Select Committee on Science and Technology Minutes of Evidence

Memorandum by Microsoft


  1.  Our submission sets out our experiences with the risks and mitigations associated with personal use of the Internet. We have considerable experience in this area: Microsoft is one of the most attacked platforms on the planet and we have learned a great deal about the risks and threats for both us and our users on the Internet.

  2.  We have worked globally to establish a three-part model for tackling many of the issues faced around online safety:

    —  consumer education—addressed through initiatives such as Get Safe Online;

    —  technological practices and improvements—such as anti-malware tools, anti-spyware, anti-phishing filter technology in Web browsers, parental controls (to limit the risks of exposure to minors of unsuitable content and/or contact with parties unknown) and the "identity metasystem" (which aims to improve the quality and consistency of identity on the Internet); and

    —  legal enforcement—including for example the Global Phishing Enforcement Initiative.

  3.  All three of these areas need to be developed in partnership to impact the problem of ensuring personal security online. Internet security and online safety require an end-to-end approach.

  4.  Against a constantly challenging and evolving threat landscape, the industry has continued to make good progress, partly as a result of placing trusted computing at the centre of software design. At Microsoft for example our Trustworthy Computing initiative has had a major impact on reducing software vulnerabilities, as evidenced in independent assessments such as UNIRAS/UNICERT. This has been particularly true since the launch of Windows XP SP2 and will be taken significantly further when Windows Vista—the next release of our operating system—is made available in the next few months.

  5.  Whilst much of the evidence from ourselves and other contributors may well be a disheartening read, we do have a passionate belief in the truly transformational and positive impacts of the Internet. These range from the obvious—such as e-commerce and e-government—all the way through to the pervasive computing age, which will enable us to live longer, more fulfilled lives in our own homes and communities.

  6.  This is why we believe it is important for us to work collectively on addressing the issues that threaten the Internet and its positive potential. The Internet is far more than just Web browsers and email: we need to understand, monitor and manage the risks as the Internet increasingly enables new areas, such as TV on demand and home healthcare monitoring devices.


  7.  The Committee has highlighted several areas that it aims to consider in its current inquiry, namely:

    —  What is the nature of the security threat to private individuals and what is the scale of the problem?

    —  How well do the public understand the nature of the threat they face?

    —  What can be done to provide greater personal Internet security? How much does this depend on software and hardware manufacturers?

    —  Is the regulatory framework for Internet services adequate?

    —  How well equipped is Government to combat cyber crime? Is the legislative framework in UK criminal law adequate to meet this growing challenge?

  We will address each of these areas in turn.

What is the nature of the security threat to private individuals and what is the scale of the problem?

  8.  Threats to online safety and security continue to escalate. They range from the innocuous but irritating, such as spam messages (of which we block over 3 billion a day in Hotmail/Windows Live Mail), through phishing attacks (aiming to fool users into handing over important personal information, such as online banking details, that will ultimately lead to a financial fraud) to malware, spyware, trojans, viruses and bots.

  9.  Such attacks can lead to anything from release of personal information from a user's computer or online services, to destruction of all data on a computer, to the launch of denial of service (DoS) and other malevolent attacks on third parties. Building in software-based counter measures to these threats through tools such as anti-phishing filters and anti-malware protection has been a high priority. The recent release of Internet Explorer 7—which includes such features—is a step forwards in tackling these issues. But we also recognise that there will be a need to continue to innovate as the nature of online threats itself evolves and changes.

  10.  There are also more fundamental issues to consider. For example, more and more home Internet users are utilising broadband (always on) connectivity and wireless networks within the home. Configuring both the broadband and wireless links to ensure adequate security can be a demanding task for users, and presents a challenge in terms of ensuring that no third parties can access their systems. We have ensured that the firewall provided in Windows XP SP2 and in Windows Vista is on by default to help with protecting consumers' PCs in these increasingly common types of environments.

  11.  Outside of the physical infrastructure of the typical domestic network, typically protected with firewalls and encryption for wireless networks, phishing provides one of the main attack methods to fool people into handing over personal information that can then lead to an identity fraud related crime and other crimes, such as financial fraud. Some estimates concerning phishing indicate a compound annual growth rate of 1,000 per cent. This is why the latest release of Internet Explorer has built-in anti-phishing facilities and why Windows Defender (which helps protect against malware) is included in the Security Center in Windows Vista.

  12.  The scale of the problem can be seen in figures from the Association for Payment Clearing Services (APACS), which estimates direct fraud losses from online phishing scams in the UK almost doubled in 2005 alone to £23.2 million.

  13.  Gartner reported that in 2005 four major British banks delayed intra-bank payments between accounts in an attempt to combat phishing attacks. Delays ranged from several hours to one day.

  14.  One in 20 UK residents has lost money to some sort of online scam such as phishing, according to research commissioned by AOL UK. The survey of 2,000 net users by AOL found that five per cent had fallen victim to scams and had lost out financially.

  15.  Forrester Research believes security fears have prevented more than 600,000 UK internet users from banking online.

  16.  As the Internet moves increasingly into powering more and more of the services and technologies around us, we need to continually assess the threat landscape. For example, the BBC reported (2 October 2006) from the "Hack in the Box" hackers conference in Malaysia that hackers know how to subvert Internet-based telephony systems—including for example the predicted ability to intercept call centres (hence obtaining useful personal information that can assist with identity fraud)—and Internet-based television (perhaps leading to the injection of rogue broadcasts, or interference with legitimate broadcasts). With the predicted growth in home-based intelligent devices (such as telemedicine) which will also make use of the Internet, we all need to remain alert to the potential risks and how we mitigate them.

How well do the public understand the nature of the threat they face?

  17.  Education is a key cornerstone in combating some of these issues. We provide our own guidance to consumers[1] and also are very active supporters in the UK of the "Get Safe Online" campaign[2] which aims to educate consumers on the risks of the Internet and how to mitigate and manage them. According to a Get Safe Online survey:

    —  Over three quarters of the UK's population (83 per cent) do not know enough about protecting themselves online.

    —  22 per cent of people admitted to opening attachments from unknown sources—one of the most common ways of spreading computer viruses.

    —  Only 15 per cent of people felt they had a personal responsibility to protect themselves from online crime—yet almost one in five British people feel so under threat from Internet criminals they give online crime a higher fear factor than physical crimes like car theft and mugging.

  18.  To help ensure better public awareness of the risks and their mitigations, we have helped with the sponsorship and development of initiatives such as Get Safe Online and guidance on our own Websites. These resources provide a wealth of consumer education to help online users understand the risks online and better protect their identity information and related personal information. We have also engaged more directly, with our UK staff visiting schools to find ways of better communicating these important messages in ways that really connect and have an impact.

  19.  One of our most experienced colleagues in online risks, Linda Criddle, has recently published a book "Look Both Ways: help protect your family on the Internet" combined with a Web site[3] that we recommend to the Committee.

What can be done to provide greater personal internet security? How much does this depend on software and hardware manufacturers?

  20.  Consumers need to be well informed about the reality of the risks presented by the Internet. This needs to be done in practical, pragmatic ways that enable them to manage risk in such a way that they can enjoy the benefits of the Internet, but minimise its negative aspects. This requires continuing education programmes of the kind already in place, perhaps supplemented by good practice guides supplied with new equipment used for Internet access.

  21.  There is often an inherent tension between making things simple and intuitive for users and ensuring strong security and online safety measures. The industry continues to make good progress in improving the layers of protection available in both hardware and software. But the consumer is an essential part of the solution and needs to understand the options available and how best to deploy them. Neither is the threat landscape static—it constantly evolves, requiring consumer education and awareness to be an ongoing process.

  22.  Some of the measures we have taken at the technical level include making anti-malware and anti-spyware software available for consumers, adding in a firewall to our products, working with others on tackling the problem of spam and dropping support for online chatrooms. We have also added in additional features to the next release of our operating system, Windows Vista, which include User Account Control (to prevent rogue/stealth software installing) and parental controls. We have applied some of the same models to our other products, including Xbox/Xbox 360 which likewise includes parental controls. We have also focused on making it much easier for non-expert consumers to find and use and manage these functions.

  23.  Windows Defender for example is a free program that helps protect a computer against pop-ups, slow performance, and security threats caused by spyware and other unwanted software. It features a monitoring system that recommends actions against spyware when it's detected and minimises interruptions. Regular updates are made available automatically to the software enabling it to remain responsive to new threats.

  24.  The new release of our operating system, Windows Vista, has witnessed a major focus on and investment in additional security. These features to help better protect users include:

    —  Better protection against spyware—The antispyware software in Windows Vista, Windows Defender, helps prevent computer slow down, privacy loss, and unwanted pop-up advertisements caused by spyware and other potentially unwanted software.

    —  Safer browsing with Internet Explorer 7 Protected Mode—This Windows Vista-only feature limits Internet Explorer 7 to just enough permissions for a consumer to browse the Web, but not enough to modify their files or settings—which helps keep their computer safe from Web-based attacks.

    —  More safeguards from Windows Security Center—The Windows Security Center notifies consumers and helps them take action to correct a problem when their security software is not up-to-date or their security settings are potentially unsafe.

    —  In Windows Vista, the Windows Security Center is improved to include information about their antispyware software, Internet Explorer settings, and User Account Control settings.

    —  More control over what programs can do—By default, Windows Vista runs programs in a more secure mode. When most applications attempt to perform a potentially dangerous operation that requires administrator privileges, Windows Vista asks the user for their active consent before allowing that program to run. This helps reduce the impact of viruses, spyware, and other threats.

    —  An anti-phishing filter to help protect online identity—Internet Explorer 7 with Windows Vista includes a filter that advises a consumer when Web sites might be phishing in an attempt to steal their confidential information. The filter checks a list of known phishing sites that is updated several times an hour—and can also spot suspicious sites that are not in the database yet.

    —  Clear Internet history with one click—The sites visited and the information typed when you browse the Web are stored in many different places within a computer. In Internet Explorer 7 with Windows Vista users no longer need to go multiple places to remove their personal information. With the Delete Browsing History feature a user can clear all their browsing information with one click.

    —  Back up and restore settings, files and applications—Windows Vista provides a more comprehensive and easy backup tool than the basic backup utility included in Windows XP. The new Windows Backup feature gives a consumer more choices for storing their backed-up information and they no longer have to remember to regularly back up their data. Consumers can use a simple wizard to schedule when and where they want everything backed up.

    —  Parental Controls—Windows Vista introduces a rich and powerful set of parental control features to help parents monitor, manage, and administer their children's computer use—and help keep them safe.

    —  Review detailed activity reports—Windows Vista can generate a detailed activity report that shows exactly what children have been doing on the computer, including the games they played, the Web sites they visited, and the programs they used.

    —  Set Web restrictions—Users can use an online service that comes free with Windows Vista to restrict the types of Web sites a child can visit. A parent or carer can restrict Web sites by category, such as blocking all pornographic sites or all gambling sites, or they can block specific Web sites by URL. These restrictions work with most Web browsers.

    —  Help control the games a child plays—Windows Vista makes it easy for a parent or carer to designate which games their children are allowed to play. They can choose to: Allow or restrict specific games titles, limit children's play to games that are rated at or below a certain age level, block any games with certain types of content they do not want children to see or hear.

    —  Set computer time limits—With Windows Vista it is possible to set limits to when a child can use the computer and for how long.

  25.  Many of the problems facing consumers on the Internet have their origins in the fact that the Internet was built without an identity layer. It is difficult for users to establish the authenticity of remote parties that they are communicating with—and difficult to establish their own identity when challenged to do so. Microsoft has been working with a broad industry coalition to distil a proven, empirical set of principles for successful identity based on the lessons the industry has learned over the last 30 or so years. These principles are intended to help bridge the divide between policy aspirations and lower level technical implementation details—and hence provide a critical part of the overall infrastructure required to tackle the problem of the missing identity layer of the Internet. These principles are currently referenced as the "laws of identity" (laws as in scientific principles). We do not claim perfection or any uniqueness of insight in these "laws"—but do believe they provide a constructive basis for discussion and debate on ensuring the proper scope of identity systems that will prove sustainable and robust in the long term. And by tackling these issues, we will make attacks such as phishing harder to execute successfully.

  26.  These "laws" are included for reference at Annex A to this paper. In brief overview, they encapsulate the following elements of good identity system design:

    —  identity systems must only reveal information identifying a user with the user's consent;

    —  the solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution;

    —  identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship;

    —  the identity system must support both "omni-directional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles;

    —  the identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers;

    —  the identity system must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks; and

    —  the identity system must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.

  27.  A key part of our work has been ensuring a wider industry consensus in tackling the problem. We have a project known as CardSpace at Microsoft which aims to help provide the missing identity layer of the Internet and which embodies these identity principles in technology. Importantly, a project known as InfoCard is taking place across the industry (including across open source, Java, the Firefox browser and Apple Mac communities). We have been working collaboratively right across the industry to address these identity issues since they need to be solved in partnership if we are to make significant progress on providing the missing identity layer that the Internet so urgently requires. The InfoCard initiative will help remove the over-dependency on user ID and password—one of the most vulnerable problems on the Internet—and move us towards a more secure and more intuitive model.

  28.  Alongside these industry efforts to improve the online identity layer, we have also been making other technological improvements, such as a new anti-phishing filter in Internet Explorer. This helps users identify suspect Websites, enables easier reporting of suspicious sites—and uses visual cues to warn users when problems have been detected.

Is the regulatory framework for Internet services adequate?

  29.  Microsoft believes that effective regulation of security in an online world is best achieved by promoting a self-regulatory environment. We feel that consumer demand for security provides enormous market-driven incentives for innovators to work towards new solutions to security threats.

  30.  Promotion and support of a self-regulatory environment in which innovators have freedom to develop appropriate solutions to address security concerns is vital. Threats to security evolve over time. Only where there is scope for innovation will we see the development of new technological solutions to move towards secure networks. Self-regulation preserves consumer choice and ensures a progressive response to security threats, not limited by rules that may rapidly become outdated.

  31.  A good example of self-regulation is what has been achieved by Government, NGOs and the industry working together in helping to tackle child safety online. Along with other industry players and NGOs, we sit on the Home Office Child Safety on the Internet taskforce which allows for all participants to openly understand and discuss how we can best ensure child safety online. Microsoft works closely with the Internet Watch Foundation and uses its recommendations to block websites through MSN and Windows Live search.

  32.  We also joined together with a number of police forces around the world including the UK Child Exploitation and Online Protection Centre (CEOP) to deliver a new technology, the Child Exploitation Tracking Scheme (CETS), which allows police forces to share and analyse information for investigating child sex offences.

  33.  Our Vice President of Trustworthy Computing, Scott Charney, published a paper entitled "Combating Cybercrime: A Public-Private Strategy in the Digital Environment" as a result of work undertaken with the United Nations. This paper provides an overview of the inherent security and law enforcement challenges of the digital age, and outlines why neither traditional models of government protection nor a purely market-based approach to security is sufficient in the virtual world. It also discusses five elements of a sound public-private sector partnership strategy, using Microsoft's experience to illustrate the roles that industry and government can play in pursuing the strategy. We would be happy to provide copies of this paper to the Committee if it would be useful.

How well equipped is Government to combat cyber crime? Is the legislative framework in UK criminal law adequate to meet this growing challenge?

  34.  Where we do believe that Government can play a legislative role is in ensuring that they equip law enforcement agencies with a robust legal framework and resources to effectively tackle cybercrime.

  35.  In this vein, we supported the adoption of the EU Framework Decision on Cybercrime and the update to the Computer Misuse Act which changed UK law in line with this Decision. What we think is extremely important is that the police are given the resources and training to maintain the necessary technical expertise to help them successfully pursue cybercriminals.

  36.  In the UK, one issue that needs addressing is the problem that cyber crime and related fraud are not presently priority indicators for the police as set by the Home Office. With the changes around SOCA, the proposed re-structuring of police forces and the disappearance of the NHTCU it is unclear how cyber crime and reporting mechanisms are being systematically addressed. There is no single reporting mechanism in the UK (as there is in the US), thus, no reasonably supported statistics aside from anecdotal information and surveys.

  37.  What is equally as important is establishing a right of action for third parties. Individual users often lack the technical expertise and financial resources to take action against spammers and other cyber criminals. A third party right of action could protect consumers, which could include our own customers, by bringing damage claims that deter cyber criminals from continuing their activities. Companies could also recover some of the economic losses that cybercriminals cause to them in increased security costs and reputational damage.

  38.  We have developed strong partnerships with Interpol, other law enforcement agencies, government and industry to tackle the problems of online crime.

  39.  Earlier this year we launched our Global Phishing Enforcement Initiative (GPEI), which focuses on the identification and prosecution of individuals and groups involved with online phishing attacks. We have identified 104 phishing sites in 39 European countries. Of these sites, 31 are in English. We have initiated 53 separate legal actions. Of these actions, 4 are in the UK. The majority of phishers are males aged between 16 and 20. Legal actions include: criminal complaints, civil lawsuits, court orders and settlements. The four major offenders are: Spain, France, the UK and the Netherlands.


  40.  It would aid consumer understanding and more consistent evidence collecting and tracking of the scale and growth of the problem if the topics were more consistently described. For example, we recommend that the phrase "identity fraud" be defined more clearly and consistently. At present, much so-called "identity fraud" can often actually be related to other issues—such as benefit claimants misrepresenting their circumstances.

  41.  We also believe it is worth considering the establishment of a UK-wide, simple streamlined system for reporting of all cyber crime and online problems such as phishing. This would enable much easier reporting by citizens and hence much better insight and analysis of the true scale of the problem. Law enforcement agencies should also be appropriately resourced to track, monitor and tackle cyber crime and related identity fraud.

  42.  Both the offline world and online, digital world lack a clear identity layer. We need to work collectively to establish a clear policy framework for identity. We recommend the "Laws of Identity" (Annex A) as a starting point.

  43.  Microsoft believes criminal enforcement against those undertaking identity theft and related fraud, including, for example, phishers, is important to ensure that cyber criminals understand there will be consequences to illegal actions. In particular, we recommend establishing a right of action for third parties.

  44.  The UK should ensure it has not only the necessary legislation itself, but given the international nature of Internet threats, work with other countries to ensure reciprocal arrangements are in place to curtail the way in which criminals currently use international boundaries to impede the process of criminal proceedings.

  45.  It is also important that law enforcement agencies are provided with sufficient investment in their forensic analysis capability to tackle Internet-based crime.

  46.  The evolution of the computing ecosystem and malicious software threat landscape requires continual re-thinking about how to make consumer computing environments more secure. 64-bit computing is already making an impact as the next significant PC computing architecture. To support this new architecture (and to create an ecosystem that engenders trust and accountability), the security industry must continue to innovate on the development of more secure solutions.

  47.  At Microsoft, we know we can't do this alone and are committed to working with partners on ways to enhance our platform and provide greater opportunity for all software providers to build new solutions for consumers.


© Parliamentary copyright 2007