Select Committee on Science and Technology Fifth Report


APPENDIX 4: SEMINAR HELD AT THE INSTITUTION OF ENGINEERING AND TECHNOLOGY, SAVOY PLACE, LONDON


28 November 2006

Members of the Sub-Committee present were Lord Broers (Chairman), Lord Mitchell, Lord O'Neill of Clackmannan, Lord Patel, Baroness Sharp of Guildford, Lord Sutherland of Houndwood, Lord Young of Graffham, Dr Richard Clayton (Specialist Adviser), Christopher Johnson (Clerk) and Cathleen Schulte (Committee Specialist).

Participants were Maria Burroughs (DTI), Professor Brian Collins (Professor of Information Systems, Cranfield University), Cordella Dawson (Home Office), Robert Gruppetta (FSA), Malcolm Hutty (Head of Public Affairs, LINX), Matt Lambert (Government Affairs Director, Microsoft), Adam Laurie (The Bunker), Ben Laurie (The Bunker), Sharon Lemon (Deputy Director of e-crime, SOCA), Detective Chief Inspector Charlie McMurdie (Metropolitan Police), Philip Virgo (EURIM), Tim Wright (Home Office).

Personal Internet security - key themes (Dr Richard Clayton)

Dr Clayton gave an overview of the subject-matter for the inquiry. There was a general perception that people were unsafe on the Internet, and that things were getting worse. Whose fault was this? There was a long list of potential candidates who could take a share of responsibility:

  • Operating system vendors were shipping products before they were secure;
  • End-users weren't patching their systems to fix security holes;
  • Application programmers were paying no attention to security;
  • Businesses running applications weren't patching their systems to keep them up-to-date;
  • Retailers were selling un-patched systems and not giving users enough support in setting up a complex product;
  • ISPs were letting bad traffic reach end-user machines and not insisting their customers were secure;
  • Hardware manufacturers weren't making routers and modems "secure by default";
  • Networks weren't providing secure DNS (name services) or BGP (routing);
  • Companies were marketing VoIP as if it was just as reliable as conventional telephony;
  • Regulators weren't setting minimum security standards or trying to fix market failures;
  • Criminals were doing bad things;
  • The police weren't bothering to catch them;
  • Legislators weren't enacting suitable laws;
  • The Government weren't making sure that overseas crooks were dealt with;
  • The Information Commissioner wasn't dealing with spam;
  • End-users were going to unsuitable websites and downloading pirated material;
  • Educators weren't teaching "media literacy" effectively enough;
  • Banks weren't giving customers security devices;
  • Credit card companies were dumping their risks onto merchants;
  • Web businesses weren't keeping customer records secure;
  • And perhaps it was all state-sponsored InfoWar!

In reality most of the people in the areas listed above were doing their best and improving their own little part of the puzzle. But it was not a simple problem with a simple solution. The important thing was to better align incentives so that things began to improve rather than continuing to get worse.

The nature and scale of the threat to private individuals (Mark Harris, Global Director, SophosLabs)

Mr Harris noted that viruses now tended not to replicate widely—of the over 3,000 new viruses reported each month, the majority were Trojans, installed on PCs via spam, which installed other unwanted software, but did not replicate. They were designed to make money, not to vandalise the Internet, and were targeted at un-patched machines. Machines which were patched up to date were unlikely to be infected.

Users tended to look on computers as white goods—security was the last thing on their mind. They were completely unaware of the risks of clicking on pop-ups or hyperlinks. In some cases even unopened emails could now infect machines if they were being previewed.

In answer to questions, Mr Harris said the IT security business was working round the clock to keep up with the changing threats. However, there was still uncertainty as to the policing response to cyber-crime—there was no alert system in place for reporting fraudulent websites etc.

Public education and engagement (Professor Bill Dutton, Director, Oxford Internet Institute)

Professor Dutton described the Oxford Internet surveys, based on interviews with around 2,000 people. These revealed that home was the key location for Internet use; people learnt about the Internet from friends and family rather than through formal teaching or documentation. Most users, even experienced users, had no experience of writing programs or creating web pages. Nevertheless, people seemed to be coping somehow—not just individuals, but manufacturers and ISPs.

Regulation and legislation (Professor Ian Walden, Reader in Information and Communications Law, Queen Mary, University of London)

Professor Walden drew attention to the variety of criminal activity, from teenage hackers to organised crime. Large numbers were involved, and this created challenges for the criminal justice system, which struggled to cope with large numbers of suspects.

There were essentially three kinds of criminal conduct on the Internet:

  • Traditional crime, such as fraud, using computers as a tool (e.g. phishing), covered by existing criminal law;
  • Content-related crime, where the content (e.g. child abuse images) was illegal. Traditionally the law differentiated between supplying and possessing content, but this was harder to sustain in the computing environment;
  • Crimes against confidentiality and the integrity of computers—the Computer Misuse Act 1990 had recently been amended so as to cover denial of service attacks.

Legislation in recent years had tended to change and extend the way in which offences were investigated (online child abuse sometimes being used as a pretext) rather than creating new offences. In addition, the international dimension of cyber-crime had led to harmonisation of legal regimes at EU and Council of Europe levels. However, there was now a need to think about laws to promote security, rather than just penalising and investigating offences.

Policing the Internet (Detective Superintendent Russell Day, Metropolitan Police Specialist and Economic Crime Directorate)

DS Day, while drawing attention to the variety of criminal activities online, argued that there were few new crimes. The National e-Crime Coordination Unit was being developed as a centre of excellence in combating such crime.

Most of the Metropolitan Police's resources were currently being taken up by forensic work, analysis of hard drives etc—the resources available for investigating criminal networks such as botnets were very limited. Training was very resource-intensive—though the Met could call on some 150 special constables with IT skills to assist in particular investigations.

The security of operating systems (Ed Gibson, Chief Security Officer, Microsoft UK)

Mr Gibson drew attention to Microsoft's responsibility to ensure that anyone logging onto the Internet using a Microsoft platform was as secure as possible. Thus the new Internet Explorer 7 included a phishing filter. However, human nature was such that people would inevitably visit unsuitable sites regardless.

All Microsoft products went through a cycle of security reviews, including a "final security review", conducted in the immediate run-up to launching a new product.

Internet service provision (John Souter, CEO, LINX)

Mr Souter noted that five companies supplied 75 percent of broadband customers: BT, NTL, AOL, Tiscali and Orange. But in addition there were hundreds of smaller companies, selling mainly on price. At the same time, there was no published evidence to show that any one ISP was more secure than any other.

Asked whether ISPs could block bad traffic, Mr Souter argued that they could not. It was difficult to identify bad traffic (e.g. when it was encrypted), and it was very mobile and variable, making it very hard to maintain up-to-date filters.

Commerce over the Internet (Nicholas Bohm, Law Society)

Security was about personal and commercial relationships. "Security" in the old sense—e.g. security for a loan—was a way to offer guarantees to particular creditors. But more security for one creditor might mean less for another. Typically in an online fraud there would be two innocent parties (say, a bank and a customer), and a fraudster in the middle. The two innocent parties would be left in dispute over meeting the cost—security was about striking a balance between them.

PCs were not secure. Instead responsibility for security was shared out via contracts so as to manage the risk. With credit cards customers were in a good position—the banks met the cost of fraud in customer-not-present transactions. But where such risks were passed onto merchants the situation was less favourable.

Customers could not be held liable if their bank honoured a cheque with a forged signature—however, this did not apply online. At the moment banks' security protocols relied on shared secrets. This was no longer acceptable. The key was to create incentives to invest in improved security—this meant ensuring that risks fell where it was most expedient for the whole community that they should fall.

New technologies and emerging threats (Professor Ross Anderson, Cambridge University)

Professor Anderson outlined the subject of "security economics". The traditional view of info-security was that failures were down to a lack of technical features such as firewalls. However, in recent years it had become clear that systems were insecure whenever those who could fix them had no incentive to do so. UK banks were less liable for fraud than US banks—but suffered more fraud as a result.

The economics of the IT business were such that competition to get to the top was fierce, sidelining security. Once a company had reached the top (as Microsoft had done), the situation was different, and increased security could be used to lock out competition.

Overall, we were spending more or less the right amount on security. But spending was skewed: big companies were spending too much, Government far too much, but small companies too little.

Discussion

Discussion initially focused on policing. Police forces were focused on local crime, not on the international co-ordination needed to combat cyber-crime. SOCA had a more outward focus, inheriting good relationships with international partners from the National High-Tech Crime Unit, and targeting both the countries from which cyber-crime mostly originated and the five main target countries. At the same time SOCA aimed to identify overlaps and gaps in the work of individual police forces.

There was a perception that "level 2" crime was being overlooked. This had in fact been the case even before the absorption of the NHTCU into SOCA, and law enforcement still had not got it right. There had to be confidence that when level 2 crime was reported it would be picked up, and at the moment this was not happening. However, the police were now working with APACS to develop a reporting system from banks to the police.

It was argued that there were discrepancies between the amounts spent on law enforcement, the relatively small actual losses, and the huge amounts spent by individual users on IT security. Attempts to change behaviours were hampered by weak incentives, leading to players pushing risk up or down the chain. At the same time political moves to create specialised units to combat cyber-crime might be less productive than less visible efforts to raise skills across the board.

A particular problem was the distortion produced by child abuse cases—the pressure to devote resources to investigating child abuse was irresistible, and could compromise other policing priorities. Operation Ore had brought law enforcement services to their knees.

Discussion then turned to data protection and the security breach notification laws in some US states. It was argued that a security breach notification law would be a potent incentive to improve security. In a recent case in the UK, a major supermarket, one of whose ATMs had been compromised by a "skimmer", refused to co-operate in contacting customers who had used the ATM, and police had had to put an advertisement in the local paper to reach them. In the US the supermarket would have been obliged to write to every customer, in effect admitting negligence and warning them to check bank statements. This provided protection for customers who were subsequently victims of fraud and who could use such notification to help prove this to their bank.

In contrast, the position in the UK was that companies whose security had been compromised were under no obligation to disclose the fact, and were in fact advised to keep quiet and wait to be sued. A security breach notification law in the UK would be a major help to law enforcement, not least in helping to identify the scale of the problem. It should not be limited to telecommunications companies, but should be tied to data protection, covering all institutions holding personal data.

Finally discussion focused on emerging technologies. Increasing numbers of appliances incorporated computers, and relied on the Internet to communicate. Thus the Internet could be used to compromise an ever-widening range of technologies. For instance, information collected from airline websites could be used to compromise ID cards and e-passports. Furthermore society as a whole was increasingly reliant on the Internet to support critical services, such as hospitals. The time was rapidly approaching in which a failure of the Internet would lead directly to deaths. There was an issue over whether reliance on the Internet for critical services was prudent.


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007