I believe that Personal Internet Security has already had a significant impact on government thinking. However, there is still too much complacency on this issue: information security remains the poor relation of information technology and of physical security. Information security is not an optional extra. If we do not get this right, public confidence in the internet is at risk, and with it business confidence and perhaps, if we consider the reliance of our national infrastructure on electronic systems, even our national security.
The Earl of Erroll: My Lords, I, too, thank the noble Lord, Lord Broers, for introducing this debate and add to the cumulative thanks to all who assisted in the report's production. They did an excellent job.
I find the report very interesting and useful because it taught me a certain amount. One of the more useful things was the philosophy behind the way we looked at things. We looked from the citizen's point of view. Quite a lot of evidence came from large companies, including banks, and gave the large businesses' point of view. "Oh well," they said, when in those days £33.5 million was lost through online bank fraud; but that was only the sum that the banks had not managed to offload elsewhere. From the citizen's point of view, those were individual £500 and £1,000 losses, enough to destroy their mortgage payment for the month and to have a huge impact on their life. It is very important that it was a parliamentary committee that looked at the matter, because we are here to look after citizens, not necessarily to try to control them and tell them how they must run their life.
We also tried to think of incentives for people to do the right thing rather than having regulations. We have quite enough regulations already; they seldom prevent what they seek to forbid. They do not often modify behaviour, or they only modify it in an unexpected way (the law of unintended consequences), because it is too complex to be controlled by simple systems of rules. Security economics became an interesting topic and taught me quite a bit; I want to mention that later.
One conclusion was that we should go back to good old-fashioned principles. We pass pots of laws to say that people cannot burgle houses but they still go on burgling houses. We try to deter people from doing it by locking them up from time to time or giving them mild penalties, which makes some of the newer generation decide that burglary is not a good career path. We have to be very careful that, by just looking at and analysing these issues, we do not turn Britain into a safe haven for e-crime because, though we know it is going on, there is nothing we can do about it.
Facebook has been mentioned a couple of times. The internet is changing how we have to look at things. We have to work out where the dangers lie and what other things we should look at. The point of danger could be transferred to somewhere we would not expect. I shall make a couple of points on that. Online, including on Facebook, there will be records of very stupid behaviour that people may have done when they were young. Not always, but in many cases, we may be very lucky and our friends will have lost the photographs of us at a party. Unfortunately, now, such photographs will be preserved in digital form on the internet and they are probably sitting there somewhere.
We need to realise that we have a right to a moment of madness. If you are trying to hire an outgoing person who is very good with people, the life and soul of the party, good at getting contracts and getting into companies, you probably do not want someone who is so dull that they never appear at a party on Facebook. The person who may not behave quite correctly might be the person you want. For certain people, a few interesting Facebook pages might be useful.
As my children keep pointing out, there is a lot of security on Facebook. It has been hugely improved and they certainly keep their pages locked down so that only their friends can see them. They do not join generic groups, like the London group, where anyone
10 Oct 2008 : Column 465
Most points on the report have been covered well by everyone else. Going back to us not being a safe haven for e-crime, the thing that really worried me is policing. I am delighted to see that the Home Office is injecting £3.4 million extra into a central e-crime police unit. I am worried that the Met's £3.9 million will be taking police resources from somewhere else. There is not a full £7 million of new money going in.
Detective Superintendent Charlie McMurdie has been trying to push this forward for a very long time, at a certain sacrifice to her career. I respect her and others hugely for trying to drive this forward, so I am delighted to see that something is happening. Let us hope that this is built on and grows. It is all very well collecting, collating and analysing all these crime statistics, but something has to be done about disincentivising the rest. I echo other noble Lords when I say I hope that the APACS unit, which collects bank statistics, interfaces with this new unit properly and does not just send stuff to SOCA when it thinks fit. SOCA's remit does not cover this area. It is only concerned with large, serious, organised crime with an international flavour.
I turn to data loss and the headlines that EDS has lost a hard drive, as we have just heard. My first point on that is that all the data were on a drive owned by EDS and, therefore, were being processed by an American company, possibly in the United States. Some of our data, which we are forced to give the Government, are now processed in America. America has the Patriot Act, which allows it to look at any data processed in the States, which is why SWIFT, the European banking system, removed its data centre from California to Switzerland. It got fed up with American companies getting business intelligence by putting in Patriot Act requests to look at European bank transfers.
We should take that very seriously. All sorts of interesting things could come out of it which could impact, when combined with other data, on the UK citizen. It has been suggested to me that American companies or subsidiaries operating in the UK, processing the data of UK citizens, still may be subject to the Patriot Act indirectly, possibly through Sarbanes-Oxley mechanisms or some other rules. I do not know whether that is so, but, if it is, it is extremely concerning for government contracts.
The second point about data loss is this: why did the HMRC disk go missing? Apart from various factors like the two single points of contact within HMRC, a wonderful concept which interests me, and all sorts of issues around muddled accountability, the main reason involved targets. Parliament insists that HMRC should report to Parliament every year, and the National Audit Office has to collate information from HMRC to do that. It is a career-threatening issue not to
The third point on data loss is the data breach notification stuff. It is an excellent idea from the point of view of trying to get a grip on the thing. How we decide what a data breach is is another matter, in that if no harm is done, is it still a data breach? We have to ask whether the data are encrypted adequately and so on. I would say that that is then not a breach. But if the notification is published widely, it presents a huge phishing opportunity. Quite a lot of letters were sent out by certain illegals saying, "We notice that your data have been lost by HMRC. We would like to secure your bank account. Please send us your details." A much wider phishing opportunity can be opened up which can catch poor innocents who do not understand all this. We need to be careful how we react to and handle these situations. It is not as simple as just informing people.
I turn now to economic issues concerning banks and the card-not-present problem. The reason I feel strongly that liability should be loaded back on to the banks for all transactions through credit cards where those cards are stolen is that the banks decide the security of the token which merchants big and small have to accept in order to conduct electronic transactions either over the telephone or on the internet. The token is not adequate because chip and PIN does not work remotely. But the banks have no commercial incentive to upgrade the token because in all card-not-present transactions, the liability is offloaded on to the merchant. The big ones can cope with it, but the small ones cannot. Ridiculous situations arise, such as when my wife tried to buy a ticket over the internet for my daughter and another to fly out to Thailand on holiday. She got a very good price from some people in Wembley who said, "In order to protect ourselves because you are spending £1,000, could we please have a photocopy of the front and back of your credit card and your passport so that we are covered?" That is not good
I want to wind up with two brief points. We face a new threat because we are about to be hit by what I think will be the communications data Bill, but they will not tell us what is in it. The proposal is to centralise all communications information in the UK in the Home Office so that it can more efficiently search that information for clues when a terrorist attack takes place. The information will be accessible under RIPA to all sorts of other bodies, but I shall leave that to one side because it is not what I am really worried about. Of more concern is officials searching all that data and the danger of inaccurate inferences instigating intrusive investigations into the private lives of citizens, with potentially unsafe outcomes. If officials start thinking, "Is this person this or that?", they will eventually embark on data matching and data mining. The information will also become a possible target for foreign intelligence. If you want to find out if one company is looking at another company, what better way is there than to look at what web searches it is making? The information will include a record of web searches, what is being looked at, emails and everything else. It will not set out the content, but that is less important. It is what someone is up to, the pattern of use and the inferences to be drawn that matter. There is an opportunity not for people to lose disks, but for people inside the system who might be corrupt. GCHQ has a long tradition of security and is very careful in this area. I am not sure that the same standards are inculcated in the Home Office, but if this proposal is serious, I hope they are before it is introduced.
Finally, I am worried about the plethora of people who try to protect us as citizens: there is a surveillance commissioner, an Interception Commissioner and perhaps a couple of others. They tend to report via the heads of the departments that they are reporting on or to the Prime Minister, who is basically the head of all executive departments; he is the head of the Executive. So someone who is keeping an eye on the Executive reports to Parliament via the Executive. That is not right.
The Information Commissioner reports directly to Parliament but feels quite swamped sometimes; he is underfunded, under-resourced and comes under attack, some of which is quite personal. I think the idea that he had of setting up a new authority to bring together all of the services that protect personal information is quite a good one. With the right people in it, plus extra people from outside, it could make sure that people's privacy and information are protected properly. It could consider whether data breaches should be notified more widely and so on.
I am worried about the incentives for this organisation, which I would call the Personal Information Protection Authority, or PIPA; and, because he who pays the piper calls the tune, I would make it answerable to Parliament and not the Executive.
Lord Bhattacharyya: My Lords, this is an enormously important topic and one on which the well-being of a great number of companies and families rests. The effectiveness of the report and what has been said is shown by how far the Government have travelled since their first response last year. For this contribution, the noble Lord, Lord Broers, and all the members of the committee deserve the thanks of all of us who are concerned about data security in this interconnected age.
As a society we are becoming increasingly dependent on technology, particularly the internet and communications networks; we use them at home, at work and throughout commerce and Governments across the globe. Risk, however, is less tangible in cyberspace. People know what it means to lock their front doors, but they do not have the same knowledge of what to do when online. It is not intuitive; we cannot use the senses upon which we depend in everyday life to help us.
For example, a large online gambling company was recently discovered to have had super-users. Certain players were able to win large sums at poker by knowing the cards that their opponents held. As those who are familiar with card games will recognise, that is a significant advantage. It became public knowledge only because customers of the company became aware of unusual play by such super-users. This triggered an online investigation by members of the internet forums and, as a result, the company concerned has so far repaid some $6 million to consumers who lost money on its site.
There are some interesting lessons here. First, the company was incorporated under the jurisdiction of a Canadian Indian tribe, the Kahnawake. The company was a respected and trusted brand. It was regulated in the same way as its competitors, and the consumers' only regulatory remedy was through the Kahnawake gaming commission. That is not satisfactory, to say the least. Millions were effectively stolen, and yet there is no clarity about who benefited or where the money went and no data trail on who lost out. Most remarkably of all, after having announced that their software contained holes that allowed the winning of millions of dollars through underhand means, the sites concerned are still trading and still prospering.
We require a multi-layered approach to addressing these problems. That will involve building technology of higher integrity which is not pervaded by vulnerabilities to be exploited by those with malicious or criminal intent. But this will always occur. No matter how many safeguards you build in, there will always be someone with criminal intent. In turn, this means that we must make security solutions easy to use, not so difficult that users simply turn them off because they are unaware of the protection that they offer. The final step is to provide the necessary regulation and checks and balances so that we can deter misuse.
The report used the helpful analogy of the road networks to describe a shared burden of responsibilities. It makes the key point that while great responsibility rests with the road users, their safety also relies on those who design and maintain the road network, with its signs, lines and markings.
Online, I am concerned by the lack of security education on the part of software and hardware developers, business managers, civil servants and all those who have to interact with digital information. I believe we need to investigate the programmes developed by the United States; it has made it a priority to develop centres of national excellence to provide a framework and guidance for students and institutions in information assurance education. Consider the road example again: we provide awareness campaigns on specific issues and education on principles through driving lessons. Very little work has been done to understand how the computer users comprehend the risk that they are taking and what their actions or inactions actually mean.
Alongside dealing with the problems of today, now is the time to design in security for the future. Traditionally, research on e-security has been focused on specific solutions for individual problems, which results in individual products for each problem. Security solutions have followed only after the discovery of security gaps, so we have had firewalls, anti-malware programs, anti-phishing measures, and so on. This is not scalable and is limited in effectiveness since we only respond as we encounter problems, as opposed to proactively planning security for the future.
We are now developing the networks and services for the next wave of technologies. We should not make the same mistake of failing to design in security from the start. With advances in mobile communications, we could soon be connected wherever we are and whatever we are doing, as noble Lords have said. Access to information and services via the internet will be as necessary as water and electricity.
The increasing number of devices that will store and hold our information also increases the potential threat to our security and even our personal safety. Consider mobile healthcare in the future: tomorrow's pacemakers might be part of an integrated body area network able to transmit patient healthcare data to doctors and allow them to modify patient treatment. With researchers already developing wireless attacks on current pacemakers, it is easy to see how this more complex internet-connected system raises concerns not only about data privacy but the potential for risk to patient safety.
In other words, we will need to prevent new technologies and systems being attacked, and we cannot afford to wait for failures in order to plan our protection. We need to understand the changing threat and how to manage our risks dynamically and in response to it. We need to consider how to build systems to tolerate intrusions while still offering degrees of security, not have them fail. We need to develop technologies to allow individuals to have meaningful control over their information and online activities while still maintaining accountability. We need to provide tools to reduce and remove vulnerabilities and holes in our systems. We need to design the interfaces and controls of security technologies so that they are easy and intuitive to use, and so more effective when deployed. These are just a few examples of technological responses that must be researched now if they are to succeed.
I welcome the decision of EPSRC and the Technology Strategy Board to invest in a range of projects on data security and privacy, but I believe that this can only be the beginning of such interdisciplinary research objectives. In the short term, we can focus on the current risks and make users aware of these and the techniques needed to keep them safe online. Raising consumer awareness of the dangers helps stimulate the adoption of the products and services which offer safety. At the same time, regulation has its place to play, and without teeth to remove business contracts, fines and penalties, business may decide that a lack of protection for their users' data is a risk worth taking. The penalties have to serve as a deterrent to businesses that fail to act as well as the criminals who wish to take advantage of their weaknesses.
This has to be an international effort; I cannot see it happening within our national boundaries alone. I hope that following the judicious use of the carrot and the stick by the committee, the Government will ensure that a similar carrot-and-stick approach to regulation is a high priority in the European and global forums, in which this issue must ultimately be resolved.
Lord Birt: My Lords, I declare an interest as a director of PayPal Europe. I applaud the diligent and painstaking work of the noble Lord, Lord Broers, and his committee, an example of the House of Lords working at its very best.
E-crime on the scale which we now see it has emerged only during the past four or five years. Before that, it was mainly a few geeky kids showing off; now we face a massive and sustained criminal attack. Many millions of emails are sent on phishing expeditions, aiming to trick the innocent into revealing their security details. Malware is infiltrated, like the creature in Alien, into the inner workings of our PCs to steal our most confidential personal data. Botnets, networks of ill-intentioned software robots, can attack and sometimes bring down major and sophisticated entities, and sometimes ransom them. Far worse is surely to come.
The losers are not just major merchants offering products and services online and the online payment providers, but many tens of thousands of ordinary individuals who are not always protected from loss. The scale of the economic loss is now enormous. Gartner estimates the current global cost at $3.2 billion, but I suspect that that is a serious underestimate.
Who are the perpetrators? Many perpetrators have highly advanced computing skills. Some are lone wolves, who, when they get up in the morning, devote their whole day to internet crime, knowing that they are highly unlikely to be caught. But those anti-fraud experts who have most studied online theft have good reason to believe that as much as 70 per cent of economic crime on the internet is now the work of organised crime syndicates
As the noble Lord just said, e-crime is now primarily global, not national. The bulk of syndicates have home bases in Russia (which is interesting for those of us who sat through the previous debate) and elsewhere
How can this growing threat be countered? First, individual consumers and merchants can of course be more savvy and alert, and can be better educated to be so. Secondly, online providers can intensify their work of hardening targets, making it increasingly difficult to commit e-crime. They are developing ever more ingenious means of achieving this.
Thirdly, ISPs could stop averting their gaze from manifest criminality. Their technology is sophisticated. They can detect peer-to-peer theft. They can identify which of their customers' PCs have malware. ISPs can pinpoint the originators of phishing expeditions sending out their millions of ill-intentioned emails. But, so far, in the UK and around the world, ISPs have not been inclined to fight crime.