United Kingdom Parliament
Select Committee on Science and Technology Written Evidence


Memorandum by THUS

INTRODUCTION

  THUS plc is a leading provider of Internet, data and telecoms services in the United Kingdom. Our Internet services are principally offered under the "Demon" brand in the UK.

  Internet security is of utmost importance to THUS, in terms of both the security of our own network and the security of our customers. It is in our own interests to ensure not only that the integrity of our network and brands remains intact, but also that our customers' needs are addressed. To this end we approach the problems from a number of angles:

    —  We have a dedicated Network Abuse team that deals with complaints and acts proactively to address issues before they become a problem.

    —  We participate in various working groups and forums, such as the Internet Crime Forum, the Internet Service Provider Association working groups, as well as interacting with government and law enforcement on the issues either directly or via these groups.

    —  We work with industry partners to ensure that issues are addressed speedily.

    —  We provide information to our customers and help them resolve any issues as well as providing details of what to look out for.

    —  Future work includes considering a "walled garden" approach to fencing off affected customers until their networks are repaired, more online advice and developing our online offerings such as our spam filtering service.

  We believe that we all have a role to play in addressing security issues online and that ISPs are only part of that solution. Software companies, legislators and Internet users all have a part to play.

DEFINING THE PROBLEM

What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

  The main issue that we see affecting customers' security is the proliferation of compromised machines that are being used to distribute the vast majority of spam. Spotting and fixing these "zombies" accounts for the bulk of the work of the Network Abuse team.

  Although spam in itself is an issue, these zombies are being used to spread other associated security risks, such as phishing scams and viruses as well as the capturing of personal data via keyloggers.

What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

  We detect breaches in a number of ways: by responding reactively to reports and complaints about our customers' compromised machines, and by spotting trends in the email traffic data (ie unusual patterns with email and viruses). We also monitor spam blocklists to ensure that our network is not blocked; this helps us identify new issues (ie specifically what led to us appearing on the blocklist in the first place).

  We also work with partners in industry to help their customers. Specifically a number of these partners have a "spam" button which can be used to send us reports about spam originating on our network.

  Furthermore we provide information to our customers when they join our services and work with them to resolve any compromised machines. We have plans to increase the amount of information that we provide to our customers as well as other technical solutions to limit the effect compromised machines have on our network and other Internet users.

How well do users understand the nature of the threat?

  In dealing with the issues highlighted above, we have come up against a number of common problems:

    —  Customers' machines are poorly configured, so they are running as open mail proxies (allowing anyone to send email via their mail servers).

    —  Customers have poor password policies.

    —  Customers' anti-virus and anti-spyware software is not kept up to date or monitored to ensure it is functioning properly.

    —  Customers don't ensure that their operating systems and software are fully patched.

    —  Customers have poor policies for allowing who has access to their networks, particularly when it comes to laptops (that may access other networks) and wireless networks with no or poor encryption.

    —  When fixes are available it can take days or sometimes weeks before they catch up with the problem.

    —  If we provide too much information about security issues then often customers lose interest.

    —  Identifying the true perpetrator of the breach is too resource intensive, so most effort is on fixing the problem rather than investigating the cause.

TACKLING THE PROBLEM

What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs?

  The Internet industry is already taking these matters seriously. Everybody, though, has a role to play: software vendors to make their security tools easier to use; PC vendors to ensure that preinstalled software is properly configured, up to date and preconfigured with suitable security software, etc.

  Also everyone can play a role in educating users about the dangers and how to avoid them, be they parents, concerned consumers or businesses. But, we must also be careful here not to scare people off the Internet because they are too worried about the risks, as this could be costly for the development of the economy and cost more than the risks we're trying to protect them from.

What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  According to recent press reports[34], consumers are more concerned about Internet security issues than they are about more "conventional" crimes such as burglary. But, although many may know about the various risks, they are perhaps not knowledgeable enough to spot them when they arise or fix them.

  When we work with our customers to resolve issues we often find that the problem can be resolved, but push too much information at the customer and they will often lose interest. This is more likely the case with consumers than business users.

What factors may prevent private individuals from following appropriate security practices?

  Lack of understanding of the issues and how to fix them, which may in part be caused by poor usability of the tools available to help.

What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  This question is probably best answered by software and hardware vendors, but it would seem that the trick is to get the balance right. Too much enforced protection and the systems become unusable and frustrating to the user and get turned off; too little and the user's lack of knowledge means they are unlikely to spot problems soon enough.

Who should be responsible for ensuring effective protection from current and emerging threats?

  Although Internet Service Providers like THUS are doing a lot for their own customers and therefore the Internet community as a whole, a nationwide education and safety campaign and a central point for information to educate the user is needed (services such as http://www.itsafe.gov.uk are a good start but could probably do with more exposure).

GOVERNANCE AND REGULATION

How far do improvements in governance and regulation depend on international co-operation?

  As the Internet is a global phenomenon, regulating in the UK or indeed across Europe is unlikely to prevent the bulk of issues, as they are worldwide issues.

Is the regulatory framework for Internet services adequate?

  We would like to see a universal ban on spam in the UK, not just spam to consumers, but to businesses also.

CRIME PREVENTION

How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

  Since most of these security issues originate outside the UK, it is difficult to see how any kind of national crime prevention policy can affect this area. This needs to be approached at a European and global level.

23 October 2006




34   http://news.bbc.co.uk/1/hi/technology/5414696.stm


 

© Parliamentary copyright 2007