Research and data collection
2.36. The Internet is a relatively new technology,
and online security is a correspondingly new academic discipline.
The evidence from the Research Councils (RCUK) claimed that "The
UK has a very strong Information and Communications Technology
Research Community, and the underpinning research into both hardware
and software is of a high international standing." RCUK also
provided a helpful annex of major IT research projects funded
by the Engineering and Physical Sciences Research Council. However,
RCUK also conceded that "the UK does not specifically have
a leading reputation for academic research on IT Security".
It drew attention to discussions on improving collaboration between
academic researchers and industry, but gave few concrete examples.
The reality appears to be that there are only a few centres of
IT security research in the United Kingdom; indeed, our evidence
reflects the views of researchers from virtually all these centres.
2.37. Despite the quality of the research undertaken
at these few centres, overall the investment in IT security research
does not appear to us commensurate to the importance of the Internet
to the economy or the seriousness of the problems affecting it.
During our visit to the United States in March we were fortunate
to be able to visit the Center for Information Technology Research
in the Interest of Society (CITRIS), at Berkeley. CITRIS receives
a small amount of funding from the State of California to cover
operating costs, but the bulk of its funding comes from partner
organisations, either within federal government or industry. It
brings together technologists, social scientists and other experts
in a range of multi-disciplinary, time-limited research projects.
While there are several research centres within the United Kingdom
working on aspects of the subject, there is a clear need for the
development of a large-scale, multi-disciplinary centre such as
CITRIS to act as a focus for academic and industry expertise.
2.38. It is notable that while the private sector
partners supporting CITRIS include major companies in the IT and
telecommunications industries, companies from manufacturing, energy
and other sectors also contribute.[10]
As computing becomes ever more pervasive, more and more private
sector companies (for example, those providing financial
services) rely on IT security, and will have an interest
in sponsoring research into IT security. There is therefore an
opportunity to attract a wide range of private sector partners,
with diverse interests, to support a major research initiative
in this area.
2.39. At the same time, there are new legal constraints
affecting IT security researchers. There has been a strong tradition
within the IT community of "ethical" hackers: experts,
generally unpaid enthusiasts, who test out networks and security
systems by attempting to "hack" them. We agree wholeheartedly
with the remarks of Bruce Schneier on the importance of their
work: "You learn about security by breaking things. That
is the way you learn. If you cannot break things, you cannot learn.
The criminals are always going to learn, always going to break
stuff. We need to be smarter than them. We are not going to be
smarter than them unless we can break things too" (Q 565).
2.40. However, the amendments to the Computer
Misuse Act 1990, which were introduced by means of the Police
and Justice Act 2006 and are expected to come into force in April
2008, introduced a new offence of making, supplying or obtaining
articles likely to be used to commit computer crimes; there are
also related provisions in the Fraud Act 2006. As Alan Cox told
us, these are "unfortunately the same tools that you need
to identify the security holes and test a security hole has been
fixed and so on" (Q 327). At the time of writing, Crown
Prosecution Service guidance on the application of these provisions
had yet to be published; the Minister, Vernon Coaker MP,
promised that they would appear "by the end of the summer"
(Q 886).
2.41. More general issues, affecting IT security
experts in many countries, were touched on in our discussions
at CITRIS in California. Vern Paxson drew attention to restrictions
on wire tapping, as well as to difficulties encountered in monitoring
the incidence of malware: the only way to monitor, say, the
incidence of botnets, was to set up a platform that would both
receive and respond to messages from botmasters. This meant that
the researchers could find themselves guilty of negligence in
allowing their computer to be used to propagate malware or spam
to other users.
Conclusions and recommendations
2.42. The benefits, costs and dangers of the
Internet are poorly appreciated by the general public. This is
not surprising, given the lack of reliable data, for which the
Government must bear some responsibility. The Government are not
themselves in a position directly to gather the necessary data,
but they do have a responsibility to show leadership in pulling
together the data that are available, interpreting them for the
public and setting them in context, balancing risks and benefits.
Instead of doing this, the Government have not even agreed definitions
of key concepts such as "e-crime".
2.43. We recommend that the Government establish
a cross-departmental group, bringing in experts from industry
and academia, to develop a more co-ordinated approach to data
collection in future. This should include a classification scheme
for recording the incidence of all forms of e-crime. Such a scheme
should cover not just Internet-specific crimes, such as Distributed
Denial of Service attacks, but also e-enabled crimes, that
is to say, traditional crimes committed by electronic means or
where there is a significant electronic aspect to their commission.
2.44. Research into IT security in the United
Kingdom is high in quality but limited in quantity. More support
for research is needed, above all from industry. The development
of one or more major multi-disciplinary research centres, following
the model of CITRIS, is necessary to attract private funding and
bring together experts from different academic departments and
industry in a more integrated, multi-disciplinary research effort.
We recommend that the Research Councils take the lead in initiating
discussions with Government, universities and industry with a
view to the prompt establishment of an initial centre in this
country.
2.45. Legitimate security researchers are
at risk of being criminalised as a result of the recent amendments
to the Computer Misuse Act 1990. We welcome the Minister's assurance
that guidance on this point will appear later in the summer, but
urge the Crown Prosecution Service to publish this guidance as
soon as possible, so as to avoid undermining such research in
the interim.
[2] Not published as evidence.
[3] Although 32-bit addresses are by far the most prevalent, some machines operate with "IPv6", a more recent version of the Internet Protocol, which uses 128-bit addresses.
[4] See http://www.gartner.com/it/page.jsp?id=498245.
[5] Symantec Internet Security Threat Report, July-December 2006, http://eval.symantec.com/mktginfo/enterprise/white_papers/ent-whitepaper_internet_security_threat_report_xi_03_2007.en-us.pdf.
[6] MessageLabs 2006 Annual Security Report, http://www.messagelabs.com/Threat_Watch/Intelligence_Reports/2006_Annual_Security_Report#Email%20Security%20Trends%20and%20Developments%202006.
[7] http://www.identitytheft.org.uk/ID%20fraud%20table.pdf.
[8] See http://www.staysafeonline.org/pdf/safety_study_2005.pdf.
[9] The figures quoted are taken from The underground economy: priceless, by Rob Thomas and Jerry Martin, December 2006, available online at http://www.usenix.org/publications/login/2006-12/openpdfs/cymru.pdf.
[10] See http://www.citris-uc.org/partners/corporate.