Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 500 - 519)

WEDNESDAY 31 JANUARY 2007

MR ROY ISBELL, MR ILIAS CHANTZOS, MR MARK SUNNER AND MR PAUL WOOD

  Q500  Lord Mitchell: Is it a competitive market, or do people co-operate, more to the point?

  Mr Chantzos: We have enjoyed a longstanding co-operation relationship with Microsoft. We believe it is important that this co-operation relationship continues exactly because ultimately it is also better for the users. It is better that we work together to protect them, as opposed to working in different directions. At the same time, this must not be done at the expense of inter-operability. Ensuring an adequate level of inter-operability ensures diversity in the security system, it ensures that customers have freedom of choice, freedom to choose what security solutions they need for their own security posture, for their own security needs. It also ensures that the consumer, the average user is not biased, is not dragged into a particular security technology which perhaps may not be his choice. It ensures that there is innovation and ultimately ensures that we avoid having a single point of failure. To go back to your question, yes, I maintain the point that we have a very competitive marketplace, but I also maintain the point that it is the role of the industry and the competition authorities to work together to ensure that that level playing field remains.

  Q501  Lord Mitchell: And as for software security being built into the operating system?

  Mr Chantzos: Having baseline security is obviously better than having no security at all. At the same time, the security of the operating system is not necessarily a security solution and taking some steps to, if you like, harden the operating system is a step in the right direction. However, the challenge we have on baseline security is first of all the evolving threat landscape. The fact that it is baseline means that it is basic. The threat landscape is such that, quite frankly, the type of threat which most users are facing is far higher than what the baseline security is providing and also having a baseline security, unless the user is adequately educated, runs the risk of providing a false sense of security.

  Q502  Lord Patel: Symantec suggests that "diversity in software platforms and applications is key to containing the spread of security threats," so who is going to be responsible for achieving this and how?

  Mr Chantzos: Do I understand your question correctly as asking me who is responsible for entering the security?

  Q503  Lord Patel: No, it is based on Symantec's quote that "diversity in software platforms and applications is key to containing the spread of security threats". So how are we going to achieve this diversity in software then?

  Mr Chantzos: It is not our job to dictate changes in products or the choice of consumer, clearly.

  Q504  Lord Patel: Whose job is it?

  Mr Chantzos: Certainly not ours. However, we do think it is important that we work together, that we work in an inter-operable environment to deal with security threats.

  Q505  Lord Patel: Let me be more challenging. We know Microsoft controls most of it. Microsoft will argue that those who want to attack it are going to attack it for money, so having diversity does not solve the issue?

  Mr Chantzos: I am sorry, but you need to see it not from the perspective of, "I want to attack for the money," but from the perspective of threat, vulnerability and risk management. If you see it from that perspective, I am attacking something which is vulnerable, which is widely deployed, and I hope to be able to exploit it so as to be able to capitalise on all of that. So to go back to my original point, having diversity in the eco system and having diversity in the security solutions which are there means there is no single point of failure which, if exploited, would be able to take out the entire infrastructure successfully. As I said, we have been working together with Microsoft and we hope that we will continue to be able to work together with Microsoft. At the same time, the choice of the technologies and the choice of the security around the technologies should be left to the user and I would like to stick with that, if you like.

  Mr Sunner: It is a really good point and I think the reality is we do have a dominant eco system in terms of platform, which is Windows. I think it is really interesting to note that now that the iPod generation is entering into the workforce and Macs and OSX is right back in vogue, sure enough the volume of vulnerabilities and things being discussed for Macintosh is going up. The only reason for that is because it is becoming a viable eco system in its own right. In the same way one of them will have attacks or threats inside email and web and instant messaging, because they are ubiquitous eco systems whereas currently the iron world is silo'd. So I think eco systems will always appear. It is desirable to have diversity, but by the very nature of us as users driving common platforms the eco systems will appear and then they will be attacked. So I think it is nice to have diversity, but the reality is that things will always gravitate towards a single platform, as we have seen with mail platforms, web browsers, et cetera, and then the threat will unfortunately follow.

  Q506  Chairman: Would we not be better with a single operating system but a diversity of security systems to protect it? At least you know what you are protecting. I would have thought multiple operating systems is going to dilute the security software world?

  Mr Sunner: Actually it makes it a lot more complex and possibly even unattractive for the attacker if you have diversity because if you have got a smaller eco system it may not be attractive to attack, but the reality is that you will end up with common platforms. That is what we as users will ultimately demand. Ultimately platforms will remain the same. I am sorry, could you just repeat the original question? I beg your pardon.

  Q507  Chairman: I am just arguing that if you have got a single operating system to protect, as it were, or to make sure it is secure then it might clearly be beneficial to have that as a sort of open software task so that the world's brains could concentrate on protecting a single system. If you have two or three basic operating systems then that workforce is spread over three systems?

  Mr Sunner: I think the reality is that a secure operating system is a Utopian view.

  Q508  Chairman: There is no such thing?

  Mr Sunner: It is not realistic, because what you have to remember is that whilst you can architect something now which might be bullet-proof today, the bad guys will not stand still. That is why we see platforms targeted in the way they are, directly proportionate to the eco systems which exist. The minute you have a platform which is dominant in any way it is a desirable target and then people will work until they do find an exploit.

  Mr Chantzos: My Lord Chairman, to start with I would like to reverse the question you have just put, so have one single operating system and many security providers. Why would we not want to show innovation at the level of the operating system to start with and have just one player and not have the possibility to have many to operate with each other and many security providers as well? So why would we not want to see more innovation in this area? Why would we want to restrict innovation just to that? That is perhaps something worth debating. The fact remains that the points which my colleague from MessageLabs makes are rather accurate. The more you see a dominant platform emerging, it is normal that that dominant platform will be receiving a high proportion of the attacks, which is why both variability as well as inter-operability become key elements.

  Q509  Lord Young of Graffham: Despite the best efforts of both MessageLabs and Symantec, I do get the occasional bit of spam trying to sell me another desktop protection system! I am sure it is inadvertence on your part, but there is a whole variety of systems, some of which in financial terms are fairly expensive and some of which are free. Some do it with a great deal of fuss, others operate behind the scenes much more and just occasionally send you a reassuring message. I personally operate from different machines probably three different systems. How do I tell the difference between them and how do I know, in the absence of getting an attack of some sort, an obvious attack, that they are any good? Is there any way of measuring them or actually understanding why I should pay more for Symantec rather than take a free one from someone else?

  Mr Isbell: I think you have to look at the infrastructure behind it and the company which is actually putting that particular software out there which is protecting it. The larger the infrastructure, the larger the intelligence network, the bigger the set of analysts, the more sensors that are out there, then the better able we are to protect you. Therefore, having a global intelligence network such as Symantec will give you a better sense and a better view that the level of protection you are going to get is a lot higher. The danger about the free security software which we have seen is that it is the wrong way, and there is a particular case in point, one of which came through on an adware which actually was used to turn round on itself to actually get you to buy a particular piece of security software. Having a trusted partner in the security vendor with the adequate size infrastructure which is supporting it and providing the intelligence at the back end I think is one of the ways.

  Q510  Lord Young of Graffham: Are there circumstances in which you would be prepared to back your trust with a guarantee, in other words, compensate customers if malware got through in some sort or other?

  Mr Isbell: The problem with giving guarantees is that you have to set a guarantee up against a set of criteria. Configuration of the software is ultimately down to the user for his own particular profile and his own level of risk and how vulnerable he feels he is, et cetera. So it is hard to give any form of guarantee when you do not have control over that.

  Q511  Lord Young of Graffham: Or compensation? You cannot guarantee against any event happening, but if I pay a lot more for a highly protective type of system (so I am being told) am I entitled to complain when something gets through and get compensation? That is what I am really getting at because for the consumer it is the difference, perhaps, between the expensive and the free, or not expensive but those who charge?

  Mr Isbell: Again you hit the problem where if you are entitled to compensation because we let something through on our global intelligence network we would have to turn round and say, "Well, did you do a live update? Do you have the latest security software on your system that we are protecting you against?"

  Q512  Lord Young of Graffham: Yes, but assuming that is the case, because all your systems update automatically as soon as you get onto the Net.

  Mr Isbell: That is user-configurable about whether he wanted a live update automatically or actually selects when he wants to update.

  Chairman: We are very pleased to hear that!

  Lord Young of Graffham: I will not say it was the obvious conclusion.

  Q513  Lord Young of Graffham: Could I ask a quick supplementary, which is that if you have a large market share suffering from the Microsoft problem does it then become of interest to the virus writers to specifically write stuff which will get around your anti-virus software because that way they know they will infect a reasonable proportion of computers?

  Mr Isbell: It is true that we do see particular elements of code which are trying to get around vendors' security. That is true, but by having the infrastructure and the sensor network and the analysts which we do we are providing a high degree of protection.

  Mr Sunner: If I could just take that and the previous point. I am going to be a bit contentious here. In terms of new things appearing, this is where there is a big difference between a product and a service, because ultimately how does a desktop anti-virus vendor know that there is a new virus out there which they could not catch? It is because somebody got it, somebody took the bullet. That then starts the race against time to get a sample of that, to generate the code to be able to stop that, to make that code available and get their diligent customer to apply it. All that takes a window of time. Coming on to can people exploit desktop products, absolutely, and again here is the flaw: as the bad guy, I can download all of the currently available desktop anti-virus products, have their latest signatures in front of me and keep changing my viruses on my workbench until it sails through all of them. I absolutely know now that this will succeed because they are products. As a service, you cannot do that. You cannot take a service on a CD and try it out. You get one shot at getting something through and if it has failed you have already learnt from it. I think that is the big difference.

  Mr Isbell: I think we also need to clarify the global intelligence network is also provided on a service type basis. Let me just give you some statistics, if I may, about the intelligence network which Symantec has out there. It is a vendor-neutral intelligence network. There are 40,000 sensors deployed in 180 countries. We have 6,200 managed security devices deployed. There are 120 million desktop gateway and enterprise AV systems out there. We deploy 2 million decoy accounts for spam and anti-phishing. As I have already said, we have 30 per cent of the world's email traffic flowing through our botmail system. We have four security operation centres around the world supporting 500 companies worldwide and one in the UK. As I said, we have 1800 analysts, and so on. So if you look at that infrastructure and the size of that, that is providing a service to the people who buy the AV products, et cetera, which we sell to provide that service, to constantly update them through the live update system to the latest threat landscape.

  Q514  Earl of Erroll: I just want to clarify a couple of points. Can you describe how spyware works and how much of a problem is that?

  Mr Sunner: The first point I would like to make about spyware is that in threat terms it is quite embryonic. The virus world will be 21 years old, arguably, this year. Spyware, conversely, as it is talked about is about five years old, so there is an issue with clarification here because in those 21 years of malware people understand what the difference is between a trojan, a worm and a virus, et cetera, whereas when people say "spyware" they can mean different things. In the early stages spyware was really about this pop-up ad-type box, something which would get into your browser so that potentially if you were searching for, let us say, "car" maybe ads would start to appear. This is about four or five years ago. In so doing, the bad guy community kind of got back more data than it bargained for. It was understanding what we were searching for, and that information has real currency. So from there these browser patching mechanisms started to be more interested in actually tracking user browsers, what we are keying in, and potentially even profiling people. Today, at the very, very sharp end of this now we are seeing root kit level stealth which is equivalent to what we are seeing in what we might call the traditional virus world. What is important about that is that traditional viruses took 21 years to go from the early benign floppy disk stuff to today, where it is all about commercial gain. Spyware has been through that same loop in five years and I think that has caught some areas of the security community slightly off-guard. Of course, the common denominator in the middle is the Internet. The Internet has always been there and is basically fuelling what is possible with spyware, which is again commercial gain, industrial espionage, all these things. Does that help in terms of clarification of where we are?

  Q515  Earl of Erroll: Symantec sets a list of best practice for users, "Be aware of the difference between adware and spyware," but actually how are users expected to know the difference?

  Mr Isbell: We tend to use the term now "security risks" to cover the adware, the spyware, and so on, but most of them have the similar characteristics: they are sitting there, they are gathering information and then passing that information back, whether it be tracking your consumer-type spending on the Internet or whether it is to do key logging-type activity. So we now refer to it as a security risk and try and deal with it that way.

  Q516  Earl of Erroll: If I am on a website where I buy things normally, I will probably be very happy that they track my profile because they can help me go to the bits of the website I want. So that is not malicious at all, whereas spyware might be giving some other details that I did not want.

  Mr Isbell: But that would be a voluntary choice because you have selected that and nine times out of 10 when you are on those websites "Do you want to receive mail?" you click the box, and also you fill in questionnaires to give information about your spending-type habits, your demographic. The spyware-type activity is more to which websites you are browsing, key loggers against your online banking to find out a little information about that.

  Q517  Earl of Erroll: So does the law distinguish between the two, and is spyware legal?

  Mr Chantzos: I will need to check specifically for UK law, for English law. My understanding is that the 2258 eCommunications Data Protection Directive, which should be by now part of UK law, English law, does actually forbid spyware. It goes down the path of forbidding in fact what I would describe as malicious cookies as well as spyware. Quite frankly, whether their definitions of 2258 could use some refinement we are debating with the Commission and, as I mentioned before, 2258 is up for review and once it goes through the democratic process we will be able to see what it will look like when the process is completed. I believe that we might see also changes there.

  Mr Sunner: If I could just add, again because spyware is quite an embryonic term it has yet to have real clarification. Many people will consider some of these tracking mechanisms which profile where you have been around this site and we are talking grade and risk kind of stuff. Some people consider that as spyware, whereas the people who are putting it there will say, "We are putting it there for legitimate reasons because we want to profile our activity." So there is a real grey area which exists in this embryonic term at the moment and it is not black and white where you could say that all spyware is potentially malware.

  Mr Isbell: I would like to clarify that as well, because if you think, "I want to track my children's web activity," that could be deemed spyware.

  Q518  Lord Young of Graffham: Is it illegal, spyware?

  Mr Sunner: Again, because it is a bit of a grey area, it is covering such a broad range of things, some of which are definitely malicious code, for sure, but another spectrum which might be termed as spyware at the moment because it is quite new could be considered as a commercial tracking application. So, unfortunately, the word "spyware" is too broad a spectrum to pigeon-hole.

  Q519  Lord Young of Graffham: Should there be tighter definitions?

  Mr Chantzos: There have been efforts within the industry to try to find an agreed definition of what we would define as spyware, different people using different means to determine what spyware is. Some are using threat matrix, for example, and others are using complete definitions. We could certainly benefit from more clarity and that is why I say when one looks at the regulatory side, yes, perhaps these definitions need to be revisited.


 

© Parliamentary copyright 2007