Select Committee on Science and Technology Written Evidence


Memorandum by Hewlett Packard

  1.  HP strongly supports the Government's vision[13] of:

    "Creating a country at ease in the digital world, where all have the confidence to access the new and innovative services that are emerging, whether delivered by computer, mobile phone, digital television or any other device, and where we can do so in a safe environment".

  2.  We would like to direct our comments at helping the Committee understand the nature of the problem and are very willing to provide the Committee with any additional information or help they may need. In particular if members would like to gain a greater understanding of any of the technologies involved we will happily provide experts or host a visit to our research laboratories in Bristol.

DEFINING THE PROBLEM

  3.  Personal Internet security is, and is going to remain, a moving target. This presents considerable challenges for policy makers in understanding both the nature of the problem and the consequences of actions designed to tackle aspects of the problem. We see four factors contributing to the complexity:

    —  a rapidly changing technology landscape;

    —  an increase in organised cybercrime;

    —  national responses to what is primarily an international problem; and

    —  poor understanding of individual attitudes to trust, security and privacy.

  4.  The technology landscape continues to evolve rapidly. The next few years will see a proliferation of devices brought about by communication and computing convergence, new online experiences, richer uses of mobility and media, more immersive gaming and greater participation in online communities. Within 10 years we are likely to see significant improvements in display technology, with consequent changes in the way we interact with information. Beyond that, nanotechnology holds the promise of providing ever more processing power at ever less power consumption. It is extremely hard to envision how all this technology will be used, where it will be vulnerable, and where cybercrime will be targeted. In particular, it would seem highly unlikely that security advice five years from now will be based on recommending that you have a firewall and anti-virus software in place.

  5.  The past year has also seen a rapid increase in organised cybercrime. Newly connected devices are probed within minutes. Consumers remain vulnerable to identity theft and phishing scams, and their machines are often unknowingly subverted to provide "botnets"—the means to launch attacks on more lucrative targets. The security community has little understanding of the epidemiology of virus propagation. And more money can be deployed by criminal groups to find, and exploit, vulnerabilities than it is economically viable for companies to spend on designing and developing more secure hardware, software and services. It is worth noting that many of those who search for exploitable weaknesses are happy to be "paid" in such forms as passwords to porn sites rather than just cash.

  6.  Whilst recognising that many of the challenges are international, most nation states are focusing their attention domestically. This presents resource challenges for the ICT industry to significantly engage, and also runs the risk of fragmented and inconsistent responses that do little to increase Internet safety.

  7.  Following the DTI Foresight Cyber Trust and Crime Prevention project's recommendation that more work was needed to understand public attitudes towards trust in the technologies that underpin the Internet and our use of it, BT and HP jointly initiated a study. The project, called Trustguide,[14] was sponsored in part by the DTI Sciencewise programme[15] and completed in October 2006. We would like to draw attention to the findings of the Trustguide project.

DEFINING THE PROBLEM—TRUSTGUIDE FINDINGS

  8.  Over a period of 15 months Trustguide ran workshops in the UK with approximately 250 citizens of various backgrounds and ages, who possessed a wide range of interests, levels of technical understanding and personal values. Workshops explored, through the use of current and emerging technologies, where the tensions lie in providing "Internet enabling technologies" that also fulfil personal expectations of trust, privacy and security.

  9.  The evidence gathered is both revealing and, at times, alarming. Trustguide found that there is a lack of public understanding of the threat or, more precisely, the risks that using the Internet presents. It highlights the considerable challenges of demonstrating to citizens where the systems they use are indeed safe, secure and can be trusted, and where they need to exercise caution.

  10.  The workshops discussed issues of trust in the context of a wide range of familiar applications, including:

    —  e-government and public sector IT;

    —  national identity cards, authentication technologies and identity management;

    —  data privacy, surveillance and data gathering;

    —  adequacy of legislative frameworks and education programmes; and

    —  fraud, theft and the impact on trust in e-commerce.

  11.  Workshop attendees represented a broad range of citizens, from ICT novices to professionals, children and adults in education, employment and retirement.

  12.  We believe that the evidence gathered supports the following key findings:

    —  There exists a high degree of distrust of ICT mediated applications and services (mediated meaning delivered using a range of technologies).

    —  A majority of attendees believed that it is impossible to guarantee that electronic transactions or electronically held data can be secure from increasingly innovative forms of attack.

    —  There is evidence that citizens clearly perceived that the threat of cyber crime exists, but understanding is at a superficial level (eg of viruses, spam and firewalls); and felt that they should take actions to protect themselves, but lacked the know-how to act safely.

    —  Virtually all attendees commonly referred to "risk" rather than "trust" when describing their ICT mediated experiences, and felt more comfortable and secure when restitution existed.

    —  Lack of control and lack of openness lead to mistrust. Citizens want more responsibility to be taken by government, the banks and Internet Service Providers (ISPs) and for guarantees to be provided.

    —  Education to enhance personal Internet security is currently patchy and ad hoc across all age groups, most worryingly in secondary schools. Education needs to be accessible to all and at all levels.

  13.  Trustguide took a "citizen-centric" approach to understanding the beliefs and needs of users in relation to trust, security and privacy in ICT mediated activities and concluded with a set of six guidelines aimed at enhancing the trustworthiness of ICT. The guidelines address the main concerns raised by those who attended our workshops, and cover education, experimentation, restitution, guarantees, control and openness. These and other findings are reported fully in the Trustguide report.[16] An extended summary of the findings and resulting guidelines established by Trustguide, relevant to this investigation, has been submitted separately to the sub-committee through the DTI Sciencewise panel.

  14.  The study confirmed assumptions that solutions to the problem of personal security are not simply technological and that there is a range of social factors (eg personal risk differences and brand reputation) that must be considered in order to raise the level of trust and acceptance. In particular within HP we recognise the role and importance of corporate brands in engendering trust in individuals.

  15.  As a technology company we recognise the key role that technology plays in building a secure Internet; however, evidence from Trustguide suggests that technological advancement by itself does little to address the fears and concerns of individuals. Ultimately, it is the way in which we address these concerns that will make those underlying technologies most effective.

TACKLING THE PROBLEM

  16.  We believe that greater attention in three areas will help to tackle the problem:

    —  technology innovation;

    —  increased professionalism; and

    —  engagement and education.

Technology

  17.  It is likely that advances in technology will remove much of the burden placed on individuals today. The combination of virtualisation (providing sandboxed execution and separation of concerns) and trusted computing (providing remote attestation, secure storage and a root of trust) will go a long way to establishing a trusted infrastructure for individuals, businesses and government. In short this is what will make online shopping in a cybercafé safe. Both CSIA and CESG have been highly supportive in encouraging industry to develop and trial these technologies, and UK academics have been keen to work more closely with industry.

  18.  This summer industry (HP, Infineon, Intel, Microsoft), together with CESG and the German equivalent (BSI), sponsored a European summer school, for graduate students, in trusted infrastructure technologies at Oxford. The formation of the DTI knowledge transfer network and the attention being paid to cybersecurity in Europe with FP7 (the 7th Framework Programme for EU-wide research) all indicate that the UK and Europe have an active and engaged research community.

  19.  Because HP runs its worldwide security research from Bristol we understand that a key role for ourselves is to couple the UK research base with the predominantly US led IT industry.

  20.  However the considerable criminal money available to find and exploit vulnerabilities and the availability of social networking and search tools to help mount sophisticated and targeted attacks would suggest that governments would be ill advised to leave technology innovation leadership exclusively to industry.

Professionalism

  21.  Although cybersecurity remains high on the lists of concerns for CIOs, within many businesses those responsible for cybersecurity feel undervalued and vulnerable. So we welcome the formation of the Institute of Information Security Professionals (IISP) and its focus on increasing professionalism. It should not be underestimated how important the local provision of accredited expertise is in informally helping individuals, SMEs, schools and charities in getting to grips with making their environments safe. It would be extremely helpful if policy makers were able to find ways to recognise and encourage this professionalism, and its deployment for the benefit of society as a whole.

  22.  NISCC's programme of WARPs (Warning Analysis and Reporting Points) provides an important and successful model for information exchange and increased professionalisation between government and industry. It would be worth exploring whether similar mechanisms could be used to provide information to a larger audience.

Engagement and education

  23.  The problem has been recognised by many professional and trade bodies and they have initiated activities to engage their members in understanding some of the challenges we face. But by far the weakest link is the lack of continuing public engagement and education. We welcome Get Safe Online and would encourage further measures particularly in schools, not just around existing technologies but in preparing the next generation of early adopters to be smarter in understanding cyber risk and the choices they make.

GOVERNANCE AND REGULATION

  24.  Our engagement with other companies suggests that industry does understand the role it can play in tackling the problem. We have been extremely pleased with the partnership approach to tackling the problem that government departments and agencies are currently taking and believe that this route is the fastest way forward.

  25.  It is not clear that further legislation or regulation would increase the safety of individuals. And we would strongly encourage much more analysis of the overall ecosystem and who should pay before policy makers consider legislating for restitution. Poorly taken steps, despite good intentions, could easily cripple the UK's ability to take advantage of new technologies and services.

CRIME PREVENTION

  26.  If cybercrime and cyber enhanced crime continue to increase then it is clear that our enforcement agencies need considerably more support than they are receiving today.

CONCLUSION

  27.  HP believes that the UK is doing a lot right in building the community to tackle the problems and we would encourage the committee to look for ways of enhancing and supporting existing activity rather than looking for new initiatives that might spread that community too thinly.

October 2006



13   March 2005 Connecting the UK: the Digital Strategy. Cabinet Office, Prime Minister's Strategy Unit, joint report with the Department of Trade and Industry.

14   Trustguide website, http://www.trustguide.org.uk

15   Sciencewise website, http://www.sciencewise.org.uk/

16   Trustguide publications: Final Report, http://www.trustguide.org.uk/publications.htm


 

© Parliamentary copyright 2007