United Kingdom Parliament
Select Committee on Science and Technology Written Evidence


Memorandum by the National Computing Centre Limited

SUMMARY

  1.  In this response to the House of Lords Science and Technology Committee inquiry into Personal Internet Security, the National Computing Centre recognises that the personal user community is starting to protect itself in certain respects (such as an increased use of antivirus and firewall software) but is exposing itself more through the proliferation of opportunities for self-publicisation (vanity publishing) that the Internet encourages. The energy needed to get to grips with the real and apparent complexities of the measures for secure use of computers is locked in battle with the pervasive complacency that research suggests to be the second most prevalent risk.

INTRODUCTION

  2.  The National Computing Centre (NCC) is pleased to have the opportunity to deliver the evidence herein on security issues affecting private individuals when using communicating computer-based devices, either connecting directly to the Internet, or employing other forms of inter-connectivity.

  3.  NCC is the single largest and most diverse corporate membership body in the UK IT sector.

  4.  NCC champions the effective deployment of IT to maximise the competitiveness of its members' business, and serves the corporate, vendor and government communities.

  5.  NCC delivers a continuum of services including; independent and impartial advice and support, best practice and standards, personal and professional development, managed service delivery, awareness raising and experience sharing.

  6.  These services are designed to support IT and IS professionals and their teams throughout their management careers and facilitate operational excellence in the industry. NCC is a social enterprise owned by and run for the benefit of its members.

DEFINING THE PROBLEM

What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

  7.  The security threat manifests itself to individuals in three aspects of privacy risks.

    —  The first is the most publicised under the label of identity theft where personal details are harvested with nefarious intent to imitate the victim to defraud them directly, or use the alias to defraud others.

    —  There is also a growing trend for vanity publishing of personal details. This may be harmless fun for some but may encourage the attention of "cyberstalkers" or paedophiles to others.

    —  Thirdly, there is the ease with which information about individuals' activities may be posted to the Internet, thus making public what may previously have been expected to remain private.

What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

  8.  Research focuses on the institutional experience, and so recording is done by, for example, banks who have to deal with the effects of a breach (such as illegally "authorised" transfers of funds). The fear of reputational risk probably adds another level of constraint on the free reporting that would gauge the scale of the problem. It would be difficult to have a meaningful reporting point for individuals who have suffered a security breach, as they are likely to expect that the responsibilities for their protection lie with the institution from whom they seek recompense. Home users who have certain security countermeasures from some vendors can report breaches, which are used to update records. However, the key problem with this is the availability of this information and the need to have a particular configuration. There is a wider theatre of victims who will suffer the inconvenience of a security breach—such as a virus infiltration or loss of control during a Distributed Denial of Service attack—and, having expended energy in overcoming the problem, will not look for any authoritative reporting point.

  Note:  The last sentence of this paragraph is an example of the communications problem endemic to the whole issue on improving personal security. The majority of the population want computers to access services and are being forced into having to increase their technical appreciation of how they work so that they will understand the need, and therefore means, to defend them.

How well do users understand the nature of the threat?

  9.  Users do not, on the whole, understand these threats well. They have to:

    —  be aware of the threat itself—such as identity theft (we note the coincidence of this consultation with a national campaign to protect against this);

    —  understand that the mechanism through which this threat is realised can be:

    (i)  technical—such as the covert installation of software to harvest identification details;

    (ii)  social—such as e-mails which play on the psychology of Internet activity, like the entering of usernames and passwords into familiar-looking websites; and

    (iii)  sociotechnical—such as e-mails which goad the user into an action that leads to (i).

    —  then understand the solution to the problem which will vary from resisting temptation to open an unexpected e-mail attachment to having to update the software on a computer to prevent many forms of malicious software embedding itself; and

    —  fight complacency. An NCC survey into the top IS/IT risks identified "Complacency, lack of awareness or understanding of risks, or accepting too much risk" as the second most prevalent potential problem. This reflects the human limitation of misapplying personal experience and discounting past and future risks.[17]

  10.  Evidence that users would appear not to really understand the problem is shown by the growth in the use of websites which encourage the divulging of personal information (eg myspace). Even if they are not explicitly stating exploitable details, they are passing on the first leads to identity thieves. One might even say that "bloggers are asking for it" by advertising lifestyle and personal details. It has been suggested that the humble "out of office reply" is an invitation to would-be thieves to track down unattended property.

  11.  Examples of this vanity publishing can be seen at:

    —  http://www.bebo.com/

    —  http://www.faceparty.com/

    —  http://www.xanga.com/

    —  http://www.youtube.com/

    —  http://en.wikipedia.org/wiki/List_of_social_networking_websites

  12.  These sites are also an obvious port of call for even more perfidious practices, such as creating false personas with criminal intent other than identity theft.

TACKLING THE PROBLEM

What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs?

  13.  There is no silver bullet. An "in depth" approach is needed including:

    —  Authoritative parenting that prevents—or at the very least discourages—the development of inappropriate web-posting behaviour.

    —  Continuous improvement of software quality by the developers and service providers to reduce vulnerabilities in the hardware and software.

    —  More research—and realisation of its results—to enable the distribution of improved software, operating systems and applications, including protective software, to a non-technical audience.

    —  In-built security tools at levels across the technical spectrum (from network to applications and data) to protect the novice but flexible enough to be switched off by the more expert user who wants to increase their level of protection.

What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  14.  Initiatives are increasing and improving in quality, notably http://www.thinkuknow.co.uk/ and http://www.getsafeonline.org/. However we should ask whether the Internet is the right place to treat the perception and understanding of problems with the Internet? An "in depth" approach using non-Internet-based resources is necessary.

  15.  The number of helpful sites can be as overwhelming as the incoming phishing e-mail. For example there are:

    —  http://www.cardwatch.org.uk/

    —  http://www.codephish.info

    —  http://www.identitytheft.org.uk/

  16.  Whilst some specialist information can be found at:

    —  http://www.howtowipeyourdrive.com

    —  http://www.microsoft.com/security/protect

    —  http://www.millersmiles.co.uk/

    —  http://www.spamfo.co.uk/

What factors may prevent private individuals from following appropriate security practices?

  17.  A lack of understanding of the technology leads to a natural lack of understanding of how threats can be realised through that technology. We may expect to see those attacks which are difficult to detect become more costly to deal with, as they are likely to have embedded problems into, say, several generations of back-up before being discovered. Personal backing up of data is unlikely to be well practised. Pride in good practice should be encouraged, but it must not lead to complacency. Security breaches are like mermaids: just because you haven't seen one doesn't mean that they don't exist. We need to encourage development of trust technologies so that we can let in a few constant friends rather than trying to bar a changing crowd of foes. But don't forget the security in depth principle of not relying on any single approach.

What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  18.  The lesson has been learnt by the software vendors, but they are to an extent hostage to fortune in that the proliferation of hardware and software means that there is rarely anything new under the sun. Innovation has still to interoperate effectively with legacy technology, and the nature of software means that it is almost impossible to guarantee that the permutations encoded in a product will secure that product in most (or more) configurations.

  19.  This is why the in-depth approach combining accountability, technology and education is essential:

    —  Accountability—Create a system of recognition for legitimate Internet "crawling" software so that Internet Service Providers (ISPs) can block unrecognised (perhaps uncertificated) attempts to harvest information. Legitimate applications (for example, Google, AltaVista, and Autonomy) would bear electronic authenticity certificates.

    —  Technology—Technology should be developed with mandatory attention to the non-functional requirement of security.

    —  Education—The responsible use of information technology should be part of the compulsory curriculum of citizenship in schools.

Who should be responsible for ensuring effective protection from current and emerging threats?

  20.  Now that the Department of Trade and Industry's biannual survey of security breaches in business is making the happy report that a high proportion of businesses are catching the security incidents, it is time to strengthen the user community with the sharing of the effective measures. It would seem that there is a watershed of attack running from the protected (corporate) to the unprotected (small businesses), and we see this continuing beyond, to the personal users of information technology.

  21.  Information is passed along a convoluted network of veins, arteries and capillaries, and its security is at risk throughout the journey. It is more vulnerable in some places than others. Like the straight Roman roads, we must reduce the kinks and bends where the enemy can lurk.

  22.  It is undoubtedly good news that more attacks are being detected. We may expect less damage from those which are easy to detect, providing defences are strong throughout and we do not get caught by a weakness that is exploited whilst in the shadow of a well-defended system.

  23.  We may never have everyone fighting the information security war. We can recognise that although some may sit and watch, others dive into the thick of it, and some run after with a stretcher, we must always strive for inclusiveness. Where information is managed using technology, understanding all the implications will get technical. Initiatives like "Get Safe On Line" have vital roles but to paraphrase Einstein, it can make the solution as simple as possible but no simpler. Vulnerabilities and patches are "techie". Just as we have seen the Botnets run from the watershed of protection into the trenches of home or small business computing, we need to stem the flow by doing as much as we can to make security measures accessible or automatic. This can be shored up with the increasing desire for professional recognition in information security with a professional institute at its zenith.

What is the standing of UK research in this area?

  24.  We should be making it easier to achieve commensurate levels of assurance (realising relative security) by paying attention to lessons learnt from experience. The certification of Japanese organisations to the Information Security Standard BS 7799/ISO 2700 far exceeds that of UK certification. We should consider an investigation of how Japanese individuals may be benefiting from the formalisation of information security management by those who serve them.

  25.  Recent reports have highlighted that (a) Internet misuse has switched from mere nuisance to criminal intent and (b) rather than attack defended corporate networks, these criminals are taking advantage of the more vulnerable information technology of home and small business.

  26.  Research is needed into how we may promulgate the lessons learnt by the corporate experience to those who want the benefit of technology without having to master much, if any, of its complexity.

GOVERNANCE AND REGULATION

How effective are initiatives on IT governance in reducing security threats?

  27.  It is good that there are initiatives which recognise the "chain" of responsibilities that connects the corporate, public sector, small business and personal information technology users. Only in that wider context can the actions on the individual be put into context.

  28.  The formalisation of ethics and good governance in the UK, leading to a demand for demonstrable management of operational risk, has largely matured since the last decade of the Twentieth Century. As seems to be usual, the emergent risk of tardily reported inadequacies in high-level governance with the Maxwell pension funds, the Bank of Credit and Commerce International (BCCI), and Polly Peck became the driver. The first set of improvements was proposed by Sir Adrian Cadbury, former chairman of the Cadbury chocolate company, in "The Financial Aspects of Corporate Governance". This was a code of conduct for stock market-listed companies addressing ethical as well as legal questions. The implementation only really became clear when Turnbull prompted attention to risk management.

  29.  This evolution of benchmarks for corporate governance was given focus by a working party of the Institute of Chartered Accountants in England and Wales (ICAEW). This was led by Nigel Turnbull, so the subsequent document "Internal Control: Guidance for Directors on the Combined Code" has become known as the "Turnbull Report". Its message is that good corporate governance is achieved by internal controls and risk management. Like Sarbanes-Oxley and Basel II, financial prudence is the driver, and a high quality of transparent reporting is a key aspect of compliance. Risks need to be managed and their acceptance must come from the highest level.

  30.  The ability to put this into practice has been greatly boosted by the Higgs Report which reviewed the roles and effectiveness of non-executive directors in the UK. As a result, the report sets out measures designed to improve the structure and accountability of boardrooms in the UK. This is vital to instil a transparent approach to risk management.

  31.  Government is concerned with enabling the public and private sectors as well as individuals to achieve secure and resilient information systems. To achieve this, the UK has established the Central Sponsor for Information Assurance (CSIA) to facilitate working in partnership with the public and private sector to address the protection of information systems, the information they carry, and their users from hi-tech crime. The department promotes education and awareness of information security and takes in hand training and skills for professionals.

  32.  The confidentiality, availability and reliability of information systems and the information they handle is an important concern for Government. The continuous provision of goods and services to citizens depends on the smooth running of the information systems supporting them—particularly in the event of a crisis. But Government cannot make the UK's information systems secure by itself. Most information networks are neither owned nor operated by Government, so we each must play a part in protecting all our information systems—from home computers, to the IT networks behind large companies, to local and central government systems. In fact we are becoming so interconnected that the contagion from a home computer can spread to business and into Government, and vice versa. We need to develop a new culture of cybervigilance, which means that we must not only protect our computers from viruses, we must protect our privacy and identity from those who would abuse it. The complexity of the risks requires a scalable approach that can be made to fit the size and place of impact. A risk mitigation framework can be designed so as to account for the risk and the stakeholder view, or weltanschauung, in its application. Risks to security are no longer a simple matter of who you keep out; they are a complex and changing set of layers that decide who you let in and how far. NCC is engaged in the research and development of such a framework.

How far do improvements in governance and regulation depend on international co-operation?

  33.  International co-operation is important to combat the perception of the relative safety of perpetrators who take advantage of technical and social vulnerabilities from regimes that they feel safe in.

Is the regulatory framework for Internet services adequate?

  34.  No commentary submitted.

What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

  35.  Information and knowledge are the thermonuclear competitive weapons of our time.[18] Any information that an organisation holds is an important asset and needs to be treated as such. Risks are inherent in the software driving information systems that store and process that information. It is therefore not surprising that in order to secure information, international consortia (such as the Basel Committee for Banking Supervision) and governments have set out regulations with punitive measures for non-compliance to encourage a proactive response to risk. Individual examples of compliance are knitted together under the banner of good governance so that risks to the disclosure of sensitive, personal information carry national and international obligations rather than allowing the risk of disclosure to be accepted. In addition to the social obligations of the regulatory regimes, information system users are typically at risk from e-crime including the misuse of computer systems for fraud, hacking, virus and denial of service attacks, software piracy, on-line child abuse, extortion and drugs trafficking. In addition to the social protection and e-crime, misuse (deliberate or accidental) of information systems by otherwise legitimate users is still the highest security risk.

  36.  Regulatory bodies react to emergent risk by creating laws and regulations (social obligations) to promote the environment in which organisations have to manage risk as part of their operations. The drivers for organisations to proactively respond to these emergent, undesirable outcomes are regulatory pressures. According to some recent commentary from the USA this is now less so, and the argument to invest in security because of, for example, the Sarbanes-Oxley Act is no longer resonating at board level. This is because, although risk management is a continuous process, regulations are seen to be "here and now". In contrast, there is faith that (non-regulatory) risks can be avoided. This section discusses how national and international, government, and non-governmental organisations have recognised the need to either establish policies for managing risk or deliver tools to implement policies.

  37.  National Computing Centre members were consulted on their attitude to standards to investigate whether the hearsay and anecdotes that suggested dissatisfaction in the accessibility of information in standards could be found in a cross section of stakeholders in information systems. The following discussion is collated from feedback collected during this consultation and not previously published. It drew out the opinion that the presentation of standards—and the processes used to develop them—are flawed. It is especially relevant to this paper because it shows how the proposed risk treatment framework can itself mitigate some of these concerns.

  38.  Standards appear to be unpopular amongst information system stakeholders because of their perceived complexity, the many sources offering apparently helpful standards, difficulties in the visible process of defining standards, the rigidity of compliance requirements, and the cost of the documentation. Each of these concerns is described in more detail below, before discussing how the work to be done in response to the observations made in this paper may help to overcome the apparent consternation towards standards.

  39.  The complexity of standards is thought to result from the need to try to include not only the intended scope of implementing a technology or process, but also to predict the effect of unintentional applications. This results in the perception of much of the information in standards as being preventive and therefore negative. Successful standards are seen to be simple or minimalist, with the emphasis on communication rather than "prevention". Although it is undoubtedly important that the impact of proposed changes is understood, it is more important that the need for the change is recognised and accepted by all stakeholders. Leadership and teamwork were cited as the framework for successful projects; standards provide a communications medium within that framework.

  40.  The source of standardisation was also noted to be an area of confusion with many contributors to the body of knowledge of IT standardisation. One respondent to the survey cited, as examples, ECMA, ITU, BSI, and ISO. Another respondent referred to the declaration of certain suppliers as being the owners of standards whereas they may have been more successful in penetrating the market place with a particular technology. References by separate respondents to the consultation were made to the remark by Andrew S. Tanenbaum[19]: "The nice thing about standards is that there are so many of them to choose from", referring to the proliferation of standards, and the bawdy "The Matelot's Prayer"[20], intimating a love-hate relationship with standards whose proliferation is not differentiated by quality.

  41.  The development process in which standards are formulated, reviewed, agreed, and then published was deemed to take too long, have too many roles involved, and be too concerned with synthesising a product that satisfies all viewpoints. The problems were specifically reported as being time consuming, bureaucratic and requiring compromise to reach a consensus. The derivation of standards from a series of meetings will normally take place over a period of years, whereas market changes and business opportunities seem to be more immediate. The layers of committees and standards bodies mean that it is very difficult to navigate how a standard is progressing, or to have access to the latest thinking, until a consensus is reached. The effort to gain agreement is time consuming and can lead to the omission of useful information that, having been removed during editing, is not circulated to the wider standards audience.

  42.  Whereas kite marking by the British Standards Institution of certain products such as glass, hot water bottles, and tyres commands a certain degree of respect in the relevant market places, compliance with information system standards—particularly process standards—does not command similar respect where standards are expected to deliver a degree of assurance on the part of the supplier. Compliance is also seen as difficult as there seems to be limited understanding that there is more than just simple pass-fail tests to be applied, particularly in a complex IT system.

  43.  The cover price of standards is regularly seen as prohibitive, particularly to small businesses who see the full cost in terms of "cash flow" rather than the benefits that accrue from the implementation of the standard, possibly on many occasions, spreading the cost over more than one project.

  44.  A framework where standards are linked as solutions to risk may mitigate many of these perceived flaws by making accessible, and more obvious, the information in standards that is directly relevant to operational issues. This may be accomplished by using a taxonomy-centric framework that avoids adding any layers of complexity to the standards. A framework may be designed to overcome complexity through navigation based on stakeholder views and "deliver" a standard from one of several sources to treat a risk regardless of bias towards the publisher of that standard. The corollary is that the uptake of standards could increase risk awareness and reduce the failures that have given concern over the performance of certificated organisations. Working within the framework proposed in this paper will not make standards cheaper, but it could be used to direct users to very specific standards that will offer them value for money through the treatment of otherwise expensive risks. Changes to the bureaucratic standards development process are outside the scope of the commentary in this paper.

CRIME PREVENTION

How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

  45.  Crime prevention policy needs to be embodied in a comprehensive campaign that spans education to encouraging and supporting co-operation between public and private institutions. It should be built on accountability, education and co-operation:

    —  Accountability—Retailers should expect to only sell "locked down" products which meet the current standard of security "out of the box". Users would be able to accept risk by switching off facilities if they have an appropriate level of understanding to manage those risks. Products could be certificated (for example, as an extension of the CSIA Claims Tested (CCT) Mark) and retailers could be accredited for their adherence to this approach to security.

    —  Education—Responsible and acceptable use of information technology needs to be embedded in the education of children and adults. This must range from an understanding of what's safe to do on-line and where different facilities mean different approaches to what they are used for. Transactions from a mobile phone are not the same as transactions from a personal computer at home and are not the same as transactions from a computer in a café or library.

    —  Co-operation—Notification of vulnerabilities and breaches needs to be shared so that timely action can be taken.

Is the legislative framework in UK criminal law adequate to meet the challenge of cyber-crime?

  46.  The UK and the international community need a framework that encourages disclosure of breaches to ensure that (a) the scale of the problem is clear and (b) the risks that are realised are notified in sufficient time for other potential victims to take preventive action.

How effectively does the UK participate in international actions on cyber-crime?

  47.  No commentary submitted.

20 October 2007



17   Ian I Mitroff, Harold A Linstone, The Unbounded Mind: Breaking the Chains of Traditional Business Thinking, Oxford University Press Inc, USA, 1993.

18   Thomas A Stewart, Intellectual Capital: The New Wealth of Organizations, DIANE Publishing Co., 1998.

19   Professor of Computer Science, Department of Computer Science, University of Amsterdam.

20   20th Century Royal Navy song.


© Parliamentary copyright 2007