APPENDIX 4: SEMINAR HELD AT THE INSTITUTION
OF ENGINEERING AND TECHNOLOGY, SAVOY PLACE, LONDON |
28 November 2006
Members of the Sub-Committee present were Lord Broers
(Chairman), Lord Mitchell, Lord O'Neill of Clackmannan, Lord Patel,
Baroness Sharp of Guildford, Lord Sutherland of Houndwood, Lord
Young of Graffham, Dr Richard Clayton (Specialist Adviser), Christopher
Johnson (Clerk) and Cathleen Schulte (Committee Specialist).
Participants were Maria Burroughs (DTI), Professor
Brian Collins (Professor of Information Systems, Cranfield University),
Cordella Dawson (Home Office), Robert Gruppetta (FSA), Malcolm
Hutty (Head of Public Affairs, LINX), Matt Lambert (Government
Affairs Director, Microsoft), Adam Laurie (The Bunker), Ben Laurie
(The Bunker), Sharon Lemon (Deputy Director of e-crime, SOCA),
Detective Chief Inspector Charlie McMurdie (Metropolitan Police),
Philip Virgo (EURIM), Tim Wright (Home Office).
Personal Internet security - key themes (Dr Richard
Dr Clayton gave an overview of the subject-matter
for the inquiry. There was a general perception that people were
unsafe on the Internet, and that things were getting worse. Whose
fault was this? There was a long list of potential candidates
who could take a share of responsibility:
- Operating system vendors were
shipping products before they were secure;
- End-users weren't patching their systems to fix
- Application programmers were paying no attention
- Businesses running applications weren't patching
their systems to keep them up-to-date;
- Retailers were selling un-patched systems and
not giving users enough support in setting up a complex product;
- ISPs were letting bad traffic reach end-user
machines and not insisting their customers were secure;
- Hardware manufacturers weren't making routers
and modems "secure by default";
- Networks weren't providing secure DNS (name services)
or BGP (routing);
- Companies were marketing VoIP as if was just
as reliable as conventional telephony;
- Regulators weren't setting minimum security standards
or trying to fix market failures;
- Criminals were doing bad things;
- The police weren't bothering to catch them;
- Legislators weren't enacting suitable laws;
- The Government weren't making sure that overseas
crooks were dealt with;
- The Information Commissioner wasn't dealing with
- End-users were going to unsuitable websites and
downloading pirated material;
- Educators weren't teaching "media literacy"
- Banks weren't giving customers security devices;
- Credit card companies were dumping their risks
- Web businesses weren't keeping customer records
- And perhaps it was all state-sponsored InfoWar!
In reality most of the people in the areas listed
above were doing their best and improving their own little part
of the puzzle. But it was not a simple problem with a simple solution.
The important thing was to better align incentives so that things
began to improve rather than continuing to get worse.
The nature and scale of the threat to private
individuals (Mark Harris, Global Director, SophosLabs)
Mr Harris noted that viruses now tended not to replicate
widelyof the over 3,000 new viruses reported each month,
the majority were Trojans, installed on PCs via spam, which installed
other unwanted software, but did not replicate. They were designed
to make money, not to vandalise the Internet, and were targeted
at un-patched machines. Machines which were patched up to date
were unlikely to be infected.
Users tended to look on computers as white goodssecurity
was the last thing on their mind. They were completely unaware
of the risks of clicking on pop-ups or hyperlinks. In some cases
even unopened emails could now infect machines if they were being
In answer to questions, Mr Harris said the IT security
business was working round the clock to keep up with the changing
threats. However, there was still uncertainty as to the policing
response to cyber-crimethere was no alert system in place
for reporting fraudulent websites etc.
Public education and engagement (Professor Bill
Dutton, Director, Oxford Internet Institute)
Professor Dutton described the Oxford Internet surveys,
based on interviews with around 2,000 people. These revealed that
home was the key location for Internet use; people learnt about
the Internet from friends and family rather than through formal
teaching or documentation. Most users, even experienced users,
had no experience of writing programmes or creating web pages.
Nevertheless, people seemed to be coping somehownot just
individuals, but manufacturers and ISPs.
Regulation and legislation (Professor Ian Walden,
Reader in Information and Communications Law, Queen Mary, University
Professor Walden drew attention to the variety of
criminal activity, from teenage hackers to organised crime. Large
numbers were involved, and this created challenges for the criminal
justice system, which struggled to cope with large numbers of
There were essentially three kinds of criminal conduct
on the Internet:
- Traditional crime, such as fraud,
using computers as a tool (e.g. phishing), covered by existing
- Content-related crime, where the content (e.g.
child abuse images) was illegal. Traditionally the law differentiated
between supplying and possessing content, but this was harder
to sustain in the computing environment;
- Crimes against confidentiality and the integrity
of computersthe Computer Misuse Act 1990 had recently been
amended so as to cover denial of service attacks.
Legislation in recent years had tended to change
and extend the way in which offences were investigated (online
child abuse sometimes being used as a pretext) rather than creating
new offences. In addition, the international dimension of cyber-crime
had led to harmonisation of legal regimes at EU and Council of
Europe levels. However, there was now a need to think about laws
to promote security, rather than just penalising and investigating
Policing the Internet (Detective Superintendent
Russell Day, Metropolitan Police Specialist and Economic Crime
DS Day, while drawing attention to the variety of
criminal activities online, argued that there were few new crimes.
The National e-Crime Coordination Unit was being developed as
a centre of excellence in combating such crime.
Most of the Metropolitan Police's resources were
currently being taken up by forensic work, analysis of hard drives
etcthe resources available for investigating criminal networks
such as botnets were very limited. Training was very resource-intensivethough
the Met could call on some 150 special constables with IT skills
to assist in particular investigations.
The security of operating systems (Ed Gibson,
Chief Security Officer, Microsoft UK)
Mr Gibson drew attention to Microsoft's responsibility
to ensure that anyone logging onto the Internet using a Microsoft
platform was as secure as possible. Thus the new Internet Explorer
7 included a phishing filter. However, human nature was such that
people would inevitably visit unsuitable sites regardless.
All Microsoft products went through a cycle of security
reviews, including a "final security review", conducted
in the immediate run-up to launching a new product.
Internet service provision (John Souter, CEO,
Mr Souter noted that five companies supplied 75 percent
of broadband customers: BT, NTL, AOL, Tiscali and Orange. But
in addition there were hundreds of smaller companies, selling
mainly on price. At the same time, there was no published evidence
to show that any one ISP was more secure than any other.
Asked whether ISPs could block bad traffic, Mr Souter
argued that they could not. It was difficult to identify bad traffic
(e.g. when it was encrypted), and it was very mobile and variable,
making it very hard to maintain up-to-date filters.
Commerce over the Internet (Nicholas Bohm, Law
Security was about personal and commercial relationships.
"Security" in the old sensee.g. security for
a loanwas a way to offer guarantees to particular creditors.
But more security for one creditor might mean less for another.
Typically in an online fraud there would be two innocent parties
(say, a bank and a customer), and a fraudster in the middle. The
two innocent parties would be left in dispute over meeting the
costsecurity was about striking a balance between them.
PCs were not secure. Instead responsibility for security
was shared out via contracts so as to manage the risk. With credit
cards customers were in a good positionthe banks met the
cost of fraud in customer-not-present transactions. But where
such risks were passed onto merchants the situation was less favourable.
Customers could not be held liable if their bank
honoured a cheque with a forged signaturehowever, this
did not apply online. At the moment banks' security protocols
relied on shared secrets. This was no longer acceptable. The key
was to create incentives to invest in improved securitythis
meant ensuring that risks fell where it was most expedient for
the whole community that they should fall.
New technologies and emerging threats (Professor
Ross Anderson, Cambridge University)
Professor Anderson outlined the subject of "security
economics". The traditional view of info-security was that
failures were down to a lack of technical features such as firewalls.
However, in recent years it had become clear that systems were
insecure whenever those who could fix them had no incentive to
do so. UK banks were less liable for fraud than US banksbut
suffered more fraud as a result.
The economics of the IT business were such that competition
to get to the top was fierce, sidelining security. Once a company
had reached the top (as Microsoft had done), the situation was
different, and increased security could be used to lock out competition.
Overall, we were spending more or less the right
amount on security. But spending was skewed: big companies were
spending too much, Government far too much, but small companies
Discussion initially focused on policing. Police
forces were focused on local crime, not on the international co-ordination
needed to combat cyber-crime. SOCA had a more outward focus, inheriting
good relationships with international partners from the National
High-Tech Crime Unit, and targeting both the countries from which
cyber-crime mostly originated and the five main target countries.
At the same time SOCA aimed to identify overlaps and gaps in the
work of individual police forces.
There was a perception that "level 2" crime
was being overlooked. This had in fact been the case even before
the absorption of the NHTCU into SOCA, and law enforcement still
had not got it right. There had to be confidence that when level
2 crime was reported it would be picked up, and at the moment
this was not happening. However, the police were now working with
APACS to develop a reporting system from banks to the police.
It was argued that there were discrepancies between
the amounts spent on law enforcement, the relatively small actual
losses, and the huge amounts spent by individual users on IT security.
Attempts to change behaviours were hampered by weak incentives,
leading to players pushing risk up or down the chain. At the same
time political moves to create specialised units to combat cyber-crime
might be less productive than less visible efforts to raise skills
across the board.
A particular problem was the distortion produced
by child abuse casesthe pressure to devote resources to
investigating child abuse was irresistible, and could compromise
other policing priorities. Operation Ore had brought law enforcement
services to their knees.
Discussion then turned to data protection and the
security breach notification laws in some US states. It was argued
that a security breach notification law would be a potent incentive
to improve security. In a recent case in the UK, a major supermarket,
one of whose ATMs had been compromised by a "skimmer",
refused to co-operate in contacting customers who had used the
ATM, and police had had to put an advertisement in the local paper
to reach them. In the US the supermarket would have been obliged
to write to every customer, in effect admitting negligence and
warning them to check bank statements. This provided protection
for customers who were subsequently victims of fraud and who could
use such notification to help prove this to their bank.
In contrast, the position in the UK was that companies
whose security had been compromised were under no obligation to
disclose the fact, and were in fact advised to keep quiet and
wait to be sued. A security breach notification law in the UK
would be a major help to law enforcement, not least in helping
to identify the scale of the problem. It should not be limited
to telecommunications companies, but should be tied to data protection,
covering all institutions holding personal data.
Finally discussion focused on emerging technologies.
Increasing numbers of appliances incorporated computers, and relied
on the Internet to communicate. Thus the Internet could be used
to compromise an ever-widening range of technologies. For instance,
information collected from airline websites could be used to compromise
ID cards and e-passports. Furthermore society as a whole was increasingly
reliant on the Internet to support critical services, such as
hospitals. The time was rapidly approaching in which a failure
of the Internet would lead directly to deaths. There was an issue
over whether reliance on the Internet for critical services was