Examination of Witnesses (Questions 840
WEDNESDAY 28 MARCH 2007
You might argue that if the disk was activated in the computer
when it would not otherwise have been activated you would be correct,
would you not?
Mr Coaker: That is an interesting thought.
Margaret Hodge: But who would you charge?
Q841 Baroness Hilton of Eggardon:
The person setting up the botnet?
Mr Coaker: If you could find them, yes.
Baroness Hilton of Eggardon: Certainly,
that is if they are put in hundreds of thousands of people's computers.
Q842 Earl of Erroll:
Surely if launching a denial of services attack is illegal, which
it now is, then for conspiring to do so or purchasing software
with the intention you could get them under some form of conspiracy
Mr Coaker: You could, yes, I think.
Mr Webb: What we do not have is a blanket offence
for buying or possessing them. If there is criminal intent involved,
certainly that would be.
I would have thought it would be a positive move to make it illegal
to collect together enough computers to have a substantial botnet
unless you had a licence so to do. If you are doing it because
you want to make calculations on climate, then you might have
a licence to do it. We will get onto other questions about people
who actually explore the security of the networks, but to allow
people to hire out the use of a botnet to inconvenience everybody,
if not to defeat service on the Internet, I would have thought
should be illegal.
Mr Coaker: Chairman, let us write to you about
that. It is an interesting point. We are trying to capture the
criminality by the use of the computer facility, the computer
hardware, software, or whatever. We are trying to capture the
criminality through its use or supply, or the adaptation, but
in part the point of committees like this is to reflect on points
which people make, so let us reflect on that and write to you
on that particular point to see whether we can move forward.
Mr Webb: Even with the law as it stands, the
computer industry has concerns that it is potentially criminalising
I think one of the points to consider is that the person running
the botnet may well be in Eastern Europe, so if somebody is caught
here transferring money via their credit card, or however, to
somebody in Eastern Europe who is operating a botnet which operates
with half a million computers in the UK then one should be able
to go after that person.
Mr Coaker: It is an important point, though,
Chairman, that the industry is concerned about the whole operation
of dual usage and we do need to be proportionate and make sure
that we allow legitimate business to carry on in an effective
way. That is not to say that we do that in a way which means that
we cannot tackle criminality, but we have been very effectively
working with industry and we need to carry on with that self-regulatory
and productive approach.
Q845 Lord Young of Graffham:
It is a legal business to sell knives in this country if they
are part of a dining room set, or something of that sort, but
it is illegal if you are selling knives knowing that they are
going to be used for criminal purposes.
Mr Coaker: That is a similar thing that we are
trying to do with respect to computers.
Q846 Lord Young of Graffham:
But a botnet would be the same thing if it is actually being hired
out to somebody.
Mr Coaker: Yes, but that is the use of the system
rather than the actual network.
Q847 Lord Young of Graffham:
Yes, it is the mens rea. It is the intention in fact?
Mr Coaker: Yes.
Q848 Lord Harris of Haringey:
Do you have a record of the number of incidents there have been
for people using botnets illegally?
Mr Coaker: Again, Chairman, we can look into
that, but I do not have it here. It might be useful if we write
to you and you could circulate that to the Committee, if that
Mr Smith: I think it is almost impossible to
measure that in the UK, but there are industry commentators such
as Symantec who do research into this and observe the development
and use of botnets, and we can certainly provide information to
you on that.
Q849 Lord Howie of Troon:
Changing the subject a little, you will be aware, I am sure, that
there are security breach notification laws in California and
30 or so states nearby. Have you any views on this? Would you
like to see such things here?
Margaret Hodge: I am aware of that particular
bit of legislation and clearly if somebody has their identity
stolen there ought to be a right of notification. It looks an
enticing bit of legislation. We are looking at it and Europe is
looking at it, and Europe might well come forward as part of the
review of the electronic communications framework, which I think
we are expecting in about July. They may well come forward with
a proposition around this area. I would simply draw to the Committee's
attention what I am sure you have already thought of, which is
the difficulty of framing that intent in a practical way because
you would have to decide what breaches would you report precisely,
what is the trigger for a report, those sorts of issues, and you
do not want to end up in a situation where people either become
really blasé about it because they get so many reports
of breaches or they become so scared that they do not take advantage
of the new information communication technology. On that latter
point, we already know that actually people's fear of these sorts
of crimesand I was surprised to see this statisticis
much greater than their fear of muggings or burglary. So there
is quite a lot of fear around this and we do not want that to
be something which leads to exclusion from all the benefits which
information communication technology developments b ring individuals.
It is an interesting bit of legislation. We need to examine it.
The devil is in the detail and we will think about it and look
at what Europe brings forward in the summer.
Q850 Lord Howie of Troon:
You say you are looking into it. I seem to have heard that several
times during this session, you are looking into this, you are
looking into that and you are looking into the other thing. Have
you seen anything yet that is helpful?
Margaret Hodge: I think we are doing things
which are helpful in trying to curtail crime and that surround,
working with the industries so that they are better at the technology
to ensure that they prevent it happening in the first place. What
Vernon has been talking to you about is that there is a huge amount
of activity in trying to detect it. I suppose the other thing
which we jointly do is that a lot of effort goes into providing
education and information to individuals so that they get smarter
at using technology. Phishing is a classic example. If we did
not give away our bank details so readily online our behaviour
could immediately halt it and wipe out one area of cyber crime.
Q851 Lord Howie of Troon:
You mentioned a proposal from the European Union. As we understand
it, they would likely restrict notification to just telecom companies.
Do you think that is adequate?
Margaret Hodge: What they have said, as I understand
it, and I might defer to Geoff on this, is that they will use
national regulatory authorities (which in our case would be Ofcom)
as the regulator, but I do not think there is a restriction as
to who would report through to Ofcom.
Mr Smith: That is absolutely a very fair point.
In the US it is applied to all businesses and what the European
Commission is saying, through the framework review proposal, is
that this kind of legislation might apply to communications providers,
which would be telecoms companies and ISPs. It looks slightly
odd on the face of it to only be applying this kind of legislation
to those providers and we could have the oddity of eBay or Amazon
not being impacted by the legislation while Yahoo and Orange would
be. This has to be seen, I guess, as a kind of transitory solution.
It does show that European thinking is moving along the same lines
as the US, but the US experienceI do not know whether you
gathered this when you went to the Stateshas not been happy.
I think the profusion of different legislations with different
requirements has made a lot of lawyers rich, but I am not sure
that it has actually increased security or increased consumer
confidence. I fully accept the point the Minister has made. It
is an interesting idea, but we have got to get it right.
Q852 Lord Harris of Haringey:
We were advised that one of the problems was because there was
separate legislation in 30 different states. Presumably that is
not something you are envisaging. But we were also told one of
the real benefits of this was that because of the reputational
impact this has on companies the result has been that they take
breaches in information security, whether it is a lost laptop
or messy access to their IT systems, much more seriously and it
has raised it up the agenda as far as they are concerned. That,
presumably, must have a beneficial impact.
Margaret Hodge: It should be, but the danger
of that is that you over-report and then you are into what levels
should you be reporting to maintain confidence in people using
IT generally as part of their lives, or do you over-report and
then you become so blasé that they take none of it seriously?
That is why the devil is in the detail of how you would frame
Lord Harris of Haringey: I do not think
anyone was suggesting to us that there had been a negative effect
on e-commerce as a result of the breaches.
Chairman: I think that is right, but
they did say that the impact fell after a time.
Lord Harris of Haringey: As far as individuals
were concerned, yes.
That is correct, and so one has got to be careful not to report
too much, as you say. But just having it in the background we
think is very valuable in any case.
Margaret Hodge: Yes.
Q854 Baroness Hilton of Eggardon:
If we can revert to the protection of individuals and whether
the IT community industry should be doing more to look after people
and prevent security breaches, do you think that would be beneficial?
They kept talking to us about end-user agreements and flexibility
of the system and all those other things they feel they should
retain, but we were feeling that the people in between, the people
who devised the software, the ISPs and so on, could do more to
protect individuals. Would you agree?
Margaret Hodge: You mean should we encourage
them or should we coerce them?
Q855 Baroness Hilton of Eggardon:
Margaret Hodge: On the encouragement, self-regulatory
front, I think we would be 100% for that. There is progress in
where we are today compared with where we were a year ago or five
years ago. If you look at the mechanisms now that we have got
for filtering spam or checking for viruses, it is all much better
today than it was a few years back. We do encourageand
we do it actually through the DTI by getting partnerships between
our knowledge transfer network partnerships, which bring together
all the key stakeholders from academia through to industry players
across the industry through to consumers, the whole lot, and they
share information and knowledge and also then can access various
technology research pots of money to try and work in that area.
I think we ought to do more. The more we can encourage, the more
we should. The only thing I would add is the point I have made
before, which is that just as important is the education of consumers,
which is why our Get Safe Online efforts I think, are pretty important.
We probably ought to be doing more to support consumers in using
their technology sensibly.
Q856 Baroness Hilton of Eggardon:
What about protecting consumers by providing them with more information
when they get new computers? There is all this talk about firewalls
and a various range of vocabulary which perhaps people do not
Margaret Hodge: I can tell you that as a minister
you have difficulty!
Q857 Baroness Hilton of Eggardon:
That new patches need to be put on the software, and so on. That
is all Greek to people and I think perhaps some simple instructions
to people which went with their new computer could be helpful.
Margaret Hodge: Before we came into the Committee
hearing today I was so amazed somebody on the Committee knows,
but how we ever got to "phishing" with a "ph"
I do not know.
Q858 Lord Howie of Troon:
Indeed, I have often wondered!
Margaret Hodge: That is the sort of technological
obscuration which I do not think helps anybody and acronyms in
this world are also very difficult. I suppose the only other thing
I would say about ISPs doing more and the industry making a greater
effortI have talked about what we do at homethis
is also an area where we need to cooperate, not just in Europe
but globally because that is absolutely vital in combating fraud.
What about regulation which requires sellers with computers to
state the condition in terms of time of their protective software,
so that if you have got a computer which has just not been updated
for six months with the latest viruses then it should state it
like an out of date litre of milk, that this product is out of
date, it is past its sell-by date? Why do we not do that?
Margaret Hodge: That is an idea which I think
is worth exploring. What it presumes is that people know what
they are buying. I have not looked at it in this area, but I am
looking quite carefully at the moment as we go for digital switch-over
at consumer knowledge as they purchase new televisions to cope
with the switch-over and I think there is a huge lack of knowledgewith
the sales staff also, interestingly enough, not just consumersas
to what software they are purchasing. So it is a good idea, but
it has got to be part of a bigger picture is probably what I would
say to you on that.