Examination of Witnesses (Questions 480
WEDNESDAY 31 JANUARY 2007
Q480 Lord Sutherland of Houndwood:
It seems to me that we have moved beyond crime into warfare, and
if that is so are these sites vulnerable to attack, to make
it not worth their while, in other words, because you keep destroying
their capacity? Do you say the solutions are technical the other
Mr Isbell: As a vendor we do not actually go
on the attack, we are in the protection business.
Q481 Lord Sutherland of Houndwood:
Sure, but that was not my question. My question was, could they
Mr Isbell: Yes, they could, is the quick and
short answer, from information that is found, but that would then
be up to law enforcement because attacking itself can be deemed
as a criminal offence.
Mr Chantzos: Also, when you are looking at dealing
with these kinds of networks a key point is taking out the command
and control centre because if the command and control centre is,
let us say, in some Eastern European country, it can within a
few hours reappear somewhere else. So it is very important that
when, if you like, you cut the head of the snake you cut it for
real and then burn it and incapacitate the rest of the body.
Mr Isbell: We have certainly been involved in
assisting to close down networks, especially the anti-phishing
type networks and using the co-operation to assist in providing
information to help law enforcement agencies actually do that.
Q482 Earl of Erroll:
Just on that last question, surely the problem is that the moment
you start attacking a "zombie" on someone's computer
without permission you are altering the contents of their computer
and you might do that inadvertently and destroy some of their
data? So it is not something, surely, you can do from outside?
Would you agree with that?
Mr Chantzos: My understanding is that the existing
legal framework does not actually allow that as a defensive mechanism
you go into a counter-attack. My understanding also is that the
role that we see for ourselves is not to police the Internet but
to protect our clients. The role of policing would be for the law
enforcement authorities, who would have both the power as well
as the means to do that policing.
Q483 Earl of Erroll:
I would like to get on to that in a second, but just before I
do, is part of the problem that the virus checkers that you deploy
or have been deploying over the last two years are basically perimeter
security, in other words they check things coming in through the
perimeter of the computer, whereas once it is inside it can get
on and do what it likes? So in order to check that my computer
has not been infected, I have to have other software sitting there,
for instance Spy Watch, Search and Destroy and Adaware and things
like that, checking for internal problems, because your software
only deals with stuff as it comes in through the perimeter?
Mr Isbell: No, absolutely not. The software
that we deploy does protect at the perimeter but also protects
in depth at the centre of servers, et cetera, so it is a multi-layered
Q484 Earl of Erroll:
But on my laptop, if I have your software it is not checking for
trojans inside the whole time?
Mr Isbell: You can run full scans, et cetera.
Is that what you are looking for? I am sorry, I am not fully understanding
Q485 Earl of Erroll:
It is not continually checking against odd, aberrant behaviour
inside the laptop?
Mr Isbell: Yes, it is, but it is checking definitive
actions which the computer is actually taking, opening files and
so on. If you are looking for the answer about checking anomalous
behaviour, there are some heuristics built within the software
that we provide but it is not detailed or complex.
Mr Chantzos: In addition to that, there is the
question of controlling the outbound traffic which is taking place
also in terms of the software solutions we provide, but also if
one was to look at other even more high-end technological solutions
available in the market there is, for example, the capability
of real-time monitoring security devices whereby by doing that
you are in a position to detect anomalous behaviour either inbound
or outbound, in which case you are able to detect even unknown
pieces of code, malicious code, which you have not been able to
see before and therefore stop it from going outside. It is part
of, if you like, collection of information, analysis, correlation
and response. It is an element of predictive defence.
Mr Isbell: It is important that the software
is kept fully up to date with the latest known attacks and most
of the software which is deployed nowadays contains two or three
parts. There is the anti-virus, there is the firewall and there
are the entry detection systems.
Mr Chantzos: Forgive me, but if I may jump into
this one more time, my Lord Chairman, there is also a regulatory
aspect to it, if you like, in the sense that if one was to look,
for example, at the eCommerce directive right now as it currently
stands, the 2001 directive, which is part of UK law, my understanding
is that the directive does not require prior monitoring of their
eCommerce to provide infrastructure as part of its security technology.
There is an explicit requirement of no prior monitoring. As a
result of that, in the current trend landscape that we have just
discussed with, for example, targeted trojans perhaps that may
be an issue which I think Brussels needs to revisit.
Q486 Earl of Erroll:
That brings me on to really the point I want to raise, which is
are the UK laws on spam viruses adequate and appropriate at the
moment, or where would you see a need to change them?
Mr Chantzos: In my effort to answer the previous
question from Lord Sutherland I tried to lay out as succinctly
as I could the regulatory framework, which is rather complex.
In a nutshell, we think that the Information Commissioner could
be doing more in this area but would need to be empowered adequately
in order to be able to do that.
Q487 Earl of Erroll:
You remind me, that was one of the things I wanted to ask you.
Why have you set up yet another body doing that when we already
have the police site trying to do that and there are others at
the policing and enforcement end with powers of arrest and things
like that trying to work on this. Surely it would be more sensible
to reinforce them than to have yet another person who is going
to have to acquire investigative powers?
Mr Chantzos: To start with, I am not suggesting
that we should establish a body. The Information Commissioner,
as I am sure you know, is already there. Having said that, having
the Information Commissioner, having more powers in the area of
dealing with issues relating to information security (in
fact the European directives foresee a role in this area) I
do not see that being unreasonable. Of course, ultimately the
arresting powers and investigative powers around this should be
the police. The UK police, I believe, are doing a rather good
job in this area, but they can always do better. There can always
be more resources. There is also a challenge which has to do with
the reporting of the eCrime, that is to say whether eCrime is
actually being reported as eCrime or whether eCrime is actually
being reported as fraud, for example. We had this discussion internally
and, quite frankly, maybe it merits a wider discussion, whether
there should be a central depository for depositing eCrime or
whether that can be done at a regional level. All these are elements
which one could further review to try and see where there can
be improvements in the system, but to start with when it comes
to legislation, to things which could be changed, as I said the
issue of breach identification, which is currently under discussion
in Brussels and is already under discussion in the US, perhaps
that is a step in the right direction. As I said also, in Brussels
right now there is discussion about the role of the ISPs and in
the UK the Computer Misuse Act has been updated to address these
issues. We would like more clarity around what is in the Computer
Misuse Act, but in principle that is a good step. Giving more
tools to the law enforcement authorities to do their job effectively
would certainly be something we would welcome. So, if you like,
the UK is going in the right direction. The question is, perhaps,
going the extra mile and co-ordinating that with the other international
figures and the people whom the UK is teaming with.
Q488 Earl of Erroll:
Is part of the problem (it is this cross-border, global aspect
to it) that there are people in the UK who should be prosecuted
and cannot be? Is that part of the problem?
Mr Chantzos: That is a very good question. Are
there people who should be prosecuted in the UK? My understanding
is that in the past there have been cases whereby people were
not able to be prosecuted or were able to get away relatively
lightly on offences. Having said that, as I said, the fundamental
instrument around this area, the Computer Misuse Act, has been
updated to address this issue. We would like the Computer Misuse
Act to be more clear. However, we need to see information security
as a dual approach, so there is the prevention side and there
is the detection and prosecution side. The Computer Misuse Act
and the data retention legislation, which would give a possibility
that you can trace back via the ISPs, is dealing with the suppression
and prosecution side of things. If one was to look at the prevention
side of things, for example establishing a breach notification
regime, as we have seen in places like the US, it could function
as a great enabler of information security because it creates
incentives for people to invest around this kind of technology.
It is a question also of facilitating, promoting, motivating people
to go down this path rather than just merely mandating the suppression
of the offences.
Q489 Earl of Erroll:
So you see the Information Commissioner as being on the preventative
side rather than the resource side?
Mr Chantzos: Yes. I am sorry if I did not make
Q490 Lord Sutherland of Houndwood:
You have been eloquent in saying you think the police are doing
quite a good job, which is very reassuring to hear you say that.
Do you have any system for sharing information, because a lot
of the information which has come out today I would have thought
would be of great interest to those concerned with law enforcement.
Is there any systematic way this is done? I ask both companies
to respond on that.
Mr Chantzos: Obviously the law enforcement authorities
as well as anybody else who is willing to acquire by normal commercial
means have access to the Symantec intelligence network and early
warning capabilities. That is the first aspect. As a general rule,
I would say that Symantec is a good corporate citizen and a responsible
one, so when requested by the law enforcement authorities via
the appropriate channels and within the boundaries of the law,
we will respond to a request.
Q491 Lord Sutherland of Houndwood:
But that means in effect the boot is on their foot, they must
take the initiative on this, rather than a sharing of information?
Mr Chantzos: If you look also at the way the
criminal and justice system works, there are rules of secrecy
around the way the investigation is taking place. We cannot, and
we should not know what it is the police are investigating. They
should reach out to us and tell us, again provided they do that
via the proper channels and appropriate means. Quite frankly,
there is also the question, do we have it to give to them? Sometimes
it could be that it sits on the desktop of the individual in question.
Q492 Lord Sutherland of Houndwood:
Clearly there are two different sorts of information. One concerns
a specific inquiry and what you say is absolutely right there,
you cannot have prior knowledge of where the police are going,
but there is also the more general point, the kind of information
you have presented this afternoon, both of you, about trends,
the way in which things are developing?
Mr Chantzos: The data, for example, that Mr
Isbell presented to you today regarding the Internet security
threat report. These are, I would say, publicly available for
free and I am sure that the law enforcement authorities are able
to tap into them, if you like. In addition to that, I am sure
that there would be also contacts and the possibility to ask a
question about Symantec, "We read this. What does this mean
in your report? Where do you see the future going?" So I
think that they have the resources to tap into should they want
to do that.
Mr Sunner: I want to give some positive feedback
here. We have always enjoyed a very good relationship with law
enforcement, formerly the National Hi-Tech Crime Unit, now SOCA,
and what we find is, as I think has already come up, when a threat
is taking place you will find that the marketing people, be they
the ISP, the mid-carrier or the end point, will have a bit of
information. So from our perspective in virus terms if we make
an interception, because a lot of the viruses we intercept
are viruses which are broken, which do not actually work, so the
person on the end who is actually creating this is there. If they
are not very smart, when they sense that it is broken they try
and fix it, so what we sometimes see is the seeding, the deliberate
seeding, and if it is all coming from a single source that is
a very, very important piece of information. What we know is just
the source IP address. That will be from an ISP that we are probably
not connected to, but at that point we give that information to
law enforcement. They then will approach the ISP and hopefully
might be able to unlock that next stage and that kind of relationship
has worked very successfully in the past and I think it is one
of these things which will become better as cross-relations between
ISPs, as we are sharing the back-channel traffic about what came
from where, become more open.
Q493 Lord Sutherland of Houndwood:
Is there any link with the police in terms of providing support
for training, and so on, in this highly specialised world?
Mr Isbell: We do run specialist courses and
obviously the police can avail themselves of those and we do provide
them when requested.
Q494 Lord Sutherland of Houndwood:
But it is again when requested?
Mr Isbell: Yes.
Q495 Lord Sutherland of Houndwood:
Does that apply to MessageLabs also?
Mr Wood: Certainly in my experience we have
got a very skilled team of engineers who work very closely with
the new emerging threats and when they discover something new
they are in a position where they have the knowledge to be able
to understand what is going on and understand how it works very
quickly. They have very good relationships with the enforcement
authorities and exchange information both ways. It is a two-way
flow of information, so it is not always just about, "This
is where we first saw something," it is also maybe about
how it works, maybe other areas where they can look where we cannot,
things that we cannot do that they have more authority to do.
Mr Sunner: Quite often some of the intelligence
we might have actually might be about stuff which is not in this
country and that becomes harder for us. So we have again enjoyed
a good relationship where we pass that to law enforcement, who
maybe do have better, smoother contacts to another region to track
something down, and again that has been quite successful. So I
think the relationship is good from our perspective.
Q496 Lord Sutherland of Houndwood:
I find this reassuring because clearly it is a very highly technical
specialist area. Just one slight change of tack, finally. We have
a Government which is very keen on targets. Do you think it would
be good to set some targets for the police in this area? Would
that jolly things up a bit?
Mr Chantzos: In the private sector we also tend
to talk about targets, objectives, key performance indicators.
One of the key questions, however, before we set an objective
and agree to it (and I am saying it as a manager myself,
I have to go through the process with my members of staff) is
the question of is that target achievable? The second is, is it
adequately resourced for it to be achievable? So before we look
into the question of is it adequately resourced, I think it would
be unfair to look into the question of what the target should
Q497 Lord Sutherland of Houndwood:
I think you could give a seminar in this Palace of Westminster.
It would be very helpful! Do you think, nonetheless, the setting
of targets, if sensibly designed, would actually move things on?
Mr Sunner: Speaking personally, I think that
what we are dealing with is such a moving target that it would
potentially become difficult. We have seen the threat profile
change dramatically in terms of viruses, spam, phishing and spyware
across the board in the last six months, so if we were to try
to articulate the things we were looking for and the threat profile
six months ago, things have occurred since then that have changed
the landscape. Therefore, I think it would be very, very difficult
to set targets that flow all the way down to law enforcement that
could be policed. I just do not think it would be viable.
Lord Sutherland of Houndwood: That is
very interesting. Thank you.
Q498 Lord Mitchell:
This is for Symantec really. You claim "a competitive market
for [the] security software industry protects diversity and thereby
enhances security". Do we have a competitive market at present,
or should we be taking steps to improve things, and could you
not just refer to the UK? This is a global market so I just wondered
if you could do it from that point of view also?
Mr Chantzos: Absolutely. Where do you start?
To start with, you have MessageLabs and us, but obviously there
are more than ourselves. Right now we believe we have a very competitive
market and we think that this is the way to go. We always prefer
that we let the market operate and the market forces work at their
will. Obviously, there is a role for government to play and there
is a role for the competition authorities to ensure that there
is a level playing field in this area. It is difficult for just
one company to deal with the complete Internet security issues
as they emerge and as they form, therefore competition is necessary
in order to create the level of innovation and the level of technology
which would react quickly and efficiently to the new security
threats. Having multiple providers means that the market can deal
with the specific attack, the specific threats and the different
players who are experts in their area can then, if you like, identify
and address these threats in their niche market. That effectively
ensures a wider net of response. Finally, having a monoculture
of information security risks creating a single point of
failure, so should this single point of failure for some reason
fail, should this single security posture fail, it has the risk
of having a knock-out effect for the rest of the infrastructure,
which is why it is important to have diversity in the system.
It is very much a biological example, if you like.
Q499 Lord Mitchell:
At one of our previous sessions on 17 January Microsoft was here,
Matt Lambert, and he was asked about the company's dispute with
the European Commission over anti-competitive behaviour, particularly
with respect to the new Vista operating system, and he defended
Microsoft's position and claim to that, and again I quote: "We
have always worked with other companies, including competitors,
to try to make our systems as inter-operable as possible."
I would like your views on that, please.
Mr Chantzos: Your question is about inter-operability,
if you like?