Select Committee on Science and Technology Written Evidence


Memorandum by Research Councils UK (RCUK)

INTRODUCTION

  1.  Research Councils UK (RCUK) is a strategic partnership that champions the research supported by the eight UK Research Councils. Through RCUK the Research Councils are creating a common framework for research, training and knowledge transfer.

  2.  This memorandum is submitted by RCUK and represents our independent views. It does not include, or necessarily reflect the views of, the Office of Science and Innovation (OSI). RCUK welcomes the opportunity to respond to this inquiry by the House of Lords Science and Technology Committee[28] and provides evidence from RCUK in response to the main topics and questions identified in the consultation document.

  3.  RCUK asks the Science and Technology Committee to note the following:

    —  The Council for the Central Laboratory of the Research Councils (CCLRC) is responding in its capacity as technical advisor and not in its capacity as legal counsel. As an employer, CCLRC has consulted on the aspects of employees using the Internet at home as private individuals.

    —  In relation to EPSRC, much of the work involved in defining the problem either falls in the domain of private companies, or research into social issues which are covered by other Research Councils. Undoubtedly, many of the researchers funded by EPSRC will be engaged with those defining the problem, but they will be using this as a driver for research. This, in itself, is not led by EPSRC and as a result the impact of that understanding is only seen second-hand in the form of research grant applications around solution technologies.

DEFINING THE PROBLEM

  4.  There are many different reasons why private individuals use the Internet. This may be choice, necessity, interest, reference, companionship, shopping etc. A common factor is that individuals increasingly trust Internet-based services. On the whole, society now regards Internet access and Internet services as "normal", not just for IT experts. While most individuals are concerned about their personal security, they do not understand how to assess IT security risks. They do not wish to become IT security experts in order to make informed judgments; they just want the Internet to work safely.

What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

  5.  In broad terms, the threats to individuals from the Internet and Internet services can be grouped as "technical" and "non-technical".

Technical threats

  6.  While most individuals are aware that technical threats, such as computer viruses, worms or spyware exist, they are not aware of how they pose a direct or indirect threat to them. The vast majority of individuals do not wish to, or need to, understand how these technical threats work. Often they are only aware of the threat once it has resulted in some destructive or invasive activity on their own personal computer-based device(s).

  7.  Organisations and companies are usually more aware of technical threats as these pose a higher risk to their day-to-day operations. As such, they have usually taken advice from IT professionals or security experts to reduce this exposure by:

    —  Keeping computer systems up-to-date with security fixes.

    —  Installing computer anti-virus software.

    —  Using a "Firewall" between the organisation and the Internet.

    —  Issuing individuals with usernames and passwords to audit use.

  If implemented correctly, these techniques can vastly reduce the level of technical risks to organisations and the individuals within them.

  8.  Individuals care about security. Good experiences from within organisations such as work, school, college etc. have resulted in many individuals developing the perception that the "internet is safe". However, as the individuals are not IT security experts they lack the skills to understand the steps taken by organisations to protect themselves and find it difficult to privately implement technical solutions. They often see them as too technical; too costly (eg not free); too cumbersome or irrelevant. The language and terminology used by IT security experts is inaccessible to most. This lack of IT security understanding effectively forces individuals to accept a higher personal risk when using the Internet from home. Some organisations provide advice on home computer use to their employees, particularly if the home computer is used partly or wholly for purposes associated with employment.

  9.  Technical threats are relatively mature, well known and understood within computing environments. Individuals may have heard of the following simple categories based on how systems are impacted:

    —  virus—(infection comes via a floppy disk, software or e-mail);

    —  worm—(can spread by itself—the infection does not need a host);

    —  spyware—(sends information to a third party without the individual's permission or knowledge); and

    —  port scanning—(an individual attempts to gain access to your computer);

  but do not know or care about how to distinguish a computer "virus" from "spyware".

  10.  Recently no new major categories of technical threats have emerged, but some manufacturers are starting to use the term "malware" to include all viruses, worms and spyware. The trend of combining the characteristics of basic technical threats to construct "hybrid" or "blended" attacks continues, with an attendant increase in technical sophistication, level of automation and speed of attack. In addition, the time taken to develop and issue new attacks is decreasing.

  11.  E-mail remains the major method of attack against individuals due to the high level of unsolicited e-mail (or "spam") which, if read or responded to, can install unwanted software (or "malware") on their systems. The malware may be downloaded from a website referred to in the spam message or attached to the message. Once installed, the malware can cause direct or indirect harm to the individual. Port scanning that could result in an attacker finding access to system administrator functions, and thence control of the machine, is also on the increase.

Non-technical threats

  12.  By its very nature, the Internet brings individuals into contact with many others faster, and potentially across greater social and physical distance, than traditional media for communication. What one individual finds "interesting" can be perceived as a threat by another. The lack of physical clues and social signals can also prevent individuals from avoiding unwanted contact.

  13.  As with all human endeavours, a minority of individuals are motivated by criminal gain to find ways to abuse systems and services that the majority trust. This abuse can be targeted against private individuals or organisations and can either be direct or indirect. In the context of accessing the Internet or Internet services, it is important to remember that this criminal activity is not dependent on any technical means. Criminal activity is very much a business (with questionable motives) that will "follow the money" and will attempt to exploit private individuals. The Internet is now used by sufficiently many private individuals for some criminal activities to be cost effective.

  14.  Most, if not all, individuals who use the Internet, initially trust it. They may hear of technical threats (such as viruses) and non-technical threats (such as "phishing") but unless they are directly or indirectly affected by these, they may believe that these "happen to others". The Internet does not add any new fundamental risk to individuals within society. However, the sheer scale, diversity and inherent trust in the Internet and services offered by it can be abused resulting in:

    —  Theft (eg money taken from bank account).

    —  Fraud (eg buying or selling items that you do not have or own).

    —  Impersonation (eg "identity theft").

    —  Deception (eg obtain information by pretending to be a bank—"phishing").

    —  Extortion (eg threatening to disclose information about activities on the Internet).

    —  Abuse (eg exposure to offensive images).

    —  Defamation (eg wrongly accused of an act).

    —  Invasion of privacy (eg unwarranted access in to private matters).

  15.  Recently the activity known as "phishing", which is a blended attack where individuals are deceived into revealing private information that can be used to impersonate them within the Internet, has been increasing. This often results in direct financial loss or theft.

  16.  All of these non-technical threats exist in the "real" non-Internet world but individuals have learned ways to judge and manage these. For example, individuals are advised by banks not to lose their Personal Identification Number (PIN) when they use cash machines or pay for goods in shops. They routinely try to physically shield or secure the entry of PINs on shop keypads so that onlookers (including staff) cannot see it and use it. They know that not doing this could result in them losing money.

  17.  If individuals assume that purchasing goods via the Internet is just as safe as in a physical shop or store, they will not have the physical clues that can help validate this assumption. Some individuals may be unable to judge how to replace these physical clues with appropriate Internet clues. An example may be the use of the HTTPS protocol to protect purchases via the Internet—the equivalent of shielding a PIN in a shop. The use of the HTTPS protocol on its own does not guarantee that the web site is genuine. For example, the individual may not be buying from a genuine merchant.

  18.  Some of the physical and emotional clues used to prevent other forms of abuse, such as fraud or extortion, develop as individuals mature. A lack of social awareness can make some individuals more vulnerable to some of the non-technical threats. It is unsafe to generalise and state that "younger or older individuals are at more risk".

What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

  19.  On an annual basis, the number of technical threats is continuing to grow steadily at approximately 1,000 per month (from July 2002 to December 2005 the estimated number of distinct viruses grew from approximately 75,000 to 115,000). While some new viruses and worms have caused short-term dramatic increases in this number, the impact on individuals who use anti-virus products has been less dramatic.

  20.  Non-technical threats such as distinct phishing web-sites are also increasing steadily at approximately 800 per month. (Between July 2005 and 2006, the number of phishing web sites increased from 5,654 to 14,191). These evolve rapidly and attempt to trick individuals into giving access to information or resources that can harm them. While IT security companies can help, they are always reactive to these new threats and the impact to individuals is increasing.

How well do users understand the nature of the threat?

  21.  Individuals are concerned by the threats but do not understand them. Intuitively they know they wish to be protected but do not know how to assess possible solutions.

TACKLING THE PROBLEM

What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs?

  22.  The Research Councils would welcome the outcome of the report which may identify the research challenges facing this area.

  23.  The UK has a very strong Information and Communications Technology research community, and the underpinning research into both hardware and software is of a high international standing. EPSRC's research projects have been funded mainly through its responsive mode route, but also in response to calls for proposals from the EPSRC Crime Programme. Although providing a focus for research related to crime, the Programme has not had a call specifically targeted at Personal Internet Security. The projects supported span a range of technologies and approaches, from understanding the threat from a system perspective through to profiling the activities of criminals on the web. Many aspects of tackling the problem will be closely linked with understanding human behaviours and social interactions. Many of the EPSRC-funded projects involve social science collaboration; however, a major proportion of social science research in this area is funded by ESRC, such as the various projects on Privacy and Trust under the ESRC e-Society Research Programme.

What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  24.  Clearly this is an area of importance and risk, both real and perceived, to the public. EPSRC is currently engaging with its Societal Impacts Panel to identify ways in which the research community in the ICT area can engage with the public to identify the issues, and any research challenges associated with them. In addition, ESRC is working with the Technology Strategy Board on a proposed call relevant to human factors in network security.

  25.  Individuals believe that the Internet Service Providers (ISPs) that provide access to the Internet in private homes should take some responsibility for providing a "safe" service. This could take the form of:

    —  "free" access to technical tools that can stop known threats (eg worms, SPAM and viruses) from being sent to individuals;

    —  having a system that automatically protects individuals from known attacks (eg TCP port scanning or access to phishing web sites);

    —  extending schemes such as the Central Sponsor for Information Assurance (CSIA) Claims Tested (CCT) kite mark to allow ISPs to demonstrate a commitment to protect individuals by agreed means; and

    —  a tax incentive for ISPs to participate in the agreed kite mark scheme.

  26.  "Free" to an individual includes not needing to know how the service works, just that it is active, current and effective. ISPs may wish to charge for this "safe" service but this is likely to discourage individuals. It may be more effective if ISPs received a tax incentive for participation in any such "safe" service.

  27.  Individuals may wish to use digital certificates to help increase their confidence in the on-line identity of others they deal with. This could include major websites, government organisations and banks. To gain any real benefit, this would require significant participation by a large number of individuals and organisations and would be unlikely to succeed if it was costly or required technical intervention by the individuals. Existing commercial and Government infrastructures could be expanded to form a national trust framework supporting the authentication and authorisation of individuals and organisations.

What factors may prevent private individuals from following appropriate security practices?

  28.  Individuals are aware that good security practice is in their interest. Often they just do not understand it. It is very difficult, if not impossible, to produce generalised accessible good security practices information that individuals wish to find and act on.

  29.  Some individuals are aware of on-line resources such as the Government IT Safe web site (http://www.itsafe.gov.uk/) and may purchase third-party add-on security products such as anti-virus software etc. As a society we have been led to believe that we must have access to the Internet 24/7, but few are prepared to pay for a renewable annual subscription to these "additional" services.

What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  30.  While it is possible for manufacturers to improve how their products work so that the risk to individuals is reduced, this is unlikely to happen on a national scale unless there is a clear financial gain or deterrent. A voluntary standards-based approach (such as an extended CSIA CCT scheme) may allow some to develop a market to attract new customers, but again this is unlikely to succeed if individuals do not get the benefits for free.

Who should be responsible for ensuring effective protection from current and emerging threats?

  31.  Manufacturers could take steps to improve the way their products work and reduce some of the exposure to individuals. This may benefit some market sectors and damage others. ISPs could pre-filter and control Internet traffic but some individuals may see this as a loss of privacy and a right to free speech. Ultimately individuals are responsible for their own actions, but care is needed to provide for the safety of vulnerable populations, especially children.

What is the standing of UK research in this area?

  32.  While the UK does not specifically have a leading reputation for academic research on IT security, there are some outstanding institutions that specialise in this and related fields. A number of UK companies have developed an authoritative reputation for advice. However, the UK does have a very strong position in research on trust and human-computer interaction, which could lead progressively to more flexible, understandable and safe protection systems.

  33.  As mentioned previously, ESRC is in discussions with the Technology Strategy Board about various collaborative opportunities between researchers and business relating to network security, which clearly relates strongly to issues around computer security. This would include investigating both technological and non-technological vulnerabilities in systems, and how they are used and implemented. This kind of initiative will draw in researchers from related areas to look at these issues and therefore develop research capacity in the field by utilising existing capacity in related areas of research.

GOVERNANCE AND REGULATION

  34.  Governance and regulation are issues generally considered at the development stage and by business more generally. EPSRC does not hold a position on governance and regulation, although ESRC funds a number of projects which have clear regulatory and governance relevance.

How effective are initiatives on IT governance in reducing security threats?

  35.  Current IT governance initiatives are largely targeted towards organisations and not individuals. They require IT security skills and funding to implement. As such, they have had little or no impact on private individuals. Given this, it may be considered that there are several anti-grooming paedophilia initiatives which could be considered as making some headway, although the question asked here appears to look at financial threats rather than grooming. Since individuals may be committing offences in regard to the intellectual property rights of companies and artists, this may be considered relevant in tackling criminal threats involving the specific use of these technologies.

How far do improvements in governance and regulation depend on international co-operation?

  36.  The Internet does not recognise national or state boundaries. Regulation within any state can be bypassed unless there are strong enforceable international agreements between states. A topical example of this is online gambling, which is illegal in some countries and not others.

Is the regulatory framework for Internet services adequate?

  37.  The current UK regulatory framework for ISPs is adequate but would benefit from additional guidance and enforcement, and should be regularly revisited to account for new developments.

What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

  38.  While some organisations use international standards for the management of IT security (ISO/IEC 27001:2005), these are not generally applicable to personal use of the Internet. A barrier to this is the potential for moral hazards. Organisations find achieving this standard complex, time consuming and costly with little visible return on investment.

CRIME PREVENTION

  39.  EPSRC provides a raft of underpinning research which may be used in the prevention of crime in this area, but is more usually exploited further down the development chain. There are occasional examples of specific research in this area (eg "Detecting and Preventing Criminal Activities on the Internet"—Professor D Parish, Loughborough), but as before these are either in response to a generic crime call or through open responsive mode.

How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

  40.  Individuals who have suffered direct loss usually wish that the perpetrator be prosecuted in some way, although the individual's first concern is that they should suffer no loss rather than that criminals be prosecuted. Often, with computer damage or crime, individuals feel that UK enforcement agencies are not coping with these threats. The inability to prosecute individuals after apparently tracing them is seen by many as a failure of the system. Again, individuals lack the legal and IT security skills to realise how difficult this apparently simple task can be.

Is the legislative framework in UK criminal law adequate to meet the challenge of cyber-crime?

  41.  CCLRC is unable to comment on how effective the legislative framework in the UK is in challenging cyber-crime. In 2004, the All Party Parliamentary Internet Group reported on the possible revision of the Computer Misuse Act 2000. Although the ESRC does not hold opinions directly on the standard of legislative frameworks, it does support researchers who clearly play a role in considering and addressing such issues and challenges. For example, ESRC funds researchers in International Relations, Socio-legal Studies and Criminology (AHRC funds research into Law).

How effectively does the UK participate in international actions on cyber-crime?

  42.  RCUK is unable to comment on how effectively the UK participates in international actions on cyber-crime.

[28]  http://www.parliament.uk/parliamentary_committees/lords_s_t_select/internet.cfm

© Parliamentary copyright 2007