Memorandum by Margaret Smith
WHO AM I?
I am currently an independent consultant. I
have been an active technician, then manager and then director
for IT and e-commerce in the private sector for 36 years. I have
been co-opted onto the IET IT sector panel. As part of that committee
I was asked to comment on the Eurim response on Personal Internet
Security. I believe very strongly that this is an issue that needs
focus and resolution sooner rather than later. However, the resolution
must be practical, pragmatic and easily updateable as technological
advances demand. My overriding concern is that the culture change
we need to address will not happen and therefore we need to put
measures in place that are practical, easy to use and not costly
for the citizen.
My response is structured around the questions
and follows the same format as the Eurim response. I believe the
Eurim response to be a good response and so have only commented
where I differ or have an additional view. I would be delighted
to assist further in whatever ways are most helpful.
DEFINING THE PROBLEM
The problem as I see it is that technology in
the guise of the Internet, mobile phones and even multi channel
TV affords the citizen the ability to do things that make their
lives easier/quicker/more interesting, at the same time as opening
up their personal data to people that abuse this information.
However to tackle the problems properly each problem needs defining
correctly and fully. An action plan then needs to be created to
solve these problems in order of priority. The action plans must
be cost effective and not impact the citizen's ease of use too
much. Many parts of society have an interest in being part of
the debate but often each party looks at it from their own particular
discipline. By defining the totality of each problem the correct
disciplines can be pulled together. Not enough use is made of
companies who specialise in protection.
New ways of storing and accessing data exacerbate
the problem. For instance, is the Committee looking at the position
that Google is taking? For example, would every citizen be aware
that, by using Google searches, Google can at a later date publish
your personal info on their search lists (unless you are knowledgeable
and protect yourself)?
The Government itself must follow good practice
in ensuring that its own systems are both adequately secure as
well as accessible and "user-friendly". They must also
share widely this best practice and importantly learn from private
sector best practice.
What is the nature of the security threat to private
individuals? What new threats and trends are emerging and how
are they identified?
The Internet is an open-access network of networks
with security and authentication constantly being added and updated.
The primary funding of this security is by corporations and governments.
The citizen only pays for software to protect themselves on their
private PCs when they deem it to be necessary or if they have
been hit. Organisations, both private and public, make sure that
they set up appropriate security when opening their systems to
individual use outside of the company firewall.
The Internet has changed the life of most people
and has given them various capabilities at a very cheap price.
Freedom. We must make sure that we don't force an overkill and
reduce the benefit or put people off using the Internet. The use
of Skype must be included in whatever actions come out of this
piece of work.
What is the scale of the problem? How are security
breaches affecting the individual user detected and recorded?
The nature of e-business is that in the private
sector the security teams already have information exchanges that
work in real time. Could these informal exchanges be extended
and used to channel information and awareness training? Most companies
don't tell the police of security breach matters because "somehow"
it gets to the police who "talk" to journalists. We
do need to help the public recognise phishing and give them somewhere
easy to report it, as currently they don't.
There also needs to be central trend monitoring
so that new types of attack and problem can be spotted early.
How well do users understand the nature of the
threat?
There is an age thing here. I believe (and it is
what I have seen) that the young, the middle-aged and the
older users use the Internet/technology differently. These differences
give rise to different actions/needs. Usability labs need to test
and highlight the differences. Maybe even teen advisors and grey
advisors should be recruited. The young are instrumental in using
things differently to us "oldies" and we need to work
on this.
TACKLING THE PROBLEM
What can and should be done to provide greater
computer security to private individuals? What, if any, are the
potential concerns and trade-offs?
I believe that it should be up to the ISPs to
block emails from certain countries that do not police things properly
within their own borders. Some countries do not force a website
to close even if it is mimicking a website in another country.
An example of this was a person who launched an attack against
L&G by putting up websites that purported to be official sites
but were there to criticise L&G. It became increasingly difficult
to close the websites as they were not registered in the UK. A
person would be able to say that they wanted to receive emails
from that country. The WWW is global and therefore there does need
to be a global debate. However, sorting out problems in the UK
should not wait for this debate to reach a conclusion.
What is the level of public awareness of the threat
to computer security and how effective are current initiatives
in changing attitudes and raising that awareness?
I do not believe the citizen will protect themselves
with the necessary degree of rigour. In speaking to a lot of normal
users of the net they simply get frustrated and give up. Awareness
is vital but we cannot depend on them protecting themselves (just
as in real world crime). Automatic security driven by the ISPs
is more practical and more likely to address the issue.
What factors may prevent private individuals from
following appropriate security practices?
Symantec currently do a lot of this help/education
already. Just get them to publish it. Make this awareness work a
condition of their licence, and of every other appropriate vendor's
as well.
The school curriculum should have this as a
mandatory part, but it should be built by kids for kids (i.e. people
who know). All awareness needs to address the relevant audience.
Why not run a competition for sixth formers or GCSE students to
build it for the country and publicise it? Do the same for the
pensioners.
What role do software and hardware design play
in reducing the risk posed by security breaches? How much attention
is paid to security in the design of new computer-based products?
No private sector company would go for awards.
Vendors would, but would the public be interested in vendors winning
awards?
Who should be responsible for ensuring effective
protection from current and emerging threats?
The Eurim recommendation ("Safety and security
has to be treated as part of the mainstream corporate social responsibility
and good citizenship programmes of all those who wish their customers,
citizens and taxpayers to make confident use of on-line products
and services") is impractical, and the citizen won't do this unless
it is easy, quick, cheap and non-intrusive.
What is the standing of UK research in this area?
Why do we need UK research? What about all the
other tech players who are more appropriate? This is a global problem/issue
and we should only do research if it is relevant to the culture
of the UK.
GOVERNANCE AND REGULATION
How effective are initiatives on IT governance
in reducing security threats?
I totally agree with the Eurim recommendation
("all proposals for new regulatory regimes must be subjected to
a full systems review and impact analysis to check how they will
achieve the objectives stated and at what cost to legitimate business,
given current and prospective technologies and business models");
however, it must be done pragmatically and not with auditors.
CRIME PREVENTION
How effectively does the UK participate in international
actions on cyber-crime?
We need to involve eBay, Google and others who are more
involved with using the net in new and revolutionary ways.
February 2007