Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 700 - 715)

WEDNESDAY 28 FEBRUARY 2007

PROFESSOR ROSS ANDERSON AND PROFESSOR MARK HANDLEY

  Q700  Lord Howie of Troon: In the course of this investigation we have heard quite a bit about e-crime. Is there such a thing as e-crime or is it just old-fashioned crime done in a new way?

  Professor Handley: I think the majority of it is old-fashioned crime done in a new way, but there are a number of things that are slightly different. One thing is the ease with which it is to perpetrate the same crime to millions of people. That makes it quantitatively different if not qualitatively different. The other thing that is noticeably different is that most of it is international (not all of it, by any means, but a lot of it is international). That was usually traditionally not the case with most traditional crime. That makes it much, much harder to reduce crime by means of arresting the people who are responsible. You end up having to defend in other ways. There are some e-crimes that are, I guess, novel. Distributed denial of service attacks are something where I do not think there is a direct real world analogue. You get maybe flash crowds in stores but it is really rather different because in distributed denial of service attacks the person perpetrating the attack is anonymous; the machines doing it are compromised machines. I think most of the attacks in terms of social engineering and fraud and so forth are regular real world crimes that have made the leap over into the electronic world. The ease of perpetuating the crime and the international nature of them I think makes them noticeably different.

  Professor Anderson: Last month we got the first respectable academic survey of this of which I am aware which looked at the correlation between the uptake of the Internet in America and the reported crimes in the various serious categories of interest to the FBI. It is an interesting methodology because the Internet was taken up at different rates in different US states (it was quick in Alaska perhaps because you could say there is not much else to do there). When the figures were looked at it turns out that only three of the large number of categories of crime were affected. Two were down: crimes of sexual violence and also prostitution offences were down, which the authors of the paper believe was a substitution effect from much cheaper pornography as this was reflected only in males aged 15 to 24. The one offence that was up was the category of offence known to the Americans as `runaways', basically teenagers running away from home. That is not further disambiguated into categories of runaway, but those are the numbers that we have. The Internet makes it easier for people to run away from home.

  Q701  Lord Howie of Troon: How does the Internet make it easier to run away from home?

  Professor Anderson: Presumably because somebody who wants to run away from home finds it easier to make what 30 years ago were called pen friends. There will obviously be a number of these cases where the friends are in fact predators but there are no further figures on what proportion of those runaways involve some kind of danger. These are the first numbers that we have. It must be said that these numbers are only relevant to serious federal offences and do not cover the lesser things like spam and so on, but they are the first results in. In general, apart from that, I would agree with Professor Handley that we are seeing an awful lot of old crimes being re-hashed. Fraud has always happened. Social engineering has always happened. We are seeing internationalisation and it is interesting that the police are going to start mainstreaming crime, they are going to take the view that in future many crimes will have some kind of on-line dimension. General police forces as opposed to specialists are going to have to be able to deal with that.

  Q702  Lord Howie of Troon: It seems to me that the police will be required to look at crime in a different way. Are the police forces really equipped to do that? Presumably you need a high level of specialisation.

  Professor Anderson: There have been serious, pervasive and long term problems with computer forensics in the UK. An awful lot of police forces are going to have to do an awful lot of learning in order to get up to speed. This is something on which many colleagues have been working at various levels but there is still a long, long way to go I am afraid.

  Q703  Lord Howie of Troon: You mentioned the international level, I suppose that would be the dark side of globalisation. How do the police here deal with foreign criminals?

  Professor Anderson: The problem is not generically different from the problem that you had 40 years ago with the widespread arrival of cars and motorways. Then there was the problem of a burglar from Birmingham who could drive to Hampstead, do a couple of houses and be back in Birmingham by breakfast time. The Birmingham police did not know the crime had happened and the Hampstead police did not know that this burglar existed. It is the same thing but on a larger scale. What makes it particularly more difficult is that many of the offences are small ones—perhaps card fraud for tens of pounds or dozens of dollars—and the people who perpetrate this have been perpetrating it in Romania against a card holder in Britain, via merchants in the USA and might reckon that nobody is going to come after them. My suggestion for dealing with volume crime of this kind is that there should be randomised enforcement. What I mean by that is that the crimes are reported, the police take a view on how serious the crimes are and allocate a score to them, roll the appropriate dice and if it turns out that this particular £10 credit card fraud comes up this month then they go after that fraudster with the same vigour with which they go after a murderer. That way you ensure that someone who perpetrates millions of £10 frauds comes into police sights eventually. However, if you simply take the view—as I am afraid police forces tend to nowadays—that `anything below the £x million mark if it is international is too difficult for us', then you are giving carte blanche to the bad guys to engage in volume crime for low denomination transactions.

  Q704  Lord Harris: Is there a danger though that if the matter came to court, the person would be tried on the basis of a £10 fraud and the penalties would be proportionate to that rather than the millions of other frauds?

  Professor Anderson: That is a matter for individual judicial systems. I know Scotland is different from England in this respect and I think some attention has to be paid to that. I assume that if the police pay serious attention to someone who has done a card fraud and they trace through the servers and other things that are involved, then if the guy is involved in anything like a big scale they would end up with DVDs of thousands and thousands of other transactions to be taken into consideration. Then of course you really can extradite someone and throw the book at them.

  Professor Handley: One of the problems with internationalisation of course is that these trails typically will lead through one or more countries where the laws are not well aligned with our own and even if the laws were well aligned with our own there is always the language barrier in trying to trace something through in the timescale that needs to be done to actually get the forensic evidence needed to back it up. I think the task is going to be really difficult. Ross is probably right that you do actually have to take on some of these lower level crimes to try to trace them back otherwise you will not catch those very large numbers of small amounts, but it is going to be really difficult and this is where I suspect that the majority of the successful action will not be in catching the people responsible but in trying to prevent it in the first place.

  Q705  Lord Broers: Are the FBI ahead of this?

  Professor Anderson: I tend to think not. I am not a hundred per cent certain of that. Certainly when it comes to dealing with a number of classes of offence and abuses we have seen private companies taking on a private enforcement role.

  Q706  Lord Sutherland of Houndwood: The FIPR in its evidence says the following: "We would caution the committee against endorsing the industry line that `user education' is the solution to Internet security problems". Maybe it is not the solution, but does education have a part at all?

  Professor Anderson: In safety critical systems it is well known on the basis of longer experience than we have here that if you have a system that is difficult to use the last thing you should do is blame and train as it is called. What you should do instead is to fix the problem. When it comes to insecurity of common software products there is certainly an obvious incentive on the companies to say that it is up to the user to buy antivirus software and when the European Network Information Security Agency (ENISA) was set up two or three years ago there was intense lobbying from industry to the effect that ENISA should not lobby the European Commission to bring in liability rules for software vendors but rather should spend its budget on educating the citizens of Europe that they should go out and buy a lot of antivirus software. I was not very happy with this because if Ford were to sell you a car that did not have seat belts and then told the DTI to run an advertising campaign telling people to go out and buy seatbelts then you would not be very impressed, would you?

  Q707  Lord Sutherland of Houndwood: I take the point that there are great risks of perverse incentives here but on the other hand even if one puts a liability or responsibility for helping the education on the company so that with each package you buy there would be a good practice sheet on the front which would be intelligible to those who are not specialist in the field, some things could be more easily avoided. It is just like telling people to put locks on their windows which did actually reduce the risk of them being burgled, if only diverting the burglar to some other poor person who had not.

  Professor Anderson: There is a problem with that in that the industry has been getting rid of manuals as fast as it could for the past 25 years. When I first bought an IBM PC it came with a manual; if you buy a PC nowadays you cannot get a manual, you are expected to plug it in, turn it on and figure out how to use it. Telling industry to hand out advice sheets to customers goes completely against how the industry has gone.

  Q708  Lord Sutherland of Houndwood: It does not have to be sheets though. It could be that when you plug in your machine and put in the disc and the thing begins to bubble in front of you, first up is a list of good practice hints. It is not a huge project we are talking about.

  Professor Anderson: It is a usability issue. The industry nowadays expects customers to be able to use these products intuitively. That being the case it should provide safe defaults. It should see to it that even if JavaScript must be turned on then the consequences of turning it on are limited to the greatest extent possible.

  Professor Handley: The primary piece of user education that we give users at the moment is, "Don't open an attachment unless you are expecting it". This is ridiculous. It is completely ridiculous that our software systems are so bad that it is actually unsafe to open an attachment. This should be fixed as a technical solution but it has to have the right incentives. It is ridiculous that opening an attachment can compromise your machine. We know how to sandbox these things. There are three layers of protection between the software that is opening the attachment and what goes on. It is not that technically hard to do but the industry has not gone there because they have not had the incentive to do so. The standard thing is to tell the user to exercise some sensible judgment about this as a substitute to actually fixing the real problem.

  Q709  Lord Mitchell: I do not get it. Everybody, on an increasing basis, is absolutely aware of the danger. Anybody who uses a computer realises that if some sort of virus gets in it can cause huge problems. It would seem to me that if I were Microsoft or anybody else I would have as a selling point that it is more protective against viruses. It is very interesting that the Apple advertisements being run in the US in particular actually say that Microsoft has 117,000 viruses that can affect a machine and Apple has none. I do not know whether that is true or not but they are making a selling point out of it so I am surprised it does not happen.

  Professor Handley: Microsoft have clearly got security over the last few years. Their systems have got a lot better but there is still a long way to go between where they are now and where they could be. Personally I use a Mac and I know Ross uses a Mac and we would not consider using Windows for many reasons but that is not to say that the Mac I use I do not consider to be a desperately secure machine. It is not bad but it could be a huge amount better. The main reason why Apple computers are not vulnerable is simply that their market is smaller. They do have some parts of their design which are better but if you look at the best practice in the industry it is an order of magnitude better than where we are with the mainstream operators and this is coming through systems such as BSD or SELinux or some of the open source ones where people have really tried to nail these problems. They are telling a good security story; they are selling on the basis of security now but I still do not think they are quite there. We really should not be trying to educate our users around the deficiencies of a system. It is like selling a car and saying, "Don't drive down a road with bumps because the wheels will fall off". You do not do that; you try to make a car so it is a bit more robust.

  Q710  Earl of Erroll: Security researchers sometimes get into trouble with the criminal law for demonstrating security problems or face civil suits when companies get upset about their findings. Do you think you and your colleagues are adequately protected?

  Professor Anderson: No, I do not think we are. As you may be aware, recent changes in the Computer Misuse Act could be interpreted by a vigorous prosecutor as saying that anybody who has hacking tools is a bad person. I understand that the Home Office is going to try to fix this by publishing guidelines for prosecutors. I do not think that is really satisfactory because guidelines for prosecutors can be changed at the stroke of a pen; you do not even need the affirmation of both Houses of Parliament as you would expect with regulation. I think this is definitely unsatisfactory.

  Professor Handley: I would agree completely for basically the same reasons. We do work which is in a grey area as regards the way the law is written, not necessarily the way it is enforced. Last year's Police and Justice Act definitely has terms in there which make security research and trying to figure out where things are vulnerable risky as an activity.

  Q711  Earl of Erroll: Has this discouraged people from going into the area?

  Professor Handley: I do not think there have been any prosecutions in the area so I suspect not.

  Professor Anderson: It has caused some anxiety at other universities who teach security courses about whether they can let their undergraduates have access to certain tools.

  Q712  Earl of Erroll: Is proactively looking for flaws a good thing? Are we better off not knowing?

  Professor Anderson: This was the argument about security vulnerability disclosure in general in operating systems and I think we have kind of settled that. Disclosure is a good thing. Certainly there are abstract models and we have produced one of them which shows that in a perfect world disclosing vulnerabilities helps the attackers and the defenders equally. However, as the practical world deviates from these ideal models, disclosure is usually advantageous.

  Q713  Earl of Erroll: I must say that sometimes I feel like that old principle that if you are in a group of people running away from a bear the only important thing is not to be the slowest.

  Professor Anderson: The problem with having legal uncertainty about what to do is that then the incentive on academics is not to be the most outspoken: do not criticise GCHQ, do not criticise the banks, do not point out that the Home Office is messing up with its reporting guidelines and so on; do not ever irritate somebody who might then be in a position to do a bad thing. That is not good.

  Q714  Lord Harris: Could I ask whether you have come across any evidence of the corporate sector not wanting to find out about how secure their systems are because if they knew they would be more liable because they have identified something and perhaps not done enough about it?

  Professor Anderson: There are plenty of cases like that. Just last week we had a banking delegation visit us who said they would really rather that such research was not done. We are simply explaining what the bad guys are already doing.

  Q715  Lord Broers: Can I finish with a question about traceability? Professor Handley was talking about the difficulty of finding where things come from, particularly with certain countries who do not behave in a transparent way. If every country did behave in a transparent way, are the electronic switching systems that are used in networks that are built by companies like Cisco capable today of recording every act they take?

  Professor Handley: No, they are not. The basic network itself is not capable of recording what goes through it at anywhere near the sort of rates that you would have to record everything that had gone on. There was a quote from one of my colleagues who was developing fast Internet switches a while back which is: "We can count them or we can switch them but we can't do both". If you actually wanted to store all of the data that was exchanged you probably can, at least at the edge ISPs, record information about the connections that go on and which machine connects to which. It is not cheap to do but it can be done. Certainly at the level of e-mail there are now requirements to do this but for all the other traffic no, the technology simply is not there to record everything that is going on all the time, not at cost effective rates anyway.

  Professor Anderson: If you look at UK universities there are about a hundred universities with Internet activity of about 2Gb per second. If the NSA wanted to wiretap everything it would take quite a few more fibres across the Atlantic to carry it across to Fort Meade and what would they do with it once it was there? The moral is that if you are going to filter traffic for any purpose—whether it is wiretapping, whether it is firewalling, whether it is censorship or whatever—you basically have to do it in real time unless you are looking at relatively small volumes of data, or a relatively concentrated focus on parts of the edge of the network.

  Lord Broers: We have asked you a lot of questions and you have given us a lot of clear answers. Thank you very much. We appreciate your time and contribution. Should anything occur to you subsequently please let us have it in writing and we will include it in the evidence. Thank you very much indeed.

© Parliamentary copyright 2007