Examination of Witnesses (Questions 700
WEDNESDAY 28 FEBRUARY 2007
Q700 Lord Howie of Troon:
In the course of this investigation we have heard quite a bit
about e-crime. Is there such a thing as e-crime or is it just
old-fashioned crime done in a new way?
Professor Handley: I think the majority of it
is old-fashioned crime done in a new way, but there are a number
of things that are slightly different. One thing is the ease with
which it is to perpetrate the same crime to millions of people.
That makes it quantitatively different if not qualitatively different.
The other thing that is noticeably different is that most of it
is international (not all of it, by any means, but a lot of it
is international). That was usually traditionally not the case
with most traditional crime. That makes it much, much harder to
reduce crime by means of arresting the people who are responsible.
You end up having to defend in other ways. There are some e-crimes
that are, I guess, novel. Distributed denial of service attacks
are something where I do not think there is a direct real world
analogue. You get maybe flash crowds in stores but it is really
rather different because in distributed denial of service attacks
the person perpetrating the attack is anonymous; the machines
doing it are compromised machines. I think most of the attacks
in terms of social engineering and fraud and so forth are regular
real world crimes that have made the leap over into the electronic
world. The ease of perpetuating the crime and the international
nature of them I think makes them noticeably different.
Professor Anderson: Last month we got the first
respectable academic survey of this of which I am aware which
looked at the correlation between the uptake of the Internet
in America and the reported crimes in the various serious categories
of interest to the FBI. It is an interesting methodology because
the Internet was taken up at different rates in different US states
(it was quick in Alaska perhaps because you could say there is
not much else to do there). When the figures were looked at it
turns out that only three of the large number of categories of
crime were affected. Two were down: crimes of sexual violence
and also prostitution offences were down, which the authors of
the paper believe was a substitution effect from much cheaper
pornography as this was reflected only in males aged 15 to 24.
The one offence that was up was the category of offence known
to the Americans as 'runaways', basically teenagers running away
from home. That is not further disambiguated into categories of
runaway, but those are the numbers that we have. The Internet
makes it easier for people to run away from home.
Q701 Lord Howie of Troon:
How does the Internet make it easier to run away from home?
Professor Anderson: Presumably because somebody
who wants to run away from home finds it easier to make what 30
years ago were called pen friends. There will obviously be a number
of these cases where the friends are in fact predators but there
are no further figures on what proportion of those runaways involve
some kind of danger. These are the first numbers that we have.
It must be said that these numbers are only relevant to serious
federal offences and do not cover the lesser things like spam
and so on, but they are the first results in. In general, apart
from that, I would agree with Professor Handley that we are seeing
an awful lot of old crimes being re-hashed. Fraud has always happened.
Social engineering has always happened. We are seeing internationalisation
and it is interesting that the police are going to start mainstreaming
crime, they are going to take the view that in future many crimes
will have some kind of on-line dimension. General police forces
as opposed to specialists are going to have to be able to deal
Q702 Lord Howie of Troon:
It seems to me that the police will be required to look at crime
in a different way. Are the police forces really equipped to do
that? Presumably you need a high level of specialisation.
Professor Anderson: There have been serious,
pervasive and long term problems with computer forensics in the
UK. An awful lot of police forces are going to have to do an awful
lot of learning in order to get up to speed. This is something on
which many colleagues have been working at various levels but
there is still a long, long way to go I am afraid.
Q703 Lord Howie of Troon:
You mentioned the international level, I suppose that would be
the dark side of globalisation. How do the police here deal with
Professor Anderson: The problem is not generically
different from the problem that you had 40 years ago with the
widespread arrival of cars and motorways. Then there was the problem
of a burglar from Birmingham who could drive to Hampstead, do
a couple of houses and be back in Birmingham by breakfast time.
The Birmingham police did not know the crime had happened and
the Hampstead police did not know that this burglar existed. It
is the same thing but on a larger scale. What makes it particularly
more difficult is that many of the offences are small ones (perhaps
card fraud for tens of pounds or dozens of dollars) and the
people who perpetrate this have been perpetrating it in Romania
against a card holder in Britain, via merchants in the USA and
might reckon that nobody is going to come after them. My suggestion
for dealing with volume crime of this kind is that there should
be randomised enforcement. What I mean by that is that the crimes
are reported, the police take a view on how serious the crimes
are and allocate a score to them, roll the appropriate dice and
if it turns out that this particular £10 credit card fraud
comes up this month then they go after that fraudster with the
same vigour with which they go after a murderer. That way you
ensure that someone who perpetrates millions of £10 frauds
comes into police sights eventually. However, if you simply take
the view (as I am afraid police forces tend to nowadays) that
'anything below the £x million mark if it is international
is too difficult for us', then you are giving carte blanche to
the bad guys to engage in volume crime for low denomination transactions.
Q704 Lord Harris:
Is there a danger though that if the matter came to court, the
person would be tried on the basis of a £10 fraud and the
penalties would be proportionate to that rather than the millions
of other frauds?
Professor Anderson: That is a matter for individual
judicial systems. I know Scotland is different from England in
this respect and I think some attention has to be paid to that.
I assume that if the police pay serious attention to someone who
has done a card fraud and they trace through the servers and other
things that are involved, then if the guy is involved in anything
like a big scale they would end up with DVDs of thousands and
thousands of other transactions to be taken into consideration.
Then of course you really can extradite someone and throw the
book at them.
Professor Handley: One of the problems with
internationalisation of course is that these trails typically
will lead through one or more countries where the laws are not
well aligned with our own and even if the laws were well aligned
with our own there is always the language barrier in trying to
trace something through in the timescale that needs to be done
to actually get the forensic evidence needed to back it up. I
think the task is going to be really difficult. Ross is probably
right that you do actually have to take on some of these lower
level crimes to try to trace them back otherwise you will not
catch those very large numbers of small amounts, but it is going
to be really difficult and this is where I suspect that the majority
of the successful action will not be in catching the people responsible
but in trying to prevent it in the first place.
Q705 Lord Broers:
Are the FBI ahead of this?
Professor Anderson: I tend to think not. I am
not a hundred per cent certain of that. Certainly when it comes
to dealing with a number of classes of offence and abuses we have
seen private companies taking on a private enforcement role.
Q706 Lord Sutherland of Houndwood:
The FIPR in its evidence says the following: "We would caution
the committee against endorsing the industry line that `user education'
is the solution to Internet security problems". Maybe it
is not the solution, but does education have a part at all?
Professor Anderson: In safety critical systems
it is well known on the basis of longer experience than we have
here that if you have a system that is difficult to use the last
thing you should do is blame and train as it is called. What you
should do instead is to fix the problem. When it comes to insecurity
of common software products there is certainly an obvious incentive
on the companies to say that it is up to the user to buy antivirus
software and when the European Network Information Security Agency
(ENISA) was set up two or three years ago there was intense lobbying
from industry to the effect that ENISA should not lobby the European
Commission to bring in liability rules for software vendors but
rather should spend its budget on educating the citizens of Europe
that they should go out and buy a lot of antivirus software. I
was not very happy with this because if Ford were to sell you
a car that did not have seat belts and then told the DTI to run
an advertising campaign telling people to go out and buy seatbelts
then you would not be very impressed, would you?
Q707 Lord Sutherland of Houndwood:
I take the point that there are great risks of perverse incentives
here but on the other hand even if one puts a liability or responsibility
for helping the education on the company so that with each package
you buy there would be a good practice sheet on the front which
would be intelligible to those who are not specialist in the field,
some things could be more easily avoided. It is just like telling
people to put locks on their windows which did actually reduce
the risk of them being burgled, if only diverting the burglar
to some other poor person who had not.
Professor Anderson: There is a problem with
that in that the industry has been getting rid of manuals as fast
as it could for the past 25 years. When I first bought an IBM
PC it came with a manual; if you buy a PC nowadays you cannot
get a manual, you are expected to plug it in, turn it on and figure
out how to use it. Telling industry to hand out advice sheets
to customers goes completely against how the industry has gone.
Q708 Lord Sutherland of Houndwood:
It does not have to be sheets though. It could be that when you
plug in your machine and put in the disc and the thing begins
to bubble in front of you, first up is a list of good practice
hints. It is not a huge project we are talking about.
Professor Anderson: It is a usability issue.
The industry nowadays expects customers to be able to use these
products intuitively. That being the case it should provide safe
turned on then the consequences of turning it on are limited to
the greatest extent possible.
Professor Handley: The primary piece of user
education that we give users at the moment is, "Don't open
an attachment unless you are expecting it". This is ridiculous.
It is completely ridiculous that our software systems are so bad
that it is actually unsafe to open an attachment. This should
be fixed as a technical solution but it has to have the right
incentives. It is ridiculous that opening an attachment can compromise
your machine. We know how to sandbox these things. There are three
layers of protection between the software that is opening the
attachment and what goes on. It is not that technically hard to
do but the industry has not gone there because they have not had
the incentive to do so. The standard thing is to tell the user
to exercise some sensible judgment about this as a substitute
to actually fixing the real problem.
Q709 Lord Mitchell:
I do not get it. Everybody, on an increasing basis, is absolutely
aware of the danger. Anybody who uses a computer realises that
if some sort of virus gets in it can cause huge problems. It would
seem to me that if I were Microsoft or anybody else I would have
as a selling point that it is more protective against viruses.
It is very interesting that the Apple advertisements being run
in the US in particular actually say that Microsoft has 117,000
viruses that can affect a machine and Apple has none. I do not
know whether that is true or not but they are making a selling
point out of it so I am surprised it does not happen.
Professor Handley: Microsoft have clearly got
security over the last few years. Their systems have got a lot
better but there is still a long way to go between where they
are now and where they could be. Personally I use a Mac and I
know Ross uses a Mac and we would not consider using Windows for
many reasons but that is not to say that the Mac I use I do not
consider to be a desperately secure machine. It is not bad but
it could be a huge amount better. The main reason why Apple computers
are not vulnerable is simply that their market is smaller. They
do have some parts of their design which are better but if you
look at the best practice in the industry it is an order of magnitude
better than where we are with the main stream operators and this
is coming through systems such as BSD or SELinux or some of the
open source ones where people have really tried to nail these
problems. They are telling a good security story; they are selling
on the basis of security now but I still do not think they are
quite there. We really should not be trying to educate our users
around the deficiencies of a system. It is like selling a car
and saying, "Don't drive down a road with bumps because the
wheels will fall off". You do not do that; you try to make
a car so it is a bit more robust.
Q710 Earl of Erroll:
Security researchers sometimes get into trouble with the criminal
law for demonstrating security problems or face civil suits when
companies get upset about their findings. Do you think you and
your colleagues are adequately protected?
Professor Anderson: No, I do not think we are.
As you may be aware from recent changes in the Computer Misuse
Act which could be interpreted by a vigorous prosecutor as saying
that anybody who has hacking tools is a bad person. I understand
that the Home Office is going to try to fix this by publishing
guidelines for prosecutors. I do not think that is really satisfactory
because guidelines for prosecutors can be changed at the stroke
of a pen, you do not even need the affirmation of both Houses
of Parliament as you would expect with regulation. I think this
is definitely unsatisfactory.
Professor Handley: I would agree completely
for basically the same reasons. We do work which is in a grey
area as regards the way the law is written, not necessarily the
way it is enforced. Last year's Police and Justice Act definitely
has terms in there which make security research and trying to
figure out where things are vulnerable risky as an activity.
Q711 Earl of Erroll:
Has this discouraged people from going into the area?
Professor Handley: I do not think there have
been any prosecutions in the area so I suspect not.
Professor Anderson: It has caused some anxiety
at other universities who teach security courses about whether
they can let their undergraduates have access to certain tools.
Q712 Earl of Erroll:
Is proactively looking for flaws a good thing? Are we better off
Professor Anderson: This was the argument about
security vulnerability disclosure in general in operating systems
and I think we have kind of settled that. Disclosure is a good
thing. Certainly there are abstract models and we have produced
one of them which shows that in a perfect world disclosing vulnerabilities
helps the attackers and the defenders equally. However, as the
practical world deviates from these ideal models, disclosure is
Q713 Earl of Erroll:
I must say that sometimes I feel like that old principle that
if you are in a group of people running away from a bear the only
important thing is not to be the slowest.
Professor Anderson: The problem with having
legal uncertainty about what to do is that then the incentive
on academics is not to be the most outspoken: do not criticise
GCHQ, do not criticise the banks, do not point out that the Home
Office is messing up with its reporting guidelines and so on;
do not ever irritate somebody who might then be in a position
to do a bad thing. That is not good.
Q714 Lord Harris:
Could I ask whether you have come across any evidence of the corporate
sector not wanting to find out about how secure their systems
are because if they knew they would be more liable because they
have identified something and perhaps not done enough about it?
Professor Anderson: There are plenty of cases
like that. Just last week we had a banking delegation visit us
who said they would really rather that such research was not done.
We are simply explaining what the bad guys are already doing.
Q715 Lord Broers:
Can I finish with a question about traceability? Professor Handley
was talking about the difficulty of finding where things come
from, particularly with certain countries who do not behave in
a transparent way. If every country did behave in a transparent
way, are the electronic switching systems that are used in networks
that are built by companies like Cisco capable today of recording
every act they take?
Professor Handley: No, they are not. The basic
network itself is not capable of recording what goes through it
at anywhere near the sort of rates that you would have to record
everything that had gone on. There was a quote from one of my
colleagues who was developing fast Internet switches a while back
which is: "We can count them or we can switch them but we
can't do both". If you actually wanted to store all of the
data that was exchanged you probably can, at least at the edge
ISPs, record information about the connections that go on and
which machine connects to which. It is not cheap to do but it
can be done. Certainly at the level of e-mail there are now requirements
to do this but for all the other traffic no, the technology simply
is not there to record everything that is going on all the time,
not at cost effective rates anyway.
Professor Anderson: If you look at UK universities
there are about a hundred universities with Internet activity
of about 2Gb per second. If the NSA wanted to wiretap everything
it would take quite a few more fibres across the Atlantic to carry
it across to Fort Meade and what would they do with it once it
was there? The moral is that if you are going to filter traffic
for any purpose (whether it is wiretapping, whether it is
firewalling, whether it is censorship or whatever) you basically
have to do it in real time unless you are looking at relatively
small volumes of data, or a relatively concentrated focus on parts
of the edge of the network.
Lord Broers: We have asked you a lot
of questions and you have given us a lot of clear answers. Thank
you very much. We appreciate your time and contribution. Should
anything occur to you subsequently please let us have it in writing
and we will include it in the evidence. Thank you very much indeed.