Select Committee on Science and Technology Written Evidence


Memorandum by Nick Hubbard LLB (hons)

  I write in response to the call for evidence on Personal Internet Security.

  I acknowledge that I am a security practitioner, engaged in the public sector as an Information Security Officer, and I therefore have a perspective on your subject. But I do not intend to reveal the identity of my employer: this submission is a personal one and not corporate. Unfortunately this denies me the use of my employer's incident records and my comments are therefore largely anecdotal.

  I am pleased that Parliament is considering these issues, and I am extremely keen to help as much as I am able.

DEFINING THE PROBLEM

  I think it is first worth discussing what the requirement for Personal Internet Security is.

  Individuals rarely think through this question, but their requirement is for a system which is readily available for most (say more than 99%) of the time; which does not expose them to significant risk of crime perpetrated against them; and which affords them a reasonable degree of privacy—meaning confidentiality and not being bothered by unwanted material (such as pop-ups, spyware, phishing attacks and spam). The requirement also includes a degree of confidence in the material which is presented to them—so protecting them from fraud, and again from phishing attacks. Like the use of their motor car, they do not expect a perfect standard of safety, but a fairly high one—more so when their families are involved.

  There may be a wider issue—that they take it for granted that their personal security is preserved when they give personal information to others on the internet. They do not expect the use of a chat room or a web site to lead to the disclosure to third parties of their information. They expect that organisations to whom they give their information will respect their privacy and related interests (as required by the Data Protection Act 1998 in the UK).

  The very idea of a security requirement is problematic in that it is not explicit but assumed and inferred, and taken for granted. That it is only seriously considered after something has gone wrong, when in practice it is usually too late for any satisfactory remedy.

  So to the threat. I have heard it said that any offence may now be committed via a computer. The offences of personal harm are more difficult, but one can argue that they are possible. In my five years' experience of Infosec, I have seen examples of many of these.

  Fraud is extremely common. So are hacking attacks, phishing, viruses and spyware. Hacking on a corporate network is attempted several million times a year. Viruses arrive at the rate of about 20,000 viruses a year. We cannot quantify fraud attempts, but I would guess at around 20,000 attempts per year. We receive more unwanted e-mail than the personal and business-related combined.

  At home, my computers are much less active, so attacks are much less numerous. I do not document them, but I regard them as commonplace. About three times a year, I rebuild a machine belonging to friends or family after damage by a virus.

  My credit card details have apparently been compromised this summer, for the first time—as a result of an eBay transaction.

  More recently I find that my e-mail contains dozens of messages which are from other computers—rejecting e-mails which I have never sent. One obvious explanation for this is a virus on another computer which holds my e-mail address. Another is that my address has been obtained from a web transaction. The first "bounceback" messages were to Thomson@...—this is an address which we have used only once on a holiday company web site (I use this mechanism routinely to trace the source of problems). So it seems probable, but less than certain, that this address was compromised in that transaction: it leaked as a result of accident or otherwise by the holiday company. I feel entitled to expect that they would treat my information with respect: with due care. Now a large number of spam and virus e-mails are being sent—apparently from me. My reputation may be damaged.
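The tracing mechanism described in the paragraph above (giving each organisation its own e-mail address and then seeing which address the returned mail is directed to) lends itself to automation. The following is an added example in Python and is not part of the memorandum: the aliases, the organisation names, the register that links them and the sample bounce messages are all constructed, and the header names a real bounce carries vary from one mail server to another.

```python
"""Attribute backscatter (bounces of mail one never sent) to the tagged address it was
directed to, and hence to the organisation that was given that address.

Added example, not from the original memorandum. The alias register and the sample
mailbox below are constructed for illustration.
"""
from collections import Counter
from email import message_from_string
from email.utils import getaddresses
from typing import Iterable, Optional

# Constructed register: each organisation was given a distinct alias when a form was
# filled in, so bounces clustering on one alias point at the counterparty that leaked it.
ALIAS_REGISTER = {
    "thomson@example.org": "holiday company web site",
    "shopa@example.org": "online shop A",
    "bank@example.org": "bank",
}

# Headers that record the address a bounce was actually delivered to, most reliable first.
RECIPIENT_HEADERS = ("Delivered-To", "X-Original-To", "To")


def is_bounce(raw: str) -> bool:
    """Heuristic: delivery reports come from a mailer-daemon/postmaster or are DSN reports."""
    msg = message_from_string(raw)
    sender = (msg.get("From") or "").lower()
    return ("mailer-daemon" in sender or "postmaster" in sender
            or msg.get_content_type() == "multipart/report")


def bounced_alias(raw: str) -> Optional[str]:
    """Return the (lower-cased) alias the bounce was sent to, or None if no recipient header."""
    msg = message_from_string(raw)
    for header in RECIPIENT_HEADERS:
        values = msg.get_all(header)
        if not values:
            continue
        for _display_name, addr in getaddresses(values):
            if addr:
                return addr.strip().lower()
    return None


def attribute_bounces(raw_messages: Iterable[str]) -> Counter:
    """Count bounces per organisation; aliases missing from the register are reported as such."""
    counts: Counter = Counter()
    for raw in raw_messages:
        if not is_bounce(raw):
            continue  # ordinary mail, not backscatter
        alias = bounced_alias(raw)
        if alias is None:
            continue
        counts[ALIAS_REGISTER.get(alias, f"unregistered alias {alias}")] += 1
    return counts


def likely_leak(raw_messages: Iterable[str]):
    """Return (organisation, bounce count) for the alias attracting the most backscatter."""
    counts = attribute_bounces(raw_messages)
    if not counts:
        return None
    return counts.most_common(1)[0]


# Constructed sample mailbox: two bounces to the holiday-company alias, one genuine
# message to the bank alias, and one bounce to an alias that was never registered.
SAMPLE_MAILBOX = [
    """From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: thomson@example.org
Delivered-To: thomson@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

This is the mail system at host mx.example.net. Your message could not be delivered.
""",
    """From: postmaster@relay.example.com
To: "Thomson" <Thomson@example.org>
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="frontier"

--frontier
Content-Type: text/plain

Delivery failed.
--frontier--
""",
    """From: alerts@bank.example.com
To: bank@example.org
Subject: Your statement is ready
Content-Type: text/plain

Your monthly statement is available.
""",
    """From: MAILER-DAEMON@other.example.org
To: oldlist@example.org
Subject: failure notice
Content-Type: text/plain

Sorry, we were unable to deliver your message.
""",
]

if __name__ == "__main__":
    for org, n in attribute_bounces(SAMPLE_MAILBOX).most_common():
        print(f"{n:3d} bounce(s) -> {org}")
```

Run against the constructed mailbox, the holiday-company alias accounts for two of the three bounces and the genuine bank message is ignored. The result is evidence of where an address leaked, not of how: as the memorandum notes, an accident at the organisation and a virus on a third machine that held the address are both consistent with the same pattern.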

  So I believe that these events are reasonably commonplace. The threat is very high.

  I believe that the threats and trends are the same for home computing as for corporate. But the numbers are far smaller.

  Sensitised at work, I apply the same techniques and solutions at home. I spend a huge amount of effort at work on raising user awareness: one of my techniques is to relate the topic to their own information and their home computers.

  For many years I relied on the Norton/Symantec solutions. I have come to prefer the BT Yahoo environment, which provides and manages them for me. I recommend that to friends and family. However, since moving away from Norton, I no longer notice attacks on my machines, and I now rely on personal judgement and reports of anomalous behaviour in order to detect breaches. My credit card company, Halifax, and PayPal (relates to eBay) detected the problem with my credit card; much to my surprise, they were very astute.

  I believe that a huge majority of users do not even attempt to understand the issue. They follow somebody's recommendations, implement anti-virus and often a firewall, and then forget about security unless/until something goes wrong. So patching and updating virus signatures is largely a matter of luck. They assume that there is a low level of threat, as when they drive their car.

  Many users have still only the sketchiest ideas of security problems and solutions because they have very little knowledge/confidence/commitment to their computers in the first place. My parents, my brothers and sister, and my in-laws are a good example of this—of 20 users in my family, only four of us have any interest in managing the computer as distinct from using it. I suspect that is a relatively high proportion.

  Many people think of financial details in relation to information security, but my background makes me aware that the interests of my children are inextricably linked with the security of my computer. Their personal information—including habits and venues, descriptions, and possibly sound and images of them—could be exposed. The computer can easily be used as a medium to manipulate their actions. Somebody who purports in an e-mail or a chat room to be a 12-year-old girl can easily be a 50-year-old paedophile.

  There is at present very little assurance that any computer-based statement is true or honestly made.

  "Spoofing" is easy. I could purchase for a pittance five domain names such as houseofcommons.uk.net for example and thus purport to be a Government Minister—reasonably convincingly and with little chance of detection.

TACKLING THE PROBLEM

  I am deeply impressed by the offerings of BT Yahoo. These allow individuals to implement good levels of security on their computers—firewalls, antivirus, pop-up controls, anti-spyware, anti-spam, and parental controls on web surfing, all for a modest price, and requiring a very small input from the users.

  Unfortunately, most users are not sensitive to security issues, but are extremely sensitive to price, and competitors are cheaper than BT, so this is making limited inroads into the problem so far.

  Many police officers simply reject computer technology as far as they can. Few have any degree of IT competence, let alone in matters of security, investigation of "cyber crime" or the gathering of computer-based evidence.

  Cost and effort are critical.

  The Government is attempting to lead us towards electronic transactions in preference to the paper and personal ones from the past. These depend upon the availability of a computer—at both ends. To that extent, the private computers are important.

  My son and my daughter rely on the Internet for help with their studies. My wife and I use it extensively for all sorts of purposes. The loss would be significant because of their studies; otherwise the loss would be no more than a nuisance. And I believe that we are more dependent on computers than most families. So the availability of the system is not as important as business critical systems (such as the payroll) are within an organisation.

  I have a relevant professional position: the personal security of the individual members of the organisation's staff is important. So for five and a half years, I have worked hard to raise their awareness. I cannot quantify the present level of awareness, but I am sure that it is a minority who have taken much notice. An important part of the context is that I am able to provide evidence of incidents which take place—so to prove that security is not merely "just in case". I have never heard our staff refer to national initiatives for security—I believe they are unknown.

  I believe that the following of appropriate security practices requires intellect, motivation, effort, and funding. Hard enough for government organisations to adopt, let alone private individuals. In my view, organisations must somehow spoon-feed individuals with sound security.

  It is my view that today's PC design traces its history back to a time in which the computers were not linked to networks and could be adequately secured within a locked building. Security has been an addition, made reluctantly.

  As most computer products come to market the supplier's priority is to deliver quickly and initiate the revenue stream. As a result, software often matures in patches and modifications made after the product is first sold. And it seems safe to say that security features are rarely a major selling point.

  Microsoft XP, for example, has been on sale for several years, with a firewall capability, but it is only recently that this capability has been enabled by default.

  In the end, only the individual can be responsible for his own security, like locking one's car.

  I cannot conceive of successfully making suppliers responsible, especially given the international nature of the business, and the issues of jurisdiction.

  It seems to me that in the same way that government influences health issues such as smoking and obesity, there is an obligation to work on personal computer security.

  Police forces have a responsibility for investigating computer crime. They have arguably an obligation to prevent crime—including computer crime. But they have very little of the skills and resources to do so. And they are culturally inclined to reject the idea. Chief Constables would presumably say that they have no computer crime problem (because they have no mechanism for addressing it).

  The work of the national information security authorities is very important and influential. They provide training and help with the selection of security products, but their target audience is corporate—and primarily in the public sector. And public sector authorities struggle to slowly adopt credible security measures. I believe that little of this work percolates through to individuals' computers.

  It seems important to note that the threats and trends of incident change very rapidly. Anti-virus software now needs updating daily to keep up. New vulnerabilities and attacks also emerge daily (see Communications Electronic Security Group publications).

  Password technology was perfectly adequate say 10 years ago. But more computing power than ever is available to the mischievous; and password cracking techniques have come on in leaps and bounds. Today a password is fairly unconvincing as a security measure.

  It is also important to note that technical defence is only a part of the solution. Some years ago, several individuals in my organisation received a perfectly ordinary uninfected e-mail. It told them that their computer had a virus, and provided detailed instructions. Two individuals followed the instructions diligently and removed critical software components from their operating system. It was a do-it-yourself virus.

  Some hoaxes are almost as damaging as the attacks they describe.

  Equally "phishing" attacks rely successfully on gullible users supplying information.

GOVERNANCE AND REGULATION

  IT governance initiatives have some influence in reducing security threats—in corporations, but almost none in the private environment. In my own organisation, we have adopted national standards (in 2001) and we now claim, with honesty, an 83% level of compliance.

  I believe that the British Standard (BS7799: ISO 17799) has been extremely useful as a language of security and a model, but only for corporations, and then not for all of them. My Local Authority still aspires to any degree of compliance. Their networks are regularly paralysed by viruses, to the extent of damaging children's education. For example, my son was recently preparing an A Level coursework submission, when his school network failed for about a fortnight. I am aware that teachers routinely carry details of child pupils on laptops which have no effective protection.

  Few individuals have even heard of the document.

  As the production of hardware and software is international, so governance and regulation must also be international. But it seems unlikely that effective agreements could be reached with enough agility to address the changing problems. So I see this as a fairly hopeless issue.

  I do not accept that the regulatory framework for internet services is adequate. But given the jurisdiction and agreement issues, I think that this can never be totally effective.

  I am utterly certain that the main barriers relate to awareness and motivation. The Government's drive to e-government was heedless of the security issues. These were assumed to be solvable by practitioners, and to some extent this was true. Government departments are reluctant to adopt sound security practices (the press daily publishes security scandals). Police forces are reluctant and unable to attach any significant priority to their own security or anyone else's, suppliers are motivated by profit—not the interests of the consumers, and there is a very limited public awareness of the issues.

  The Bichard Report has gone some way to raise government awareness of the importance of Information Management.

  It is my view that Information should now be a Cabinet Level issue—a Ministry of Information is called for if we are to make much progress in relation to the security of corporations or individuals. I believe that Britain plays a leading role in the Information Age—and we should develop it fully rather than stifle it.

  I suggest that the police service, and the criminal justice community, should be driven to address computer crime matters competently and adequately.

  There is some assumption that computer crime is the work of rather benign nerds. This overlooks paedophiles, fraudsters, mercenary hackers and virus writers. But I do not believe that quantitative evidence is available to define the source of attacks adequately.

CRIME PREVENTION

  I am "in the business"; and my enthusiasm is probably evident by now. I am wholly unaware of any government crime prevention policy relating to information.

  I do not believe that my local HiTech Crime Unit has the skills or resources to tackle the volume of computer crime. I am aware of the Serious and Organised Crime Agency which may be better equipped to tackle more serious aspects of the problem—I cannot comment on their adequacy.

  The legislative framework will always struggle with the international dimension of the problem.

  The Data Protection Act 1998 seems to me to be phrased with vagueness—enough to deter most resulting legal action. This act contributes very little to the debate on security and affects only corporations—not individuals. This could usefully be revised.

  The Computer Misuse Act 1990 is now well out of date, and is limited to purely technical attacks. It does not, for example, address the issues of the Do-It-Yourself virus I described earlier, and it does not address the issues of Denial of Service attacks.

  The Regulation of Investigatory Powers Act creates an offence of intercepting communications, and thus attempts to protect the privacy of e-mails.

  It is often said that computers merely provide new avenues for the commission of all the old offences. Older laws such as the Theft Acts and the Criminal Damage Act create offences which can be carried out through a computer. The legislation was phrased with such clarity that these seem unlikely to cause a problem.

  A paedophile may groom his victims through computers, and eventually commit physical assaults. These areas are adequately catered for in the existing criminal law.

  Initially there was a great deal of concern about the law of evidence as it relates to computers. But I understand that in practice, there has been little difficulty here. Defendants have not challenged computer based evidence significantly, but we seem to be relying on old principles carried into modern times. I suspect that if and when defence lawyers become IT literate, more difficulties will emerge in this area.

  There is one practical problem which remains. It is that it may be easy to prove that whoever used the computer committed an offence: but without an admission by the offender, or some unusual circumstance, it is extremely difficult to prove who used the computer. As I have said, my machines at home are shared by four family members and visitors occasionally have access to them. So in practice, almost anything I do is deniable. The law could specify access controls, or create strict liability offences, but I do not envisage that either of these approaches would be foolproof.

  The problem is not so much the adequacy of the law as the adequacy of the resources required to enforce it.

  I am aware that security authorities collaborate on an international basis to prevent, manage and investigate threats. I am aware of very few successful prosecutions resulting from thousands of incidents.

  In conclusion, you will see by now that I believe that Personal Information Security is a problem which urgently demands action in several areas: action in relation to suppliers, in relation to awareness of individuals, and in relation to enforcement of the law. Even then some fundamental problems remain because of the international nature of the Internet.


© Parliamentary copyright 2007