Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 480 - 499)

WEDNESDAY 31 JANUARY 2007

MR ROY ISBELL, MR ILIAS CHANTZOS, MR MARK SUNNER AND MR PAUL WOOD

  Q480  Lord Sutherland of Houndwood: It seems to me that we have moved beyond crime into warfare, and if that is so are these sites vulnerable to attack—to make it not worth their while, in other words, because you keep destroying their capacity? Do you say the solutions are technical the other way round?

  Mr Isbell: As a vendor we do not actually go on the attack, we are in the protection business.

  Q481  Lord Sutherland of Houndwood: Sure, but that was not my question. My question was, could they be attacked?

  Mr Isbell: Yes, they could, is the quick and short answer, from information that is found, but that would then be up to law enforcement because attacking itself can be deemed as a criminal offence.

  Mr Chantzos: Also, when you are looking at dealing with these kinds of networks a key point is taking out the command and control centre because if the command and control centre is, let us say, in some Eastern European country, it can within a few hours reappear somewhere else. So it is very important that when, if you like, you cut the head of the snake you cut it for real and then burn it and incapacitate the rest of the body.

  Mr Isbell: We have certainly been involved in assisting to close down networks, especially the anti-phishing type networks and using the co-operation to assist in providing information to help law enforcement agencies actually do that.

  Q482  Earl of Erroll: Just on that last question, surely the problem is that the moment you start attacking a "zombie" on someone's computer without permission you are altering the contents of their computer and you might do that inadvertently and destroy some of their data? So it is not something, surely, you can do from outside? Would you agree with that?

  Mr Chantzos: My understanding is that the existing legal framework does not actually allow that as a defensive mechanism you go into a counter-attack. My understanding also is that the role that we see for ourselves is not to police the Internet but to protect our clients. The role of policing would be for the law enforcement authorities, who would have both the power as well as the means to do that policing.

  Q483  Earl of Erroll: I would like to get on to that in a second, but just before I do, is part of the problem that the virus checkers that you deploy or have been deploying over the last two years are basically perimeter security, in other words they check things coming in through the perimeter of the computer, whereas once it is inside it can get on and do what it likes? So in order to check that my computer has not been infected, I have to have other software sitting there, for instance Spy Watch, Search and Destroy and Adaware and things like that, checking for internal problems, because your software only deals with stuff as it comes in through the perimeter?

  Mr Isbell: No, absolutely not. The software that we deploy does protect at the perimeter but also protects in depth at the centre of servers, et cetera, so it is a multi-layered defence approach.

  Q484  Earl of Erroll: But on my laptop, if I have your software it is not checking for trojans inside the whole time?

  Mr Isbell: You can run full scans, et cetera. Is that what you are looking for? I am sorry, I am not fully understanding your question.

  Q485  Earl of Erroll: It is not continually checking against odd, aberrant behaviour inside the laptop?

  Mr Isbell: Yes, it is, but it is checking definitive actions which the computer is actually taking, opening files and so on. If you are looking for the answer about checking anomalous behaviour, there are some heuristics built within the software that we provide but it is not detailed or complex.

  Mr Chantzos: In addition to that, there is the question of controlling the outbound traffic which is taking place also in terms of the software solutions we provide, but also if one was to look at other even more high-end technological solutions available in the market there is, for example, the capability of real-time monitoring security devices whereby by doing that you are in a position to detect anomalous behaviour either inbound or outbound, in which case you are able to detect even unknown pieces of code, malicious code, which you have not been able to see before and therefore stop it from going outside. It is part of, if you like, collection of information, analysis, correlation and response. It is an element of predictive defence.

  Mr Isbell: It is important that the software is kept fully up to date with the latest known attacks and most of the software which is deployed nowadays contains two or three parts. There is the anti-virus, there is the firewall and there are the entry detection systems.

  Mr Chantzos: Forgive me, but if I may jump into this one more time, my Lord Chairman, there is also a regulatory aspect to it, if you like, in the sense that if one was to look, for example, at the eCommerce directive right now as it currently stands, the 2001 directive, which is part of UK law, my understanding is that the directive does not require prior monitoring of their eCommerce to provide infrastructure as part of its security technology. There is an explicit requirement of no prior monitoring. As a result of that, in the current trend landscape that we have just discussed with, for example, targeted trojans perhaps that may be an issue which I think Brussels needs to revisit.

  Q486  Earl of Erroll: That brings me on to really the point I want to raise, which is are the UK laws on spam viruses adequate and appropriate at the moment, or where would you see a need to change them?

  Mr Chantzos: In my effort to answer the previous question from Lord Sutherland I tried to lay out as succinctly as I could the regulatory framework, which is rather complex. In a nutshell, we think that the Information Commissioner could be doing more in this area but would need to be empowered adequately in order to be able to do that.

  Q487  Earl of Erroll: You remind me, that was one of the things I wanted to ask you. Why have you set up yet another body doing that when we already have the police site trying to do that and there are others at the policing and enforcement end with powers of arrest and things like that trying to work on this. Surely it would be more sensible to reinforce them than to have yet another person who is going to have to acquire investigative powers?

  Mr Chantzos: To start with, I am not suggesting that we should establish a body. The Information Commissioner, as I am sure you know, is already there. Having said that, having the Information Commissioner, having more powers in the area of dealing with issues relating to information security—in fact the European directives foresee a role in this area—I do not see that being unreasonable. Of course, ultimately the arresting powers and investigative powers around this should be the police. The UK police, I believe, are doing a rather good job in this area, but they can always do better. There can always be more resources. There is also a challenge which has to do with the reporting of the eCrime, that is to say whether eCrime is actually being reported as eCrime or whether eCrime is actually being reported as fraud, for example. We had this discussion internally and, quite frankly, maybe it merits a wider discussion, whether there should be a central depository for depositing eCrime or whether that can be done at a regional level. All these are elements which one could further review to try and see where there can be improvements in the system, but to start with when it comes to legislation, to things which could be changed, as I said the issue of breach identification, which is currently under discussion in Brussels and is already under discussion in the US, perhaps that is a step in the right direction. As I said also, in Brussels right now there is discussion about the role of the ISPs and in the UK the Computer Misuse Act has been updated to address these issues. We would like more clarity around what is in the Computer Misuse Act, but in principle that is a good step. Giving more tools to the law enforcement authorities to do their job effectively would certainly be something we would welcome. So, if you like, the UK is going in the right direction. The question is, perhaps, going the extra mile and co-ordinating that with the other international figures and the people whom the UK is teaming with.

  Q488  Earl of Erroll: Is part of the problem—it is this cross-border, global aspect to it—that there are people in the UK who should be prosecuted and cannot be? Is that part of the problem?

  Mr Chantzos: That is a very good question. Are there people who should be prosecuted in the UK? My understanding is that in the past there have been cases whereby people were not able to be prosecuted or were able to get away relatively lightly on offences. Having said that, as I said, the fundamental instrument around this area, the Computer Misuse Act, has been updated to address this issue. We would like the Computer Misuse Act to be more clear. However, we need to see information security as a dual approach, so there is the prevention side and there is the detection and prosecution side. The Computer Misuse Act and the data retention legislation, which would give a possibility that you can trace back via the ISPs, is dealing with the suppression and prosecution side of things. If one was to look at the prevention side of things, for example establishing a breach notification regime, as we have seen in places like the US, it could function as a great enabler of information security because it creates incentives for people to invest around this kind of technology. It is a question also of facilitating, promoting, motivating people to go down this path rather than just merely mandating the suppression of the offences.

  Q489  Earl of Erroll: So you see the Information Commissioner as being on the preventative side rather than the resource side?

  Mr Chantzos: Yes. I am sorry if I did not make that clear.

  Q490  Lord Sutherland of Houndwood: You have been eloquent in saying you think the police are doing quite a good job, which is very reassuring to hear you say that. Do you have any system for sharing information, because a lot of the information which has come out today I would have thought would be of great interest to those concerned with law enforcement. Is there any systematic way this is done? I ask both companies to respond on that.

  Mr Chantzos: Obviously the law enforcement authorities as well as anybody else who is willing to acquire by normal commercial means have access to the Symantec intelligence network and early warning capabilities. That is the first aspect. As a general rule, I would say that Symantec is a good corporate citizen and a responsible one, so when requested by the law enforcement authorities via the appropriate channels and within the boundaries of the law, we will respond to a request.

  Q491  Lord Sutherland of Houndwood: But that means in effect the boot is on their foot, they must take the initiative on this, rather than a sharing of information?

  Mr Chantzos: If you look also at the way the criminal and justice system works, there are rules of secrecy around the way the investigation is taking place. We cannot, and we should not know what it is the police are investigating. They should reach out to us and tell us, again provided they do that via the proper channels and appropriate means. Quite frankly, there is also the question, do we have it to give to them? Sometimes it could be that it sits on the desktop of the individual in question.

  Q492  Lord Sutherland of Houndwood: Clearly there are two different sorts of information. One concerns a specific inquiry and what you say is absolutely right there, you cannot have prior knowledge of where the police are going, but there is also the more general point, the kind of information you have presented this afternoon, both of you, about trends, the way in which things are developing?

  Mr Chantzos: The data, for example, that Mr Isbell presented to you today regarding the Internet security threat report. These are, I would say, publicly available for free and I am sure that the law enforcement authorities are able to tap into them, if you like. In addition to that, I am sure that there would be also contacts and the possibility to ask a question about Symantec, "We read this. What does this mean in your report? Where do you see the future going?" So I think that they have the resources to tap into should they want to do that.

  Mr Sunner: I want to give some positive feedback here. We have always enjoyed a very good relationship with law enforcement, formerly the National Hi-Tech Crime Unit, now SOCA, and what we find is, as I think has already come up, when a threat is taking place you will find that the marketing people, be they the ISP, the mid-carrier or the end point, will have a bit of information. So from our perspective in virus terms if we make an interception—because a lot of the viruses we intercept are viruses which are broken, which do not actually work, so the person on the end who is actually creating this is there. If they are not very smart, when they sense that it is broken they try and fix it, so what we sometimes see is the seeding, the deliberate seeding, and if it is all coming from a single source that is a very, very important piece of information. What we know is just the source IP address. That will be from an ISP that we are probably not connected to, but at that point we give that information to law enforcement. They then will approach the ISP and hopefully might be able to unlock that next stage and that kind of relationship has worked very successfully in the past and I think it is one of these things which will become better as cross-relations between ISPs, as we are sharing the back-channel traffic about what came from where, become more open.

  Q493  Lord Sutherland of Houndwood: Is there any link with the police in terms of providing support for training, and so on, in this highly specialised world?

  Mr Isbell: We do run specialist courses and obviously the police can avail themselves of those and we do provide them when requested.

  Q494  Lord Sutherland of Houndwood: But it is again when requested?

  Mr Isbell: Yes.

  Q495  Lord Sutherland of Houndwood: Does that apply to MessageLabs also?

  Mr Wood: Certainly in my experience we have got a very skilled team of engineers who work very closely with the new emerging threats and when they discover something new they are in a position where they have the knowledge to be able to understand what is going on and understand how it works very quickly. They have very good relationships with the enforcement authorities and exchange information both ways. It is a two-way flow of information, so it is not always just about, "This is where we first saw something," it is also maybe about how it works, maybe other areas where they can look where we cannot, things that we cannot do that they have more authority to do.

  Mr Sunner: Quite often some of the intelligence we might have actually might be about stuff which is not in this country and that becomes harder for us. So we have again enjoyed a good relationship where we pass that to law enforcement, who maybe do have better, smoother contacts to another region to track something down, and again that has been quite successful. So I think the relationship is good from our perspective.

  Q496  Lord Sutherland of Houndwood: I find this reassuring because clearly it is a very highly technical specialist area. Just one slight change of tack, finally. We have a Government which is very keen on targets. Do you think it would be good to set some targets for the police in this area? Would that jolly things up a bit?

  Mr Chantzos: In the private sector we also tend to talk about targets, objectives, key performance indicators. One of the key questions, however, before we set an objective and agree to it—and I am saying it as a manager myself, I have to go through the process with my members of staff—is the question of is that target achievable? The second is, is it adequately resourced for it to be achievable? So before we look into the question of is it adequately resourced, I think it would be unfair to look into the question of what the target should be.

  Q497  Lord Sutherland of Houndwood: I think you could give a seminar in this Palace of Westminster. It would be very helpful! Do you think, nonetheless, the setting of targets, if sensibly designed, would actually move things on?

  Mr Sunner: Speaking personally, I think that what we are dealing with is such a moving target that it would potentially become difficult. We have seen the threat profile change dramatically in terms of viruses, spam, phishing and spyware across the board in the last six months, so if we were to try to articulate the things we were looking for and the threat profile six months ago, things have occurred since then that have changed the landscape. Therefore, I think it would be very, very difficult to set targets that flow all the way down to law enforcement that could be policed. I just do not think it would be viable.

  Lord Sutherland of Houndwood: That is very interesting. Thank you.

  Q498  Lord Mitchell: This is for Symantec really. You claim "a competitive market for [the] security software industry protects diversity and thereby enhances security". Do we have a competitive market at present, or should we be taking steps to improve things, and could you not just refer to the UK? This is a global market so I just wondered if you could do it from that point of view also?

  Mr Chantzos: Absolutely. Where do you start? To start with, you have MessageLabs and us, but obviously there are more than ourselves. Right now we believe we have a very competitive market and we think that this is the way to go. We always prefer that we let the market operate and the market forces work at their will. Obviously, there is a role for government to play and there is a role for the competition authorities to ensure that there is a level playing field in this area. It is difficult for just one company to deal with the complete Internet security issues as they emerge and as they form, therefore competition is necessary in order to create the level of innovation and the level of technology which would react quickly and efficiently to the new security threats. Having multiple providers means that the market can deal with the specific attack, the specific threats and the different players who are experts in their area can then, if you like, identify and address these threats in their niche market. That effectively ensures a wider net of response. Finally, having a monoculture of information security risks creating a single point of failure, so should this single point of failure for some reason fail, should this single security posture fail, it has the risk of having a knock-out effect for the rest of the infrastructure, which is why it is important to have diversity in the system. It is very much a biological example, if you like.

  Q499  Lord Mitchell: At one of our previous sessions on 17 January Microsoft was here, Matt Lambert, and he was asked about the company's dispute with the European Commission over anti-competitive behaviour, particularly with respect to the new Vista operating system, and he defended Microsoft's position and claim to that, and again I quote: "We have always worked with other companies, including competitors, to try to make our systems as inter-operable as possible." I would like your views on that, please.

  Mr Chantzos: Your question is about inter-operability, if you like?


© Parliamentary copyright 2007