Protecting Europe against large-scale cyber-attacks - European Union Committee


Examination of Witnesses (Questions 140 - 159)

WEDNESDAY 9 DECEMBER 2009

Mr Ilias Chantzos and Dr Jose Nazario

  Q140  Chairman: Dr Nazario.

  Dr Nazario: Thank you very much for your time, Lord Chairman. I am Dr Jose Nazario and I have been with Arbor Networks since about 2002. Prior to that I was in biochemistry, doing a PhD in the field in 2002 as well. Arbor Networks was founded in the year 2000. We have been a company for about nine years now. I am currently the manager of security research of the company, working for the Chief Technology Officer of the company, Dr Rob Malan, who was actually also one of the founders of the company. His research, together with Professor Jahanian and others, led to the founding of the company after many years of research into detecting and thwarting denial of service attacks at the carrier scale—the ISP scale. Arbor Networks builds products, among them the Peakflow product line which helps large providers—so these are Tier 1 backbone providers to the Internet; and Tier 2 providers, broadband providers, mobile providers and many others and large enterprises. We measure their traffic, detect denial of service attacks and filter them out using our products or even partners' or competitors' products as well. We also build devices to provide service control for the broadband edge in our e-Series through an acquisition early last year. Arbor Networks chiefly focuses on the availability part of the information security space. We employ about 270 people around the world. We are headquartered in Chelmsford, Massachusetts in the US, just outside of Boston, with a major engineering office in Ann Arbor, Michigan, which is where I am located. We have people in the UK, in Europe and globally as well. Our customers include large ISPs, including British Telecom and many others around Europe and around the world, as well as governments and, as I mentioned, large enterprises.

  Chairman: That is very comprehensive; thank you. Lady Garden?

  Q141  Baroness Garden of Frognal: That is a very helpful introduction. Do you think that the programme set out in the EU Communication on large-scale cyber attacks is going to make any difference to Internet resilience? Or do you feel that this is something which the Internet industry has well in hand already?

  Mr Chantzos: I think we need to begin by making a very important distinction. The Commission Communication on Critical Infrastructure Protection is a policy statement; it is not a programme itself, it is a statement of intentions. It is what the Commission would like to do in this particular area. So the first requirement for the Communication to have an impact is actually the Communication to be followed through. It is the Commission to do the different things that it talks about; it is the Commission to do work on early warning; it is the Commission to do work on common exercises; it is the Commission to do work on information exchange, and the ENISA mandate to be reviewed and so on and so forth. There is a list of something like ten items which are foreseen in the Communication. From our perspective we need to bear in mind that the Communication is aiming at first of all raising the level of awareness and the level of security within the Member States and in the work that the Member States are doing with each other. I am saying that because that will indirectly, hopefully, also raise the view of the level of resilience within the European Union. I think it is also fair to recognise that when we talk about a European Union of 27 Member States we talk about 27 Member States that have a variety of approaches and also a variety of their level of development in terms of how they understand issues of network and information security and how they understand issues of critical infrastructure protection. So in that regard also things which are obvious perhaps in London about how we need to be working and collaborating with people like industry, which is what the Commission Communication is calling for, with public and private partnerships, may not be that obvious in other places in Europe. 
To conclude, (a) the Communication can have an impact but it needs to be followed through; and (b) the Communication in terms of where it is targeting, its first and foremost audience is we will take the Member States, so the impact that that would be is more likely to be interacting on the overall work that the Member States do with themselves and with the industry.

  Q142  Baroness Garden of Frognal: Presumably coming from industry you have to make the balance between collaboration across industry and competitiveness because obviously you are in business to make profit.

  Mr Chantzos: Clearly. From our perspective there are a number of issues when one is looking at this cross-border collaboration. Is cyber security, is critical infrastructure protection a pan-European problem? Absolutely. Is critical infrastructure an area that the industry needs to be working on? If I just look at the telecoms environment it is fully liberalised, so from that point of view the infrastructure is owned by the private sector and therefore it is a question of public/private partnership in collaboration. At the same time no single industry has the solution to the problem but also when we talk about collaboration we need to make sure that (a) we do not violate our competition obligations in collaborating; but also that there is the framework in place to do collaboration. What do we mean by that? Collaboration, examples like information exchange, exchange of best practices, building of trust require a framework to do that conversation at European level. The framework does not necessarily exist. They require the financial incentives to do that at a European level which also would exist; but most importantly they also require the legal basis or at least the lack of legal obstacles to be in place at European level in order to be able to do that. When it comes to legal obstacles, for example, if I can give a very concrete example for your Lordships' consideration, data protection legislation. The way that we implement and understand data protection legislation in a country like the UK, whereas in principle it is harmonised, may be somewhat different to what we understand it in a place like Sweden. So whereas you may want to have a country like Sweden and the UK cooperating, on the other hand you need to be thinking very carefully as to whether you are doing something which in terms of information exchange that UK and Swedish law would allow.

  Q143  Chairman: Dr Nazario, do you want to come in?

  Dr Nazario: The programme described by the EC in the report earlier this year will, we believe, start to make a difference, although it is insufficient in some respects. The goals or the descriptions that Promis has outlined, all of which we agree with in principle based upon our experience with regard to public/private partnership, regarding the role of CERTs and regarding the role of the need to harmonise legislation for providers and for security in mind, as an example, all of these are key instruments as well as data sharing. However, it is vague in many places and it is incomplete as well. I would have liked to have seen it, based on my own experience, suggest more cooperation, for example, with the existing organisations, such as FIRST, and really stress these participations, as well as some of the other larger organisations that have emerged over the years to provide either industry-wide or operational communities and stressing these as points of cooperation, in particular for the public-private partnerships as well as models of how the data might be gathered and shared. So it is a broad outline that we agree with in principle; we figure it is a decent foundation but insufficient to really be a complete impact.

  Q144  Lord Richard: Could I take up the second half of Lady Garden's question where she said is resilience something that the Internet industry has got well in hand already? Do you have it well in hand?

  Mr Chantzos: So let us take a step back—in what sense? We talk about Internet resilience but what do we really mean? Do we really mean whether the Internet is in a position to withstand a major attack? I would answer that the Internet is probably one of the most resilient networks that has ever been built. I would argue that the Internet has been designed to withstand a nuclear war; so from that point of view the work that the industry has done around the Internet is actually quite good. There have been incidents where there have been large-scale attacks against the Internet infrastructure and also there have been incidents which have been literally accidents that have to do with Internet infrastructure. For example, I remember that there has been an incident whereby an anchor of a ship was dropped off the coast of, I think, North Africa, and as a result it cut the underwater sea cable and basically lost connectivity. Is that an issue for the industry to address? We are dealing here with the situation of an accident and maybe there should have been more resilience for more alternative routes to channel that. So, from that point of view, it is a question of economic efficiency—do we need, do we have, should we have? The enemy of the good is the better and I would argue that the industry has already done some good enough work but it is not just industry issues that need to be addressed, and it is also a question of a risk management approach.

  Q145  Lord Richard: Can you tell me what work it is that the industry has done on this?

  Mr Chantzos: Before I answer the question, however, for what kind of industry would you like me to focus on? Would you like me to focus on ISPs? Would you like me to focus on our industry?

  Q146  Lord Richard: Yes.

  Mr Chantzos: For the industry at least that I can speak of, when I look at the security industry, our work around resilience has primarily been in trying to make our software much more efficient and as much as possible least vulnerable. So if I look at the work that we have done I can point to activities around a number of companies in order to make their software less vulnerable, either through software management life cycles or through engineering and processes within the software building capabilities of the companies in question. I can point as well to organisations like SAFECode, which are designed to bring the different parts of the industry together in their changing best practices on how they can build the applications that will either run on the Internet or protect the Internet from being more vulnerable.

  Q147  Chairman: It may be that you would feel after this session you would like to provide a supplementary paper on this.

  Mr Chantzos: Provide more data on this; sure.

  Q148  Chairman: Dr Nazario.

  Dr Nazario: I would like to focus on the ISP operator community aspect of it, both from a security as well as a simple resilience model. Every day we see attempts at attacks against protocols, against infrastructure—what we call the protocol stack of the Internet. So anything from physical wiring to how it is carried, all the way through to applications such as email and the Web browsers. This is a stack of protocols designed to be resilient; it can be affected at one point or another and even remedied at one point or another, which gives it a tremendous amount of flexibility. However, in this complexity we do see some risks. In large measure the operational community is able to quantify these and actually remedy them either by working with major vendors like Cisco, Juniper and others, or in forums such as ICASI, or even in some ad hoc forums, for example around the recent SSL vulnerability; to be able to investigate fixes and to apply these fixes as quickly as possible for operational and business continuity. Natural disasters have occurred as well as some man-made accidents, as well as operator error. A good example of operator error is the incident where a Pakistani ISP attempting to filter YouTube traffic for its domestic users actually affected YouTube traffic for the entire world through a mis-advertised route. The Internet was able to respond within a matter of hours, both detecting it and attempting to address it, again, because of the complexity of the protocol stack and the resiliency within there. Outages such as power outages or cable cuts again can be routed around the Internet and can be accommodated almost immediately by the Internet infrastructure, as well as in the near term adding capacity by simply laying new cable or building new connections. 
And attacks, for example, against routing servers or key exchange points have all been dealt with and put in hand again partially by the redundancy built into the network that automatically kicks in, as well as the operating community discovering the attacks and filtering them out as quickly as possible by discussing the attacks, sharing data and applying filters as needed. Again, some resilience is built into the community that is there but there are gaps unfortunately because in some cases they do not have the investment that they want to make, that they can make because of, for example, how long-term it might be or how strategic it might be compared to immediate business concerns. So there are some fundamental risks there and there are of course challenges with the number of players and some of the fundamental vulnerabilities such as in DNS or SSL protocols and coordinating all of that to represent themselves provide real challenges ahead for our industry.

  Q149  Lord Richard: I would perhaps make a comment which is that really what you are saying to us is that on the whole the industry is coping but that if certainly additional things were done—not great things—within the compass of the industry that it should be all right and you do not need anything like the EU intervention to improve it.

  Dr Nazario: I believe that you used a very apropos word by saying "coping". I think that some assistance would be valuable; I think that some coordination might be valuable to facilitate what many people want to achieve or would wish to achieve. I think that might be valuable to bring to the organisations.

  Mr Chantzos: If I may comment? If I look at examples like, for instance, the Conficker virus. That was a very good example whereby the industry stuck together. The so-called Conficker working group worked through the possible fixes and came up with a solution very quickly. If we look historically at cases of attacks against the DNS servers, whereas there have been attacks, let us say, in three out of the 14 DNS servers have we been witnessing any significant impact on our Internet experience? None at all. From my perspective I think to turn round and say if we do a few things then everything is going to be fine, I would argue that it is perhaps a somewhat simplistic way of addressing the problem. Why? First of all, the threat landscape is changing all the time; it is evolving. Doing a fix now does not mean that it will work in three months from now. In some ways it is an arms race; it is trying to figure out what the next move is going to be. So rather than trying to apply just the technological fix or just pump more money into the system, I think it is important that we also try to address some more of the fundamental roots of the problem. On the other hand, I do believe in the value of coordination and cooperation as being an element of the overall mix and I think that this is really, if I see it from an EU standpoint, what the EU would like to try to push forward, and from that point of view, frankly, we would welcome that Communication and we would be supportive of it. To comment on something that Dr Nazario said, that the EU is vague, I take the point that it may be somewhat vague, but I would also like to remind all the people in this room that the EU may be deliberately vague for some very good reasons. In what sense? First of all, when you do your policy statement you do not necessarily want to outline all the bits and pieces, especially if that policy statement is dependent upon the consensus or the cooperation of 27 sovereign governments. 
In addition to that, let us not forget that when we are talking about information security we are talking about the issues that impinge upon national sovereignty, which impinge upon issues of national security and which put in question how much role and how much legal basis the EU has to act and up to what level. So I would argue that there are very good reasons why the policy needs to be generic because ultimately it needs to be a policy which will not supplement the role of the national governments and the role of the sovereign government in this particular case. It needs to follow the principle of subsidiarity.

  Q150  Lord Harrison: I wanted to drop anchor, my Lord Chairman, on the Mediterranean anecdote. Did anything change? Was the change, for instance, to ensure that there was the concentration of lines for the Internet so that there could be more resilience in the future because there were alternative ways round? Did it make a change in any way, shape or form?

  Mr Chantzos: I would need to go back, frankly, and look at how the issue has been addressed since because we are talking about an incident that happened a year, a year and a half ago. I do not represent an ISP so I would not necessarily be privy to all the routing changes that may have happened. Having said that, there were a number of emergency measures taken to re-route the traffic in order to allow for more capacity as well. Obviously there was an issue of outage for some hours when the incident happened, but I think that overall if you look at the bigger picture, let us say, short of literally physically coming and cutting the cable and then trying to find an alternative route and in the end being able to serve that route, I would say that the issue was addressed adequately. The question is how likely is it that in the whole of the Mediterranean Sea a ship is going to come and drop the anchor over the undersea cable? Frankly, when we come to talk about security this is the issue of what I call a risk management approach. So what is the level of risk? What is your risk appetite? What is the level of risk that you are prepared to take? If you are prepared to take a level of risk as to how likely it is that there will be a ship that would aim with its anchor on our cable, then if you are not prepared to take that risk then maybe you need to lay another cable, but that means that you need to be prepared to pay the ticket and the price for that cable. But if you consider that unlikely—let us think about it, how long have we had the Internet now, 20, 30 years—that we have had in 30 years one ship cutting a cable, maybe that is an acceptable risk. There will not be such a thing as 100% security ever on anything, so in the end that is what we need to balance and that is the investment decision for the industry and also for the government.

  Q151  Lord Hannay of Chiswick: A lot of the evidence that we have received indicates that the issue of security tends to be addressed at the national level, as you yourself have just said. It is the realm of the 27 Member States. Or, alternatively, if it is addressed on a multinational level it tends to be so on a wider basis than just the European Union, and the Communication that we are looking at is pretty vague, to put it mildly, about how to bring the United States, Russia, China and other big players in. Could you say a little bit more about what you think the role of a regional organisation like the European Union is? Is there space for it between the national work that is going on, with Britain setting up its own cyber defence and so on, and the global work that needs to go on in order to provide resilience to what is, in fact, a global asset? Is there a space in between or is that space not really there?

  Mr Chantzos: To put it in a very simplistic way, I believe that there is space and I believe that there is room and a role to play and I would even go as far as to say that they are not mutually exclusive. In what sense? As I said, there are interesting discussions and there will be even more interesting discussions now that the Lisbon Treaty is coming into effect in Brussels as to what is the role of the European Union in this particular area. Having said that, I think that the legal basis on this issue has evolved over time and the EU has a role to play in terms of taking care of its own Member States, while acknowledging that this is a global problem. As I said before, the Member States have a different level of development. If I can bring in a very good example and if I look at my own country, Greece—I am a Greek national—it does not have, at least right now, a national government CERT, whereas in the UK you have been doing work and you have been advancing the notion of having CERTs, specialised CERTs within the industry, and having a government CERT, having an MoD CERT and so on and so forth. Greece has been a member of the European Union for 30 years now and within the Euro Zone and within the Schengen Treaty, et cetera. So it is a question of the different levels, if I can use the term, of development, the different levels of advancement; and the different levels of focus that the different Member States have. I would argue that the overall European Union security collectively, including the UK's one, would be benefited if all the Member States would get up to a higher level of security. That does not mean that the UK would have to lower its level of security, but it would suggest at the very least that we can, if I can use the term loosely, drag the rest to a level that would be able to have the rest of the Union talking the same language and have a common understanding about the threat. If I can give you an example that Symantec has done in this area. 
Symantec was awarded a grant as part of the work—and we had a press release about this, so it is publicly available and I can share this with you—on a programme that would define standards that would facilitate secure messaging about vulnerabilities, threats, incident management and good practices across the European Union and across the different CERTs. That was funded by the European Programme on Critical Infrastructure Protection; so that was EU money that was given to Symantec partly and other partners to co-fund a messaging standard that could be used among the different CERTs, government and private sector or other bodies interested to take up that standard in Europe to exchange information about the attacks that they are seeing, which is not a bad thing. I would argue that is in line also with what Dr Nazario just said in terms of being able to say, "Okay, we understand this is happening; you guys say the same thing, so what are we going to do about it? Are we talking the same language; are we talking about the same threat?" Is there a role for the US? Of course there is; absolutely. The same whether there is a role for the UK from subsidiarity and from a national sovereignty standpoint. The activity of the EU is not replacing a Member State—I certainly hope it will not and I certainly do not think that this is the intention of the Commission, at least at this stage. Do we need to be talking to the Americans; do we need to be talking to the Chinese? Of course we do, but we need to be doing that at national and European level. It is just that right now the EU needs to start from somewhere and it does that by taking care of its own house.

  Q152  Chairman: Dr Nazario?

  Dr Nazario: We concur with regard to the fact that the EU has a major role to play; it is a common economic system, with common political goals, and a common social community as well, even though there are of course many distinguished Member States each with their own distinctive voices. There are, of course, shared goals and economies. Engaging with the US is going to be key, I think, for connectivity purposes—no nation is an island on the Internet—and they are all tied together as well from the standpoint of supplying resources, both operational resources as well as software resources. So being able to communicate as a single economic voice or a unified voice to software vendors around the world will have a significant impact at raising, for example, software quality standards and software features. That will be very, very important as well and it is something that I would encourage the Commission to examine as a mechanism to improve security for the Member States through these relationships. There are, of course, challenges in some regards to language issues as well as to shared standards. As an example, many of us have some difficulties reaching effective partners, for example in China or in Russia, to be able to begin to address common problems. Those barriers are coming down by simply meeting people and making introductions. We have very similar goals but those barriers have an historical foundation that is going to be very difficult to overcome in some regards. We all recognise that we have very similar goals and we all want to achieve very similar things. You must work with the rest of the world, including the US, Russia and China to achieve those goals—it cannot be done otherwise.

  Q153  Lord Mackenzie of Framwellgate: Could I move to a more practical case study and could you give us your understanding of what actually happened during the so-called cyber wars in Estonia and Georgia?

  Dr Nazario: With regards to Estonia these events occurred in large measure in April and May of 2007. Arbor began receiving enquiries from partners and friends in Europe, including Finland and Germany on behalf of the Estonians. This included private partners, such as F-Secure, as well as FICORA and other folks, ISPs included. We were carrying some of that traffic and seeing some of that traffic and wanted to know what we had been seeing and what we could do to help the Estonians, so we began digging into some of our data. We have a programme called ATLAS, which is a global honey-pot system, which ties together a number of different data sources, including shared data from our Peakflow monitors around the world as to the nature of the attacks, the scale and duration, as well as botnet tracking, where we can understand the origins of some of those attack commands—who may be behind them and what tools they are using for some of those. So we were asked to bring much of this data to bear and to assist and we actually wound up deploying some of our gear with the Estonians to help to filter out some of the traffic, as did many others including Cisco. We shared equipment to help them as well as resources to help them address that. What we observed in Estonia, as we have written about in the past, were non-state actors, responding to what we anticipate to be non-state actors, or interpret to be non-state actors, acting largely in a sympathetic manner to the political tensions between Moscow and Tallinn over the movement of the statue. This was a very tense issue. We do not have any evidence that we had gathered that would suggest anything much more serious and that is one of the things to keep in mind here, that these attacks, both in Estonia and Georgia and many other places around the world, follow these diplomatic tensions—they do not generally lead them. 
So by the end of May—in fact after Victory Day, May 9—the attacks began to dwindle and we saw coordination in forums and blogs that they tracked; we saw a number of tools used, including botnets and handwritten tools and custom written tools and scripts designed to watch some of the attacks, coordinated and called for by many different parties largely in the Russian language world. So that is much of the former Soviet Union. We saw significant attacks. The attack scale itself that we measured was modest by global standards but was in fact significant for Estonia's resources. In Georgia we actually tracked attacks going into Georgia's President Saakashvili's website in mid July during some of the build-up to the groundwork of August 2008. We actually had some difficulty reaching the Georgians to alert them of this fact, which I think highlights some of the challenges across Europe with regard to the unevenness of response capabilities. We worked in large part through the Estonians to help the Georgians actually detect and filter some of the traffic and some of the resources from Georgia were moved to the US as well as to Estonia, where there were better capabilities to filter out the attack traffic. The attacks in Georgia we detected were larger in magnitude but again still modest on a global scale, and lasted a bit longer than the ones in Estonia. So we saw a maturation, if you will, of the process that had begun far before Estonia but really hit the global stage in Estonia in 2007 and 2008 in Georgia.

  Mr Chantzos: Being a barrister I would like to choose my words carefully. You referred to cyber war. I would somewhat question that because war and acts of war have a certain meaning within law and have a certain meaning within the Geneva Convention and have a certain meaning as how we understand it. I am saying that because, as Dr Nazario has pointed out, it is very difficult in the Internet environment to do threat or attack attribution, basically to say who is to be blamed for something.

  Q154  Lord Mackenzie of Framwellgate: I did use the term "so-called" cyber warfare.

  Mr Chantzos: Indeed, but as this is a public record I will be on record as being cautious about it. We have seen a number of discussions and I have attended conferences like the one organised by the NATO Cooperative Cyber Defence Centre of Excellence in Estonia, whereby what has been debated is things like the nature of if there is such a thing as a nature of cyber war what would cyber war look like? How likely is it that we are going to have military conflicts with cyber elements, et cetera? So have we seen large-scale attacks on IT systems in particular countries, such as in the case of Estonia and Georgia? Absolutely. Our role in those cases could have been much more focused around things like understanding and identifying the nature of the malware that has been used in deploying the appropriate counter measures to be able to basically remove the malware from the infected computers. We have seen an increase of botnet activity targeting specific countries. Most botnet attacks will be spreading all around the world and so, technically speaking, there were European countries, for example, attacking Estonia through the botnets whereas it was not necessarily, let us say, the countries themselves rather the computers had been taken over and were successfully compromised and were used by third parties to launch those attacks. In terms of the history of how the attacks occurred and materialised and their timeframe, I do not disagree with Dr Nazario. In fact what has been in the press is quite well known—political tensions either because of a particular part of Georgia, in the case of Georgia, or the removal of the statue in Estonia and then this climax of reaction also on the Net. What it is important and interesting to highlight is when it comes into a discussion about how these attacks were organised and coordinated and about the power that the Internet has in terms of growing a grassroots campaign. 
How quickly within the Internet the word of mouth or the different communities can be called upon for that action to materialise and manifest in some kind of a protest—mass emailing in terms of reaching out to constituencies and expressing concern and opposition or, in this particular case, into the activities that we have seen.

  Q155  Lord Hannay of Chiswick: Could you throw any light at all on the allegations that have surfaced in the last two or three weeks about the attacks that were made on the University of East Anglia's material on climate change, on which there have been quite serious allegations that these attacks originated from Russia and were politically motivated? It is, of course, slightly different from the Estonia and Georgia case because it is not an attack designed to take out—it is an attack to gain access to and then make use of material that belonged to somebody else. Can you cast any light on that? Perhaps at the same time you could also, dealing with Georgia and Estonia in particular, try and throw a little light on this matter? Nobody, I think, has yet suggested that the Russian state was involved in the attacks on Estonia and Georgia because there is no evidence of it. On the other hand, presumably the Russian state has some capacity to interdict actions from its own users, so even if you accept the view that this was a lot of patriotic right-wing Russians sympathising enormously with what Russia's policy was in Estonia and Georgia, is there not still another question behind that, which is why has the Russian state not done anything to inhibit people doing that? So even without going into the conspiracy theory that they are manipulating these people for their own purposes, you still surely have a question mark about why they are not doing anything to inhibit it. Could you throw any light on this?

  Mr Chantzos: Two thoughts on this. I would like to understand more about the East Anglia attack that you mentioned. But if I look at the way that attacks happen on the Internet, a lot of focus has been put on attacks which are examples of, let us say, denial of service, because these kinds of attacks are very visible—something does not work. If you realise that you do not have connectivity, people can access information that you have. So from that point of view it is immediately realisable. However, a very significant amount of attacks is not about disabling the infrastructure by the denial of service, but rather it is about collecting confidential information. If I look at the latest Internet Security Threat Report, which is the annual report that Symantec produces on the current state of the Internet threat, it is roughly 150 pages long and I believe that in our submission we have shared some of the data, and should you want additional data we are more than happy to make that available—and we publish it once a year. If you look at the Internet Security Threat Report, I think roughly 87% of the top 50 new malware, new viruses that have been produced aim at stealing confidential information. So in many ways the modus operandi of an attacker will very often be information-centre driven. Why? Because the information has value, so it will very often be around stealing information. The same tools that are designed by cyber criminals in order to steal confidential information are the same tools that can be used also for some kind of espionage—economic or otherwise. From that perspective again, as I said, short of literally doing forensics and following the forensic trail on the attack in question, i.e. doing physical and online investigatory and forensic steps, it is really difficult to tell who is behind that or any other attack of this nature. The same tools that can be used to steal your credit card numbers can also be used for stealing business secrets. So I hope that addresses East Anglia.

  Q156  Lord Hannay of Chiswick: On reflection after this session, and because it is now a matter of extreme interest to a lot of people, if you were to come across more material it would I am sure be helpful to us, if you could make that available. We have to grapple with the fact that now there are three possible incidents in which there seems to have been some concerted action taken from a Russian base. Whether that was a Russian state base or a Russian individual private base, so far all the evidence is the latter rather than the former, but that, as I say, does not actually answer all the questions.

  Mr Chantzos: My Lord, just to give you an idea of the magnitude, if I can use numbers, we are talking malware, we are talking about a virus stealing information: back in 2002 we had 20,000 new viruses a year; last year we had 1.6 million new viruses. We project, unofficially—and we will have the numbers officially hopefully some time soon—that we will be looking at roughly, possibly—please do not hold me hostage to the number—three million new viruses this year. The way the writing of the viruses, the writing of malware, to be technically correct, is done is so that it evades detection; it goes through the same software engineering process that business products, technology, commercial software is going through. You can literally go and buy online the malware and use a licence agreement with it, which promises you updates of the malware and which will be null and void should you give the copy of your malware to the security industry—us. In many ways we are getting now to the point whereby every time the malware writers discover a new vulnerability they write a new form of virus and then they take that new form of virus and create hundreds of variables so as to try to avoid detection. The argument that you make that it seems that it is coming from country A or country B, I fully take the point; but if I could point to another statistic and look at the Internet Security Threat Report, globally the United States is the top attacking country across the world—top attacking country, so number one in malicious code rank, number three in the amount of zombies, and number one in the amount of phishing websites. Number one in terms of attack origin. That does not suggest, obviously, that the US is attacking the UK; rather what it does suggest is that the way cyber space is designed it allows for people to be able, unfortunately, to take over other people's computers and utilise those to launch attacks remotely and make detection much, much more difficult. If I can use a different regulatory example, of which all of you may be aware, the whole reason why there is EU data retention legislation and the whole reason why ISPs in the UK and in other countries around Europe are expected to retain data for a period of months to assist law enforcement investigations is to be able to follow the forensic trail. It is to be able to go back and say, "Whoops! We think something happened and we need to have the data in order to be able to go back and go back and go back." But even that trail is going to go cold the moment that you go to a country which is unwilling to cooperate.

  Q157  Lord Harrison: With all the qualifications about the term "cyber warfare" should we be looking to NATO for help as well as the European Commission about the protection of the Internet?

  Mr Chantzos: Each one of them has a role to play, my Lord.

  Q158  Lord Harrison: What would be the balance of that role?

  Mr Chantzos: I would submit the EU is having more of a role in the civilian side of things. Clearly the whole work around critical infrastructure is about basically protecting infrastructure which is critical for our society but is actually run by the private sector. I think it is a question of proportionality. In what sense? If you look at countries like the US they have developed a Cyber Command. If you look at NATO we are talking about the Cyber Defence Management Authority, and obviously within the NATO Communications Security Agency (NCSA) NATO has a certain set of capabilities in this area. In the end it is a question of doctrine and proportionality. In what sense? What would you define as a military threat or a military incident that would justify a proportionate and appropriate military response? Would it be an attack on the critical infrastructure that would be so critical that it would disrupt and threaten, as you define it, national security? Would it be the fact that military facilities are being attacked? Would it be a combination of both? There is clearly an element whereby it is for the industry, for civil society, and for law enforcement to work with this, and then perhaps there is an element whereby it is a combination of all of them together, and then an element which goes more to the security services defence part of the overall security operations. There is no quick, simple answer because there is no clear demarcation line.

  Q159  Lord Harrison: Could I ask Dr Nazario for his answer. Is there any evidence of the European Commission or the EU talking to our NATO colleagues about this?

  Dr Nazario: I am not aware of any, your Lordship, but I am not privy to all the communications between the EC and NATO. I concur in large part with Mr Chantzos' splitting of the problem, with regards to the bulk of it should be borne by the EU on the civilian side and there is certainly a role for NATO to play with potential military threats. There are many questions that are being asked by NATO with regards to whether they should be engaged and whether they should invoke the common defence articles with regard to some of these questions. There are very many unanswered questions there with regards to whether these threats rise to that level—proportionality again. Mr Chantzos correctly alluded earlier to many of the challenges that we face with his remarks around the Geneva Convention and the laws of war. I am not qualified to answer. I am just an interested observer in terms of those debates. I do know that there is a tremendous challenge with any outside party whatsoever, whether it be the EU and EC, or whether it be NATO coming in, for example, and assuming control of a network, only because of the complexity of anybody's network. Network technology is so bespoke in some cases for the very large traffic providers, the configurations are so finely tuned and tailored, that any outsider who comes in, no matter how qualified, is very liable to do some damage initially through accident. A supporting role, however, is certainly going to be very, very crucial here, to build bridges and provide expertise and assistance in those areas, to expand capabilities, to expand reach and to expand experience, and there I think the roles of the EC and the EU as a common defence area as well as NATO certainly have a role to play. I also could not hope to address the disjointed nature of NATO membership and EU membership. That is another challenge in this regard.

  Mr Chantzos: Two things very briefly on the point that you mentioned. My understanding is that in the press there has been information about senior level contacts between the EU and NATO. For the record I think that is relevant to mention. I would point again to the legal basis of the EU. Issues of national security and national defence are not Community competences. I would also highlight the point that the membership of NATO and the membership of the EU are somewhat different, so that is also something that needs to be considered.

  Chairman: Thank you very much. Lord Dear, would you like to maybe combine two questions. I am just watching the clock and we must move on.


© Parliamentary copyright 2010