Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 525 - 539)

WEDNESDAY 21 FEBRUARY 2007

MR BRUCE SCHNEIER

  Q525  Chairman: Mr Schneier, thank you for coming to see us. We very much appreciate the opportunity to talk to you. Perhaps you could first introduce yourself.

Mr Schneier: I am Bruce Schneier. I am basically a security technologist. I write; I speak; I do a lot of thinking in security and how security fits into society. My background is from cryptography, to computer security, to more general security. I had a company in the United States, Counterpane Internet Security, which last October was purchased by BT. So now I am a BT employee. It is important for you to realise two things. One, I am here not as a BT employee but as a security expert; so what I am saying is me and not the company position. Two, I am an American and so my perspective is very much the American laws and the American experience; so I might get some of the UK perspective off. Those are my two caveats.

  Q526  Chairman: Thank you for that. We fully appreciate that although Counterpane, the company you founded, has been acquired by BT and you are now an employee of BT, we are talking to you today in your personal capacity, not in any way as a representative of BT.

  Mr Schneier: Excellent.

  Q527  Chairman: Let us get into the questions then and let me ask the first question. Is it possible to put a figure, however approximate, on the cost to the global economy of the insecurity experienced by those using the Internet? What are the main categories of cost and where are they borne?

  Mr Schneier: It is a hard question and everyone tries to answer this, because everyone wants to know what are the costs of insecurities. It is hard because a lot of the costs are fuzzy; a lot of them are not well known. We do not have the kind of data you might have on bank robberies or conventional street crime. When you look at the costs, there are the direct financial costs. Right now the big crime is identity theft and there are significant costs. In the US, it is now being said that the amount of profit is greater than the drug trade. That number is being bandied about. It is very hard to know if that is true, because real numbers are hard to get. How much of it is Internet-borne versus "just happens to use the Internet"? Certainly it is in the billions, and direct money is being stolen. When banks are broken into through cyber means they often do not publicise the losses, and so we do not have access to any of that data. A lot of companies keep this secret. There are direct costs also in proprietary information. There is lots of anecdotal evidence that it is not really good to release a lot of data as to how much that costs. The other class is loss of productivity, loss of time. You will see this in the media: "Big Worm Hits", and it is tens of billions of pounds in damage. That is calculated by how many hours did it take for people to get rid of it, times how much they are paid, and that is how much it costs. Of course, these people are paid on salary and they are working overtime; so are those costs real or not? It all depends how you count. A loss of productivity: if your email is down for a day, there is a loss there; but how much do you make up? Amazon knows literally to the penny how much money they lose if their website goes down. They know their throughput. But, much to everyone's surprise, when their website goes down for an hour they tend to make that money back over the next day or so. The customers do not leave and go elsewhere; most of them just say, "Oh, the website's down. I'll try again later". So do you really count those costs? That is hard. There are therefore those indirect costs. There is another class of costs, which I call the "fuzzy costs"—the reputation costs. There are some very public breaches that cost companies their good name. A good example was in the United States a couple of years ago. There was a breach of ChoicePoint, a data broker, and 165,000 personal names and information were stolen. That company took a very serious hit in their stock price, and you could make a very good argument that was directly an effect of the attack. How much is the brand of a bank worth? So there are the costs there. There are also insurance costs that companies are paying. You could look at the entire cost of the security industry. In effect, all the security products you buy are making up for the bad products you have to protect, and that is a multibillion-pound industry. So you look at it that way. It is real hard to get a handle on the numbers, but that is a flavour of where they might be.

  Q528  Chairman: Do you have a feel for the problem that there is to the individual? We are mainly interested in personal Internet security. Personal identity theft is very troubling for people. I assume that must consume a great deal of time. Would you have any idea about the number of people who never get it resolved?

  Mr Schneier: No, we do not know. There are identity theft numbers that are out there. One of the problems is that the definition of identity theft has been changing, so it is hard to get a handle on. The US Government publishes numbers. I do not know what they are, but I know they are published. What exactly do they mean by identity theft? If I steal your credit card out of your wallet and go use it, that is identity theft but it is not what we are talking about here. We are talking about someone impersonating you to a bank, getting credit, getting loans. We have had examples of somebody going away on vacation; they come home and their house has been sold, because someone impersonated them in the real estate market and sold their house. They are very hard things to unravel. Numbers are tough. I think that the US really has a very bad way of dealing with credit reports, credit ratings, and how regulated the industry is. It can take years for someone to restore their good name. In many cases, the money lost is eaten by the banks and the credit card companies, and that is relatively straightforward. It is the time to restore your good name and the stress. It takes people years; they cannot get loans; in some cases their car gets repossessed, even though it is not them; there are arrest warrants out for them. That is what takes a huge amount of time. Putting a dollar figure on that is very difficult, but that is the real cost to the individual. When people are scared, that is what they are scared about. In the US, if you lost your credit card it is a $50 maximum charge to you as an individual; but if your credit rating gets trashed, the effects are enormous; they permeate all through your life. You have trouble getting a job; you cannot get a loan; when you try to rent an apartment, you are not able to. It really affects you.

  Q529  Lord Young of Graffham: What do you understand by "personal Internet security" and who should take responsibility for it?

  Mr Schneier: I think that there is a lot of responsibility to go around. The way I often look at it is who can take responsibility? It is all well and good to say, "You, the user, have to take responsibility". I think the people who say that have never really met the average user. I always use my mother as an example. She is not stupid; she is very intelligent, but this is not her area of expertise. If I tell her, "You have to be responsible for your Internet security", she will not be able to. It is too technical, in ways she cannot deal with. So I think that there is a role for the individual, but I like the notion of credit cards. You, as an individual, are responsible for the first $50 and the rest we force the credit card companies to take. This is interesting. Even if you as an individual take your card and fling it out of the window or hand it to somebody and say, "Here, use it", you are only liable for $50, even though you did all the things wrong. The reason that was done—I think it is actually very brilliant—is because the credit card companies are able to solve the problem. Once that law is passed, the credit card companies invest in technology. You can go through that. We used to have books of bad numbers; now there is online real-time verification of fraudulent cards. Cards are delivered in the mail separately from the PIN that activates it. You have to call and manually activate a card. There are expert systems that look through the database of transactions, looking for fraudulent patterns. I travel the world. I have used my card in four countries in one day. I was in Winnipeg, Canada, last year and my card was stolen. I used it in a restaurant and somebody copied the number and made a forged card. In two transactions, Visa cancelled my card—and I am amazed. So I think there are some things that we make the user do. Then we have to look towards who else can do it. I think that the ISPs for home users very much should be responsible. Not that it is their fault, but that they are in an excellent position to mitigate some of the risk. There is no reason why they should not offer my mother anti-spam, anti-virus, clean-pipe, automatic update. All the things I get from my helpdesk and my IT department by virtue of being a BT employee they should offer to my mother. I do not think they will unless the US Government says, "You have to". I think that there is a place where the responsibility should be there. Going back, I think that the financial institutions need to bear a lot of responsibility. Here is the problem in the US. Someone gets my personal information, goes to a credit card company with my details—and in the US credit cards are very easy to obtain, so it is a much more pernicious problem than in the EU—and gets a credit card in my name. So damage has happened to me and I do not even know about it. I was not involved in the transaction at all. The credit card company should be responsible for that and should be forced to make me whole. They should be the ones to go through the stress of restoring my good name, not me. That makes sense. I would like to see some responsibility on the software vendors, the operating system vendors, the hardware vendors. We are paying the price of insecure software. There is—and I make this up—a vulnerability in an application program or operating system. Someone uses that to hack into my mother's computer; put a Trojan on the computer; it sniffs her password, and now steals money out of her account. You cannot say that the software vendor is 100% liable for this, but I think it is equally true that they are not zero per cent liable. There is a piece that they can do. When you start looking round, there are a lot of places where you could take responsibility. All the companies really want to push it off; they do not want it. But if you give it to them, like the credit card industry, then capitalism takes over. Once they have the responsibility, they are now going to figure out how to solve it cheaper, better, faster, smarter—and we will get good solutions.

  Q530  Lord Young of Graffham: If we are talking about personal Internet security, we are talking about the average "silver surfer" using it at home. It seems to me that there are three areas. First, I am responsible for the hardware I buy. Occasionally there are hardware faults that give leaks in firewalls. Secondly, I am responsible for the software I use. Thirdly, it is how I use it—so if I leave my password insecure. There are those three areas, therefore. How do I distinguish between my responsibility and the responsibility of the hardware vendor and the software vendor? Those are the two main areas.

  Mr Schneier: I think it is hard and I think this is where the tort system really works. I am not an attorney but recently—because I am looking at the legal aspects—I read a book on torts. There are incredibly complicated case histories of partial liability and who gets what. It looks like the system, although it is not easy, sorts that stuff out: how much of it is the user's responsibility; how much of it was the hardware, the software, the website, the ISP in the middle, the DNS server here or some other user over there. You can have examples of DNS attacks, where the company was not even responsible; that some other attacker attacked a named server held by a public organisation, redirecting traffic from the bank to this now phoney bank website. I am entering my bank details; I am fooled. It would be hard to say that I am responsible. There are some visual cues that I might or might not be noticing. These are very hard cases, but I think that we need to start poking at it. We need to start peeling it away. It is probably many years, in different litigations, before we sort it out.

  Q531  Chairman: What you are saying basically is that, while the responsibility is distributed, you think a formula can be made up to distribute that almost quantitatively. So if you have a certain problem, then it is either the ISP provider, or it may be you, or it may be your software manufacturer, or it may be your hardware manufacturer.

  Mr Schneier: And it could be a combination of things, like you see in some other areas of tort. Automobile liability—is it the fault of the driver, the automobile manufacturer, the part manufacturer, or the road conditions? There are standards of care that are brought to bear; there are safe driving practices that we expect from people; there are safe road conditions. Investigations are made, the parties come into a room and demonstrate, "I did this and therefore I'm not liable" or "I did this" or "You didn't do that". So it is less that there is a formula; more, there will be a recipe for figuring who did what. It is likely to be relatively standardised. I think that a lot of these frauds are very replicable; that they are not one-offs; that when you see an attack that works, it happens again and again. Attackers change tactics depending on the defences, but the primary fraud is the same. Opening a credit card in my name is a very standard thing that is done.

  Q532  Lord Young of Graffham: Could I come on to e-banking? A personal experience—my daughter had an account with one of the big banks broken into, money taken, and the account was closed. The bank obviously paid up in those circumstances, but is e-banking safe? We are becoming more and more reliant on the use of e-banking.

  Mr Schneier: "Safe" is a relative term. To me as a user, if I am not liable, then it is safe. The bank, as a business, decides—however many basis points their fraud is. If you look at credit cards or cheques, fraud is not zero but it is a cost of doing business. You are going to have the CISO of PayPal here. Ask him how many basis points fraud is, and I will bet you that it is under one per cent. It is something that they are trying to get down, but they are a profitable business even though that fraud is there. So the question for the user to ask is, "Am I liable?". If the bank said to me, "We are going to give you a password and if money comes out of the account using that password you have to pay it, regardless of whether you did it or not. You are liable for all withdrawals", I will say, "I don't want that password", because I do not know what the bank's security practices are. I cannot control them. The bank can do something. A file gets broken into, a password is stolen, my money is taken and now I am at fault. If the bank says, "Here is a PIN and only withdrawals you make will you be charged for, and any you dispute we will give you the benefit of the doubt", then suddenly I am okay with it, because it is not my risk. The real question is who bears the risk. ATM cards are another example. If there are fraudulent ATM withdrawals from my account, I call my bank and they reverse them. They will probably pull the tapes, look at the video recordings, see who actually did it; but I have the benefit of the doubt there. So I am perfectly happy with my bank card. If it was the other way, I would be less happy.

  Q533  Lord Young of Graffham: Do you think things are improving or becoming more difficult?

  Mr Schneier: Things are becoming more complicated. I think the jury is out on whether they are getting better or worse. By any metric, the numbers are getting worse. Fraud is increasing; loss is increasing; damage is increasing.

  Q534  Lord Young of Graffham: But volume is increasing too.

  Mr Schneier: Yes, volume is increasing too. Definitely the criminals have found the Internet as a very good place to steal. One of the reasons is because it is so easily international. We actually see jurisdiction shopping. Organised crime will find countries with poor computer crime laws, easily bribed police, no extradition treaties, and they will launch their crimes from there. We see a lot—at Counterpane we are monitoring—from sub-Saharan Africa, from Eastern Europe, from South America, from South-East Asia. So I think it is a growth area in crime. We are seeing much more personal identity information being stolen, but a lot of that is because you steal them in bigger batches now. It is not that there is not a lot of evidence that there is more crime there; I think there is. I think that companies are getting a better handle on fraud. Again, you will have PayPal here and they are great people to ask about stuff like that. PayPal is a monster target out there, because their business is transferring money over the Internet. What better target for an Internet criminal? I will bet that their fraud has been going down, because they are getting better at policing what they are doing. Sometimes you will see measures that banks institute that do not reduce fraud but they move fraud around from one bank to another and then, when all banks are up to this level, a new tactic is developed. So things are definitely getting more complicated. I would say that on a personal level they are getting better, because companies are very scared of all users losing faith, saying, "Oh, it's not safe to buy on the Internet". If that happens, it will be a huge loss.

  Q535  Earl of Erroll: Can I quickly ask a question on banking first? One of the problems in the UK with banking is if the bank felt that the person had given away their PIN number, because they had written it down and someone had seen it, they denied all liability and they were refusing to release details whether it was possible at all. The default position was that the banking system must be secure because the banks would not release information on it. Did you have that trouble in the States?

  Mr Schneier: In the States, it appeared from the beginning that they followed the credit card model: that the bank had to prove that you had committed fraud. I think that is a much better model, because the user has no ability to prove that he did not give away his PIN.

  Q536  Earl of Erroll: That was the problem here.

  Mr Schneier: In the US the bank cards very quickly followed the credit card model, and I think that was very brilliant. In fact, in a lot of ways in the US—and I do not know if it is true here—both models go through the same systems. If I go to a store and I pay with my bank card or my credit card, it is the same swipe machine. It is the exact same system.

  Q537  Earl of Erroll: It is the same here, yes. On a completely separate issue, you have long been an advocate of holding software companies liable for flaws in their products. Why would this be a good thing?

  Mr Schneier: This gets back to putting the responsibility for the problem on them to go back and fix the problem. I will give a very broad explanation. We are paying, as individuals, as corporations, for bad security of products. We are paying it in after-market firewalls, anti-virus, buying Counterpane services, and everything else. It is a huge industry. It is costing us a lot to have insecure software. If we put the liability onto the vendors, it would be expensive but they would either invest in better-quality software development or longer development cycles; they might have to buy insurance; they would certainly charge more for their products. So there would be a cost to that also. But in this second way, in this other cost, the software is improving. Right now, we have a situation where the software is poor quality; we buy these after-market products; the software does not get any better. I want to see the liability moving onto the vendors, to give them a bigger impetus to fix their products. Most of the costs are an externality. The software vendor has an insecure product: the cost is borne by us users. There are several ways you can move the liability back. You can do it through regulation; you can do it through liability that forces the software vendors to spend more money on security, produce more reliable products, and we all benefit. In general, that is why I think that is a good idea.

  Q538  Earl of Erroll: Just to clarify, by "vendor" you do not mean a third-party intermediary; you mean the original manufacturer of the software?

  Mr Schneier: No, I mean the manufacturer. In US law—and this happened in the 1920s with automobiles—you would buy an automobile from an independent car dealer and you had a problem with it. You could only sue the car dealer; you could not sue the vendor. That is the notion of privity. That was changed in the 1920s with the very famous case of MacPherson v. Buick, which set the precedent that you as the individual could sue the auto manufacturer and not the dealer. The idea was that the auto manufacturer could fix the problem. Similarly, you need the same thing with software. It is the person who designed, wrote, built the software, the hardware.

  Q539  Earl of Erroll: I am not sure we have the same legal system here. I know that for a lot of stuff you sue the person, and to us the vendor is the retailer of the thing, not the original producer or manufacturer. That is a slight sidetrack, because one of the things that has come out from previous witnesses is that it is virtually impossible to produce software without some flaws in it. You then also get a mix of software on an end-user's system which will be interrelating in unpredictable ways. How do you decide where the liability lies? Surely it will just make the whole thing impossibly expensive or impossible for people to produce new software?

  Mr Schneier: I do not think that "difficult" is a reason not to try. Certainly those are issues. I think that we are expecting flaw-free software. I can tell you as a security expert that we in the industry have no idea how to design flaw-free software. We cannot do it. We can do a much better job. If you look at the software development processes in aircraft manufacture, avionics, or in the space shuttle, they are completely different from mass-market software. It probably is not appropriate for mass-market software, but there are things we can do. Even that software is never flaw-free. There have been rockets that have blown up. An Ariane 5 rocket is an example that comes to mind. We can do better, however. This is one of my problems. There are lots of secure development tools out there that are not being used; because, when push comes to shove, there is budget, you have to get your product out quickly, and security takes a back seat to features, to getting it out there. So more pressure on the vendors to do a better job—not a perfect job—because there will be some standard of due care; some standard that you follow.


© Parliamentary copyright 2007