Protecting Europe against large-scale cyber-attacks - European Union Committee Contents


Examination of Witnesses (Questions 160 - 176)

WEDNESDAY 9 DECEMBER 2009

Mr Ilias Chantzos and Dr Jose Nazario

  Q160  Lord Dear: Indeed, gentlemen, you have already dealt with resilience and I conclude from that, if I am clear in my own mind—and correct me if I am wrong—that you think the internet structure is certainly vulnerable but you think it is highly unlikely that you could bring it down completely, either by botnets or natural disasters, ships with their anchors and all the rest of it. Would you like to put some sort of percentage on that, by which I mean if the total internet cannot be brought down in its entirety, what do you think is the worst case? Would you see 20%, 30%, 40% as the maximum damage that could be occasioned, or is that an impossible question?

  Dr Nazario: It is a challenging question, your Lordship. If you look at the internet background structure there are some interesting features to it, for example in how autonomous networks are connected to each other. Through accidents of market and natural forces there are tremendous amounts of consolidation to a few key players, globally and regionally. If there were, for example, a catastrophic exploitation of vulnerabilities within one of those key players, you might see a reasonable amount of the internet lose connectivity to the rest of the world and even to each other in large measure. We have seen certainly with the case of the FLAG cable cut by the boat anchors parts of the continent of Africa lose connectivity or have greatly diminished capacity which effectively reduces their internet connectivity to zero.

  Q161  Lord Dear: It may be a naive question but would you like to put a figure on that?

  Mr Chantzos: I would go further than Mr Nazario and I would say that you are giving me an impossible question to answer. The reason why is because Mr Nazario is seeing it from an ISP perspective and I am seeing it from the security provider perspective, if you like, and from that point of view we would begin an endless discussion as to first of all what kind of attack are we talking about. For example, if I look not from the point of view of bringing down the internet meaning there would be no connectivity but actually hitting and attacking the nodes, ie the different end points, the different computers, your PC, my PC, Joe Bloggs' PC on the street. Is there potential that there would be a major malware, a major virus which would go out and hit all those machines? Well, yes, we have seen those in the past, but it would not mean that the internet would not work. Rather it would mean that the end point of the internet for some, presumably many, could potentially be infected at a very high speed. Have all of us survived those kinds of attacks? Absolutely, but, then again, can there be an attack which for example had a virus infecting the end points and then telling them to shut down or not work or whatever? Yes, that is possible. Then to challenge you in a different way, I would ask you why would an attacker do that? What do I mean by that? If I think about it from his modus operandi, hacking now is for fortune, it is not for fame. Attacks are financially motivated. At least the cyber criminal ones are, which is the vast majority of attacks. It is in my interest to have the network up and running so that I can steal information which I can then trade in the on-line black market, so I would rather have it on and running and me acting like a biological virus, like a mosquito that goes underneath your defences and sucks your blood, because if you realise that I am there you are going to swat me and I will not be able to make money any more.

  Q162  Lord Dear: I am grateful, thank you. Perhaps a slightly easier question to answer, although it does touch on the whole global issue, and I am conscious of that when I ask you, how well do you think the UK is doing, bearing in mind the UK is a player in a much more fluid environment? Is it possible to isolate the UK and say they are doing very well, well, could do better? Is that a question that is impossible to answer as well?

  Mr Chantzos: I think it is possible. I would answer that the UK is doing quite well. I would answer that the UK is doing quite well because if I look at the statistics historically that we have been gathering over the years, there was a time, four years ago I think roughly, that the UK was top of the amount of attacks that were launched from the UK. I think now the UK—

  Q163  Lord Dear: Which were mounted from the UK or—?

  Mr Chantzos: Launched from the UK to other countries, which means that basically there were perhaps too many machines in the UK that were infected. In fact that is normal if you look at the sheer numbers of population and the broadband enablement. This is also why countries like the US or countries like China feature top in the number of attacks. The sheer number of broadband users is such that it is numerically impossible not to be somewhere high on the list, but if you look at the UK, the UK was up and now the UK has gone significantly down that list of top attackers. Considering the amount of broadband penetration this means actually the UK has been doing quite well. If you add on top of that the advances that the UK has made from a public policy stand-point, so if you look at the awareness with activities like Get Safe Online, if you look at the awareness within government and the public sector with activities like the Digital Britain report and the Cyber Security Strategy, the creation of the Co-ordination Centre within the Cabinet Office, the security operations part within other government departments, I would say that the UK is doing quite well and is also quite advanced. Then again, as we said, the threat landscape moves so it is an evolving process.

  Q164  Lord Dear: Dr Nazario has been nodding as you said that. Would you agree generally with what has been said?

  Dr Nazario: Yes. I am just looking over our third quarter report for the European Union, which includes Great Britain along with a number of its peers in the region. Great Britain is doing very well. This is across a number of different axes including denial of service attacks, inbound and outbound, the number of infected PCs, and the number of malcode hosting sites. This is a handful of metrics that we collect that we can provide some insight on this. The number of infected PCs within Great Britain appears to be pretty well-managed. On the number of denial of service attacks, inbound and outbound, unfortunately they lead in the European Union, according to our measurements. On a global scale they are at number three for the quarter. The attack size is six gigabits per second peak size and about 40 gigabits per second for the largest for the quarter that we saw globally, so it is pretty substantial in most regards when you think about just denial of service attacks, inbound and outbound. Those are generally well-managed by the providers and the operators here in the UK. The number of infected PCs, so this is the number of consumers for example that are affected by information-stealing viruses as well as proxies for other nefarious activities is relatively small and well-managed. I would attribute this to being well-connected with regards to the security operations community, ISPs and CERTs, so they have well-trained staff, they have adequate resources and they have data flowing continuously in and out to help them discover and manage the problems.

  Q165  Baroness Billingham: Gentlemen, is the internet safe for consumers to use and will this Communication make any difference to that?

  Mr Chantzos: The Communication, as I said, is intended to stimulate and promote co-operation within Member States and within Member States and industry, so the Communication in principle is not addressing or dealing with consumer issues. If, let us say, governments work better together and the industry works better together with the government, the theory is—and I would imagine the practice would be—that the consumer would also get benefit. Having said that, is the internet safe for a consumer to use? The on-line world is a reflection of the off-line world, I would argue, so the level of security that we have in the off-line world and the level of security challenges that we are facing in the off-line world are similar also to the level of security challenges that we are facing in the on-line world. In the same way that I would not pick up someone from the street and tell him I trust him and give him my credit card and tell him to go and do something with it, I would not do the same on the internet. In the same way I have locks in my house and I lock the windows in the evening and do not leave the door open, it is pretty much a similar approach. Security is a question of people, process and technology, so whereas you cannot expect the consumer to be 100% responsible for his level of security, you also need to have an expectation that he will do what the bonus pater familias, the reasonable average man, would do to protect himself, as I said, off-line or on-line. It is a question of having the proper technology in place.
The most well-known Symantec technology in this area is Norton AntiVirus and Norton Internet Security, but I would also turn it round and say it is also a question of us, the industry, the government, trying to make aware and trying to educate people about the security threat and the security issues that exist especially for the more vulnerable parts of the population, children or older age groups, to try to make sure that they understand that when they are connected on the internet just because they are behind closed doors and in the safety of their home, it does not mean that they should not take some reasonable precautions when they are on-line. A number of security incidents occur because of ignorance. People not understanding the value of their personal information and just putting it up on social networks, or doing things like clicking on email attachments from people they do not know, so a lot needs to be done in that area, and I am pleased to say the UK with activities like Get Safe Online is very far ahead.

  Dr Nazario: I would concur with much of that. It is important to remember, though, that our experience has shown that as CERTs become stronger in a country and gain more traction, that consumers benefit directly and indirectly out of that. Even though the policy and recommendations set forth so far by the Commission are focused on a national infrastructure at that level, I think that there is going to be a tremendous benefit that will reach the end consumer. I concur also with Mr Chantzos that consumers of course need to become better educated but they also need to recognise that the security is very reflective of the real world. Part of the challenge we have seen constantly in this area is that technology at this point is still "magic" for many people. That is not unreasonable. It brings out the idea of the reasonable average man. Just as we do not expect all drivers to understand the complexities of mechanical forces or Newtonian physics, they will drive safely for a number of different reasons, including mechanisms built into their car as well as certain aspects of physics. Here it is not necessarily so obvious, and the fact that your credit card information, for example, has been pilfered and sold on-line is not immediately obvious to you until it is too late, so there are some challenges there, but I think in large measure there will be some benefit to the end consumer.

  Q166  Baroness Billingham: Could I ask a short supplementary? We have used the term here "consumers" and there is such a variation. We have already talked about heads of state as consumers. You could look at me as a consumer. If there were a cyber attack on my computer at the moment the only information you might be able to glean from it is the size of the turkey that I have just ordered from Marks & Spencer's. I have to say to you that we do have a responsibility. Within the EU all Member States have a responsibility to all levels of consumer, from the most basic to the most sophisticated. You have already made this point very clearly, the need for people to be made more aware and to protect themselves to a certain extent. I am just wondering if within this piece of work that we are now looking at there ought to be built in some more awareness-raising features to ensure that everybody becomes more certain and more aware of what they ought to be doing in order to protect themselves at whatever level they are using it.

  Mr Chantzos: Frankly, I would not disagree with you about the importance of awareness-raising. I cannot stress enough how important it is to make people aware of what the security threat is. Also because in many ways awareness is a bit like a marketing campaign. In what sense? You need to keep reminding people and you need to keep educating them. Also different threats or different societal aspects of those threats arise all the time. Cyber bullying is a very good example of an attitude that we did not have in the past. Because of the advent of social networks, with the teasing the kids do at school, suddenly an issue between two kids can become an issue for a whole community of kids. There is very much an issue of education. It is an issue of the education of children themselves as to what is appropriate ethical behaviour. It is also an issue of education of parents, of teachers, of caretakers, so it is a wider community issue. On the other hand, if I look at the way, frankly, the division of work within the European institutions is done, I am not that surprised that the issue of awareness-raising is not necessarily contained in this specific Communication. Having said that, if I look at the work that the EU has done in this area, I can point to the specific awareness programmes of the European Network and Information Security Agency. I can point as well to the Internet Safety Action Plan and the Internet Safety Action Plan Plus, which are all about providing even the funding mechanism for call lines, for testing products and basically building helplines and mechanisms which identify the proper content, which test different technologies, and try to raise awareness around these issues.

  Baroness Billingham: Thank you very much.

  Q167  Chairman: Dr Nazario?

  Dr Nazario: I think there is room for that type of programme within the recommendations when you think about best practices for CERTs which hopefully would include replicating programmes such as Get Safe Online, educating the public and, as I mentioned earlier, pushing for more secure software from vendors that the consumers will eventually use.

  Q168  Lord Richard: In the Communication from the Commission where they talk about CERTs they seem to be moving in the direction of advocating national CERTs rather than sector CERTs or industrial CERTs or indeed company CERTs. We had some evidence from two people who run CERTs, if that is the right word for CERTs, or who are involved with their running. Do you think CERTs are useful and helpful?

  Mr Chantzos: Yes.

  Dr Nazario: Yes.

  Q169  Lord Richard: We can all read that, we got that. Do you have any view as to what sort of CERTs would be most useful? Do you think that the Commission idea that you have national CERTs would be easier for you to work with than the present structures that you have got in the UK where it is sectoral?

  Mr Chantzos: I am not a Commission official so I cannot interpret what they say authoritatively and say why the Commission is doing what it is doing. Having said that, I think the reason why the Commission is approaching this issue this way is because, seeing it from their perspective, they would like to raise, allegedly, the level of security within Europe, and they need to start from somewhere, so rather than going and saying, "Banking sectors across the European Union need to have their own CERTs," they are probably better off saying Member States need to have their own CERTs because, as I mentioned, some of them do not even have that. It is necessary to begin your awareness campaigning from that point of view. Having said that, personally I can see the value of the sectoral system and I would argue that at the stage of maturity that the UK is, the sectoral system is the way to go. Why? Because different communities have different risk appetites and have different security requirements and, as a result of that, different security profiles, which different sectoral CERTs aim to serve. That was very brief from my end!

  Dr Nazario: I would concur that CERTs are very valuable. My interpretation, again not being a member of the Commission, was that it was the most tractable and the most beneficial place to start. I do like sector-specific CERTs. I believe that inter-CERT communication within a country is going to be key so we have an international touchstone and a national point of contact that can then be pushed out and each of these teams can of course, as Mr Chantzos said, address their own needs in a very sector-specific way.

  Mr Chantzos: The co-ordination and information exchange when it comes to the CERTs is the key point when you have several.

  Q170  Chairman: We have been given a certain amount of information about ENISA with its responsibilities for delivering European Union policies and programmes. Could you tell us what you think about ENISA? We have had criticism about them being based in Crete but it would be helpful if you could give us a frank assessment of what they do and who benefits.

  Mr Chantzos: My Lord Chairman, for reasons of transparency I should first and foremost mention that I am a member of the ENISA Permanent Stakeholders' Group, so I am a member, if you like, of their advisory committee which sits within the three institutional aspects of ENISA. ENISA has three different bodies, their Executive Director, appointed by the Member States, the Management Board, whereby the Member States' representatives meet and set the direction for the agency, but then its institutional stakeholders, if you like, the Permanent Stakeholders' Group, so I am one of those members of the Permanent Stakeholders' Group. From that point of view I could say that I have some intimate knowledge about the work that ENISA has been doing and even had a role in providing advice in what I believe ENISA should be doing. I participate there in my personal capacity, meaning I participate there as Ilias Chantzos and not as Ilias Chantzos, representative of Symantec. I think that is also important to mention, to be clear with the institutional point. Having said that, ENISA has been designed to be a centre of excellence and has been designed to be a platform for exchange of information, exchange of best practice, of brokerage, of co-operation and exchange of views. It has not been designed to be an operational agency. I think this was very clear from the very beginning, so from that point of view, with the limitations that its mandate is setting, I think that ENISA has been doing a fairly good job. If you look at what ENISA was expected to do in its first years of establishment, first of all it was expected to establish itself, which within the European Union context is in itself a challenge, bearing in mind that we are talking about relatively small agency numbers but with considerable bureaucracy.
That is the nature of the rules and that is what we all have to live with, so on one hand we need to be mindful of that and on the other hand we need to be mindful of the fact that their main tasks were issues like awareness-raising, CERT co-operation and the promotion of the idea of building CERTs. They have been focusing a lot on critical infrastructure protection. They have not been busy mainly with policy. The policy is not defined by ENISA. The policy is defined by the Commission. Rather what they have been busy with is executing the different requests or the different, let us say, activities of implementing the policy that they have been getting from the different Member States. The primary client of ENISA is not the citizens of the European Union; it is the European institutions and the Member States. From these points of view I would argue that they have delivered some quite solid work. Having said that, we need to be mindful that the mandate of ENISA is under discussion and review right now and there is discussion as to what they want ENISA to be doing next, so frankly, once we have gone through the democratic process, we will see what additional challenges they will be called upon to execute. My assessment, and I think this would be also Symantec's assessment, is that they have done quite well so far. It is also relevant to mention that they recently had a management change as well as part of the end of the five-year mandate of the previous executive director. They have brought in now a new Executive Director who also has considerable experience in this area, so I think overall we are all hopeful of additional good work.

  Q171  Chairman: Dr Nazario, do you want to add to that?

  Dr Nazario: We are somewhat familiar at Arbor Networks with ENISA. We know some of their participants. We are not ourselves participants in the projects at all. We have been invited on a couple of occasions to participate in the WOMBAT early warning system that they have developed.

  Mr Chantzos: WOMBAT is FP7 research.

  Dr Nazario: Within the context of ENISA we have been asked to contribute data to some of the programmes and we have not. We have elected not to for commercial reasons within Arbor. We have seen them around a little bit. I think that they have built a decent foundation in their first years since their launch. They have had some success clearly. They have turned out some interesting research that is very relevant. My concerns, coming from my perspective and my community, are that they have not necessarily reached out as widely as they could and they have not gotten as much involvement with the members as they could. That is the perspective I have come to at this point with them. I think that is their biggest challenge in the years ahead.

  Q172  Lord Hannay of Chiswick: So is what the two of you are saying on this ENISA point that ENISA needs to do what it is currently being asked to do better than it is doing it now, or is it that you think that ENISA's mandate should be expanded in order to undertake tasks which hitherto it has not been asked to do?

  Mr Chantzos: I do not think I am saying the same thing as Mr Nazario on this so maybe you should not couple us together. I am saying that ENISA has done a good enough job so far. To use another expression, ENISA has been a force for good so far. ENISA has had challenges because of its mandate and I think that is generally recognised. That mandate is going to be reviewed and we need to see what that mandate will look like when that review is completed. I cannot prejudge what 27 Member States of the European Parliament or what the Commission will propose. Mr Nazario feels, if I understood him correctly, that ENISA could be reaching out more. My view is that if you look around the table at who ENISA has been talking to, it has been talking to a number of key industry players. Can we reach out to more people? You can always reach out to more people but you cannot—

  Q173  Lord Hannay of Chiswick: Can I press you a little bit on the possible extension of the mandate. Of course nobody is asking you to predict what the 27 Member States or the Commission may propose but you are in this industry, and what I am really asking you is where do you see an expansion of ENISA's mandate being useful for the collectivity of European Member States?

  Mr Chantzos: Where do I see ENISA expanding the mandate?

  Q174  Lord Richard: Where are the gaps in the present mandate?

  Mr Chantzos: If you look at the way the ENISA mandate is drafted, it gives a list of objectives and then it gives a detailed list of tasks by which these objectives can be achieved, so I think to start with, frankly, it is fairly unique if you look at the way other agencies' roles have been drafted. In many ways that is the result of the compromise within the different discussions that happened some years ago. I think what one should be looking to is a more clear-cut and succinct mandate as to the areas that ENISA should be busy with. Right now for instance we have ENISA being busy with aspects of the telecoms package now that it has been agreed on the implementation side, but that is because the telecoms package as secondary legislation is actually calling for ENISA to do things. It is not because it is within the ENISA mandate. For instance, there is a general provision of ENISA providing more advice or providing advice in the area of EU legislation. Maybe that should be done more clearly. Maybe that should be done more solidly within the mandate rather than having to give a specific legal base every time, to give you a very concrete example. Frankly, this may be something worth us coming back to you with specific proposals as to what they need to be doing because you are asking me a point which involves legislation.

  Lord Hannay of Chiswick: I think that would be useful.

  Q175  Chairman: Thank you both very much for coming. If you feel you would like to send us a memorandum on that very last point, we have the new Director coming here from Crete to give evidence before us a week today and therefore it would be very helpful if you could give us your thoughts on this in the next 48 hours if you possibly could. I know that is asking rather a lot but it would give members of the Committee important background thoughts in order to have a discussion with the new Director next week.

  Mr Chantzos: Another point that may be worth considering, my Lords, is that we have actually been called from the European Commission to submit our comments on the public consultation about the future of ENISA, so that is already available in public and we could certainly make that available to you immediately because that is already our stated opinion, and we could additionally see what can be done from our end in the admittedly short time.

  Q176  Chairman: That would be very helpful. We have enormously enjoyed your kindness in coming here. You have been very full and I think you have been very frank too. We appreciate that very much. We shall pay the greatest possible attention to what you have said in writing our report which we hope to publish before too long next year and hopefully before the general election, whenever that is. Thank you; we appreciate it.

  Mr Chantzos: It is the second time I have addressed the House of Lords, my Lord, so I am honoured to be here and thank you very much again for taking the time.


© Parliamentary copyright 2010