Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 643 - 659)

WEDNESDAY 28 FEBRUARY 2007

PROFESSOR ROSS ANDERSON AND PROFESSOR MARK HANDLEY

  Q643  Chairman: Professor Anderson and Professor Handley, thank you very much for coming to speak to us; we appreciate your time and your willingness to come and join us. You realise where we are in this inquiry, I think. Certainly Professor Anderson spoke to us at our seminar as well. We have had many sessions already taking evidence so it will be very useful for us today to close down on some of the issues. I do not think we have a lot of members of the public with us, but I am sure they realise that there is a document outside telling people about this inquiry. Would you like to introduce yourselves and then, if you wish, make an opening statement or we can go straight into the questions. Professor Anderson, perhaps you would like to start.

  Professor Anderson: I am Professor of Security Engineering at Cambridge University. My background is mathematics and hardware engineering. Over the past half a dozen years I have been involved in developing security economics as a discipline, because we have come to realise that most of the things that go wrong, go wrong from misplaced incentives at least as much as from technical errors. For my sins I chair the Foundation for Information Policy Research which is an Internet policy think tank. As for substantive matters for the Committee I set these out in the paper that you received in October last year.

  Professor Handley: I am Mark Handley. I am Professor of Network Systems at UCL. Primarily I am a networking research person; I have been involved in designing network protocols and network systems for many years. I have done a lot of work in the IETF which is the main Internet standards organisation for designing Internet protocols and that sort of thing and I am the main author on quite a number of the RFC documents as to how the network actually functions, especially to do with multi-media, Internet telephony and that sort of thing. Increasingly over the last few years I have been working on the networking side of security with particular emphasis on combating denial of service attacks but we have also done work in other areas such as operating system security and things like breaking wireless encryption on wireless LANs and things like that.

  Q644  Lord Broers: Let me start with the first question that we have. Do you think that security is getting better for individuals on the Internet or is getting worse?

  Professor Anderson: I would think that overall things are actually getting worse. The reason for that is that over the past few years crime has become commercial. Instead of people who write viruses simply trying to infect ten million machines to impress their girlfriend, they are setting out to infect hundreds of thousands of machines in order to make money. As you have real commercial incentives for people to install Adware on computers, for people to steal credit card numbers, and as the criminal networks develop that allow these to be turned into money, so the amount of trouble that is caused to people as a result of their activities on-line appears to be going up.

  Q645  Lord Broers: Would you agree with that, Professor Handley?

  Professor Handley: I would largely agree with that. The situation I think is getting worse because the stakes are getting higher. On the other hand, some parts of the industry are getting better. If you look, for example, at operating systems security, Windows Vista for example is a significant step up from Windows XP, so some parts of the space are improving but overall the stakes are getting higher and the Internet is changing from being a network which is primarily of PCs to being a network of PCs, mobile devices, televisions and telephones and all of this sort of stuff. It is being used for things which are of much more economic significance so the stakes for people using it are higher and the stakes for people who are trying to abuse it are higher. I think overall it is getting worse.

  Q646  Lord Broers: What do you see as the main emerging threat?

  Professor Handley: The biggest things that concern me are not quite so much about the security of the individuals as about the net effect of the Internet as a whole with all of these individual machines getting compromised and the damage that can be done on the infrastructure as we start to move towards a converged network for voice traffic for television as well as just data and the traditional Internet applications. That is the thing that concerns me as an emerging threat.

  Professor Anderson: I would tend to see the biggest emerging threat as being not so much technological, although I believe there will be a lot more bad stuff, for example RFID credit cards acting together with NFC mobile phones are a particular living menace. I see also the problem of this conflict between the Internet way of doing business, if you like, whereby liability gets dumped as much as possible on the end user, and the conventional way of doing business whereby the conventional rules and liability apply. I can see that more and more businesses as they move on-line are going to test the limits of what they can get away with in terms of re-writing contracts, and this could lead to market failures. To give you an example, a couple of days ago I had to renew my car insurance and I am informed that the insurance will not pay out if the car gets stolen as a result of the thief getting the keys. In other words if you leave the keys in the car or the keys are stolen from my house then there is no pay-out. This appears to be an instance of the insurance industry following in the footsteps of the banks in respect of their Internet business. I can see that causing an awful lot of trouble in a whole lot of different sectors.

  Q647  Lord Mitchell: A previous witness that we had gave us an amazing statistic which I still find quite difficult to believe but I am assured it is correct, which, I think, is that 14 per cent of people who use the Internet have had such a bad experience that they never use it again. I find that quite difficult to believe as a number but he certainly said that with some degree of certainty. Whatever the number may be, if indeed all of this becomes greater and the skills in the organised crime who have huge amounts of money to invest in this become more proficient can you see a situation where the whole industry could come under threat?

  Professor Anderson: I can foresee that there will be some big crunches ahead for which some kind of legislative or regulatory intervention is necessary. If, for example, liability rules in the UK and the USA drift too far apart then we could end up putting our own industry or our own citizens at a significant disadvantage. I do not have a good enough crystal ball to see exactly where those crunches are going to come.

  Q648  Lord Mitchell: I do not understand the differences between the two liabilities.

  Professor Anderson: For example, if you bank on-line in the USA then Regulation E says that if something goes wrong it is the bank's fault. That basically goes back to a precedent in the 1970s when a lady disputed an ATM transaction with her bank and won. Comparable cases in the UK were lost by the customer and as a result we saw in around 2000 all the banks in the UK changing their terms and conditions so that if you accept a password from them for use on the Internet, then if anything goes wrong it is your fault. This is creating a divergence between how on-line banking works in America versus how it works in Britain. Unfortunately for us, the Internet is in effect an American creation; the tools we use—web servers, web browsers and so on and so forth—are largely developed in America for American markets and under American assumptions. If we go into this arena with substantially different consumer protections then we can expect that something is going to go wrong.

  Professor Handley: I think that is a very valid point. I would not expect the whole industry to collapse but what I would be concerned about would be that a lot of the potentially strong uses for the Internet might be substantially weakened. Basically, anything that requires a significant amount of trust might attempt to find alternative ways of doing business. On the other hand, there are an awful lot of uses for the Internet where we do not require so much trust and so the cost/benefit trade off ends up better for that part of the industry. For example, I would not expect e-mail or regular web browsing to suffer substantially from that but I would perhaps expect on-line commerce to suffer and then this convergence process which is happening right now would suffer significantly.

  Q649  Lord O'Neill of Clackmannan: Professor Anderson, I think we have exchanged questions and answers over similar places but further down the corridor in the Commons. You cast yourself in those days very much in the role of the Cassandra. How much have you been vindicated in your pessimism over the years?

  Professor Anderson: As I recall last time we were speaking that was export controls.

  Q650  Lord O'Neill of Clackmannan: It might have been that or it might have been just e-commerce in the general sense.

  Professor Anderson: On the export control front that is still a live issue although I suspect it is not really the business of this Committee. This was something on which academics were talking only this week to the DTI. There are many unresolved issues about how we reconcile academic freedoms with the control that the Government wishes to exercise at the transfer of technology to foreigners. As far as e-commerce is concerned, we have seen it flourishing in some areas but not others; we have seen it flourishing in some countries but not others. Now that we have enough data to be scientific rather than just guess about it, I am coming to the conclusion that it is things like liability which make the big difference. For example, in South Africa it is difficult to do e-commerce because the banks there take an even more defensive view than here. When we bought a ticket for my mother-in-law to visit us from Cape Town I ended up having to fax the travel agent there two pages of my passport, both sides of my credit card and so on. Speaking to colleagues in South Africa there are certainly difficulties in doing on-line business there because of the view banks take. We have to be careful that we do not end up going out on a limb and marginalising ourselves and being cut off from the benefits of globalisation.

  Q651  Lord O'Neill of Clackmannan: Do you think your pessimism in those days was justified or do you think maybe you were being a little more gloomy than perhaps we needed to be? Or do you think experience has vindicated you?

  Professor Anderson: I think the issue on export controls is certainly still a live one. The problems that everybody anticipated in cryptography policy—which was something else we talked about then—have not come to pass because people in practice do not use cryptography in any way that has raised the policy issues that people were concerned about then.

  Q652  Lord Broers: Your evidence from the Foundation for Information Policy Research notes that as safety-critical services become reliant on the Internet human lives will be put at risk. Can you explain this in more detail?

  Professor Anderson: To take an example, ten years ago we relied for primary communications on the telephone system, and it was assumed that at telephone exchanges you would have the ability to function for quite some period of time in the event of a power cut. I believe the rule was that you would have six weeks' worth of diesel sitting at the telephone exchange. That now has been cut to a few days and I hear, for example, from engineers involved in that that in order to get the electricity grid back up again after an outage the engineers have to have access to their mobile phones. On the other hand, a number of the mobile phone operators only have a few days' worth of reserved power at their switching centres and at their masts. So we have eroded quite a lot of safety margin. Another problem that we come across is that although people try to create redundancy in their networks (for example by seeing to it that backbones go two different routes along the country), the increasing number of layers of networking means that it is difficult to control your network all the way down to the physical layer, and there have been one or two cases of people suffering network outages where, unknown to them, their network provider had helpfully routed both of their channels through the same piece of fibre which then got taken out by building construction work. So yes, there are going to be problems.

  Professor Handley: I believe it is more than that because what is happening at the moment is a transition from regular telephony services which Ross was primarily talking about to Internet telephony services as the primary way to provide all the phone service. BT have just started to switch off the circuit-switched telephone network; they started in Cardiff this year and it will progress over the next few years. The way BT are doing this is that they are providing it over the same network as they are providing their Internet services. They are separating them; they are doing two separate networks; they are providing a whole bunch of redundancy there; they are doing it correctly but it is the same network. Obviously they are in competition with everybody else and it is not necessarily in everybody else's financial incentive to actually provide so much redundancy and to separate things off so much. We are moving away from there being a circuit-switched telephone network at all to basically it being primarily Internet telephony, hence you get this coupling between these end systems which we see getting compromised so readily and the telephone network and increasingly the television network too as Internet television comes in. All our communication eggs are going to be in one basket and we have to make sure that that infrastructure is robust.

  Q653  Lord Sutherland of Houndwood: Going back to the question of personal Internet security, in your view who should be responsible for this? Where does the responsibility lie?

  Professor Handley: Responsibility really needs to lie with the people who can be effective in enabling that. That really essentially means that for the most part—not entirely, but for the most part—that cannot be the end user because most end users simply do not have the technical skills or knowledge or ability to deal with that. The question is: where should it lie? I do not think you can point to any one place, although all the places you might point at seem to try to pass the buck. Responsibility should, I believe, lie with software vendors to produce software which is at least as good as the industry knows how to produce. I do not think we can expect better than that; it will not be flawless but it should be better than it has been traditionally and you want to race to the top there, not to the bottom. Some responsibility should lie with Internet providers. That is not to say that Internet providers should stop the end system being compromised in the first place. I do not believe it is actually possible to do that in the middle of a network. On the other hand, they probably should be responsible for some degree of monitoring of their networks and when they see an end system that is misbehaving—some of those are fairly obvious to see, not all of them—then I believe they should have the obligation to disconnect that machine from the network and follow up rapidly. Obviously another part of the story lies with the financial services industry and people who are actually providing services which are where the customer can actually be defrauded, so a fair amount of liability has to lie with the banks and the rest of the financial services industry. I do not think you can point at any one place; I think it has to be most of those and primarily not the end customer.

  Q654  Lord Sutherland of Houndwood: Can you, especially in such a distributed set of responsibilities, allocate legal liability in any clear ways to follow those responsibilities? Without legal liability, well, we have done our best but that is it.

  Professor Handley: I think you probably can although I have to admit I am not a legal expert. If your PC, for example, gets compromised at the moment there is no real liability for the software vendors or the person who sold them the PC or anything else. The question then is: did the person who sold you that software or the person who wrote that software or whatever actually do the best job industry knows how to do in writing that software? If they did then I really do not think they should be liable, but if they did not then I think some liability ought to be there. That is the part of the system where it gets compromised. Once it has been compromised then I think the liability to disconnect them, if it is possible to detect them, should lie with the ISP before that machine goes on and does lots of damage to the rest of the world. Then of course the third part of that was the financial services part and that, I think, is what Ross was talking about earlier in terms of financial liability. Again the consumer is not the person who can actually deal with this so they should not be where the buck ends of stopping it unless they have done something really stupid but for the most part that is not the case.

  Q655  Lord Sutherland of Houndwood: Just to stick with the software, is it a matter of simply design or is it maintenance and upgrading of the system as new threats come to be identified and understood?

  Professor Handley: I think it is a combination of the two. What we have not done a great job on is deploying defence in depth which is really the primary strategy for dealing with this. If you look at Windows Vista there are 50 million lines of code in there; it is not going to be bug free. The space shuttle has about 2.5 million parts and they blow up every 50 flights. Windows Vista is going to have failures and any operating system is the same; it is not specifically a Microsoft problem. What you can do is provide various degrees of compartmentalisation within the software so that when something goes wrong the damage is contained. We know quite a lot about how to do that. One example is an operating system called SELinux (Security Enhanced Linux) which is pretty good at doing that. Those techniques are not generally employed; they tend to get in the way of what users want to do some of the time and that is why they are not deployed. On the other hand, if liability was with the software vendors to make sure that they did the best in the industry then suddenly the incentives to overcome those usability issues are really there. I think it is possible to improve things a lot beyond where they are right now.

  Q656  Lord Sutherland of Houndwood: That is a bit depressing because what it suggests is a nightmare with lawyers pursuing not wholly cashable cheques because of the distribution of responsibilities in less than completely hard ways.

  Professor Handley: The goal, if you do set up any liabilities for software, has to be to try to drive the improvement of the software and not to try to punish software vendors for screwing up or even for compensating the victims. It has to try and be to improve the industry as a whole so that in the long run people are safe.

  Professor Anderson: I tend to the view that the big conflict, if you like, between the old world way of doing things where you have clear liability between vendor and customer and the Internet way of doing things which is that for many years vendors have got away with disclaiming all liability—is going to have to be fixed sector by sector. It is too big and intractable a problem otherwise. I expect, for example, that if my car will crash and kill me then my widow will be able to sue Mr Volvo for an awful lot of money. I do not want that property to go away just because they have started putting software in the antilock braking system rather than making it out of analogue electronics. If we get to the point that a car needs to download a software upgrade every month—which some vendors are beginning to move towards—then what are the consequences of that? I think the way to fix that is to say to the car vendors that their liability rules will not change, they will not be able to put in a little click licence on the dashboard whereby you have to press "I accept" before you can drive the car and if they do then Parliament will override them. At present I have one of these annoying "I accept" buttons that I have to press on the SatNav. If it goes further than that into a car as a whole then Parliament has to stop it.

  Professor Handley: There is another problem which is that we traditionally regard the Internet as being composed primarily of things that resemble PCs as the end systems. That is now changing and we are having a lot of devices that are at the edge of the network which are in regular, normal customers' homes and things which are not PCs. Quite a lot of us have, for example, wireless routers. A wireless router is, in principle, a software upgradeable device but I challenge you to get most customers to upgrade those within their lifetime. It will not happen. Ninety-something per cent of them will never be upgraded because people do not have a clue how to do it. Microsoft have a pretty good task with Windows Update and so do most of the other operating system vendors but that is not the only device in the network. One of the big security problems that has come up just recently is people driving past people's houses and reprogramming their wireless routers because they have the default password and directing people via some third party to interrupt all of their business. We have a lot of devices out there which are not going to be solved by the mechanisms we traditionally have and that is just increasing.

  Q657  Earl of Erroll: We have been told by Bruce Schneier that software manufacturers should be made liable for losses arising as a result of the frauds, but one of the other aspects of it is that you cannot make software without any bugs or flaws in it. You are going to have another consequence of that, which is that if you are, say, Microsoft, and you have done the operating system, you are not going to know how other people's software is going to interact with that so you are going to tend to want to lock things down to your software only. Could this be highly anti-competitive? Will it in fact stop people innovating and producing new things?

  Professor Anderson: One of the things that we have learned, looking at security economics, is that companies tend to make their software insecure when they are grabbing hold of a market and then add too much security later, often of the wrong kind, in order to lock people in. Yes, I am sure that all sorts of attempts will be made to lock people in. However, in the case of Microsoft software, there would be other ways of doing it. It is true that an awful lot of the unreliability comes from applications fighting each other, but the way in which applications install themselves or are installed or uninstalled and are protected from each other is something to which Microsoft has started to pay attention, and if it were facing the correct commercial incentives it would be paying an awful lot more attention. Yes, it would be a process.

  Q658  Earl of Erroll: Is the trouble not so much for Microsoft but the other person? Let us say I wrote a software programme and it was going to have to run under a Microsoft operating system, I might not be aware of some of the subtleties in the updating mechanisms or something like that, so it could inadvertently introduce a flaw into it. Who would then be liable? The safest thing, in case Microsoft feels it is partly liable, is to prevent me doing that.

  Professor Anderson: Microsoft has made its fortune on having an open platform, relatively speaking, on which many, many application vendors can run their wares, so such an extreme response would not be in their commercial interest. There are going to be difficult cases where something fails because somebody installed something—package A—and software—package B—on his machine. They disagreed with each other and at a certain time the machine crashed. There are a number of ways forward. For safety-critical applications you can say this machine may not have any software on it other than the approved company configuration or whatever. Recent advances in virtualisation which Cambridge has been doing an awful lot of work on enable one to run multiple virtual machines on one PC which are separated off from each other by fairly strong software mechanisms. That is another route to take but you are going to end up eventually with some hard cases for courts to decide, where ascribing liability to this vendor or that vendor or to the user who misconfigured the machine will be a complicated question of fact.

  Q659  Earl of Erroll: What is this going to do for open-source software and for freeware where someone is not even being paid for it or people are doing it for the good of the community?

  Professor Anderson: What I think is going to happen with open source software is that if you buy a box, a personal video recorder from TiVo for example, and it catches fire and burns your hand, you would expect to be able to sue TiVo. TiVo use Linux software; your case is against TiVo or against Dixons or wherever you bought the TiVo from. Possibly TiVo have a case against Linux and it is then down to the open-source software community to see to it that their contracts with people who embed their software in their devices do not include unreasonable recourse or, if they do, that they have insured the risk properly. If someone like TiVo is going to use free software as a platform for its device rather than paying 20 dollars a box to Microsoft, then the obvious outcome is for them to take appropriate insurance because they know that in practice they are not going to have a very valuable recourse against the thousands of hobbyists who actually wrote Linux.



© Parliamentary copyright 2007