United Kingdom Parliament
Select Committee on Science and Technology Written Evidence


Memorandum by the National Education Network Technical Strategy Group

INTRODUCTION

  The National Education Network consists of the broadband networks of the English Regional Broadband Consortia and the regional infrastructures in the Devolved Administrations of Wales, Scotland and Northern Ireland.

  The National Education Network (NEN) is also a dedicated education network; it harnesses the power of broadband technology to deliver unique content and services, enabling users to share learning resources. The National Education Network offers many advantages for schools and offers a secure and safe environment where issues such as copyright are managed and where teachers, pupils and parents can work confidently together.

  It has recently been noted that the National Education Network, a major government funded ICT project, has been delivered on-time and on-budget.

  The NEN Technical Strategy Group comprises representatives from each of the English Regional Broadband Consortia and from the Welsh, Scottish and Northern Ireland devolved administrations with DfES, C2kNI, LT Scotland, Becta and UKERNA. The Group's objective is to advise on the technical strategy required to ensure that such networks interoperate, provide best value and support teaching and learning. The Group also influences suppliers, bearing in mind the substantial government investment in this area.

  Although the Call for Evidence refers to private individuals, there is a great overlap between children and young people at home, in the community and at school. While the protection of pupils in school is relatively good through supervision, filtering and education for responsible use, these same pupils become vulnerable outside the school.

DEFINING THE PROBLEM

What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

  1.  The threats include computer virus, trojan and spyware infection.

  2.  Financial scams and phishing and the consequent loss of confidence in the utility of email systems.

  3.  The assault on personal values by pornographic and other types of offensive websites and offers of pornographic and offensive material by email.

  4.  For many, particularly the young, the revealing of private information via social networking sites is a relatively new worry.

  5.  Young people may also have to contend with bullying by email, instant message or phone (text).

  6.  We understand that the Internet is being increasingly used by paedophiles to groom children, taking advantage of the difficulty for an individual in identifying who has sent an email or text.

  7.  In schools we can no longer expect that the material that pupils will see, or that communications with the outside world can be controlled by the school's physical boundaries. An inappropriate email or text message could be received or sent by a pupil in a second whereas only a few years ago a letter or telephone call would have passed through the school office and been noticed.

  8.  While schools, via their Local Authorities and Regional Broadband Consortia, have the best filtering systems available, the cost of their purchase and management is a drain on limited funds.

  9.  All teachers are suddenly in the forefront of guarding against a new threat which may make them feel personally unsure and uncomfortable.

What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

  10.  The scale is huge, with spam comprising more than 80% of email for many people. Although many are learning to ignore such material, some are deeply affected and may even believe they have contributed by some mistake they may have made in their use of on-line systems.

  11.  Any Internet connected computer will be infected within minutes by viruses or spyware unless protected. Users may not realise that their computer has been affected until its performance slows to a crawl. Security problems are rarely reported by private individuals.

How well do users understand the nature of the threat?

  12.  Such threats put perfectly honest people into indirect contact with con-men and thieves without a conscience; this situation may be difficult to cope with. While many users understand in general terms about spam, viruses and scams, some users continue to open email attachments from unknown senders.

  13.  Few users will have access to real expertise in making a computer secure, unless they purchase their computer with security software installed and enabled.

  14.  Young people's understanding of the nature of security and safety threats varies with age. More mature pupils will have probably developed some on-line safety strategies—better than their parents in many cases. However most young people probably underestimate the threat, for instance the considerable lengths that an adult might go to groom a young person. Some young people engage in on-line or phone bullying.

  15.  It is probably also true that—out of school—the wide availability of pornography on-line has degraded young people's expectations of relationships.

  16.  Some parents understand the nature of the threat and take appropriate action to work with their children to minimise risk. Most parents, however, do not understand the threat and are therefore incapable of managing the risks taken by their children.

  17.  Teachers have embraced the Internet to a large degree although they have far less time available to develop their skills as compared with their pupils. Many teachers will have purchased their own computers and home Internet access, at least partly to prepare themselves for their professional work. In terms of using on-line systems in their teaching the security and safety risks are mostly mitigated by precautions taken by the school networks.

  18.  Many teachers' use of the Internet is probably less exploratory and less wide-ranging than that of pupils. Teachers will need to develop a better understanding of the risks involved in order to better advise their pupils.

TACKLING THE PROBLEM

What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs?

  19.  We note that these threats are caused by unsavoury people rather than by the technology itself, and that the technology brings such a wide range of benefits to education that Internet use is now a normal and essential part of learning.

  20.  Young people are to some degree used to risk and generally learn how to survive in a dangerous world. Engaging with young people to help them develop their innate ability to detect threats and to respond appropriately has to be the most powerful approach.

  21.  Clearly we have also to use technological counter-measures such as anti-virus and filtering, but these measures will never completely eradicate undesirable material. Supervision and education are just as important.

  22.  More work is required by all filtering system developers to produce products that directly relate to the UK schools market rather than a world-wide commercial market.

  23.  The Becta work in approving Internet Service Providers for safety and security is to be applauded but needs to engage more deeply with a complex problem.

  24.  For some time schools have used filtering systems to prevent access to undesirable materials and intercept and monitor inappropriate messages. Senior management must take greater responsibility for managing these systems to ensure that decisions are based on educational policy, rather than technical convenience.

  25.  The biggest issue is in homes where many young people have open access to the Internet if they wish and parents may have little control. There is plenty of material available to help parents, but it is believed that many do not actively respond to the threat.

  26.  The business case for the perpetrators of much of the more annoying spam is based on a small minority of people responding to what virtually always turns out to be a con. It would be good to think that if people were better educated never to respond, the business would collapse. An essential strategy is user education.

  27.  It is good to report the recent increase in appreciation of the problems in some schools through the work of CEOP and Becta. However to engage with all pupils in all schools is a massive task that requires well trained staff to be effective. The current level of resource available is far too low to enable excellent programmes such as Think U Know to be widely disseminated.

  28.  The computer operating system must be as secure as possible and arrive installed on the computer with all the tools required and configured ready to work out of the box. An issue here is that incorporating all security in the operating system may increase the Microsoft near monopoly and stifle competition. Ideally Microsoft would work in partnership with many specialist security companies.

  29.  The industry must be encouraged to offer secure systems with a minimum of complexity and requirement for user expertise. The splitting of the countermeasures into antivirus, anti-spam, adware, spyware etc may be good for business, but can confuse the customer. IT systems must be fit for purpose, which includes security.

  30.  A major issue is that many communication systems enable the sender of a message to hide their identity. This may be as simple as mike5476@yahoo.com, but is Mike aged 13 or 30? Where does he (or she?) live? We do not want to enter the debate on national identity cards, but if at least school-age pupils could be certain of the identity of other school-age people then security would be improved.

  31.  The work by Becta, UKERNA, the Regional Broadband Consortia and others on authentication including the Shibboleth system is therefore important.

What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  32.  Public awareness is probably high, but only to the extent of being aware of email spam, pornographic material and viruses. Awareness of their responsibility in reducing the threat is far lower; for instance, most parents worry about their children's Internet access but relatively few ensure safe systems or even check what their child is accessing.

  33.  Becta has recently produced excellent publications on e-safety which deserve wider reading in schools. The Local Authority is best placed to offer advice to schools on e-safety and child protection although resources are stretched.

What factors may prevent private individuals from following appropriate security practices?

  34.  Lack of knowledge about basic computer configuration and security, which is not surprising as few in the population are technical.

  35.  Bad experiences with security software that does not install easily or does not appear to work fully.

What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  36.  It is essential that new products are very well designed. Many security threats make use of flaws and vulnerabilities in the systems attacked, particularly in operating systems where the predominant system is Microsoft Windows. More work is required from Microsoft to ensure it offers the most robust operating system possible, without locking down the computer such that it becomes difficult to use.

Who should be responsible for ensuring effective protection from current and emerging threats?

  37.  It would be a mistake to attempt to ban Internet applications such as social networking sites (Bebo etc). It is often not the site itself that is the problem; for instance, Bebo provides a free and easily-used application for mature people to publish material and to connect with like-minded people. The problem is in users that are too young or naive to see the dangers in publishing personal information or in trusting someone whose identity cannot be verified. Of course some social networking sites make their money through dubious advertisements for finance.

  38.  Social networking sites, however, must bear the responsibility for ensuring that the young user cannot access the site. It is appreciated that currently there does not seem to be a mechanism to make this possible.

  39.  Schools bear the responsibility for the safety and security of their pupils whilst on site or on school business. This is not a trivial task and the training of staff with this responsibility is important and currently sometimes neglected. Responsibility for e-safety covers pastoral, technical and educational aspects and all these staff will need to develop their abilities and procedures particularly in working together to resolve these complex issues.

  40.  Schools also have a responsibility to educate pupils for safety, even if the risk is more out of school than in. We appreciate that adding material into the curriculum is a further strain on teachers and time, but this is now essential.

What is the standing of UK research in this area?

  41.  This is difficult for us to judge. However we believe that UK work is well thought of in other countries. It should be said that some countries feel that in the UK we veer too far towards regulation rather than educating young people for the responsible use of the Internet and related technologies.

GOVERNANCE AND REGULATION

How effective are initiatives on IT governance in reducing security threats?

  42.  UK-based firms are now taking a more responsible attitude to security and this is presumably at least partly due to better IT governance. However the vast majority of Internet security threats would appear to come from America and many other parts of the world where regulation is poor.

  43.  At UK government, Becta and Regional Broadband Consortia levels there is a good focus on governance in e-safety policy for education.

  44.  However at school level there is some concern. Many schools have not considered sufficiently, at senior management level, the need to create and maintain an e-safety policy and in particular the need to ensure its implementation.

How far do improvements in governance and regulation depend on international co-operation?

  45.  The Internet itself is international, which is one of its major contributions and benefits but also a source of difficulty in regulation. Many of the IT suppliers of network equipment, operating systems and security and filtering applications are international and depend on that larger market for income to cover their research and development work, partly in countering criminal exploitation of the Internet.

Is the regulatory framework for Internet services adequate?

  46.  We are not qualified to judge. However with the rapid rate of technology development and exploitation by the criminal and the slower development of user knowledge it would seem unlikely that regulatory frameworks are adequate. However care must be taken to ensure that reputable firms which contribute to developing safe and secure systems are not restricted by over-regulation while parasitic organisations and those that give insufficient priority to protecting users' safety and security are brought into line or penalised.

  47.  It is essential that schools protect their staff and students by obtaining Internet services through a high-quality educational Internet Service Provider (ISP). Typically the ISP will be carefully selected by the Local Authority or Regional Broadband Consortium. Becta is developing an approvals mechanism for educational ISPs.

  48.  It would be easy to inhibit Internet use in schools by insisting on a "one size fits all" regulatory regime based on eliminating all risk. Schools must be able to decide how to educate their pupils to take a responsible approach to many risks including drugs, bullying and road safety as well as Internet use. Schools need to set their own policy for e-safety; some will emphasise regulation and some emphasise education depending on their pupils' age and maturity.

  49.  One of the difficulties is that a school can opt-out of the Internet provision that the Local Authority or Regional Broadband Consortium offers. While this is a small minority of schools, these pupils are being placed at risk as non-educational Internet providers rarely have adequate filtering, security or user-support in place. Indeed as their prices are lower, it is economically impossible to offer these services.

  50.  There is a danger that if the central funding provided by Government for school broadband Internet access is reduced, some primary schools may decide that they cannot afford the high-quality and secure LA/RBC solution.

What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

  51.  Becta is undertaking excellent work in moving UK schools towards a standards-based approach to the design of IT systems. Standards for hardware, software, networking and safety and security are an integral part of this development. RBCs have contributed to this work.

  52.  The barrier to the adoption of standards is often at school level where technical staff have their own local interpretation of network design and may be resistant to change. School senior managers often do not have the expertise to challenge their technical staff, who are anyway difficult to appoint or retain.

  53.  Due to the increasing devolution of funding to schools, few local authorities have sufficient technical strategy staff to influence schools, which in any case are to a large extent autonomous in their decisions as to ICT.

  54.  If broadband grant funding were to be completely devolved to schools in the future, such influence that RBCs and LAs have in educating and influencing schools towards standards-based systems and in implementing safe and secure IT systems would be very much diminished.

CRIME PREVENTION

How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

  55.  It is good to report that local police forces are beginning to work with child protection officers and education departments to counter threats to school pupils and to children outside school. Some schools are in the process of giving responsibility for e-safety to a member of staff.

Is the legislative framework in UK criminal law adequate to meet the challenge of cyber-crime?

  56.  We are not qualified to comment on this, except to say that new threats appear frequently and at huge scale, as seen in social networking. The legislative framework must move at least as fast as the problem, or at least the ability of the interpretation of law.

How effectively does the UK participate in international actions on cyber-crime?

  57.  Again this is difficult to comment on. However the vast majority of illegal material is generated abroad and the international dimension is vital to its reduction.

October 2006



 

© Parliamentary copyright 2007