United Kingdom Parliament
Select Committee on Science and Technology Written Evidence


Memorandum by BT

INTRODUCTION

  1.  The Committee's inquiry is welcomed as a means of taking stock of where we are on this important issue. The Internet continues to grow in importance for individuals as well as businesses. Unfortunately, it is a sad fact of life that BT and others, including individuals, need to spend considerable time and effort in devising ways to protect themselves, their customers, their customers' information, and their assets from fraudsters and pranksters.

  2.  As in so many similar situations, as countermeasures develop so does the sophistication of those intent on causing problems. It is a constant battle to stay ahead that needs dedicated resources and a co-operative approach between individuals, industry and Government.

  3.  However, it is important to retain a sense of proportion. Existing laws are almost certainly adequate to deal with most of the issues that arise—there is very little that is actually new here, it is mainly just that today's electronic communication channels offer a different way for the issues to come to the fore. In any event, companies such as BT are working very hard to implement protective measures and are introducing new services, some applying automatically and some to be used by customers if they wish, that provide increasingly sophisticated protection. We are working both to protect our own end consumers and with other businesses who use our services and need themselves to help their customers.

  4.  Raising awareness of the issues leads to greater understanding by customers about what can be done to protect themselves, but this is an ongoing process. For example, there is plenty of advice on how to spot scam emails apparently offering good deals, amazing returns, cash and so on—all if you provide bank or other personal details. A measure of commonsense goes a long way too. However, whilst it may be obvious to most people that anything that seems too good to be true probably is, there seem to be lots of people who can be taken in when faced with such "amazing" offers.

  5.  In this response we provide comments on the specific questions posed in the questionnaire as well as a summary of some recent research into the issues surrounding trust, security and privacy in the electronic world.

DEFINING THE PROBLEM

What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

  6.  Most of the issues considered to be "threats" in the online world are actually just current manifestations of existing problems as seen through the medium of electronic communication. People need to be aware of potential threats, but to keep them in proportion. They need to take commonsense precautions, and take advantage of protection services, some automatic, some that must be applied, that are offered by companies such as BT.

  7.  There are three main areas of concern for private individuals relating to Internet security:

    —  online fraud, including identity crime;

    —  viruses, trojans and other malicious attacks; and

    —  child safety.

  8.  Impersonating someone else was an issue long before the advent of electronic communication. Gathering personal information about another individual is not something that can only happen through the Internet but, nevertheless, identity crime, as it is known, is a growing issue. In February 2006 BT published an Internet security report[2] on Online Identity Theft, written in conjunction with CPP, Get Safe Online, Lloyds TSB, Metropolitan Police and Yahoo! The report highlighted the growth of online threats and included advice on protecting identity and where to go for advice or help if problems arise.

  9.  BT has recently added Identity Theft Protection[3] to the other security measures available on its consumer broadband product BT Total Broadband.

  10.  Viruses, trojans, worms, spam and botnets[4] are still the most likely way in which online security will be breached. BT is committed to providing the best possible protection for its customers; to do this, BT not only offers a range of protection in the network but also provides a wide range of security features as part of the email, narrowband and broadband ISP service to UK consumers.

  11.  As well as BT and others providing security features, and individuals taking responsibility, companies offering online services work with each other and with Government on various initiatives to deal with these problems. For example, as well as the standard anti-virus and firewall products we provide, we are also working with anti-spam and anti-botnet groups led from the UK (ISP and DTI led groups) and international groups such as the OECD. We are members of the International Botnet Task Force. In all cases we are working with law enforcement agencies.

  12.  On Child Safety there are various initiatives designed to make for a safer online environment, recognising that children are less experienced in the ways of the world and may have a propensity to divulge more information about themselves to strangers than they ought. This, of course, is an issue much wider than just in the online environment. BT has led the way in trying to deal with child pornography through its Cleanfeed project,[5] which prevents access to sites identified by the Internet Watch Foundation as illegal. We are one of the sponsors of Get Safe Online, which provides advice on Internet security. Our own BT Broadband services offer inclusive online security features, including Parental Controls as well as anti-virus and firewall products.

What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

  13.  It is not possible to provide a meaningful answer to this question. The February 2006 report mentioned above contains some research data but this does not pretend to be definitive nor does it cover all issues that might be thought to represent what is covered by the term "security breaches". Individuals will become aware of matters relating to, for example, viruses or identity, at different stages, depending on the nature of the issue and their own online behaviour patterns.

How well do users understand the nature of the threat?

  14.  Trustguide,[6] a collaborative project between BT Group and HP Labs, in partnership with the University of Plymouth's Network Research Group, continues the dialogue that began with the Foresight Cyber Trust and Crime Prevention project focused on building a safer cyber world. Trustguide was concerned with exploring issues of trust, security and privacy in ICT based applications and services via a series of workshops and discussion groups that covered as broad and appropriate a spectrum of the UK's citizens as the scope of the project allowed. The aim of the project was to use this dialogue and its outputs to establish recommendations and guidelines for the research, development and delivery of trustworthy ICT and to inform the policymaking processes used by government, industry and other key organisations.

  15.  In summary, the report suggests that consumers have a basic level of understanding that threats exist and that they need to protect themselves against them. The depth of that knowledge is less obvious; while people were confident in using appropriate terms, further investigation revealed little evidence of in-depth appreciation and awareness of the dangers.

TACKLING THE PROBLEM

What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs?

  16.  Internet security is both a product issue and a consumer concern. Amongst other things, consumers should:

    —  understand the risks and safeguards available;

    —  ensure firewall, anti-virus and anti-spyware software are installed;

    —  keep these protections up to date;

    —  keep their computer operating systems up to date;

    —  protect personal and financial details; and

    —  set up parental controls where children are computer users and move the computer to a family room.

  17.  To supplement the actions consumers should be taking themselves in terms of managing protection software, ISPs can take additional measures on their behalf. For example on 12 October, BT announced it was implementing a new spam detection system "Spam Buster", which not only tracks down "professional" spam emanating from the BT network but also protects individual PCs against being hijacked to produce more spam.

  18.  There is also an issue for hardware and software development in that products are often released to the market before being fully checked for flaws, which means that many software vulnerabilities are only discovered once a product is in live use. Greater checking beforehand could, of course, lead to more costly products and later market availability, so there is a balance to be struck.

What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  19.  See the Trustguide report for awareness levels. Set against a background of plentiful advice from ISPs, government, campaigns of various sorts, it is clear that changing attitudes and awareness is a matter of education—and education from an early age is as important as "educating" older sections of the population through advertising and advice.

What factors may prevent private individuals from following appropriate security practices?

  20.  There may be a lack of awareness of what is available and what can be done. There may be a confidence issue—how to get the best from the services and software possibilities on offer? Even with awareness and competence, however, people do not always do the "right" thing—we know we shouldn't smoke, or drink and drive, or break the speed limit, or cross the road without looking, etc. But people do all of these things and there is nothing special about them not taking all the precautions available online.

What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  21.  Some security should be built into operating systems or hardware and enabled by default. A high degree of automation will avoid customers having to configure services themselves, which will reduce the potential security risk. An example of hardware security is contained in the BT Home Hub. It contains Firewall and Intruder Protection software which are switched on as the default setting. Where customers need to proactively download or activate new protection software, ISPs in general are trying to make this simpler.

Who should be responsible for ensuring effective protection from current and emerging threats?

  22.  ISPs, software vendors, network operators, government, educators and customers all have a part to play.

What is the standing of UK research in this area?

  23.  BT is actively engaged in a wide range of research and innovation activities, engaging with world-leading teams around the world. Other UK companies are similarly engaged.

  24.  As is common in Internet-related activities, sources of innovation are globally distributed. Investment in research in this area probably reflects the patterns indicated in recent R&D surveys, ie UK spending in terms of a percentage of GDP is higher than in some EU countries, but is lower than the USA. The rate of research spending, including the development of post-graduate researchers, in the Far East is rising quickly. Overall, surveys indicate that the quality of UK research is high, but there is a need to ensure that gaps in investment in research between the UK and other countries and regions are closed.

GOVERNANCE AND REGULATION

How effective are initiatives on IT governance in reducing security threats?

How far do improvements in governance and regulation depend on international co-operation?

Is the regulatory framework for Internet services adequate?

  25.  Increasing usage of ICT and the Internet has led to an increase in the perpetration and propagation of security issues with a cross-border element. A corresponding increase in focus on developing effective mutual co-operation between relevant agencies to investigate and pursue harmful cross-border activities is needed, together with increased resources to deliver results.

  26.  However, rapid progress is an unrealistic expectation, given delicate issues of national sovereignty, different priorities of governments and the absence of uniform global standards in this evolving area. Continuing dialogue and exchange of best practice would seem to be the appropriate model to cultivate a shared understanding of the issues and challenges and the motivation to provide effective mutual assistance. The example of the recent successful prosecution and harsh sentences handed out in Russia to perpetrators of a Denial of Service attack illustrates that progress is being made.[7]

  27.  We believe it is for users and service providers alike to take security measures, rather than for regulation or law to be relied upon to drive this. Security is a matter of great importance and service providers in a competitive market, such as we have in the UK, are driven by the demands of customers and by the pressure from other providers to offer and provide ever more sophisticated and powerful security services in order to maintain their competitiveness.

What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

  28.  Money may be considered to be one barrier but there are organisations, like BT, who implement security initiatives such as Cleanfeed without making them commercial investments. They are seen as part of our corporate responsibility to our customers and beyond.

  29.  Indeed, there are strong incentives to invest in security issues in order to build and maintain a good reputation, and to match what others are offering, even if such investments are not immediately seen as commercial propositions.

CRIME PREVENTION

How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

Is the legislative framework in UK criminal law adequate to meet the challenge of cyber-crime?

  30.  As stated earlier, we believe the existing legal and regulatory provisions to be adequate for dealing with issues arising from the use of electronic communication services. There must be a sense of proportion when considering "problems" and potential solutions. For example, not all spam is criminal or a security issue, and not all mass-mailings are "wrong".

How effectively does the UK participate in international actions on cyber-crime?

  31.  The Internet operates across borders and so we need international co-operation to manage issues around its security. The UK has taken a very sensible decision to foster cross-border co-operation rather than looking at issues in national isolation.

  32.  The UK Government, regulatory and law enforcement authorities are involved in partnership with industry (including BT) in a broad range of initiatives in the OECD, ASEM (Asia-Europe Meeting) and EU. The Virtual Global Taskforce (police forces from around the world working together to fight online child abuse) is one such initiative in which initially bilateral co-operations are being successfully developed into a broader matrix of co-operation with agencies around the world.

  33.  We believe that the UK has a key role in these initiatives as a consistent, balanced and credible "voice of reason". This is made possible by the shared understanding in the UK across all stakeholders that:

    —  dealing with personal Internet security is a risk-management issue in which there is shared responsibility;

    —  personal behaviour is ultimately more important in managing the risks than a purely technical approach;

    —  many features which impact on security are not intrinsically and unequivocally malign and damaging, but the context for their use may lead to negative outcomes;

    —  technology and behaviour continue to evolve; and

    —  considerable variation exists between different countries in their traditions and cultural approach to security and protection issues and widespread usage of ICT (including the Internet) exacerbates the challenges of reconciling these different approaches.

  34.  This means that the UK brings to such international actions a pragmatic, nuanced and holistic approach that recognises that rushing into legal and regulatory interventions is inappropriate and has real potential to create unwanted, unintended consequences.

  35.  BT is an active supporter of both national and international co-operative action. As we move into the implementation of our 21st Century Network we will continue to secure our Networks and work with various organisations to stay one step ahead of problems as far as we can. For example, BT is currently involved in several initiatives, such as:

    —  G8 Working group on strengthening partnerships within Government and Businesses;

    —  International Botnet Task Force (Microsoft and LEA initiative to combat organised crime and protect the public);

    —  GIAIS (Global Internet Alliance for Information Security. A Microsoft run programme to help ISPs and Corporates protect their customers);

    —  FIRST (Forum of Incident Response and Security Teams—a trusted group of over 130 Blue Chip companies that share information on Internet Security);

    —  TF CSIRT (a trusted European forum of Computer Security Incident Response Teams that have pressed the EU into funding training, legal handbooks and several other projects. They also share information and provide an early warning network); and

    —  ETIS (the global IT Forum for Telecommunications).

October 2006



2   http://www.btplc.com/onlineidtheft/onlineidtheft.pdf

3   Free of charge on BT Total Broadband options 2 and 3.

4   The term "virus" is used to cover all kinds of malicious or undesirable software. A "worm" is like a virus in that it replicates itself but it does so without attaching itself to a host program. A "trojan" is an apparently useful program containing hidden functions that can exploit the privileges of the user to do things the user did not intend. "Spam" refers to electronic junk mail or junk newsgroup postings. A "botnet" is a term for a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet.

5   A filter which blocks child abuse sites. It is available to all ISPs.

6   http://www.trustguide.org.uk/Trustguide%20-%20Final%20Report.pdf

7   http://www.kommersant.com/page.asp?id=709912 "Eight Years for Extorting Millions" The Balakov City Court, Saratov region, has sentenced to eight years in colony with a strict regime and 100,000-ruble penalty each of three hackers of Russia accused of extortion, causing material damage and establishing and applying hostile software. Investigating the case of Russian hackers that used to blackmail British companies lasted for a year.


 

© Parliamentary copyright 2007