Select Committee on Science and Technology Written Evidence


Memorandum by the British Computer Society

INTRODUCTION

  The British Computer Society (BCS) is the leading professional body for the IT industry. With over 56,000 members, the BCS is the leading Professional and Learned Society in the field of computers and information systems.

  The BCS is responsible for setting standards for the IT profession. It is also leading the change in the public perception and appreciation of the economic and social importance of professionally managed IT projects and programmes. In this capacity, the Society advises, informs and persuades industry and government on successful IT implementation.

  BCS is determined to advance IT knowledge and deliver professionalism at the highest standards by "Creating the IT Profession" for the 21st century.

DEFINING THE PROBLEM

1.  What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

  There are four main threats to the individual:

    —  Loss of the use of information on their computer.

    —  Disclosure of information to third parties which the citizen does not want—most obviously by persons gaining access to the citizen's computer by any means including physical theft or loss of the computer.

    —  Use of personal information to the detriment of the citizen (which may follow on from disclosure).

    —  Use of the citizen's machine for purposes the citizen does not wish.

  This may manifest itself as:

    —  Internet: Malicious code including viruses, worms, trojan code and spyware. Also remote "bot" code, whereby the citizen or organisation becomes an unwitting conduit to (often illegal) acts such as becoming the source of distributed denial of service attacks, or the provision of storage/distribution of material.

    —  Email: Spam, phishing attacks (designed to cause the unwary to part with confidential personal information), and spurious offers (designed to part the unwary from their assets by offering large fees to permit money payments through their account, high-paying jobs requiring no effort, etc). In many cases spam can account for more than 50% of a user's mail.

    —  Phones and mobile phones: hacking, eavesdropping, rogue calls from numbers operating a high-cost return call, incentives to call high-rate premium numbers.

    —  Wireless access: Often not secured out of the box, and generally not understood by private individuals.

  New threats emerge with new technology—for example, as phone and PDA technology merge, the interest in attacking "intelligent" phones will increase. VOIP (Voice Over Internet Protocol) will come under increasing attack as its use becomes more widespread.

2.  What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

  It is difficult to know the scale of the problem, as many user issues are not reported, and indeed it is often difficult to know to whom one should report one's concerns. However, it is accepted within the industry that the UK is a major (if not the major) source of remote "bot" Distributed Denial of Service attacks, and this is an unintended consequence of large-scale broadband uptake with relatively little awareness on the consumer's part of the risks involved.

  The threats as such probably remain fairly constant, but with the increasing globalisation of the Internet and the increasing number of subscribers worldwide, the number of people who are potential victims and the number of potential attackers who could gain (legitimate or illegitimate) access to IT equipment and to the information they contain increases.

  The citizen or organisation may run programs (eg antivirus, antispam or antispyware programs) to check for unwanted content in the stored data and programs on their computer (such programs may not be up to date at any point in time). However, if unwanted content is detected the citizen probably does not record that but merely gets rid of the offending item. Were every citizen to report these events to the authorities it is doubtful if the authorities could cope with the avalanche of reports.

  What is not (readily) available to the citizen is the ability to detect if his/her computer has been taken over by the ill-intentioned.

  The technical means by which ill-intentioned people may access the citizen's computer will vary with the software in use. The software will continue to contain bugs, legitimate functionality will continue to be misused and there will always remain the unknown vulnerability in all software; therefore at any point in time the citizen's computer remains at risk even if the citizen has done everything that the IT experts said they should do.

3.  How well do users understand the nature of the threat?

  An assumption could be made that novice users are unaware, and more experienced users become aware via news reports, service provider notification, and exchange of information between communicating users. Many users may have knowledge of security threats, but at the same time may have little appreciation of the implications to themselves, or any appreciation as to what they might do to mitigate such risks.

  Websites run by both Government and the private sector try to educate the user, but these are "pull technology" and require the user to go looking for the information they contain. Often the user will not recognise the need to look in these areas, despite considerable marketing effort.

  There is some anecdotal evidence that there are both timid people who won't use any part of the system because of the publicity given to the risks, and paranoid users whose reaction to security threats is extreme and disproportionate. Both extremes are a problem, in different ways, and neither understands the meaning of the information on offer.

  Often, awareness is coloured by folklore. For example, there is no known case of a credit card being intercepted whilst being sent on the Internet. It is just too difficult to achieve. Conversely, there are many cases where vendors with poor security have exposed their customers' credit card records, with disastrous results. Yet the belief persists that the transmission is the risk, rather than supplier security.

TACKLING THE PROBLEM

4.  What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and tradeoffs?

  Private individuals are not likely to have the same levels of security and technical support that users in organisations have—if there were some way of providing this to users it would help (but for user uptake it would have to be at low cost both in the financial sense and in the cost of time to the user). Existing take-up on such services as are already on offer through ISPs is unknown but suspected to be low.

  Technical remedies can be helpful, but usually impose both a financial burden and technical difficulties (regarding compatibility and configuration on systems that are individually customised). Security measures such as passwords are of limited use, as most users (private individuals and the workforce) do not follow password advice (on character combinations, and on making regular changes to passwords) if it becomes arduous.

5.  What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  In absolute terms, the answer to this is unknown. It is generally accepted that the level of awareness amongst the user community is low. So also is the level of interest in the subject. There is at least a strand of thought which would suggest that it will always be low, and that education of the user is a last resort and an admission that technology has, as yet, no answer.

  However, the security issues can be mitigated if not solved by technical means, given a willingness to do it. In the long term, products must be secure and capable of protecting the user against themselves.

6.  What factors may prevent private individuals from following appropriate security practices?

  In general terms, the following apply:

    —  Cost—all the security programs are extras often with annual charges. There is a cost in time to install and maintain them.

    —  Complexity—people may not understand how to use security features and/or misconfigure them.

    —  Forgetfulness—people simply forget to back up or run the security software.

    —  Cognitive limitations—typically users will resort to easily remembered security processes. For example, despite guidance they will choose weak passwords, keep written records of passwords, and use the same password as far as possible for all communications/transactions. Most encryption products, where used, are highly secure, yet the user's private keys (which ultimately drive them) are protected by simple PIN or password combinations which are extremely weak.

  Often a lack of awareness that the dangers apply to them, and/or a lack of knowledge of security management, may mean that users opt for risk rather than cumbersome and inconvenient security practices.

7.  What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  Manufacturers of operating systems and hardware suppliers should play a major role, but the results of their efforts may not be efficiently utilised by users, or by the technical configuration of the user machine. At present, dialogue boxes requesting input from the user often do not provide the information the user needs in order to make a sensible decision, but invite a "yes" answer to vaguely worded questions, even in the face of potential threats, thus negating the power of the product.

  Manufacturers could supply all machines with appropriate prevention and detection software as standard. These, together with other standard software packages, would need regular updating which, using the Internet, is not a problem (providing updates do not disrupt settings in the computer). Manufacturers must make the security products easy to use, and provide mechanisms to detect misuse.

  This suggestion raises commercial issues for the suppliers of software and possibly competition issues if the number of suppliers is limited on a worldwide basis. For example, whilst the security community in general welcomed the security measures inbuilt into the new Vista operating system, the decision of the EU to force Microsoft to "unbundle" security measures in Vista in favour of the commercial interest of competing vendors could be seen as counterproductive.

  User psychology pitched against security infiltrators is a major security issue.

8.  Who should be responsible for ensuring effective protection from current and emerging threats?

  Ultimately, only the user can do this. Manufacturers, service providers, computer stores and internet sites can advise, cajole and even try to insist upon secure behaviour, but they cannot enforce it.

  Communications gatekeepers (ISPs, telecommunications providers) are in the best position as the link between the user device and the "outside" world—however, to "ensure" effective protection they would need to be "assured" that user devices have the technical capabilities required and that users have an understanding of good security practice. This may not be feasible.

  Protection will always cost, and users will always reserve the right to reject the advice.

  However, whilst the user must take the consequences of his own decisions, he should have proper redress against organisations who supply product that is grossly defective (such redress does not exist at present). The Government should have a responsibility to look after its citizens by holding suppliers to account for negligent design of their products.

  The citizen should also be able to take action against organisations that disclose personal information, as this could be seen as theft.

9.  What is the standing of UK research in this area?

  BCS would not wish to comment on this area.

GOVERNANCE AND REGULATION

10.  How effective are initiatives on IT governance in reducing security threats?

  IT governance of itself is of little use to the citizen—even if the citizen knew about it and understood it, much of current governance regulation is irrelevant to a home user. IT governance (or at least the security aspect thereof) is of value to organisations in achieving two objectives:

    —  bringing real discipline to IT departments; and

    —  ensuring that IT staff realise they are part of the organisation and there is a need to align their activities to the rest of the organisation.

  The emphasis on introducing effective security into information systems, often as a result of regulatory pressure, has led to improvements in security in the larger organisations but has largely ignored small business, micro business and the consumer.

11.  How far do improvements in governance and regulation depend on international cooperation?

  International standards are key to a global economy. However, there are no international standards relating to the personal user.

  Regulation is difficult because it is endlessly variable in detail. Regulation can make systems unnecessarily complex. Also, software created in one country to that country's rules does not necessarily comply with the rules elsewhere, even if it is sold as if it did.

  International regulation would help provided the regulators in each country applied them in the same way, just as a wider implementation of ISO/IEC 27001 would help corporate and business users. It would also help business if general commercial regulatory activities did not appear to treat IT as a separate issue but made it clear that IT should be integrated into the business.

12.  Is the regulatory framework for Internet services adequate?

  Greater international co-operation on catching offenders and extradition treaty simplification in the case of computer crime would help more than regulation, from the citizen perspective. Computer Crime is international and the local ISP is often not in a position to deal with it, irrespective of regulation.

13.  What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

  The major barrier is seen in the difficulty in reconciling the views of many different parties, which often requires a dilution of the required regulation. There are also different perceptions of personal responsibility, and a variable desire for a legislative solution to what can be seen as an issue of personal choice.

  It is difficult to see, in practice, how international or even national standards would assist the consumer at the point he buys his broadband subscription, particularly if there is a cost penalty to adherence to standards which would make him choose a non-compliant supplier on cost grounds.

CRIME PREVENTION

14.  How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

  The present legal structure is probably adequate, given that current changes are enacted. The Police are considerably under strength to address cyber crime, given that their computer experts are also involved on "higher" priorities (eg terrorism and pornography). The police would benefit if skilled people in organisations were able to present to them the necessary details for prosecutions in a form suitable for evidence. However, there is no public guidance as to how to do this in detail (the ACPO guidelines provide an overview). This hinders the public from assisting the police (and possibly from reporting the crimes). The Police advice is that the citizen reports all cybercrime to the local police station on paper. The effect of this is that people do not report the crimes, which leads to under-reporting and is bad for governance generally. Also, the citizen will often get a very poor impression of the Police if they try to do this.

15.  Is the legislative framework in UK criminal law adequate to meet the challenge of cybercrime?

  The framework is probably adequate in general, but theft of intellectual property is an area where the framework could be improved. White collar crime gets a low priority unless it involves huge sums of money.

16.  How effectively does the UK participate in international actions on cybercrime?

  The provisions of The European Convention seem to have been implemented as expected, and the UK would appear to play its part.


© Parliamentary copyright 2007