networking and mobile devices which is further evidence of how the tactics of cyber criminals are changing based on the popularity of particular technologies and online platforms and networks. It is estimated that two thirds of adults use a mobile device to access the internet. One in five adults globally (21%) has been a victim of either social or mobile cyber crime. In the UK 30% of adults have fallen victim to cybercrime on social networking platforms. Although 63% of adults are accessing social network accounts and 24% access their bank accounts over free or unsecured Wi-Fi connections, around 53% of the adults surveyed were concerned about the security of these Wi-Fi connections.

15. While the 2012 report revealed that internet users are taking basic steps to protect themselves and their personal information, such as deleting suspicious emails and protecting their personal information online other precautions are still not being taken. For example 40% of UK adults don’t use complex passwords or change their passwords frequently. More than a third of adults do not check for the padlock symbol in the browser before entering sensitive personal information such a online banking details.

16. The recognition of the cyber threats as a tier one level threat to the UK in the National Security and Defence Strategy and the subsequent Cyber Security Strategy are seen by Symantec as evidence that policy makers recognise the extent and nature of the threat being faced in the UK. The focus on the economic and social impact of e-crime in the strategy document indicates an understanding of the impact of cyber threats not only to the ongoing resilience and stability of the internet but to the societal and economic stability of the UK. Going forward as the online threat environment continues to evolve there is a need to ensure policy makers up to date on the changing nature and extent of the threat to the UK from cyber crime and that cyber security remain a long term overarching public policy objective.

17. However, addressing cyber threats is not a responsibility of policy makers alone but a responsibility that is shared by all those using the Internet. The nature of the internet and IT technology is such that no single person can be held accountable and we all share a collective responsibility to protect ourselves and our customers whether they are businesses, users or citizens. Public and private sector co-operation and collaboration are a key factor to assisting not only the policy makers but also businesses and individuals to understand, assess and evaluate the level of seriousness of cyber incidents and their level of risk from cyber crime.

The effectiveness of current law enforcement and legislative capabilities, including local and regional capabilities and the potential impacts of proposed organisational change

18. The UK continues to be seen by Symantec as among the best placed countries in countering cybercrime; particularly in comparison to several other EU Member States. The UK’s Police e-Crime Unit and SOCA’s e-crime task force and the work of CPNI on cyber threats all play an important role in addressing cyber crime issues facing UK businesses, organisation and individuals.

19. A particular element of the effectiveness of UK law enforcement is the strong collaboration with the private sector. Coordination and cooperation between the public and private sector on addressing the spread of cyber crime are an important component to a cyber security strategy not only in the UK but also globally. The UK’s understanding that it is the private sector that has most knowledge about cyber threats and the need for law enforcement and industry to work together in collaboration, where appropriate, should be seen as a key success factor of the UK approach. However, it is also suggested that providing more training and resources to UK police , particularly at a local and regional level to fight cyber crime would be welcomed.

20. Given that the proposed organisational changes have not been implemented yet, it remains to be seen how the establishment of the National Crime Agency (NCA) will affect enforcement activities in this area. The proposals outlined by the Home Office in June 2011 point towards a continued focus on cyber crime as there currently is within SOCA and the Police e-Crime Unit. The creation of a National Cyber Crime Unit that it is understood will sit within the NCA is also welcomed as by Symantec. This step forward points the way forward for law enforcement capabilities already in place to be enhanced and bolstered going forward. Before the NCA is in place the emphasis in the Home Office document s on the importance of the continued cooperation between SOCA and the Police e-Crime Unit before the NCA is established is supported.

21. However, it should also be remembered that cyber crime is not just a local, regional or even national problem for the UK. Cyber crime is a global problem that requires a global approach particularly as threats and attacks can travel around the world at the click of a button. It is suggested that a move towards a more European wide approach by law enforcement to cybercrime issues could support and enhance the effectiveness of current UK efforts. Symantec has welcomed the recent announcement of the establishment of a Europol Cybercrime Centre. It is hoped that this initiative will continue to develop cooperation and coordination by law enforcement and that UK law enforcement will play a key role in supporting the Centre’s activities.

22. In terms of legislative capabilities the UK’s legal framework for addressing cyber crime is supported by Symantec. The Computer Misuse Act is a key legislative tool and provides the capability for prosecutions related to cyber crime offences. However, as explained above new forms of cyber crime emerge as new technologies develop. Given the rise in online threats since the Computer Misuse Act was last amended in 2007 it is suggested that the Committee should considered whether there are aspects of cyber crime seen today that remain unaddressed within UK’s legislation. For example while unauthorised access to a computer is criminalised under the CMA the actual theft of confidential information is not specifically addressed. In light of the significant number of UK citizens being affected by identity related online fraud it is suggested that a discussion is held on whether this offence should be specifically addressed within UK law. Also given the take up and use of cloud computing by both businesses and citizens increases a legislative gap currently exists in both UK and EU law given that the use and also misuse of computing resources delivered via the cloud without right is currently not covered within either UK or EU law. These offences are suggested as areas that the Committee could considered to ensure that the UK’s legislative capabilities are sufficient to address current and possible future online criminal activity.

Options for addressing key emerging issues that will affect the public such as liability over personal computer security, personal data held by social networking sites and its vulnerability to criminal use

23. As the Committee’s question highlights the findings of Symantec’s latest internet security threat report shows that information continues to be a key target for cyber criminals as well as a rise in the use of social networks by cyber criminals to conduct attacks. With hundreds of millions of people on social networking sites it is inevitable that online criminals would look to attack users there. However according to Symantec’s findings more than half of all attacks identified on social networking Web sites were related to malware hosted on compromised blogs or communication sites rather than the theft of information from social networking sites. It appears that a key threat from social networking is where a hyperlink for a compromised website is shared to a large number of users on a social network. Users then click on the link and are sent to the website where malware, which may include threats such as key loggers that seek access to personal information such as passwords, can then attack their machines.

24. Given the rise in data breaches and the threats seen to personal information Symantec has welcomed the European Commission review of the current European data protection legal framework in place in Europe since 1995 which is proposing the introduction of a sector wide data breach notification requirement The review of the current Data Protection Directive (95/46) from which the UK Data Protection Act 1998 derives, is an opportunity to ensure the legal framework, first introduced in 1995 is appropriate and relevant today; particularly in an era where information has become the digital currency for users but, unfortunately, also a focus for e-crime.

25. Gaining and maintaining the trust and confidence of individuals that their information is protected and secured given the level of cybercrime being seen is a challenge that must be faced and addressed by organisations. Introducing a requirement to notify if data has been lost or stolen in the legal framework not only ensures data is fully protected throughout its lifecycle but also that users are informed if a serious incident occurs that may impact them, thus creating a sense of empowerment and individuals’ confidence in taking action if they want or need to. However, any breach requirements introduced needs to be appropriate and non burdensome to either organisations or citizens.

26. While ensuring the data protection legal framework in Europe is appropriate and relevant to the way information is being processed, accessed, shared and managed online, there is also a responsibly of individual users to ensure that they protect their information particularly when sharing personal information online.

27. The computer security industry has an important role to play in developing technological tools and solutions that are appropriate to deal with cyber threats and can help individuals to protect their identifies and information online. Symantec will continue to develop and offer solutions that enable users to put in place appropriate measures to protect their systems, networks and information. However it should be recognised that software companies cannot and should not be held responsible for what they do not effectively controls such as how a users may install, configure, use and update (or perhaps even chose not to update) security software. It is also difficult to see how a technology provider would measure the responsibly of the consumer in the way it has selected, installed, configured and users the software when ascertaining liability.

28. Factors that would need to be considered in measuring and determining possible liability would include whether the software being used by an individual user is fitness for the purpose it is being used. For example is the software being used in line with its intended purpose. Also whether the software being used is up to date and properly maintained by the user. For example a user may have decided to turn off the automatic software updates provided by the provider when the user configured the software. This is a decision that the provider of the software will not be aware of nevertheless this action could result in the user being left unprotected whilst online and suffer a cyber incident. In such a scenario the individual user may suffer cyber attack not because the software failed but because of a decision made by the user.

29. If such an approach was taken for it to be workable it is suggested that software vendors would need to be able to gain the necessary control over the way that users are using their technology. This could include the ability to monitor and control the behaviour and actions of people for example to ensure that the software, or tool, is being used for only the purpose for which it was supplied or sold. Moves in such a direction would not only raise political, privacy and legal questions but it is not clear whether such a evolution in the way in which technology interacts with users is a journey that users would be willing to embark on and potentially cover the costs of.

30. An approach where the liability burden is placed on the provider of software products alone could lead to a situation where companies would not be prepared to take liability for their products unless they can assume a level of control over the way it is being used in order to avoid or limit liability. This could lead providers to using more privacy invasive technological to provide the ability to monitor and control the behaviour and actions of users for example to ensure that the software is being used for only the purpose for which it was supplied or sold.

31. An approach along these lines could not only impact the control users have on their PC’s but could also stifle technological innovation and competition in the marketplace by promoting particular business models. A move towards more closed platforms or a situation where one dominant technology provider could dictate what can, or cannot, be installed on its system due to liability concerns may limit consumer choices to only sites or online content that are approved by PC providers based on a level of risk.

32. Moves towards liability in this area could not only raise political and legal questions but it is not clear whether such a evolution in the way in which technology is provided and interacts with users is a journey that users would be willing to embark on and potentially cover the costs of its development and implementation.

33. As the online threat environment continues to evolve and cyber criminals tactics adapt and change it is only right that we continue to consider options for addressing current as well as emerging issues. However in light of the rapid speed in which cyber threats and attacks evolve it is important that legislation and law makers should not try to run behind technology but rather support the market to develop the appropriate tools and solutions to current and future online threats. Also it is also important that users continue to be educated about online threats and understand the value of their personal data and the importance of having protection measures in place that are appropriate to their online activities.

The effectiveness of current initiatives to promote awareness of using the internet safely and the implications of peoples’ online behaviours for related public policy

34. Having appropriate technological solutions and tools in place can support citizens to have the confidence that their activities and information and identity online are being protected. However, Symantec believes that technology alone is not enough to address the online security challenges we all face today. An effective cyber security approach is one that combines appropriate technology, the development of policies, procedures particularly for reporting, responding and recording cyber incidents and raising awareness initiatives to ensure people have the necessary skills and knowledge to protect themselves from cyber criminals.

35. Symantec continues to be a supporter of initiatives around the world that promote awareness of internet security and safety issues to different online users from children to silver surfers. In the UK Symantec has been a long term supporter of Get Safe Online the government-industry campaign aimed at raising greater awareness amongst citizens and small businesses of the importance of online security. We are also members of the UK Council for Child Online Safety which is another example of how industry and government are working in partnership to increase understanding of online safety by both children and parents.

36. At a time when public and private sector organisations continue to look to online platforms and networks to interact and provide goods and services directly to citizens, it is important that internet security and safety remains on the public policy agenda. Initiative and activities that can raise awareness of the online threat environment and the importance of online security and safety have a key role to play not only in protecting individuals information online but also creating greater trust and confidence of internet technology. This will remain important if we are to ensure UK citizens can gain from the full opportunity and advantages offered by the internet and have confidence to enjoy the connected world safely and securely.

37. As mentioned earlier in this submission addressing cyber crime threat facing the UK is not something that industry, government, individuals or law enforcement can do alone. Users also have a responsibility to protect themselves by installing and using available internet products and tools effectively to ensure they remain secure. Education on online security and activities that raise awareness will continue to be vital to ensuring users are aware of not only the constantly evolving online threat environment but also what they can do to be safe and secure online.

38. While the current economic climate presents many resources challenges, it is important to continue to invest in ensuring individuals are aware of cyber security issues if the full social and economic opportunities and benefits offered by online networks and platforms are to be fully realised.

Symantec is a world leader in providing solutions to help individuals and enterprises assure the security, availability, and integrity of their information. Headquartered in Cupertino, Calif., Symantec has operations in more than 40 countries. Further information can be found at www.symantec.com. Symantec appreciates this opportunity to submit comments to the House of Commons Home Affairs Select Committee.

October 2012