Examination of Witnesses (Questions 160
WEDNESDAY 9 DECEMBER 2009
Mr Ilias Chantzos and Dr Jose Nazario
Q160 Lord Dear:
Indeed, gentlemen, you have already dealt with resilience and
I conclude from that, if I am clear in my own mind, and correct
me if I am wrong, that you think the internet structure is
certainly vulnerable but you think it is highly unlikely that
you could bring it down completely, either by botnets or natural
disasters, ships with their anchors and all the rest of it. Would
you like to put some sort of percentage on that, by which I mean
if the total internet cannot be brought down in its entirety,
what do you think is the worst case? Would you see 20%, 30%, 40%
as the maximum damage that could be occasioned, or is that an
Dr Nazario: It is a challenging question, your
Lordship. If you look at the internet background structure there
are some interesting features to it, for example in how autonomous
networks are connected to each other. Through accidents of market
and natural forces there are tremendous amounts of consolidation
to a few key players, globally and regionally. If there were,
for example, a catastrophic exploitation of vulnerabilities within
one of those key players, you might see a reasonable amount of
the internet lose connectivity to the rest of the world and even
to each other in large measure. We have seen certainly with the
case of the FLAG cable cut by the boat anchors parts of the continent
of Africa lose connectivity or have greatly diminished capacity
which effectively reduces their internet connectivity to zero.
Q161 Lord Dear:
It may be a naive question but would you like to put a figure
Mr Chantzos: I would go further than Mr Nazario
and I would say that you are giving me an impossible question
to answer. The reason why is because Mr Nazario is seeing it from
an ISP perspective and I am seeing it from the security provider
perspective, if you like, and from that point of view we would
begin an endless discussion as to first of all what kind of attack
are we talking about. For example, if I look not from the point
of view of bringing down the internet meaning there would be no
connectivity but actually hitting and attacking the nodes, ie
the different end points, the different computers, your PC, my
PC, Joe Bloggs' PC on the street. Is there potential that there
would be a major malware, a major virus which would go out and
hit all those machines? Well, yes, we have seen those in the past,
but it would not mean that the internet would not work. Rather
it would mean that the end point of the internet for some, presumably
many, could potentially be infected at a very high speed. Have
all of us survived those kinds of attacks? Absolutely, but, then
again, can there be an attack which for example had a virus infecting
the end points and then telling them to shut down or not work
or whatever? Yes, that is possible. Then to challenge you in a
different way, I would ask you why would an attacker do that?
What do I mean by that? If I think about it from his modus
operandi, hacking now is for fortune, it is not for fame.
Attacks are financially motivated. At least the cyber criminal
ones are, which is the vast majority of attacks. It is in my interest
to have the network up and running so that I can steal information
which I can then trade in the on-line black market, so I would
rather have it on and running and me acting like a biological
virus, like a mosquito that goes underneath your defences and
sucks your blood, because if you realise that I am there you are
going to swat me and I will not be able to make money any more.
Q162 Lord Dear:
I am grateful, thank you. Perhaps a slightly easier question to
answer, although it does touch on the whole global issue, and
I am conscious of that when I ask you, how well do you think the
UK is doing, bearing in mind the UK is a player in a much more
fluid environment? Is it possible to isolate the UK and say they
are doing very well, well, could do better? Is that a question
that is impossible to answer as well?
Mr Chantzos: I think it is possible. I would
answer that the UK is doing quite well. I would answer that the
UK is doing quite well because if I look at the statistics historically
that we have been gathering over the years, there was a time,
four years ago I think roughly, that the UK was top of the amount
of attacks that were launched from the UK. I think now the UK
Q163 Lord Dear:
Which were mounted from the UK or?
Mr Chantzos: Launched from the UK to other countries,
which means that basically there were perhaps too many machines
in the UK that were infected. In fact that is normal if you look
at the sheer numbers of population and the broadband enablement.
This is also why countries like the US or countries like China
feature top in the number of attacks. The sheer number of broadband
users is such that it is numerically impossible not to be somewhere
high on the list, but if you look at the UK, the UK was up and
now the UK has gone significantly down that list of top attackers.
Considering the amount of broadband penetration this means actually
the UK has been doing quite well. If you add on top of that the
advances that the UK has made from a public policy stand-point,
so if you look at the awareness with activities like Get Safe
Online, if you look at the awareness within government and the
public sector with activities like the Digital Britain
report and the Cyber Security Strategy, the creation of the Co-ordination
Centre within the Cabinet Office, the security operations part
within other government departments, I would say that the UK is
doing quite well and is also quite advanced. Then again, as we
said, the threat landscape moves so it is an evolving process.
Q164 Lord Dear:
Dr Nazario has been nodding as you said that. Would you agree
generally with what has been said?
Dr Nazario: Yes. I am just looking over our
third quarter report for the European Union, which includes Great
Britain along with a number of its peers in the region. Great
Britain is doing very well. This is across a number of different
axes including denial of service attacks, inbound and outbound,
the number of infected PCs, and the number of malcode hosting
sites. This is a handful of metrics that we collect that we can
provide some insight on this. The number of infected PCs within
Great Britain appears to be pretty well-managed. On the number
of denial of service attacks, inbound and outbound, unfortunately
they lead in the European Union, according to our measurements.
On a global scale they are at number three for the quarter. The
attack size is six gigabits per second peak size and about 40
gigabits per second for the largest for the quarter that we saw
globally, so it is pretty substantial in most regards when you
think about just denial of service attacks, inbound and outbound.
Those are generally well-managed by the providers and the operators
here in the UK. The number of infected PCs, so this is the number
of consumers for example that are affected by information-stealing
viruses as well as proxies for other nefarious activities is relatively
small and well-managed. I would attribute this to being well-connected
with regards to the security operations community, ISPs and CERTs,
so they have well-trained staff, they have adequate resources
and they have data flowing continuously in and out to help them
discover and manage the problems.
Q165 Baroness Billingham:
Gentlemen, is the internet safe for consumers to use and will
this Communication make any difference to that?
Mr Chantzos: The Communication, as I said, is
intended to stimulate and promote co-operation within Member States
and within Member States and industry, so the Communication in
principle is not addressing or dealing with consumer issues. If,
let us say, governments work better together and the industry
works better together with the government, the theory is, and
I would imagine the practice would be, that the consumer
would also get benefit. Having said that, is the internet safe
for a consumer to use? The on-line world is a reflection of the
off-line world, I would argue, so the level of security that we
have in the off-line world and the level of security challenges
that we are facing in the off-line world are similar also to the
level of security challenges that we are facing in the on-line
world. In the same way that I would not pick up someone from the
street and tell him I trust him and give him my credit card and
tell him to go and do something with it, I would not do the same
on the internet. In the same way I have locks in my house and
I lock the windows in the evening and do not leave the door open,
it is pretty much a similar approach. Security is a question of
people, process and technology, so whereas you cannot expect the
consumer to be 100% responsible for his level of security, you
also need to have an expectation that he will do what the bonus
pater familias, the reasonable average man would do to protect
himself, as I said, off-line or on-line. It is a question of having
the proper technology in place. The most well-known Symantec technology
in this area is Norton AntiVirus and Norton Internet Security,
but I would also turn it round and say it is also a question of
us, the industry, the government, trying to make aware and trying
to educate people about the security threat and the security issues
that exist especially for the more vulnerable parts of the population,
children or older age groups, to try to make sure that they understand
that when they are connected on the internet just because they
are behind closed doors and in the safety of their home, it does
not mean that they should not take some reasonable precautions
when they are on-line. A number of security incidents occur because
of ignorance. People not understanding the value of their personal
information and just putting it up on social networks, or doing
things like clicking on email attachments from people they do
not know, so a lot needs to be done in that area, and I am pleased
to say the UK with activities like Get Safe Online is very far
Dr Nazario: I would concur with much of that.
It is important to remember, though, that our experience has shown
that as CERTs become stronger in a country and gain more traction,
that consumers benefit directly and indirectly out of that. Even
though the policy and recommendations set forth so far by the
Commission are focused on a national infrastructure at that level,
I think that there is going to be a tremendous benefit that will
reach the end consumer. I concur also with Mr Chantzos that consumers
of course need to become better educated but they also need to
recognise that the security is very reflective of the real world.
Part of the challenge we have seen constantly in this area is
that technology at this point is still "magic" for many
people. That is not unreasonable. It brings out the idea of the
reasonable average man. Just as we do not expect all drivers to
understand the complexities of mechanical forces or Newtonian
physics, they will drive safely for a number of different reasons,
including mechanisms built into their car as well as certain aspects
of physics. Here it is not necessarily so obvious, and the fact
that your credit card information, for example, has been pilfered
and sold on-line is not immediately obvious to you until it is
too late, so there are some challenges there, but I think in large
measure there will be some benefit to the end consumer.
Q166 Baroness Billingham:
Could I ask a short supplementary. We have used the term here
"consumers" and there is such a variation. We have already
talked about heads of state as consumers. You could look at me
as a consumer. If there were a cyber attack on my computer at
the moment the only information you might be able to glean from
it is the size of the turkey that I have just ordered from Marks
& Spencer's. I have to say to you that we do have a responsibility.
Within the EU all Member States have a responsibility to all levels
of consumer, from the most basic to the most sophisticated. You
have already made this point very clearly, the need for people
to be made more aware and to protect themselves to a certain extent.
I am just wondering if within this piece of work that we are now
looking at there ought to be built in some more awareness-raising
features to ensure that everybody becomes more certain and more
aware of what they ought to be doing in order to protect themselves
at whatever level they are using it.
Mr Chantzos: Frankly, I would not disagree with
you about the importance of awareness-raising. I cannot stress
enough how important it is to make people aware of what the security
threat is. Also because in many ways awareness is a bit like a
marketing campaign. In what sense? You need to keep reminding
people and you need to keep educating them. Also different threats
or different societal aspects of those threats arise all the time.
Cyber bullying is a very good example of an attitude that we did
not have in the past. Because of the advent of social networks,
with the teasing the kids do at school, suddenly an issue between
two kids can suddenly become an issue for a whole community of
kids. There is very much an issue of education. It is an issue
of the education of children themselves as to what is appropriate
ethical behaviour. It is also an issue of education of parents,
of teachers, of caretakers, so it is a wider community issue. On
the other hand, if I look at the way, frankly, the division of
work within the European institutions is done, I am not that surprised
that the issue of awareness-raising is not necessarily contained
in this specific Communication. Having said that, if I look at
the work that the EU has done in this area, I can point to the
specific awareness programmes of the European Network and Information
Security Agency. I can point as well to the Internet Safety Action
Plan and the Internet Safety Action Plan Plus, which are all about
providing even the funding mechanism for call lines, for testing
products and basically building helplines and mechanisms which
identify the proper content, which test different technologies,
and try to raise awareness around these issues.
Baroness Billingham: Thank you very much.
Dr Nazario: I think there is room for that type
of programme within the recommendations when you think about best
practices for CERTs which hopefully would include replicating
programmes such as Get Safe Online, educating the public and,
as I mentioned earlier, pushing for more secure software from
vendors that the consumers will eventually use.
Q168 Lord Richard:
In the Communication from the Commission where they talk about
CERTs they seem to be moving in the direction of advocating national
CERTs rather than sector CERTs or industrial CERTs or indeed company
CERTs. We had some evidence from two people who run CERTs, if
that is the right word for CERTs, or who are involved with their
running. Do you think CERTs are useful and helpful?
Mr Chantzos: Yes.
Dr Nazario: Yes.
Q169 Lord Richard:
We can all read that, we got that. Do you have any view as to
what sort of CERTs would be most useful? Do you think that the
Commission idea that you have national CERTs would be easier for
you to work with than the present structures that you have got
in the UK where it is sectoral?
Mr Chantzos: I am not a Commission official
so I cannot interpret what they say authoritatively and say why
the Commission is doing what it is doing. Having said that, I
think the reason why the Commission is approaching this issue
this way is because, seeing it from their perspective, they would
like to raise, allegedly, the level of security within Europe,
and they need to start from somewhere, so rather than going and
saying, "Banking sectors across the European Union need to
have their own CERTs," they are probably better off saying
Member States need to have their own CERTs because, as I mentioned,
some of them do not even have that. It is necessary to begin your
awareness campaigning from that point of view. Having said that,
personally I can see the value of the sectoral system and I would
argue that at the stage of maturity that the UK is, the sectoral
system is the way to go. Why? Because different communities have
different risk appetites and have different security requirements
and, as a result of that, different security profiles, which different
sectoral CERTs aim to serve. That was very brief from my end!
Dr Nazario: I would concur that CERTs are very
valuable. My interpretation, again not being a member of the Commission,
was that it was the most tractable and the most beneficial place
to start. I do like sector-specific CERTs. I believe that inter-CERT
communication within a country is going to be key so we have an
international touchstone and a national point of contact that
can then be pushed out and each of these teams can of course,
as Mr Chantzos said, address their own needs in a very sector-specific
Mr Chantzos: The co-ordination and information
exchange when it comes to the CERTs is the key point when you
We have been given a certain amount of information about ENISA
with its responsibilities for delivering European Union policies
and programmes. Could you tell us what you think about ENISA?
We have had criticism about them being based in Crete but it would
be helpful if you could give us a frank assessment of what they
do and who benefits.
Mr Chantzos: My Lord Chairman, for reasons of
transparency I should first and foremost mention that I am a member
of the ENISA Permanent Stakeholders' Group, so I am a member, if
you like, of their advisory committee which sits within the three
institutional aspects of ENISA. ENISA has three different bodies,
their Executive Director, appointed by the Member States, the
Management Board, whereby the Member States' representatives meet
and set the direction for the agency, but then its institutional
stakeholders, if you like, the Permanent Stakeholders' Group,
so I am one of those members of the Permanent Stakeholders' Group.
From that point of view I could say that I have some intimate
knowledge about the work that ENISA has been doing and even had
a role in providing advice in what I believe ENISA should be doing.
I participate there in my personal capacity, meaning I participate
there as Ilias Chantzos and not as Ilias Chantzos, representative
of Symantec. I think that is also important to mention, to be
clear with the institutional point. Having said that, ENISA has
been designed to be a centre of excellence and has been designed
to be a platform for exchange of information, exchange of best
practice, of brokerage, of co-operation and exchange of views.
It has not been designed to be an operational agency. I think
this was very clear from the very beginning, so from that point
of view, with the limitations that its mandate is setting, I think
that ENISA has been doing a fairly good job. If you look at what
ENISA was expected to do in its first years of establishment,
first of all it was expected to establish itself, which within
the European Union context is in itself a challenge, bearing in
mind that we are talking about relatively small agency numbers
but with considerable bureaucracy. That is the nature of the rules
and that is what we all have to live with, so on one hand we need
to be mindful of that and on the other hand we need to be mindful
of the fact that their main tasks were issues like awareness-raising,
CERT co-operation and the promotion of the idea of building CERTs.
They have been focusing a lot on critical infrastructure protection.
They have not been busy mainly with policy. The policy is not
defined by ENISA. The policy is defined by the Commission. Rather
what they have been busy with is executing the different requests
or the different, let us say, activities of implementing the policy
that they have been getting from the different Member States.
The primary client of ENISA is not the citizens of the European
Union; it is the European institutions and the Member States.
From these points of view I would argue that they have delivered
some quite solid work. Having said that, we need to be mindful
that the mandate of ENISA is under discussion and review right
now and there is discussion as to what they want ENISA to be doing
next, so frankly, once we have gone through the democratic process,
we will see what additional challenges they will be called upon
to execute. My assessment, and I think this would be also Symantec's
assessment, is that they have done quite well so far. It is also
relevant to mention that they recently had a management change
as well as part of the end of the five-year mandate of the previous
executive director. They have brought in now a new Executive Director
who also has considerable experience in this area, so I think
overall we are all hopeful of additional good work.
Dr Nazario, do you want to add to that?
Dr Nazario: We are somewhat familiar at Arbor
Networks with ENISA. We know some of their participants. We are
not ourselves participants in the projects at all. We have been
invited on a couple of occasions to participate in the WOMBAT
early warning system that they have developed.
Mr Chantzos: WOMBAT is FP7 research.
Dr Nazario: Within the context of ENISA we have
been asked to contribute data to some of the programmes and we
have not. We have elected not to for commercial reasons within
Arbor. We have seen them around a little bit. I think that they
have built a decent foundation in their first years since their
launch. They have had some success clearly. They have turned out
some interesting research that is very relevant. My concerns,
coming from my perspective and my community, are that they have
not necessarily reached out as widely as they could and they have
not gotten as much involvement with the members as they could.
That is the perspective I have come to at this point with them.
I think that is their biggest challenge in the years ahead.
Q172 Lord Hannay of Chiswick:
So is what the two of you are saying on this ENISA point that
ENISA needs to do what it is currently being asked to do better
than it is doing it now, or is it that you think that ENISA's
mandate should be expanded in order to undertake tasks which hitherto
it has not been asked to do?
Mr Chantzos: I do not think I am saying the
same thing as Mr Nazario on this so maybe you should not couple
us together. I am saying that ENISA has done a good enough job
so far. To use another expression, ENISA has been a force for
good so far. ENISA has had challenges because of its mandate and
I think that is generally recognised. That mandate is going to
be reviewed and we need to see what that mandate will look like
when that review is completed. I cannot prejudge what 27 Member
States of the European Parliament or what the Commission will
propose. Mr Nazario feels, if I understood him correctly, that
ENISA could be reaching out more. My view is that if you look
around the table at who ENISA has been talking to, it has been
talking to a number of key industry players. Can we reach out
to more people? You can always reach out to more people but you
Q173 Lord Hannay of Chiswick:
Can I press you a little bit on the possible extension of the
mandate. Of course nobody is asking you to predict what the 27
Member States or the Commission may propose but you are in this
industry, and what I am really asking you is where do you see
an expansion of ENISA's mandate being useful for the collectivity
of European Member States?
Mr Chantzos: Where do I see ENISA expanding
Q174 Lord Richard:
Where are the gaps in the present mandate?
Mr Chantzos: If you look at the way the ENISA
mandate is drafted, it gives a list of objectives and then it
gives a detailed list of tasks by which these objectives can be
achieved, so I think to start with, frankly, it is fairly unique
if you look at the way other agencies' roles have been drafted.
In many ways that is the result of the compromise within the different
discussions that happened some years ago. I think what one should
be looking to is a more clear-cut and succinct mandate as to the
areas that ENISA should be busy with. Right now for instance we
have ENISA being busy with aspects of the telecoms package now
that it has been agreed on the implementation side, but that is
because the telecoms package as secondary legislation is actually
calling for ENISA to do things. It is not because it is within
the ENISA mandate. For instance, there is a general provision
of ENISA providing more advice or providing advice in the area
of EU legislation. Maybe that should be done more clearly. Maybe
that should be done more solidly within the mandate rather than
having to give a specific legal base every time, to give you a
very concrete example. Frankly, this may be something worth us
coming back to you with specific proposals as to what they need
to be doing because you are asking me a point which involves legislation.
Lord Hannay of Chiswick: I think that
would be useful.
Thank you both very much for coming. If you feel you would like
to send us a memorandum on that very last point, we have the new
Director coming here from Crete to give evidence before us a week
today and therefore it would be very helpful if you could give
us your thoughts on this in the next 48 hours if you possibly
could. I know that is asking rather a lot but it would give members
of the Committee important background thoughts in order to have
a discussion with the new Director next week.
Mr Chantzos: Another point that may be worth
considering, my Lords, is that we have actually been called from
the European Commission to submit our comments on the public consultation
about the future of ENISA, so that is already available in public
and we could certainly make that available to you immediately
because that is already our stated opinion, and we could additionally
see what can be done from our end in the admittedly short time.
That would be very helpful. We have enormously enjoyed your kindness
in coming here. You have been very full and I think you have been
very frank too. We appreciate that very much. We shall pay the
greatest possible attention to what you have said in writing our
report which we hope to publish before too long next year and
hopefully before the general election, whenever that is. Thank
you; we appreciate it.
Mr Chantzos: It is the second time I have addressed
the House of Lords, my Lord, so I am honoured to be here and thank
you very much again for taking the time.