I declare an interest as chair of the e-Learning Foundation, which I set up in 2001 at a time when computers in the classroom were opposed on many levels. Now we are beginning to reach our goal, which is wonderful, but even so, I worry about the dangers that children face. Now, more than ever, computer manufacturers have a duty to inform the public and
10 Oct 2008 : Column 456
One of the biggest changes in the 16 months since this report was published has been the explosion in social networking, particularly Facebook. It is estimated that 85 per cent of American students use it, and I bet that the percentage in this country is not much less among our students. My sons have more than 700 friends on their Facebook sites. For many young people it is their primary method of social contact. They use it for digital photos, e-mail, announcement of parties and other social events. It is ubiquitous. "Facebooked" has now joined "Googled" in the young's vocabulary. However, Facebook is a security nightmare. It is easy to access such sites, which is open season for the bad guys. I am told that university admission departments in this country access Facebook to check out new students, and recruiters trawl such sites in attempts to find out more about potential job applicants. Facebook needs to do more to protect its customers. Government needs to be more aware of the dangers.
The next major development since the publication of the report has been the astronomical growth of smart mobile phones. Today there are 1 billion PCs worldwide. By 2011, I have been informed that 3 billion smart phones will be in existence. This development means that all the security problems associated with any standard PC will be significantly enhanced now that computing is becoming totally mobile. Today, almost everything that we can do on a PC, we can do on a mobile phone. Soon we will have the ability to conduct video conversations through our phones while on the move. Once again, security issues have taken on a higher level of concern.
Associated with the mobile phone is the use of mobile VOIP, voice over internet protocol, such as Skype. My iPhone now has a new application called Fring. It enables me to make phone calls to any destination in the world practically free of charge. It is true that the software is buggy and true that I need to stand close to a wi-fi hotspot, but it is an indication of things to come. In the not-too-distant future, phone calls will be made not via landlines, nor via mobile operators, but via the internet. Again, the security aspects are formidable.
My final new development is a concept called SaaS, software as a service. The internet industry has frequently witnessed the arrival of disruptive technologies, and SaaS is truly disruptive. The development of fast internet connection and the proliferation of highly sophisticated hardware devices have combined to redefine how software is used. Today's model, whereby software vendors sell their programmes on a DVD and the customers operate these programmes on their own computers in-house, is fast-changing. SaaS uses a technology called Cloud, where the software is located remotely (even continents away) and the customer inputs his data and receives data back from Cloud. To the customer, it has many advantages. It means that he
Security is key. The vendors say that it is more secure to keep data on Cloud than to keep it locally, and I probably believe them. After all, that is where I keep my own personal data. On the other hand, the vulnerability of SaaS to a global strategic attack is not hard to imagine and not out of the question. Facebook, smart mobile phone growth, VOIP and SaaS barely featured in our report, yet today they are pointers of future IT developments. They are a measure of the ever-changing technological thrust that is occurring in this industry. Security issues are becoming more crucial and the consequences more frightening, yet Governments everywhere respond ponderously to this threat.
At the very least, I hope that this report and this debate inject some degree of urgency into addressing the dangers and risks of the internet.
Lord Sutherland of Houndwood: My Lords, I, too, thank the noble Lord, Lord Broers, for introducing this debate and for the seminal part that he played in the work of the committee in this area. We were very fortunate to have him and others in our team.
Sometimes the House of Lords is represented as being at some distance from real life. That is the perception that many have of us; they see pictures of ermine and all sorts of things. I dispute that view and cite as evidence this report and the follow-up report. We hit the target. We were right on track for the central issues in our society and have raised some fundamental questions, and I want to go through one or two of them.
Of course, another criticism of the House of Lords is that it ignores the elephant in the room and concentrates on details. The elephant in this Chamber, in the Chamber down the way and in many other rooms at the moment is the position of the banks in our society. Paragraph 20 of our follow-up report reads:
"Professor Ross Anderson ... and Nicholas Bohm ... in their follow-up submissions are critical of the Government's reliance on the banking industry."
Of course, we see the wider context for that but there is also a very specific context in relation to the focus of this report. Why is that so? Internet trading and purchase, which now form a significant part of our economy, depend on confidence and trust in a variety of ways but specifically, as we informed ourselves very clearly, they depend on confidence and trust in the processes employed by the banks and in the priority that they give to personal internet security. Every purchase online, every purchase of a ticket for the theatre or a train, or every purchase on eBay depends on one's credit card functioning well and securely. A central question which we raise here is the role that the banks must play in future in guaranteeing the security of the information
A system which depends on a decision by a bank on whether or not a customer has been defrauded is flawed by the fact that the bank has a direct financial interest in denying the customer's claim.
We have learnt to be more careful about the reassurances given by banks. That is fundamental. My noble friend Lord Broers made the point so well that I need not elaborate on it. That is the elephant in the room today and relates to our report and to our concerns. Do we have confidence in the systems of the banks? Would that confidence be greatly increased if the banks were to be more transparent in reporting computer and internet fraud and in reassuring customers that they had this as a high priority in the processes which they put in place?
I want to comment on the government response to the original Select Committee report. We reported in July 2007 and the Government responded in October 2007 in a written reply which I regard as something of an own goal, what Harold Macmillan taught us to call "Events, dear boy, events". The government response was effectively a brush-off and it was complacent. Since then we have had the loss of personal data from Her Majesty's Revenue and Customs which resulted in 25 million individuals being exposed; further revelations from the MoD today concerning 100,000 personnel, plus 600,000 potential recruits and the loss of security information; the Driver and Vehicle Licensing Centre; and so on. The record of the Government on this is not good and, in the eyes of the committee, those failings became failings in capital letters, following as they did the Government effectively saying they had no concerns or worries about the issues raised by the report.
Of course, it is a mistake to refer to these as just "Events, dear boy, events", out of the blue and not their fault or responsibility, because they represent massive failings by public bodies on which we, the citizens, rely with regard to the security of personal information. They are not events over which we have no control, but the point of much in our report is that the Government must take charge of this, ensure that the controls are in place and that the information that we either reluctantly, in some cases, or freely give to these government sources is protected and that our personal information does not become a matter of the public market place.
We passed through the stage of thinking of them as events some way back. The government systems, as I have suggested, seem to be badly flawed. However, we are proceeding down the line. Consider ID cards and the databases required to service that policy. I am not discussing the policy of having ID cards, as that is a matter for another day and another debate, but I am simply alerting the House to something of which I am sure it is already well aware: that the protection of the information to be held in connection with that policy must have a very high priority indeed and, in view of what has happened, reassurances and words will not do. These examples (and one could add NHS information to them) indicate why the committee decided that the follow-up analysis and report were justified. The general
To be positive, because so far I have been critical of the Government, we had a good and, on both sides, helpful discussion with two Ministers, Vernon Coaker and the noble Baroness, Lady Vadera, on 20 May 2008. There were at least two outcomes of that discussion which I regard as positive. The first was a commitment by Vernon Coaker to write update reports every two months. We have received the first two, and they were helpful. I look for more, but they are a good start and a positive response that matches the contributions that the Ministers made to our discussion. The principle of such reports is important and is much appreciated by the committee and more widely.
More updates are anticipated. The Council of Europe Convention on Cybercrime was signed in 2001, but it has yet to be ratified by this Government. In the discussion, we were promised that ratification will take place before the end of 2008. We had our two-monthly update in September and the next is due in November. I hope that there is some indication that before the end of this year action will be taken. That is just one example. There are many examples of where updates and expansions of what we have already been told will be useful.
A second outcome is that the full Science and Technology Committee has underlined its determination to be a scrutinising committee that will hold the Government to account in those areas where science and technology affect government policy and practice. It will do that and will follow up. It will not simply send reports into the ether to be left there. This is simply a marker to the Government that, as regards this and other reports, the committee will expect responses of the desired quality.
Lord Harris of Haringey: My Lords, I thank the noble Lord, Lord Broers, for the way in which he introduced this debate and for the excellent way in which he steered the inquiry. I learnt a great deal from him, not least about the complexities of web-based navigational aids on ocean-going yachts, a subject to which I had not previously given much, if any, thought. I also want to pay tribute to the work of the committee's Clerk, Christopher Johnson, who has now been elevated to the position of your Lordships' Clerk of the Journals. I am not quite sure what the Clerk of the Journals does, but I hope the position makes full use of his excellent talents and skills. I also thank our adviser, Dr Richard Clayton from the University of Cambridge, who, along with the Minister, is a member of the bearded elite.
Since our report was published, much has happened. There have been well publicised data losses at HM Revenue and Customs and from other government departments and agencies. Indeed, today we heard of the loss by EDS of an MoD hard drive containing the details of 100,000 service men and women. All this confirms my view that the committee was right to call for a data breach notification law in the UK. I commend the Government for their willingness to come clean and admit problems as they emerge, but that does not alter
A data breach notification law would not solve those problems, but it would certainly concentrate the minds of those responsible. We must alter the mindset. It must be clear that information security is not some optional extra, and that for every business and organisation, information security is just as important as physical security. That is about the culture within organisations. Every employee must understand the importance of maintaining data security and their responsibility for doing so.
Perhaps if people recognised the potential value of personal data, they might be less cavalier in its treatment. For many people, a stolen identity will take weeks or months of effort to sort out. The FSA estimates that the cost of identity fraud in the UK (admittedly, using a fairly wide definition) is about £1.7 billion. During the inquiry, we were told by Team Cymru that on a single server in a typical month, there were for sale the data from 32,000 compromised Visa cards and 13,000 MasterCards. The price nearly three years ago was $1 for a US card and, apparently, $2 for a UK card. Associated data were also for sale, including the cardholder's mother's maiden name.
Perhaps if employees were told that each personal record was worth at least £100 (it is probably more) they might treat a memory stick or, for that matter, the MoD hard drive containing 100,000 personal records as though it was worth £10 million. They would certainly treat it with substantially more respect. Engendering such a change in culture may require more than a data breach notification law. Perhaps we need something more akin to the framework created by health and safety legislation, where every manager would have to take personal responsibility for delivering information security in their area of responsibility or face prosecution. Perhaps we need an IT equivalent of the US Sarbanes-Oxley requirements to make people at board level take their responsibilities to heart. Nevertheless, as a first step, I ask my noble friend when he replies to reflect on whether the experience of the past few months and weeks has made it all the more urgent that we introduce data breach notification legislation.
The need for a shift in the burden of responsibility was also a key theme of the report in terms of those who should be responsible for ensuring personal internet
There is every reason to suppose that such confidence could falter. According to a survey commissioned by Get Safe Online, e-crime is now more feared than mugging, car crime or burglary. I believe that the Department for Business, Enterprise and Regulatory Reform contests that, but there is no question that many people are fearful of conducting transactions electronically. Moreover, as the inquiry concluded (albeit, I must say, with an eye to the soundbite) the internet,
The government view, certainly as initially expressed to us, was that internet security ultimately rests with the individual. However, our view was that such a stance was no longer realistic and was in danger of compounding the perception that, in another soundbite from the report, the internet is a "lawless wild west".
Responsibility for improving internet security should be shared. The committee used the analogy of road transport. Within the road transport system, the safety and security of the individual road user is protected at several levels. There is the network itself, with roads designed and engineered for safety, maintained, lit and signposted. Then there is the equipment that uses the network; in the road safety analogy, cars and other vehicles have safety features built into their design. Individual users are taught how to drive and subjected to testing and monitoring. Finally, the network is policed with a clearly defined legal framework for the use of the network, with those who breach the law risking prosecution.
As far as internet security is concerned, the network providers (the ISPs and so on), equipment manufacturers and software producers should all take some responsibility for making the network, the equipment and the programmes more secure. Similarly, businesses must have a role in making their interface with consumers safe and secure and protecting the position of those who transact with them. Finally, each user must be sensible and careful, although the Government can help by taking measures to raise IT literacy and improve understanding of security. The Government must ensure, of course, that the rules set are adequately and effectively policed.
The noble Lord, Lord Broers, referred to the value of a kite-marking security system. This is clearly necessary for equipment and software and for service providers. There should be better service advice given automatically on the first use of products. Default security settings should initially be set as high as possible. It should be an explicit decision of users to lower the settings. Security updates should automatically be downloaded,
Why do so many commercial sites require information that is not necessary for the transaction concerned? The answer, of course, is that it provides them with useful marketing information, all the better to sell you future products. However, how well is that information protected? The impetus to complete the transaction will lead many people to provide more information that may not be strictly necessary but may be difficult not to provide, and to agree, or more likely not to disagree, to its use in all sorts of ways that in any event are probably outlined in a 20-page policy that most users will not bother to read.
As my noble friend Lord Mitchell has highlighted, of particular concern is the way in which some of the popular social networking sites encourage people, often teenagers, to reveal all sorts of personal details and information about themselves. This opens them up not only to identity theft but to sexual predators. Young people might also want to reflect on the impact on their future employment prospects when details of their wilder escapades may be readily available to would-be recruiters. The companies that run these sites have an obligation to warn people about these dangers, to enable people simply to remove material that with hindsight they wish they had not posted and to make it easier for users to report abuse and problems. Perhaps my noble friend Lord Brett will tell us in his reply whether the Government are happy to see social networking sites, which are used by so many teenagers and young people, operating so freely and in a way that could be so damaging to their users.
Then there is the problem of e-crime. The term is necessarily a loose one; fraud is fraud, whether it is committed using electronic means or any other means, and child abuse is child abuse, whether images of it are transmitted electronically or in any other way. However, to say that you cannot define it meaningfully does not alter the underlying issue that the way in which many crimes are committed or the ways in which they are facilitated have changed dramatically in recent years. It is therefore necessary to ensure that the police and enforcement agencies are equipped to respond effectively to this dramatic change. That is why the creation of the police e-crime unit is so important. I am grateful for the Government's support for this and for the resources that have been made available. I pay tribute in particular to my honourable friend Vernon Coaker, who worked so hard to bring this about and has now, I am pleased to say, been rewarded by promotion to Minister of State.
The creation of a centre of excellence that provides support and policy leadership to police forces around the country is essential given the rapid pace of technological developments and the speed at which criminals exploit these developments. Such a centre cannot be the end of the process. Every police force
My final point relates to what the report did not cover: the wider question of the national infrastructure and internet security. As a nation, the systems that are essential for our health and well-being rely on computer and communications networks, whether we are talking about the energy utilities, the water and food distribution networks, transportation, the emergency services, telephones, the banking and financial systems, and, indeed, government and public services in general. All of them are vulnerable to serious disruption by cyber-attack, with potentially enormous consequences. The threat could come from teenage hackers with no more motivation than proving that it can be done. Even more seriously, it could come from organised criminals, intent on extortion or fraud, or from cyber-terrorists, intent on bringing about the downfall of our society. We now know that, following the cyber-attacks on Estonia and the cyber-disruption suffered by Georgia earlier this year, the threat may also come from nation states.
Moreover, most of the critical national infrastructure is privately owned and operated. It may not be in the commercial interests of those owners and operators even to acknowledge to anyone outside their organisation that they have had a problem. Do I, as an operator, want my other customers to know that my security, and therefore their security, has been breached? I think not. It would certainly not be good for business. In any event, it cannot be necessarily assumed that the commercial need to maintain system security is of the same magnitude as the national interest in that security; nor can we be confident about those parts of the CNI operated in the public sector. We live in a target-driven world, and security constraints are not necessarily adequately addressed in each department's key performance indicators, certainly when the key drivers of activity are improving the quantum of specific aspects of service delivery.
My final question to my noble friend is: are the Government really satisfied that our critical national infrastructure, which is now so dependent on the internet, is genuinely as well defended and secure as it should be?