Memorandum by ISPA UK
ISPA UK
1. ISPA is the trade association for companies
involved in the provision of Internet Services in the UK. ISPA
was founded in 1995, and seeks to actively represent and promote
the interests of businesses involved in all aspects of the UK
Internet industry. ISPA currently has over 150 members, representing
around 95% of the UK Internet access market by volume.
INTRODUCTION
2. ISPA welcomes the House of Lords Science
and Technology Committee inquiry on personal Internet security,
but is concerned to ensure that the nature of the Internet is
not misunderstood and hopes that this response offers clarity
on how ISPs in the UK are working together and with their consumers
to promote personal Internet security.
3. Although this inquiry is billed as the
first parliamentary study on this issue, this is an area that
ISPA has been committed to addressing since its inception in 1995,
as well as being an issue that has gained a significant amount
of coverage recently and much interest in the political arena.
The All Party Parliamentary Internet Group (APIG) visited Washington
DC in February 2005 to discuss how the UK and US could lead the
way in tackling various network integrity and Internet security
issues, including spam, viruses, zombie computers, rogue dialers
and denial of service attacks. Other government led industry groupings
include the Home Office inspired Internet Crime Forum (ICF), the
DTI anti-spam working group and the London Action Plan among other
related initiatives.
4. ISPA's current activity on personal Internet
security includes the planned annual ISPA Parliamentary Advisory
Forum (PAF) to be held in January 2007 on the topic of Personal
Internet Security bringing together key industry players, government
officials, parliamentarians and lawyers in debate and discussion.
ISPA has also recently met with the Office of Fair Trading regarding
their Market Study into Internet Shopping where ISPA emphasised
the ongoing work that ISPA Members are involved in to promote
personal Internet security. A number of ISPA members are, for
example, actively supporting the latest phase of the Get Safe
Online awareness campaign.
5. ISPA is strongly committed to combating
the threats to personal Internet safety. ISPA agrees with the
approach advocated by UK Government emphasising shared responsibility
and firmly believes that the ISP industry is only one part of
the equation in response to such threats. Other parts of the equation
include software companies, the formal schooling and education
system including adult education, independently produced advice
and guidance available online, branded product differentiation
and a whole wealth of complementary approaches developed in tandem
with those offering services online.
DEFINING THE PROBLEM
What is the nature of the security threat to private individuals?
What new threats and trends are emerging and how are they identified?
What is the scale of the problem? How are
security breaches affecting the individual user detected and recorded?
How well do users understand the nature of
the threat?
6. ISPA members take the security of their
customers very seriously and offer products and services such
as consumer education material to help consumers protect themselves.
ISPA strongly agrees with the Department of Trade and Industry's
(DTI) approach to dealing with cyber security which advocates
a three-pronged approach comprising end user education, technical
(network or provided to users) solutions and global co-operation
on enforcement.
7. However, it is important not to forget
that many security threats that are present online do not differ
greatly from the threats that present themselves to consumers
offline. This includes scams known as Nigerian money transfer
fraud or 419 scams which are received by post, fax and email,
identity theft which can occur both through phishing attacks or
letters being taken out of a dustbin and intrusion which is not
merely confined to the online world.
8. There is widespread misunderstanding
regarding the nature of the threat, and ISPA members are committed
to working with their customers to help address this by highlighting
ways users can minimise the threat and informing their customers
how they can better protect themselves.
9. The increasing number of zombie computers
is a prime example of a security threat that users can avoid by
using the advice given by their ISP. A zombie is a computer attached
to the Internet that has been compromised by various means and
is often used without the knowledge of the owner to perform malicious
tasks under remote direction. Most owners of zombie computers
are unaware that their system is being used in this way, but with
the help of their ISP could take simple steps to easily rectify
the problem. Infected zombie computers are now the major delivery
method of unsolicited commercial email, also known as spam. It
is estimated that they send between 50-80% of all spam worldwide.[1]
This is a self-perpetuating problem and it seems that many users
are unaware that their system is being used in this malicious
way. ISPs provide a number of solutions and products to minimise
the problem and are working to inform users of the simple steps
that they can take to protect themselves. In this way ISPA believes
that inroads can be made into greatly reducing these types of
security threats and breaches.
TACKLING THE PROBLEM
What can and should be done to provide greater
computer security to private individuals?
10. ISPA supports the Government endorsed
multi-stakeholder approach and believes that its members have
a responsibility to provide clear information for consumers and
simple products for consumers to use to address the security threats
that present themselves in the online world. However, an ISP should
be likened to a locksmith. While a locksmith can provide an individual
with a lock they cannot oblige the individual to use the lock
and bolt the door. In the same way although an ISP can promote
the security tools that they provide they cannot compel a consumer
to make use of them. Users also have a responsibility to take
reasonable measures to protect the computer and other equipment
that they are using.
What, if any, are the potential concerns and trade-offs?
11. ISPs invest heavily in the development
and deployment of security solutions. Consumers and ISPs alike
will both benefit from a secure network which would result from
an increased take up of security solutions.
What is the level of public awareness of the threat
to computer security and how effective are current initiatives
in changing attitudes and raising that awareness?
12. Many UK ISPs regularly run specific
campaigns to promote security information. Get Safe Online (GSOL)
is a joint government and industry initiative designed to help
protect consumers against Internet threats. Supported by a wide
grouping of industry and government, GSOL offers advice about
rectifying common online security problems. Government sponsors
include the Cabinet Office, DTI, Home Office, Serious Organised
Crime Agency (SOCA) and the National Infrastructure Security Co-Ordination
Centre. ISPA believes that joined up Industry action by the various
sectors affected by the threats to online security in the UK will
be the only way to fully combat online security threats. The wide
range of industry participants involved in GSOL from the Communications,
Banking and Security industries demonstrates that GSOL has started
to facilitate this. However, while consumer awareness has been
raised there is still a long way to go in changing consumer attitudes.
What factors may prevent private individuals from
following appropriate security practices?
13. The major factor preventing private
individuals from following appropriate security practices
is not a lack of awareness, or an under-provision of technical
solutions, but rather a lack of confidence and the misconception
that expert knowledge is required.
What role do software and hardware design play
in reducing the risk posed by security breaches? How much attention
is paid to security in the design of new computer-based products?
14. The industry is aware of the potential
threat to its own networks and customers so products are designed
with this in mind. ISPs work closely with law enforcement specialist
units to gain better knowledge of how products are misused so
this can be taken into account when designing new products or
new versions.
Who should be responsible for ensuring effective
protection from current and emerging threats?
15. We support the UK Government's multi-stakeholder
approach as defined above.
GOVERNANCE AND REGULATION
How effective are initiatives on IT governance
in reducing security threats?
16. UK Government has played a significant
role in reducing security threats through the various policy and
advice initiatives previously mentioned in this response.
How far do improvements in governance and regulation
depend on international co-operation?
17. ISPA has high hopes for the upcoming
Internet Governance Forum (IGF), an international multi-stakeholder
policy forum that will discuss Security as one of its topics when
it meets at the end of October 2006. This will help to consolidate
the international co-operation which has already been mentioned
in this response, as well as being a vital component of the
multi-pronged approach to dealing with cyber crime.
Is the regulatory framework for Internet services
adequate?
18. ISPA firmly believes that the current
market based approach is fit for purpose, and should not be changed.
For the past 10 years ISPs in the UK have been at the forefront
of proving that self-regulation is a viable model for the Internet
industry and that it works effectively. A clear endorsement of
the success of this model is the approach to self-regulation adopted
in the UK's Communications Act 2003 and applied by the UK's national
regulatory authority, Ofcom.
19. ISPs in the UK have spearheaded efforts
to help consumers use the Internet safely whilst maintaining consumers'
access to the vast array of resources that can be accessed via
the Internet. As a testament to the commitment of ISPs to help
and support their customers, many of the tools offered by ISPs
to consumers to help them manage their own online experience have
developed over time as new issues arise. A number of ISPs currently
provide access to forms of parental control that users can apply
themselves through a selection of various levels of protection.
Equally, ISPs provide advice and guidance on how to avoid or prevent
becoming a victim of scams such as rogue diallers or having their
service compromised by a virus. It is common for users to be provided
with information on how to check whether their equipment has been
attacked and also, where to look for software that offers protection
from such infection.
20. Most ISPs operate help lines and offer
service within the framework of an Acceptable Use Policy. This
has proved to be a clear benefit to users and provides transparency
to a user on the actions their ISP will take to protect the service
offered for all customers. This applies regardless of the type
of service (dial-up, broadband, business or residential) taken
by a customer and demonstrates a clear commitment on the part
of ISPs to manage provision of service across the industry. Customers
are given regular updates on risks associated with spam attacks
and other malicious activity.
21. ISPA and its members have also taken
a number of initiatives to help customers identify the appropriate
contact points for specific types of concern. These include:
a. In 1996 the Internet Industry set up the
Internet Watch Foundation (IWF) to provide a hotline for Internet
users so illegal content hosted in the UK could be removed from
the Internet. IWF figures show that in 1997, 18% of child abuse
images were hosted in the UK. This figure is now down to significantly
less than 0.2% due to the responsible approach by the Internet
industry in the UK. Home Office Minister Vernon Coaker MP recently
(September 2006) praised the UK's ISP Industry for their work
over the last ten years in successfully tackling CAI hosted in
the UK highlighting the importance of partnership.
b. The ISPA Code of Practice ensures members
comply with a "Notice & Takedown" regime as outlined
in the eCommerce Directive and UK regulations, while ensuring
that ISPs are not liable for illegal content of which they are
unaware. It is currently estimated that there are over 15 billion
websites around the world, with this figure ever increasing, which
can be updated constantly. It is impossible, in practice, to monitor
such a vast amount of content. If the Police, a judge or the IWF
asks ISPs to take down illegal material then it is removed swiftly.
c. ISPA works closely with the Police and
is involved in the work of the Internet Crime Forum (ICF) which
looks at ways in which ISPs and law enforcement can tackle crime
relating to Internet use such as chat rooms, newsgroups and on-line
child "grooming".
22. The evidence shows that ISPs are committed
to helping consumers. This industry-wide focus has encouraged
ISPs to strive for best practice through self-regulation, and
the development of appropriate tools to deal with differing issues
suggests this is very much the norm.
23. The ISP industry in the UK has proved
that the Internet industry is working in harmony to promote safety
online. This is evidence of co-operation and the ability to work
together, proving that self regulation is possible and that
it works.
24. However, the ISP industry is only one
part of the equation in response to threats to personal Internet
safety and a whole wealth of complementary approaches including
formal schooling, adult education, independently produced advice
and guidance available online, branded product differentiation
and co-operation from all sectors of UK industry providing online
services is needed.
25. ISPA firmly believes that the Lords
Science and Technology Select Committee should not consider regulating
the activities of ISPs as a panacea to the problem of personal
Internet security. Rather, personal Internet security must be
viewed as part of a bigger picture. ISPs welcome being a part of
the wider approach to promoting personal Internet security, but
they are not the body with which the issue should end. ISPA believes
that additional regulation would not be an appropriate way forward
and, rather than stifling innovation, Government should support
a market-based approach to producing security solutions for users
and promote awareness among users on simple steps they can take
to promote their own online security.
What, if any, are the barriers to developing information
security systems and standards and how can they be overcome?
26. ISPA believes that strict and stringent
regulation in this area would be a barrier to developing information
security systems and standards, and that a flexible approach is
needed in order to be responsive to problems as they arise. A
technology neutral stance combined with a flexible self regulatory
regime involving all relevant stakeholders and an industry-led
standards process are needed in this area to safeguard future
innovation.
CRIME PREVENTION
How effective is Government crime prevention policy
in this area? Are enforcement agencies adequately equipped to
tackle these threats?
27. ISPA welcomed the work of the now disbanded
National High-Tech Crime Unit (NHTCU) and worked closely with
the team. ISPA has since established good contacts with the Metropolitan
Police eCrime Unit and will continue to forge successful dialogues
and partnerships with the relevant Law enforcement bodies.
Is the legislative framework in UK criminal law
adequate to meet the challenge of cyber-crime?
28. ISPA supports the current legislative
framework with key components including the Regulation of Investigatory
Powers Act (RIPA) and the Computer Misuse Act (CMA) but would
welcome more stringent remedies against spammers.
How effectively does the UK participate in international
actions on cyber-crime?
29. ISPA regrets the dropping of eCrime
from the G8 agenda. However, ISPA supports the UK's involvement
in the various different international initiatives already mentioned
in this response, and hopes that the IGF discussions will work
to increase international participation. Additionally many ISPA
members with an international presence participate globally in
new technology groups which work on an International basis.
23 October 2006
[1] June 2006 study by Ironport: http://www.ironport.com/company/ironport_pr_2006-06-28.html