INTRODUCTION

Check Point welcome the opportunity to submit evidence to the House of Lords inquiry into e-Commerce and believe that this could not come at a more appropriate time. Internet security in Europe is provided by a number of fragmented vendors in their local markets. To achieve a consistent solution to Internet security Check Point recommend a pan-European common technical standard to meet the demands from the growing number of industries that operate on a pan-European basis. European Union plans to scrap restrictions on the export of encryption technologies amongst its Member States and to other countries may well result in this development.

Who are Check Point?

  Check Point provides software products for securing the Internet, leading the world market for firewalls or network gatekeepers with a 32 per cent market share. The company currently trades on NASDAQ at a market capitalisation of around $14 billion. Check Point is at present one of the most profitable Internet companies in the world with a net income in 1999 of $95.7 million from revenues of $219 million. After the recent hacker attacks on a variety of Internet sites Check Point responded by unveiling a defence system against these denial-of-service attacks. In March this system won the support of leading ISP providers including BT's Concert and GTE Internet working of the US.

  We believe that as companies increasingly move towards conducting their business online they should feel as comfortable conducting this virtual business as they do in a bricks and mortar environment. Our aim is to assist them in doing this and believe that key will be the ability to manage trust in the online environment.

What needs to be done to create confidence and to stimulate e-commerce?

  One of the key challenges facing the EU if it is to compete globally as a region is to build confidence in the Internet by setting a pan-European standard for Internet security. According to a recent DTI report 60 per cent of UK companies connected to the Internet have suffered a security breach within the past two years. This is likely to continue as more and more European businesses put their key functions online. Check Point believe that the EU should lead a consumer education programme on the importance of Internet security given that an Internet connection opens up corporate networks to the world.

What can Government do about it?

  Regulation flies in the face of the approach that industry has been championing. But organisations report that a security breach can cost between £20k and sometimes in excess of £100k. It is not a matter that can be dismissed out of hand. Given that secure systems will stimulate growth whereas high profile failures will damage confidence in the new economy, Government needs to encourage businesses to have the appropriate systems in place and to make sure that industry abides by interoperability standards. For large corporates and SMEs to conduct their business on the Internet and have peace of mind it is essential that their security policies meet the following basic minimum requirements. These requirements should form the basis of a "vanilla" pan-European standard in Internet security.

—  data protection;

—  access control; and

—  authentication.

Data protection

  Any e-commerce business or any other data communication across a public network such as the Internet needs to ensure adequate data protection to prevent the data being intercepted and read. The data itself may have a high asset value and/or reveal private or price sensitive company information.

  Protection can be achieved by the use of encryption. The strength of encryption however needs to be such that the:

—  cost required to break it is greater than the value of the encrypted data; and

—  time required to break it is longer than the time the encrypted data must remain secret.

Access control

  Access control is required to ensure that only those expressly permitted to gain access to or through organisations perimeter defence to an application server is granted, all other "must" be denied.

  When providing remote access, there must also be sufficient and robust auditing and logging procedures in place to provide evidence as to whom, when and where users have gained or attempted to gain access.

Authentication

  Even though a remote user has gained access to an application this does not necessarily ensure the person is who they say they are. This can only be done with any degree of assurance by providing authentication. By implementing a PKI (Public Key Infrastructure) whereby digital certificates are used, it is possible to authenticate a user but we can also ensure non-repudiation, digital certificates will sign the document and if modified, will be invalid. (PKI is a system of digital signatures that allows e-mail and Internet users to verify their identity, communicate securely and carry out transactions through the use of encryption keys. These digital signatures are created using highly complex encryption algorithms.)

The solution is in technology

  For these technical issues to be provided in a consistent manner a pan-European standard for security must be created, rolled-out and abided by. This would allow users of e-business applications to have a degree of assurance and confidence that a minimum level of security and protection has been implemented. Whilst

Check Point acknowledge that there has been some progress in this area with the TrustUK hallmark and more recently an initiative with the Post Office and the Chamber of Commerce our concern is that these initiatives are fragmented and there is a low awareness among consumers.

  Check Point believe that the following two things could make a real difference and ask this inquiry to give them their consideration.

  1.  Pan-European Standard in Internet Security

  The EU should take the lead in establishing an international standard in security which takes account of the three key factors listed above (Data protection, Access control, Authentication). This should be given the same accreditation weighting as other international standards eg ISO9000.

  2.  An Internet Security Education programme

  An International Standard will not achieve its desired goal without a suitable education programme which explains its purpose and benefits. The European Union should take the lead in this regard through its national assemblies.

Small and Medium-Sized Enterprises

  With regard to the inquiry's interest in SMEs, the reality is that securing an Internet connection will often come down to question of cost. We believe that it is imperative that Internet security is made not only understandable but also affordable. The perception currently is that proper security is the last thing an SME's IT budget will get spent on. Currently only the "blue chips" give security the priority it deserves (and by no means all of them); this undoubtedly provides them with a significant competitive advantage.

  Companies like Check Point need to start to produce security products that have the clear aim of providing SMEs with quality security at a price that is not prohibitive. Not only will this have the added benefit of facilitating the economic development of a key business sector but will also go some way towards our wider aim of helping to solve the problem of managing trust in the online environment. National treasuries may like to consider tax breaks for SMEs of a certain size who secure their networks effectively.

Conclusion

  Effective security measures are the essential element for enduring and sustainable confidence in the new economy. When the business community gets security right they will begin to reap the considerable commercial benefits the Internet has to offer. The biggest challenge is educating the business audience into placing the appropriate value on Internet security and then encouraging them to make appropriate decisions about which systems suit them best. Small and medium-sized enterprises are particularly vulnerable to this, as they do not necessarily have the in-house expertise to evaluate their own security systems. In our experience it is also unlikely that they will have bought them in the first place which exposes them to reputational and commercial danger.

12 June 2000