Examination of Witnesses (Questions 500 - 519)
WEDNESDAY 31 JANUARY 2007
MR ROY ISBELL, MR ILIAS CHANTZOS, MR MARK SUNNER AND MR PAUL WOOD
Q500 Lord Mitchell:
Is it a competitive market, or do people co-operate, more to the
point?
Mr Chantzos: We have enjoyed a longstanding
co-operation relationship with Microsoft. We believe it is important
that this co-operation relationship continues exactly because
ultimately it is also better for the users. It is better that
we work together to protect them, as opposed to working in different
directions. At the same time, this must not be done at the expense
of inter-operability. Ensuring an adequate level of inter-operability
ensures diversity in the security system, it ensures that customers
have freedom of choice, freedom to choose what security solutions
they need for their own security posture, for their own security
needs. It also ensures that the consumer, the average user is
not biased, is not dragged into a particular security technology
which perhaps may not be his choice. It ensures that there is
innovation and ultimately ensures that we avoid having a single
point of failure. To go back to your question, yes, I maintain
the point that we have a very competitive marketplace, but I also
maintain the point that it is the role of the industry and the
competition authorities to work together to ensure that that level
playing field remains.
Q501 Lord Mitchell:
And as for software security being built into the operating system?
Mr Chantzos: Having baseline security is obviously
better than having no security at all. At the same time, the security
of the operating system is not necessarily a security solution
and taking some steps to, if you like, harden the operating system
is a step in the right direction. However, the challenge we have
on baseline security is first of all the evolving threat landscape.
The fact that it is baseline means that it is basic. The threat
landscape is such that, quite frankly, the type of threat which
most users are facing is far higher than what the baseline security
is providing and also having a baseline security, unless the user
is adequately educated, runs the risk of providing a false sense
of security.
Q502 Lord Patel:
Symantec suggests that "diversity in software platforms and
applications is key to containing the spread of security threats,"
so who is going to be responsible for achieving this and how?
Mr Chantzos: Do I understand your question correctly
as asking me who is responsible for entering the security?
Q503 Lord Patel:
No, it is based on Symantec's quote that "diversity in software
platforms and applications is key to containing the spread of
security threats". So how are we going to achieve this diversity
in software then?
Mr Chantzos: It is not our job to dictate changes
in products or the choice of consumer, clearly.
Q504 Lord Patel:
Whose job is it?
Mr Chantzos: Certainly not ours. However, we
do think it is important that we work together, that we work in
an inter-operable environment to deal with security threats.
Q505 Lord Patel:
Let me be more challenging. We know Microsoft controls most of
it. Microsoft will argue that those who want to attack it are
going to attack it for money, so having diversity does not solve
the issue?
Mr Chantzos: I am sorry, but you need to see
it not from the perspective of, "I want to attack for the
money," but from the perspective of threat, vulnerability
and risk management. If you see it from that perspective, I am
attacking something which is vulnerable, which is widely deployed,
and I hope to be able to exploit it so as to be able to capitalise
on all of that. So to go back to my original point, having diversity
in the ecosystem and having diversity in the security solutions
which are there means there is no single point of failure which,
if exploited, would be able to take out the entire infrastructure
successfully. As I said, we have been working together with Microsoft
and we hope that we will continue to be able to work together
with Microsoft. At the same time, the choice of the technologies
and the choice of the security around the technologies should
be left to the user and I would like to stick with that, if you
like.
Mr Sunner: It is a really good point and I think
the reality is we do have a dominant ecosystem in terms of platform,
which is Windows. I think it is really interesting to note that
now that the iPod generation is entering into the workforce and
Macs and OSX is right back in vogue, sure enough the volume of
vulnerabilities and things being discussed for Macintosh is going
up. The only reason for that is because it is becoming a viable
ecosystem in its own right. In the same way one of them will
have attacks or threats inside email and web and instant messaging,
because they are ubiquitous ecosystems whereas currently the
iron world is siloed. So I think ecosystems will always appear.
It is desirable to have diversity, but by the very nature of us
as users driving common platforms the ecosystems will appear
and then they will be attacked. So I think it is nice to have
diversity, but the reality is that things will always gravitate
towards a single platform, as we have seen with mail platforms,
web browsers, et cetera, and then the threat will unfortunately
follow.
Q506 Chairman:
Would we not be better with a single operating system but a diversity
of security systems to protect it? At least you know what you
are protecting. I would have thought multiple operating systems
is going to dilute the security software world?
Mr Sunner: Actually it makes it a lot more complex
and possibly even unattractive for the attacker if you have diversity
because if you have got a smaller ecosystem it may not be attractive
to attack, but the reality is that you will end up with common
platforms. That is what we as users will ultimately demand. Ultimately
platforms will remain the same. I am sorry, could you just repeat
the original question? I beg your pardon.
Q507 Chairman:
I am just arguing that if you have got a single operating system
to protect, as it were, or to make sure it is secure then it might
clearly be beneficial to have that as a sort of open software
task so that the world's brains could concentrate on protecting
a single system. If you have two or three basic operating systems
then that workforce is spread over three systems?
Mr Sunner: I think the reality is that a secure
operating system is a Utopian view.
Q508 Chairman:
There is no such thing?
Mr Sunner: It is not realistic, because what
you have to remember is that whilst you can architect something
now which might be bullet-proof today, the bad guys will not stand
still. That is why we see platforms targeted in the way they are,
directly proportionate to the ecosystems which exist. The minute
you have a platform which is dominant in any way it is a desirable
target and then people will work until they do find an exploit.
Mr Chantzos: My Lord Chairman, to start with
I would like to reverse the question you have just put, so have
one single operating system and many security providers. Why would
we not want to show innovation at the level of the operating system
to start with and have just one player and not have the possibility
to have many to operate with each other and many security providers
as well? So why would we not want to see more innovation in this
area? Why would we want to restrict innovation just to that? That
is perhaps something worth debating. The fact remains that the
points which my colleague from MessageLabs makes are rather accurate.
The more you see a dominant platform emerging, it is normal that
that dominant platform will be receiving a high proportion of
the attacks, which is why both variability as well as inter-operability
become key elements.
Q509 Lord Young of Graffham:
Despite the best efforts of both MessageLabs and Symantec, I do
get the occasional bit of spam trying to sell me another desktop
protection system! I am sure it is inadvertence on your part,
but there is a whole variety of systems, some of which in financial
terms are fairly expensive and some of which are free. Some do
it with a great deal of fuss, others operate behind the scenes
much more and just occasionally send you a reassuring message.
I personally operate from different machines probably three different
systems. How do I tell the difference between them and how do
I know, in the absence of getting an attack of some sort, an obvious
attack, that they are any good? Is there any way of measuring
them or actually understanding why I should pay more for Symantec
rather than take a free one from someone else?
Mr Isbell: I think you have to look at the infrastructure
behind it and the company which is actually putting that particular
software out there which is protecting it. The larger the infrastructure,
the larger the intelligence network, the bigger the set of analysts,
the more sensors that are out there, then the better able we are
to protect you. Therefore, having a global intelligence network
such as Symantec will give you a better sense and a better view
that the level of protection you are going to get is a lot higher.
The danger about the free security software which we have seen
is that it is the wrong way, and there is a particular case in
point, one of which came through on an adware which actually was
used to turn round on itself to actually get you to buy a particular
piece of security software. Having a trusted partner in the security
vendor with the adequate size infrastructure which is supporting
it and providing the intelligence at the back end I think is one
of the ways.
Q510 Lord Young of Graffham:
Are there circumstances in which you would be prepared to back
your trust with a guarantee, in other words, compensate customers
if malware got through in some sort or other?
Mr Isbell: The problem with giving guarantees
is that you have to set a guarantee up against a set of criteria.
Configuration of the software is ultimately down to the user for
his own particular profile and his own level of risk and how vulnerable
he feels he is, et cetera. So it is hard to give any form of guarantee
when you do not have control over that.
Q511 Lord Young of Graffham:
Or compensation? You cannot guarantee against any event happening,
but if I pay a lot more for a highly protective type of system
(so I am being told) am I entitled to complain when something
gets through and get compensation? That is what I am really getting
at because for the consumer it is the difference, perhaps, between
the expensive and the free, or not expensive but those who charge?
Mr Isbell: Again you hit the problem where if
you are entitled to compensation because we let something through
on our global intelligence network we would have to turn round
and say, "Well, did you do a live update? Do you have the
latest security software on your system that we are protecting
you against?"
Q512 Lord Young of Graffham:
Yes, but assuming that is the case, because all your systems update
automatically as soon as you get onto the Net.
Mr Isbell: That is user-configurable about whether
he wanted a live update automatically or actually selects when
he wants to update.
Chairman: We are very pleased to hear
that!
Lord Young of Graffham: I will not say
it was the obvious conclusion.
Q513 Lord Young of Graffham:
Could I ask a quick supplementary, which is that if you have a
large market share suffering from the Microsoft problem does it
then become of interest to the virus writers to specifically write
stuff which will get around your anti-virus software because that
way they know they will infect a reasonable proportion of computers?
Mr Isbell: It is true that we do see particular
elements of code which are trying to get around vendors' security.
That is true, but by having the infrastructure and the sensor
network and the analysts which we do we are providing a high degree
of protection.
Mr Sunner: If I could just take that and the
previous point. I am going to be a bit contentious here. In terms
of new things appearing, this is where there is a big difference
between a product and a service, because ultimately how does a
desktop anti-virus vendor know that there is a new virus out there
which they could not catch? It is because somebody got it, somebody
took the bullet. That then starts the race against time to get
a sample of that, to generate the code to be able to stop that,
to make that code available and get their diligent customer to
apply it. All that takes a window of time. Coming on to can people
exploit desktop products, absolutely, and again here is the flaw:
as the bad guy, I can download all of the currently available
desktop anti-virus products, have their latest signatures in front
of me and keep changing my viruses on my workbench until it sails
through all of them. I absolutely know now that this will succeed
because they are products. As a service, you cannot do that. You
cannot take a service on a CD and try it out. You get one shot
at getting something through and if it has failed you have already
learnt from it. I think that is the big difference.
Mr Isbell: I think we also need to clarify the
global intelligence network is also provided on a service type
basis. Let me just give you some statistics, if I may, about the
intelligence network which Symantec has out there. It is a vendor-neutral
intelligence network. There are 40,000 sensors deployed in 180
countries. We have 6,200 managed security devices deployed. There
are 120 million desktop gateway and enterprise AV systems out
there. We deploy 2 million decoy accounts for spam and anti-phishing.
As I have already said, we have 30 per cent of the world's email
traffic flowing through our botmail system. We have four security
operation centres around the world supporting 500 companies worldwide
and one in the UK. As I said, we have 1800 analysts, and so on.
So if you look at that infrastructure and the size of that, that
is providing a service to the people who buy the AV products,
et cetera, which we sell to provide that service, to constantly
update them through the live update system to the latest threat
landscape.
Q514 Earl of Erroll:
I just want to clarify a couple of points. Can you describe how
spyware works and how much of a problem is that?
Mr Sunner: The first point I would like to make
about spyware is that in threat terms it is quite embryonic. The
virus world will be 21 years old, arguably, this year. Spyware,
conversely, as it is talked about is about five years old, so
there is an issue with clarification here because in those 21
years of malware people understand what the difference is between
a trojan, a worm and a virus, et cetera, whereas when people say
"spyware" they can mean different things. In the early
stages spyware was really about this pop-up ad-type box, something
which would get into your browser so that potentially if you were
searching for, let us say, "car" maybe ads would start
to appear. This is about four or five years ago. In so doing,
the bad guy community kind of got back more data than it bargained
for. It was understanding what we were searching for, and that
information has real currency. So from there these browser patching
mechanisms started to be more interested in actually tracking
user browsers, what we are keying in, and potentially even profiling
people. Today, at the very, very sharp end of this now we are
seeing rootkit-level stealth which is equivalent to what we are
seeing in what we might call the traditional virus world. What
is important about that is that traditional viruses took 21 years
to go from the early benign floppy disk stuff to today, where
it is all about commercial gain. Spyware has been through that
same loop in five years and I think that has caught some areas
of the security community slightly off-guard. Of course, the common
denominator in the middle is the Internet. The Internet has always
been there and is basically fuelling what is possible with spyware,
which is again commercial gain, industrial espionage, all these
things. Does that help in terms of clarification of where we are?
Q515 Earl of Erroll:
Symantec sets a list of best practice for users, "Be aware
of the difference between adware and spyware," but actually
how are users expected to know the difference?
Mr Isbell: We tend to use the term now "security
risks" to cover the adware, the spyware, and so on, but most
of them have the similar characteristics: they are sitting there,
they are gathering information and then passing that information
back, whether it be tracking your consumer-type spending on the
Internet or whether it is to do key logging-type activity. So
we now refer to it as a security risk and try and deal with it
that way.
Q516 Earl of Erroll:
If I am on a website where I buy things normally, I will probably
be very happy that they track my profile because they can help
me go to the bits of the website I want. So that is not malicious
at all, whereas spyware might be giving some other details that
I did not want.
Mr Isbell: But that would be a voluntary choice
because you have selected that and nine times out of 10 when you
are on those websites "Do you want to receive mail?"
you click the box, and also you fill in questionnaires to give
information about your spending-type habits, your demographic.
The spyware-type activity is more to which websites you are browsing,
key loggers against your online banking to find out a little information
about that.
Q517 Earl of Erroll:
So does the law distinguish between the two, and is spyware legal?
Mr Chantzos: I will need to check specifically
for UK law, for English law. My understanding is that the 2258
eCommunications Data Protection Directive, which should be by
now part of UK law, English law, does actually forbid spyware.
It goes down the path of forbidding in fact what I would describe
as malicious cookies as well as spyware. Quite frankly, whether
their definitions of 2258 could use some refinement we are debating
with the Commission and, as I mentioned before, 2258 is up for
review and once it goes through the democratic process we will
be able to see what it will look like when the process is completed.
I believe that we might see also changes there.
Mr Sunner: If I could just add, again because
spyware is quite an embryonic term it has yet to have real clarification.
Many people will consider some of these tracking mechanisms which
profile where you have been around this site and we are talking
grade and risk kind of stuff. Some people consider that as spyware,
whereas the people who are putting it there will say, "We
are putting it there for legitimate reasons because we want to
profile our activity." So there is a real grey area which
exists in this embryonic term at the moment and it is not black
and white where you could say that all spyware is potentially
malware.
Mr Isbell: I would like to clarify that as well,
because if you think, "I want to track my children's web
activity," that could be deemed spyware.
Q518 Lord Young of Graffham:
Is it illegal, spyware?
Mr Sunner: Again, because it is a bit of a grey
area, it is covering such a broad range of things, some of which
are definitely malicious code, for sure, but another spectrum
which might be termed as spyware at the moment because it is quite
new could be considered as a commercial tracking application.
So, unfortunately, the word "spyware" is too broad a
spectrum to pigeon-hole.
Q519 Lord Young of Graffham:
Should there be tighter definitions?
Mr Chantzos: There have been efforts within
the industry to try to find an agreed definition of what we would
define as spyware, different people using different means to determine
what spyware is. Some are using threat matrix, for example, and
others are using complete definitions. We could certainly benefit
from more clarity and that is why I say when one looks at the
regulatory side, yes, perhaps these definitions need to be revisited.