
HOUSE OF LORDS
Science and Technology Committee
5th Report of Session 2006-07

Personal Internet Security

Volume I: Report


Ordered to be printed 24 July 2007 and published 10 August 2007

Published by the Authority of the House of Lords

London: The Stationery Office Limited £16.50 (inc VAT in UK)

HL Paper 165-I

Science and Technology Committee


The Science and Technology Committee is appointed by the House of Lords in each session "to consider science and technology".

Current Membership
The Members of the Science and Technology Committee are:
Lord Broers (Chairman)
Lord Colwyn
Lord Haskel
Baroness Finlay of Llandaff (co-opted)
Lord Howie of Troon
Lord Patel
Lord Paul
Baroness Perry of Southwark
Baroness Platt of Writtle
Earl of Selborne
Baroness Sharp of Guildford
Lord Sutherland of Houndwood
Lord Taverne
For members and declared interests of the Sub-Committee which conducted the inquiry, see Appendix one.

Information about the Committee and Publications


Information about the Science and Technology Committee, including details of current inquiries, can be found on the internet at http://www.parliament.uk/hlscience/. Committee publications, including reports, press notices, transcripts of evidence and government responses to reports, can be found at the same address.

Committee reports are published by The Stationery Office by Order of the House.

General Information
General information about the House of Lords and its Committees, including guidance to witnesses, details of current inquiries and forthcoming meetings is on the internet at: http://www.parliament.uk/about_lords/about_lords.cfm

Contacts for the Science and Technology Committee


All correspondence should be addressed to: The Clerk of the Science and Technology Committee, Committee Office, House of Lords, London SW1A 0PW. The telephone number for general enquiries is 020 7219 6075. The Committee's email address is hlscience@parliament.uk.

CONTENTS

Abstract

Chapter 1: Introduction (page 7)
  Background and acknowledgements (page 8)

Chapter 2: Overview: the Internet and personal security (page 10)
  The Internet: basic definitions (page 10)
  Tracing Internet traffic (page 12)
  Security threats on the Internet today (page 13)
  The scale of the problem (page 15)
  Research and data collection (page 17)
  Conclusions and recommendations (page 19)

Chapter 3: The network (page 20)
  The prospects for fundamental redesign of the Internet (page 20)
  Recommendation (page 21)
  The 'end-to-end principle' and content filtering (page 21)
  Who is responsible for Internet security? (page 23)
  Conclusion (page 26)
  Network-level security (page 26)
  Internet service provision (page 27)
  The 'mere conduit' defence (page 31)
  Voice over Internet Protocol (page 32)
  Recommendations (page 32)

Chapter 4: Appliances and applications (page 34)
  Usability vs security (page 34)
  Maintaining security: patching and security software (page 36)
  Emerging threats and solutions (page 38)
  Vendor liability (page 38)
  Conclusions and recommendations (page 41)

Chapter 5: Using the Internet: businesses (page 43)
  Overview (page 43)
  Security standards (page 44)
  Incentives (page 47)
  The enforcement regime (page 51)
  Conclusions and Recommendations (page 53)

Chapter 6: Using the Internet: the individual (page 54)
  Overview (page 54)
  Individual skills (page 54)
  Awareness vs knowledge (page 55)
  Sources of information and advice (page 56)
  The role of Ofcom (page 57)
  Education (page 58)
  Personal safety online (page 60)
  Recommendations (page 62)

Chapter 7: Policing the Internet (page 64)
  Overview (page 64)
  The legal framework (page 64)
  High volume, low denomination crime (page 67)
  Reporting procedures (page 68)
  The structure of law enforcement (page 71)
  Police skills and resources (page 72)
  International action (page 75)
  The courts (page 76)
  Sentencing (page 77)
  Conclusions and recommendations (page 78)

Chapter 8: Summary of Conclusions and Recommendations (page 80)
  Overview: The Internet and Personal Security (page 80)
  The network (page 80)
  Appliances and applications (page 81)
  Using the Internet: businesses (page 82)
  Using the Internet: the individual (page 83)
  Policing the Internet (page 83)

Appendix 1: Members and Declarations of Interest (page 86)
Appendix 2: Witnesses (page 88)
Appendix 3: Call for Evidence (page 92)
Appendix 4: Seminar held at the Institution of Engineering and Technology

Note: The Report of the Committee is published in Volume I (HL Paper 165-I); the evidence is published in Volume II (HL Paper 165-II). References in the text of the Report are as follows: (Q) refers to a question in the oral evidence; (p) refers to a page of written evidence.

ABSTRACT

The Internet is a powerful force for good: within 20 years it has expanded from almost nothing to a key component of critical national infrastructure and a driver of innovation and economic growth. It facilitates the spread of information, news and culture. It underpins communications and social networks across the world. A return to a world without the Internet is now hardly conceivable.

But the Internet is now increasingly the playground of criminals. Where a decade ago the public perception of the e-criminal was of a lonely hacker searching for attention, today's "bad guys" belong to organised crime groups, are highly skilful, specialised, and focused on profit. They want to stay invisible, and so far they have largely succeeded. While the incidence and cost of e-crime are known to be huge, no accurate data exist.

Underpinning the success of the Internet is the confidence of hundreds of millions of individual users across the globe. But there is a growing perception, fuelled by media reports, that the Internet is insecure and unsafe. When this is set against the rate of change and innovation, and the difficulty of keeping pace with the latest technology, the risk to public confidence is clear.

The Government have insisted in evidence to this inquiry that the responsibility for personal Internet security ultimately rests with the individual. This is no longer realistic, and compounds the perception that the Internet is a lawless "wild west". It is clear to us that many organisations with a stake in the Internet could do more to promote personal Internet security: the manufacturers of hardware and software; retailers; Internet Service Providers; businesses, such as banks, that operate online; the police and the criminal justice system.

We believe as a general principle that well-targeted incentives are more likely to yield results in such a dynamic industry than formal regulation. However, if incentives are to be effective, they may in some cases need to be backed up by the possibility of direct regulation. Also, there are some areas, such as policing, where direct Government action is needed. So Government leadership across the board is required. Our recommendations urge the Government, through a flexible mix of incentives, regulation, and direct investment, to galvanise the key stakeholders.

The threat to the Internet is clear, but it is still manageable. Now is the time to act, both domestically, and internationally, through the European Union and through international organisations and partnerships.

Personal Internet Security


CHAPTER 1: INTRODUCTION

1.1. The Internet is a global network of millions of interconnected computer networks linking hundreds of millions of machines used by over a billion people. It transfers data between these machines in such a way that the computers at each end of a connection need not be aware of each other's physical location, or the technical details of the many intervening data transmission systems.

1.2. The origins of the Internet lie in the 1970s, but it was opened to commercial traffic in 1985, began to be widely used by individuals in the early 1990s and is now so important that it is deemed to be part of the critical national infrastructure of all developed nations.

1.3. The Internet underpins a considerable amount of global economic activity, permitting huge changes in traditional business models. It has also radically changed the way in which individuals are able to access information, entertain themselves, and even the way in which they meet their partners. It has undoubtedly been, and continues to be, a powerful force for good.

1.4. It is also a complex phenomenon that continues to evolve and grow at a rapid pace. In March 2007 the total number of Internet users world-wide was put at 1.114 billion, or 16.9 percent of the world's population. Internet penetration continent by continent varies from 3.6 percent in Africa to 69.7 percent in North America. In the United Kingdom Internet penetration is 62.3 percent, among the highest in Europe, with growth from 2000-2007 put at 144.2 percent.1 Some eastern European countries have seen growth over the same period, albeit from very low levels, of well over 1,000 percent.

1.5. The fast-changing technology underpinning this growth in Internet use is very poorly understood by the vast majority of its users. Indeed, one reason for the prodigious success of the Internet is that users can "surf the web" without having to understand the technical means by which information is accessed or communicated. The many layers of technology that lie beneath the interface seen by the user, typically a software application known as a web browser, are effectively hidden. But just as the technology is for most users invisible, so are the risks. These risks are manifold. They threaten personal security, that is to say, they may undermine the individual's ability to control the information that they have entered into or stored on connective devices such as PCs, mobile telephones, or databases operated by commercial organisations, government agencies and others. Victims typically suffer financial loss through fraud, though in cases of identity theft they may also suffer loss of reputation, or, in extreme cases, may be accused of crimes they did not commit. Online risks may also impact upon personal safety, by which we mean they may lead to direct physical or psychological harm to the individual. One high-profile threat is that posed to children by predatory paedophiles, who conceal their true identity whilst using the Internet to "groom" potential victims. Probably far more common is the online bullying of children by their peers, while even adults who injudiciously disclose personal information online have found that their personal physical safety has been compromised.

1 Source: Internet World Stats (http://www.internetworldstats.com/stats.htm).

1.6. The title of this Report is Personal Internet Security: we have considered primarily issues pertaining to individual experiences of the Internet. We have not generally considered business security issues, except insofar as these affect the security of the data of individual customers. Thus we have made recommendations around the theft of personal data but not around industrial espionage. Nor have we considered matters of business continuity, risks to services, or possible failure of the critical national infrastructure as a result of the Internet ceasing to operate for an extended period. These are all important issues, but outside the scope of this Report.

1.7. We have heard many analogies in the course of our inquiry. None of these analogies is exact: the Internet is not like any other technology or industry that has ever been created before. Nevertheless, we have found analogies useful, if not in developing conclusions and recommendations, then at least in structuring our evidence and our arguments in a readily comprehensible form. The analogy that underpins the structure of this report derives from road transport. Within the road transport system, the safety or security of the individual road user is protected at several levels:

• The network: roads are designed and engineered for safety, maintained, lit, sign-posted, and so on.

• The equipment that uses the network: cars and other vehicles that use the network have safety features built into their design.

• Individual users themselves: they are taught how to drive, subjected to testing; their behaviour may be monitored; social pressures are also exerted.

• The policing of the network: there is a clearly defined legal framework for the use of the network; those who breach the law risk prosecution.

1.8. These headings have helped us to establish a clear and comprehensive analytical approach to Internet security, embracing technical security (at both network and appliance level), individual behaviour, and policing. The bulk of this report is therefore structured around these main headings. First, however, we describe the background: the history of the Internet, its major technical features, and the nature of the threat faced by individual users.

Background and acknowledgements

1.9. The membership of the sub-committee is set out in Appendix 1, and our call for evidence, published in July 2006, in Appendix 3. Those who submitted written and oral evidence are listed in Appendix 2. We would like to thank all of our witnesses, as well as those who submitted articles, briefings and other materials in the course of the inquiry.

1.10. We launched this inquiry with a seminar, held at the Institution of Engineering and Technology, in November 2006, and a note of the seminar is given in Appendix 4. We are very grateful to all participants in this event.

1.11. We would like to put on record our thanks to the Deputy Ambassador in Washington, Alan Charlton, the Consul General in San Francisco, Martin Uden, and all their staff, for their help in organising a hugely valuable visit to the United States in March 2007. We are also grateful to a number of people who, while not appearing formally as witnesses, have been extremely generous in offering assistance and advice, in particular Linda Criddle of Look Both Ways and Ed Gibson of Microsoft.

1.12. Finally, our Specialist Adviser for this inquiry was Dr Richard Clayton, of the University of Cambridge Computer Laboratory. His expertise in computer security has been invaluable to us throughout the inquiry. However, our conclusions are ours alone.

CHAPTER 2: OVERVIEW: THE INTERNET AND PERSONAL SECURITY

The Internet: basic definitions

2.1. A computer network is a group of computers connected by means of a telecommunications system, so that they can communicate with each other in order to be able to share resources or information. An internet is a set of interconnected computer networks, and the Internet (capitalised to distinguish the specific example from the generic term) is the global network of interconnected networks that transmits data by means of the "Internet Protocol" (IP), a specific set of rules and conventions that defines how information is communicated over the many disparate networks that make up the Internet.

2.2. As illustrations (such as the widely disseminated image that appears on the front cover of this Report) make clear, the Internet is not a single network, but rather a complex network of networks. These networks are linked by virtue of a shared paradigm for communicating information known as "packet switching".

2.3. Packet switching was first developed in the 1960s for the United States Department of Defense-sponsored ARPANET, the precursor of the modern Internet. When end-users communicate in a traditional "circuit switching" system a dedicated channel is established between them that others cannot use. In a "packet switching" network, the data sent between the end points are broken down into "packets", which are then routed between the various "nodes" (that is, devices) that make up the network. The routing may change from packet to packet and, at any given time, a link between particular nodes may be shared by many packets passing between different end users. Each packet carries the address to which it is sent and it is only at that end-point that the data stream is reconstructed. The way in which information is processed within the network as generic packets means that different technologies (wireless networks, fibre-optic cables, and so on) can be used interchangeably.

2.4. Packet switching underpins the Internet Protocol, allowing a more efficient and robust use of communications networks. It has also contributed to the astonishing creativity and innovation of the online world, by allowing the separation, or "abstraction", of the functions of the various layers of the network. This was described in very clear terms in a briefing paper2 annexed to the written evidence by LINX, the London Internet Exchange:

"The principle of Abstraction of Network Layers states that there are different layers in a network and each one has a specific function, with clear boundaries between adjacent layers. For example, only the application layer understands the content that is being carried over the network. The networking layer is only responsible for addressing and routing, and understands neither the data that it is transporting nor the physical characteristics nor location of the underlying physical layer."

2.5. Thus the fundamental core of the network, the wires, cables, and so on, can remain relatively stable whilst new communications technologies, such as wireless networking, can be used to supplement, without needing to replace, existing infrastructure. Above the physical and datalink layers is the network layer, which deals with the transmission of packets, via intermediate routers, to their intended destinations. At the topmost layer are the applications that run on the end-user machines, interpreting data and providing a user interface. This layering is enormously valuable in allowing innovation at all levels. In the words of Malcolm Hutty, of LINX,

"By keeping all these things separate and by keeping all the complexity at the edges, we are able to create new services and to upgrade existing services over time, without having to rewrite everything and without needing the co-operation of every single party in it ... This, to our mind, has been the principle reason why the Internet has been so successful ... because it allows everybody to bring along their own contributions without needing everybody else's co-operation" (Q 725).

2 Not published as evidence.

2.6. The most striking example of such innovation was the development of the World Wide Web, by Tim Berners-Lee and his colleague Robert Cailliau at CERN, which unlocked the potential of the Internet for the general user. Their proposals for a World Wide Web, published in 1990, described in outline a system that allowed both the location of pages of information by means of Uniform Resource Locators (URLs, more correctly now known as Uniform Resource Identifiers or URIs), and the creation of links between such pages of information by means of "hypertext".

2.7. Many terms that are commonplace today, such as "web page" and "website", not to mention activities such as "browsing" or "surfing", derive from the World Wide Web. Indeed, the World Wide Web and the Internet are often confused, so that there is little distinction in popular speech between "surfing the Web" and "surfing the Internet". But in reality, the World Wide Web is a system of linked documents and files, which operates over and is accessible by means of the Internet, but is entirely distinct from the network of networks, the Internet itself. Indeed, many other forms of communication, such as Internet Relay Chat (IRC), or Voice over IP (VoIP), using different protocols, co-exist with the World Wide Web on the Internet. The fact that the World Wide Web could be introduced in the early 1990s without requiring a fundamental redesign of the Internet is the most striking demonstration of the huge potential for innovation and growth inherent in the principle of abstraction of network layers.

2.8. However, the abstraction of network layers has other consequences as well. It is sometimes said that the Internet was built with no "identity layer"; in other words, the network level is designed to operate without knowing to whom and to what you are connecting. This is a necessary corollary of the abstraction of information into packets and the abstract layering of the Internet's design. In traditional telecommunications the existence of a dedicated connection between two identified end-points allows identity to be known by every part of the system. On the Internet, however, packets are effectively anonymous; they are simply chunks of data, routed highly efficiently (though to all appearances indiscriminately) around the network of networks. The information is then reassembled at the end point, by means of applications installed on end-user machines. It is these applications, not the network, that are concerned about the identity of the source of the information.

2.9. This creates fundamental problems for end-user security, which were outlined for us by Professor Jonathan Zittrain, of the Oxford Internet Institute: "the way the Internet was built was to be able to carry data from one arbitrary point to another without any gate-keeping in the middle. It has been a wonderful feature, so-called end-to-end or network neutrality. This design principle means that any desire to control the flow of data, including data which might be harmful data, is not very easy to effect on today's Internet" (Q 957).

Tracing Internet traffic

2.10. The previous section describes in general terms the structure of the Internet and the difficulty of identifying and tracing the packets of data that traverse it. This section provides more technical detail on traceability.

2.11. Every machine directly connected to the Internet is given a unique identity, a 32-bit value called its "IP address".3 The routing systems ensure that packets are delivered to appropriate machines, by consulting the destination IP address placed into the packet by the sender. To avoid every router having to know the location of every machine, the address space is arranged in a hierarchical manner with blocks of addresses (of varying sizes from hundreds to millions) being allocated to Internet Service Providers (ISPs). The ISPs then make allocations from these blocks to their individual customers. Thus routers need only ascertain the address block and relay the packet to the appropriate ISP. Once the packet arrives at the ISP, it can use more fine-grained routing information to deliver it to the correct machine.

3 Although 32-bit addresses are by far the most prevalent, some machines operate with "IPv6", a more recent version of the Internet Protocol, which uses 128-bit addresses.


2.12. When a new connection is made to a computer that is offering an Internet service, it will determine where to respond by inspecting the "source address" of the incoming packet. It sends a packet back to that source, and, provided that an acceptable reply is received from that source (some random numbers are included in these "handshake packets" to prevent spoofing), it will then open the connection and be prepared to send and/or receive real data.
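The handshake in paragraph 2.12, modelled as an added example (not part of the Report): the server replies to whatever source address the packet claims, and only opens the connection when the random number it chose comes back. The Packet, Network, Host, Server and Client classes and the addresses are constructed for this illustration; the numbers follow TCP's 32-bit sequence space but the model omits everything else about TCP.

```python
"""Model of the three-way handshake described in paragraph 2.12.

Constructed example, not the Committee's text or code. A server answers a
SYN with a SYN-ACK sent to the packet's *claimed* source address, carrying
a random 32-bit initial sequence number (ISN). The connection opens only
if an ACK quoting ISN+1 arrives. A sender that forges its source address
never receives the SYN-ACK, so it can only guess the ISN.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SEQ_SPACE = 2 ** 32  # 32-bit sequence numbers, as in TCP


@dataclass(frozen=True)
class Packet:
    src: str                 # constructed dotted-quad addresses below
    dst: str
    flags: str               # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: Optional[int] = None


@dataclass
class Network:
    """Delivers each packet to whichever host owns its destination address."""
    hosts: Dict[str, "Host"] = field(default_factory=dict)

    def deliver(self, pkt: Packet):
        owner = self.hosts.get(pkt.dst)
        return owner.receive(pkt) if owner else None


class Host:
    def __init__(self, addr: str, net: Network):
        self.addr, self.net = addr, net
        self.inbox: List[Packet] = []
        net.hosts[addr] = self

    def receive(self, pkt: Packet):
        self.inbox.append(pkt)     # plain hosts just keep what they are sent
        return None


class Server(Host):
    """Tracks half-open handshakes by the source address that started them."""

    def __init__(self, addr: str, net: Network):
        super().__init__(addr, net)
        self.pending: Dict[str, int] = {}   # claimed source -> our random ISN
        self.established: Set[str] = set()

    def receive(self, pkt: Packet):
        if pkt.flags == "SYN":
            isn = secrets.randbelow(SEQ_SPACE)       # fresh random number
            self.pending[pkt.src] = isn
            # The reply is routed to the address the packet says it came from.
            reply = Packet(self.addr, pkt.src, "SYN-ACK", isn, (pkt.seq + 1) % SEQ_SPACE)
            return self.net.deliver(reply)
        if pkt.flags == "ACK":
            isn = self.pending.pop(pkt.src, None)
            if isn is not None and pkt.ack == (isn + 1) % SEQ_SPACE:
                self.established.add(pkt.src)
                return True                           # connection opened
            return False                              # wrong number: discarded
        return None


class Client(Host):
    def connect(self, server_addr: str) -> bool:
        """Honest client: uses its own address, so it sees the SYN-ACK."""
        my_seq = secrets.randbelow(SEQ_SPACE)
        self.net.deliver(Packet(self.addr, server_addr, "SYN", my_seq))
        synack = next((p for p in self.inbox if p.flags == "SYN-ACK"), None)
        if synack is None or synack.ack != (my_seq + 1) % SEQ_SPACE:
            return False
        ack = Packet(self.addr, server_addr, "ACK", (my_seq + 1) % SEQ_SPACE,
                     (synack.seq + 1) % SEQ_SPACE)
        return bool(self.net.deliver(ack))


def forged_source_attempt(net: Network, forged_src: str, server_addr: str,
                          guessed_isn: int) -> bool:
    """A sender lying about its source address. The SYN-ACK goes to the owner
    of forged_src, not to the sender, so the ACK can only carry a guess."""
    net.deliver(Packet(forged_src, server_addr, "SYN", 0))
    ack = Packet(forged_src, server_addr, "ACK", 1, (guessed_isn + 1) % SEQ_SPACE)
    return bool(net.deliver(ack))


def demo() -> dict:
    net = Network()
    server = Server("192.0.2.10", net)        # constructed (documentation) addresses
    honest = Client("198.51.100.7", net)
    bystander = Host("203.0.113.9", net)      # owns the address the forger claims
    return {
        "honest": honest.connect(server.addr),
        "forged": forged_source_attempt(net, bystander.addr, server.addr, 12345),
        "synacks_at_bystander": sum(p.flags == "SYN-ACK" for p in bystander.inbox),
        "established": sorted(server.established),
    }


if __name__ == "__main__":
    print(demo())
```

The bystander's inbox shows the side effect the Report describes: the forged SYN makes the server send a reply to an address that never asked for it.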

2.13. If the connection turns out to be abusive, for example, it is an incoming spam email advertising fake medicines, then the source address can be traced back by determining which block of addresses it comes from, and hence which ISP allocated the address. The records at that ISP can then identify the customer to whom the IP address was issued. Since many ISPs allocate the same address to different customers at different times, the exact time of the connection will often be needed, in order to correctly identify the customer who was using these "dynamic addresses".

2.14. This "traceability" of IP addresses therefore permits the identification of the source ISP, who may be prepared to act to prevent further abuse. It also permits the identification of the customer account, although the ISP may not be prepared to divulge this information until the necessary legal paperwork has been processed in the appropriate jurisdiction.
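The two-stage trace in paragraphs 2.11 to 2.14 (address block to ISP, then ISP lease records to customer at the time of the connection), as an added example that is not part of the Report. The allocation table, lease log, ISP and customer names and timestamps are all constructed; in practice the first stage is a registry WHOIS lookup and the second is a query an ISP runs against its own records once the legal requirements of paragraph 2.14 are met.

```python
"""Tracing an abusive source address through the allocation hierarchy.

Constructed example, not from the Report. Stage 1 mirrors what routers do:
pick the most specific allocated block containing the address. Stage 2 is
the ISP-side lookup: which customer held that (possibly dynamic) address
at the moment of the connection.
"""
import ipaddress
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed registry: which block was allocated to which ISP.
ALLOCATIONS = {
    ipaddress.ip_network("198.51.100.0/24"): "ExampleNet ISP",
    ipaddress.ip_network("203.0.113.0/25"): "Sample Broadband",
    ipaddress.ip_network("203.0.113.128/25"): "Sample Broadband (hosting)",
}

# Constructed ISP lease records: (address, customer, start, end).
# The same dynamic address is issued to different customers at different
# times, which is why the connection timestamp is part of the query.
LEASES = {
    "ExampleNet ISP": [
        ("198.51.100.23", "customer-A", "2007-03-01T08:00", "2007-03-01T12:00"),
        ("198.51.100.23", "customer-B", "2007-03-01T12:00", "2007-03-02T00:00"),
    ],
    "Sample Broadband": [
        ("203.0.113.77", "customer-C", "2007-03-01T00:00", "2007-03-08T00:00"),
    ],
    "Sample Broadband (hosting)": [],
}


def _ts(s: str) -> datetime:
    """Parse a constructed ISO timestamp as UTC (log times must share a zone)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def isp_for(address: str) -> Optional[str]:
    """Stage 1: longest-prefix match over the allocation table."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, isp in ALLOCATIONS.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, isp)
    return best[1] if best else None


def customer_for(isp: str, address: str, when: datetime) -> Optional[str]:
    """Stage 2: the customer holding the address at that instant (end exclusive)."""
    for addr, customer, start, end in LEASES.get(isp, []):
        if addr == address and _ts(start) <= when < _ts(end):
            return customer
    return None


def trace(address: str, when_iso: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (isp, customer); either is None where the chain breaks."""
    when = _ts(when_iso)
    isp = isp_for(address)
    if isp is None:
        return None, None          # unallocated space: nobody to ask
    return isp, customer_for(isp, address, when)


if __name__ == "__main__":
    for ip, t in [("198.51.100.23", "2007-03-01T10:30"),
                  ("198.51.100.23", "2007-03-01T15:00"),
                  ("203.0.113.200", "2007-03-01T10:30"),
                  ("192.0.2.1", "2007-03-01T10:30")]:
        print(ip, t, "->", trace(ip, t))
```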

2.15. However, if the requirement is to identify who is ultimately responsible for the abusive act, then considerable further investigation may be required. The source may be a machine in a cyber-cafe, or a hotel, available for many people to use. The source may be a wireless connection, in an airport, a company or an individual's home that can be used by anyone within transmission range. Most commonly of all, the source will be an identifiable consumer's machine, but if it is insecurely configured or is inadvertently running a malicious program, then it may be innocently relaying traffic from elsewhere and the tracing will need to be recommenced to determine where that might be. In practice, "multi-hop" tracing is seldom attempted and even less often successful.

Security threats on the Internet today


2.16. The design of the Internet Protocol permits the mounting of "denial of service" attacks. Here, many machines running malicious programs will send packets to a single machine, which is overwhelmed by the traffic and cannot respond to legitimate connections. Since the senders are not interested in return traffic, they can fake the source addresses in their packets, making it much harder to identify the source of the attack. Alternatively in a "reflection attack", they can send packets to legitimate machines, but with the source address set to the machine to be attacked, which will then receive responses from lots of machines that are perfectly identifiable, but are merely providing valid responses to the packets they are sent.

2.17. These types of attacks are usually called "distributed denial of service" (DDoS) attacks, and there will be large numbers, normally thousands, of machines participating in them. In some cases they can threaten the integrity not of individual machines, but of Government or company networks or top level domain names (such as ".uk" or ".com"). On 7 February 2007 a DDoS attack, emanating from sources in the Asia-Pacific region, was launched on nine of the 13 "root servers" that support the domain name system. It was unsuccessful, but as we heard when visiting Verisign, which runs two of these root servers, the level of bad traffic is now peaking at 17 times the basic level of Internet traffic; by 2010 it is predicted to be 50 times the basic level. Massive over-capacity and redundancy is built into the network to allow enough headroom to accommodate such traffic. This affects critical national infrastructure rather than personal Internet security in the first instance, and we have therefore not explored this issue in detail.

2.18. A major cause of abusive traffic on the Internet, be it DDoS attacks or the sending of email spam, is the presence of malicious code, or malware, on consumer machines. It used to be considered to be important to distinguish between "worms" that spread to vulnerable machines without human intervention and "viruses" that attach themselves to other traffic, such as email. However, the distinctions have blurred considerably in recent years and we will use the generic term "malware". This malware can still arrive via email, or via direct connections from other machines, but an important new source of infection is from visiting a website and inadvertently downloading the malicious code. The website may have been specially devised to spread infection, or it may be a legitimate site that is itself insecure, the owner unaware of its unwanted new functionality.


2.19. In general terms, malware used to be created by individuals who wanted to become famous and gain the admiration of their peers. The aim was to spread as far and as fast as possible, demonstrated most famously by the "ILOVEYOU" worm of May 2000, created by a disaffected student in the Philippines. This has now changed, and the prevailing motivation for those creating malware is to make use of infected machines in order to make money. This means that considerable effort is now put into creating malware that will spread in a low-key manner. It is designed to be hard for the infected machine's owner to detect.

2.20. Although traditional defences such as virus checkers (which determine whether a piece of code is known to be malicious) continue to be useful, they are no longer the universal shield that they once were. Jerry Martin, of Team Cymru, a network of researchers who monitor underground traffic and support Internet security, told us of the team's database of samples of malicious code, which is currently being added to at an average rate of 6,200 new samples a day. Of these samples, typically, around 28 percent were immediately detected by anti-virus software. They submitted the samples to the anti-virus companies, and a month later the average detection rate would rise to around 70 percent. In face of the flood of new malware the anti-virus companies have little option but to adopt a risk-based approach, prioritising the most dangerous malware and the most widespread.

2.21. Putting malware onto machines is often done in order to create a "botnet". The individual machines, usually called "zombies", are controlled by a "botmaster" who can command them to act as a group. Botnets are hired out by their botmasters for the purpose of hosting illegal websites, for sending email spam, and for performing DDoS attacks. These activities take place without the knowledge of the individual machine's owner, although normal traceability will enable the source of individual examples of the traffic to be identified. The total number of "zombies" is unknown, but in the course of our visit to the Center for Information Technology Research in the Interest of Society (CITRIS) at the University of California, Berkeley, we heard an estimate that the number might be of the order of five percent of all machines, or up to 20 million in total. The cost of renting a platform for spamming is around 3-7 US cents per zombie per week.


2.22. Malware can also search the hard disk of the compromised machine to locate email addresses to add to spammers' lists of where to send their email, and, more significantly for the machine's owner, it will search the hard disk for CD keys or passwords for systems such as online games. Additionally, it may install a "keylogger" which will record any passwords used for online banking, permitting the criminal to access the account and steal the money it contains.

2.23. Online banking or trading can also be compromised by so-called "phishing" attacks. The user is sent an email purporting to come from their bank or some other company with which they do business, such as eBay. It contains some sort of urgent message: an imminent account suspension, an apparently fraudulent payment that they will wish to disavow, or even a monetary reward for answering some marketing questions. Clicking on the link within the email will result in a visit to a fraudulent website that will record the user's credentials (name, account number, password, mother's maiden name and so on) so that the criminal can, once again, take over the account and transfer money.

2.24. Although phishing emails were originally written in poor English and were relatively easy to detect, they have grown in sophistication, and millions of individuals have been misled.4 The number of phishing emails is enormous: in the second half of 2006 900-1,000 unique phishing messages, generating almost 8 million emails, were blocked by Symantec software alone on a typical working day5, though according to MessageLabs phishing still represents just 0.36 percent of total emails.6 Bank payments association APACS recorded 1,513 unique phishing attacks directed at United Kingdom banks in September 2006, up from just 18 in January 2005 (p 29).

4 See http://www.gartner.com/it/page.jsp?id=498245.

2/25/ United States (an7s are (y far the most targeted (y phishing< 6ith their losses estimated to (e aro%nd P2 (illion/ 4ost United 1ingdom (an7s ha:e also (een attac7ed< tho%gh losses ha:e (een m%ch lo6er< 6ith losses from direct online (an7ing fra%d reaching .BB/5 million in 2 !/ Ho6e:er< the United 1ingdom trend is firmly %p6ardsE losses 6ere .2B/2 million in 2 5 and F%st .+2/2 million in 2 )/ Total losses from 3card"not"present3 fra%d 0that is< the %se of stolen credit card n%m(ers for &nternet or telephone ordering of goods2 in 2 5 6ere .+CB/2 million 0%p 2+ percent from 2 )2< of 6hich some .++#/+ million 6ere estimated to (e &nternet"(ased 0p B 2/ 5%t these fig%res tell only part of the story< as in many cases the losses from credit card fra%d are off"loaded (y the (an7s onto merchants/

2/2!/ There has also (een some 3identity theft3< 6here significant amo%nts of information a(o%t indi:id%als is stolen and then %sed to impersonate them (y< for e=ample< o(taining loans in their name/ Ho6e:er< the scale of online identity theft is %nclear< 6ith 3card not present3 credit card fra%d also (eing treated as identity theft/ The scale o( the proble#

2/2#/ Fig%res on the scale of the pro(lem are hard to come (y/ &ndeed< the lac7 of data on identity theft is symptomatic of a lac7 of agreed definitions or detailed statistics on almost all aspects of &nternet sec%rity/ &n Fe(r%ary 2 ! the Financial Ser:ices ,%thority estimated the cost of identity fra%d to the United 1ingdom economy at
5Symantec Internet Security Threat Report, *%ly"Decem(er 2 !< http'>>e:al/symantec/com>m7tginfo>enterprise>6hite papers>ent" 6hitepaper internet sec%rity threat report =i B 2 #/en"%s/pdf/ 4essageLa(s 2 ! "nnual Security Report, !http'>>666/messagela(s/com>Threat 8atch>&ntelligence Reports>2 ! ,nn%al Sec%rity ReportQEmailR2 Sec%rity R2 TrendsR2 andR2 De:elopmentsR2 2 !/

)1 PE+SONA; INTE+NET SEC3+IT@

.+/# (illion per ann%m/# 5%t this incl%ded o:er .5 million losses reported (y ,-,CS< the United 1ingdom payments association< co:ering co%nterfeit cards< lost or stolen cards< card not present fra%d< thro%gh to f%ll acco%nt ta7eo:er 0the latter p%t at F%st .2B/C million2/ &t also incl%ded .2+5 million for missing trader $,T fra%d< .B?5 million for money"la%ndering and e:en .!B million for the anti" fra%d proced%res in the U1 passport office/ &t is impossi(le to ded%ce from these fig%res ho6 m%ch online identity theft costs the United 1ingdom economy/

[7] http://www.identitytheft.org.uk/ID%20fraud%20table.pdf.

2.28. Still less clear is the scale of online fraud and theft. The problem here is compounded by the lack of clear definitions that might help to differentiate online fraud from "traditional" fraud. For example, Tim Wright, of the Home Office, asked how many prosecutions there had been for "e-crimes", responded, "Not only do the police databases not distinguish between whether crimes are committed electronically or not, but nor do the Prosecution or the Home Office figures distinguish between the two. So we do not know how many people have been prosecuted for e-crimes as distinct from offline crimes" (Q 25).

2.29. We understand the logic of this—fraud is fraud, child abuse is child abuse, regardless of whether offences are initiated in person or online. But in the absence of any attempt to identify crimes committed online it is simply impossible to assess the scale of the problem. Thus when we asked John Carr, Executive Secretary of the Children's Charities Coalition on Internet Safety, about the relative frequency of online abuse and abuse committed by family members, he commented that "the way the crime figures are collected does not help us with providing an objective answer ... even today in the crime statistics it is not recorded whether or not a computer was a key part of the way in which the crime was committed" (Q 251). Bill Hughes, Director General of the Serious Organised Crime Agency, argued that there "would be benefit" in identifying the e-component of conventional crimes, which "would help us to pick up on quantifying what the actual problem is" (Q 1042).

2.30. Where data are collected, they often lack context. In the United States the National Cyber Security Alliance in 2005[8] published a survey showing that 81 percent of home computers in that country lacked core protection such as up-to-date anti-virus, firewall or anti-spyware software. This survey was backed up by scans of equipment, which showed that 12 percent of users had some sort of virus infection, and 61 percent some form of spyware or adware installed on the system. But this survey was based on a sample of just 354 individuals. Nor is it possible to deduce from these figures the actual level of economic damage that these security breaches were causing to the individuals concerned.

[8] See http://www.staysafeonline.org/pdf/safety_study_2005.pdf.

2.31. What is abundantly clear is that the underground economy living off Internet crime is flourishing, and shares information openly online. Team Cymru have studied this phenomenon in detail, and have recently published some of their research.[9] Focusing on just one conduit of communication, Internet Relay Chat (IRC), Team Cymru show that entire IRC networks are devoted to the underground economy, with 35 to 40 particularly active servers. On a single server in a typical month in late 2005, compromised card details for sale included 31,932 Visa cards, 13,218 MasterCards, 30 American Express cards and 1,213 Discover cards (an American card company). Basic card details are on sale to fraudsters for $1 each (or $2 for United Kingdom cards); the "full info" for an account, including passwords, address details, dates of birth, mother's maiden names, and so on, can cost up to $50, allowing entire accounts to be cleared. The total value of accounts on offer on a single IRC channel over a 24-hour period was $1,599,335.80.

[9] The figures quoted are taken from The underground economy: priceless, by Rob Thomas and Jerry Martin, December 2006, available online at http://www.usenix.org/publications/login/2006-12/openpdfs/cymru.pdf.

2.32. With money available on this scale, it is hardly surprising that those responsible for e-crime, commonly known in the IT world as the "bad guys", include major organised crime groups, typically, though not exclusively, based in eastern Europe. They are well resourced, and employ specialists to perform particular tasks, such as hacking vulnerable websites, cashing cheques, receiving goods fraudulently purchased online, and so on. In summary, the Internet now supports a mature criminal economy.

2.33. We were unable to get a clear answer to questions regarding the overall cost to the United Kingdom economy, let alone the global economy, of e-crime. One of the few witnesses prepared to take a holistic approach to the question, and, in the absence of firm data, to indicate at least the sort of areas that would have to be included in a comprehensive answer, was Bruce Schneier. He drew attention, for instance, to identity fraud, with costs "in the billions", and to the "multibillion pound industry" in computer security, as well as to unknowns, such as the costs to banking, to companies whose reputation and share price are affected by security breaches, and so on. In conclusion, he could not give an answer on the cost of e-crime, just a "flavour" for what it might be (Q 527).

2.34. It is not surprising therefore that public anxiety over e-crime is growing. A survey by Get Safe Online, a partnership of Government and industry, which appeared shortly before our inquiry started, produced the startling and headline-grabbing conclusion that 21 percent of people thought e-crime was the type of crime they were most likely to encounter. It also showed that e-crime was feared more than mugging, car theft or burglary. Yet when we asked the Government about these results it was clear that they felt that this was an aberration. Geoff Smith from the Department for Trade and Industry (DTI; now replaced by the Department for Business, Enterprise and Regulatory Reform) described it as "counter-intuitive", and added that his department had been "a bit uneasy about using that as our headline message" (Q 38).

2.35. Despite the DTI's down-playing of a survey they themselves had sponsored, the lack of hard data, combined with the alarmist stories appearing day to day in the press, means that public anxiety will probably continue to grow. This raises the question, whether the Government need to do more to help establish a true picture of the scale of the problem, the risks to individuals and the cost to the economy. We believe the answer is yes. Unless the Government take action—starting with the establishment of a framework for collecting and classifying data on e-crime, and moving on to a more rigorous and co-ordinated analysis of the incidence and costs of such crime—they will never be able to develop a proportionate and effective response. Without such a response, the risk is that the enormous benefits to society that the Internet continues to offer will be wasted.

Research and data collection

2.36. The Internet is a relatively new technology, and online security is a correspondingly new academic discipline. The evidence from the Research Councils (RCUK) claimed that "The UK has a very strong Information and Communications Technology Research Community, and the underpinning research into both hardware and software is of a high international standing." RCUK also provided a helpful annex of major IT research projects funded by the Engineering and Physical Sciences Research Council. However, RCUK also conceded that "the UK does not specifically have a leading reputation for academic research on IT Security". It drew attention to discussions on improving collaboration between academic researchers and industry, but gave few concrete examples. The reality appears to be that there are only a few centres of IT security research in the United Kingdom—indeed, our evidence reflects the views of researchers from virtually all these centres.

2.37. Despite the quality of the research undertaken at these few centres, overall the investment in IT security research does not appear to us commensurate to the importance of the Internet to the economy or the seriousness of the problems affecting it. During our visit to the United States in March we were fortunate to be able to visit the Center for Information Technology Research in the Interest of Society (CITRIS), at Berkeley. CITRIS receives a small amount of funding from the State of California to cover operating costs, but the bulk of its funding comes from partner organisations, either within federal government or industry. It brings together technologists, social scientists and other experts in a range of multi-disciplinary, time-limited research projects. While there are several research centres within the United Kingdom working on aspects of the subject, there is a clear need for the development of a large-scale, multi-disciplinary centre such as CITRIS to act as a focus for academic and industry expertise.

2.38. It is notable that while the private sector partners supporting CITRIS include major companies in the IT and telecommunications industries, companies from manufacturing, energy and other sectors also contribute.[10] As computing becomes ever more pervasive, more and more private sector companies—for example, those providing financial services—rely on IT security, and will have an interest in sponsoring research into IT security. There is therefore an opportunity to attract a wide range of private sector partners, with diverse interests, to support a major research initiative in this area.

[10] See http://www.citris-uc.org/partners/corporate

2.39. At the same time, there are new legal constraints affecting IT security researchers. There has been a strong tradition within the IT community of "ethical" hackers—experts, generally unpaid enthusiasts, who test out networks and security systems by attempting to "hack" them. We agree wholeheartedly with the remarks of Bruce Schneier on the importance of their work: "You learn about security by breaking things. That is the way you learn. If you cannot break things, you cannot learn. The criminals are always going to learn, always going to break stuff. We need to be smarter than them. We are not going to be smarter than them unless we can break things too" (Q 565).

2.40. However, the amendments to the Computer Misuse Act 1990, which were introduced by means of the Police and Justice Act 2006 and are expected to come into force in April 2008, introduced a new offence of making, supplying or obtaining articles likely to be used to commit computer crimes; there are also related provisions in the Fraud Act 2006. As Alan Cox told us, these are "unfortunately the same tools that you need to identify the security holes and test a security hole has been fixed and so on" (Q 327). At the time of writing, Crown Prosecution Service guidance on the application of these provisions had yet to be published—the Minister, Vernon Coaker MP, promised that they would appear "by the end of the summer" (Q 886).

2.41. More general issues, affecting IT security experts in many countries, were touched on in our discussions at CITRIS in California. Vern Paxson drew attention to restrictions on wire tapping, as well as to difficulties encountered in monitoring the incidence of malware—the only way to monitor, say, the incidence of botnets, was to set up a platform that would both receive and respond to messages from botmasters. This meant that the researchers could find themselves guilty of negligence in allowing their computer to be used to propagate malware or spam to other users.

Conclusions and recommendations

2.42. The benefits, costs and dangers of the Internet, are poorly appreciated by the general public. This is not surprising, given the lack of reliable data, for which the Government must bear some responsibility. The Government are not themselves in a position directly to gather the necessary data, but they do have a responsibility to show leadership in pulling together the data that are available, interpreting them for the public and setting them in context, balancing risks and benefits. Instead of doing this, the Government have not even agreed definitions of key concepts such as "e-crime".

2.43. We recommend that the Government establish a cross-departmental group, bringing in experts from industry and academia, to develop a more co-ordinated approach to data collection in future. This should include a classification scheme for recording the incidence of all forms of e-crime. Such a scheme should cover not just Internet-specific crimes, such as Distributed Denial of Service attacks, but also e-enabled crimes—that is to say, traditional crimes committed by electronic means or where there is a significant electronic aspect to their commission.

2.44. Research into IT security in the United Kingdom is high in quality but limited in quantity. More support for research is needed—above all, from industry. The development of one or more major multi-disciplinary research centres, following the model of CITRIS, is necessary to attract private funding and bring together experts from different academic departments and industry in a more integrated, multi-disciplinary research effort. We recommend that the Research Councils take the lead in initiating discussions with Government, universities and industry with a view to the prompt establishment of an initial centre in this country. Legitimate security researchers are at risk of being criminalised as a result of the recent amendments to the Computer Misuse Act 1990. We welcome the Minister's assurance that guidance on this point will appear later in the summer, but urge the Crown Prosecution Service to publish this guidance as soon as possible, so as to avoid undermining such research in the interim.

CHAPTER 3: THE NETWORK

The prospects for fundamental redesign of the Internet

3.1. The Internet as we know it today, the network of networks using the IP protocol, was designed almost 30 years ago, when the current uses to which it is put could not have been imagined. But just as the road network was not planned to accommodate the volumes of traffic that now use it, but grew incrementally over many years, so the networks supporting the Internet have continued to grow and develop. And just as a wholesale redesign of the road network might in principle be desirable, but is in practice simply not feasible, so there are formidable barriers to a wholesale redesign of the Internet.

3.2. The problems that derive from the fundamental design of the Internet are profound. While the Internet supports astonishing innovation and commercial growth, it is almost impossible to control or monitor the traffic that uses it. This leads in turn to many of the security problems that we have explored in this inquiry. So we have had to ask the question, whether it is possible to redesign the Internet more securely? If not, are the incremental improvements that might make it more fit for purpose being taken forward by the industry, or is intervention, by Government or regulators, needed? Or do we just have to accept a certain level of insecurity as the inevitable corollary of the level of creativity and innovation, the "generativity" of the Internet and the innumerable services that rely on it?

3.3. The response of most of our witnesses was that however desirable it might be in theory to redesign the Internet from scratch, in practice, as with the road network, it was very unlikely to happen. The Internet has over a billion users, and their equipment and applications, their knowledge of how the network functions, represent a huge capital investment. As a result, the Internet will have to change by means of gradual evolution, not radical overhaul.

3.4. Professor Mark Handley summed up this point of view: "The idea of coming up with something different without getting there incrementally from where we are here is simply not going to happen." He did concede that there were two sets of circumstance in which a more radical approach might be required—either "if the current Internet fell in a large heap for some reason and we had to rebuild it from scratch ... or if something came along which was radically better in terms of cheaper or could do things the current Internet cannot do" (Q 663). But both these scenarios are very unlikely.

3.5. A similar point was made by James Blessing, of the Internet Service Providers Association (ISPA). Asked whether it would be possible to introduce an "identity layer" into the Internet, he replied, "The simple answer is that it would be incredibly difficult to rectify that problem because you are talking about rewriting, on a global scale, the entire Internet" (Q 724).

3.6. We are also conscious that there are many layers to the Internet, and that fundamentally redesigning the core network may not be the most economically efficient way to improve security throughout the layers. Professor Ross Anderson illustrated this point by returning to the analogy with the road network: "You do not expect that the M1 itself will filter the traffic ... There are one or two security properties—we do not want terrorists to blow up the bridges—but many of the bad things that happen as a result of the M1's existence are dealt with using other mechanisms. If a burglar from Leeds comes down and burgles a house in London, then there are police mechanisms for dealing with that" (Q 663). The same general principle—that you need to find the most efficient, lowest-cost solution to a given security problem—applies to the Internet.

3.7. This is not to say that researchers are not looking at the design of the network. Professor Handley conceded that he and others were "doing research into network architectures which are radically different". However, the purpose of such research was to provide pointers to "where we might want to go in the future". Getting there would be an incremental process. In the meantime most of the security problems being experienced were "with systems connected to the Internet and not with the Internet itself"; in the short to medium term "what we are going to have is basically a variation on the current Internet" (Q 663).

Recommendation

3.8. We see no prospect of a fundamental redesign of the Internet in the foreseeable future. At the same time, we believe that research into alternative network architectures is vital to inform the incremental improvements to the existing network that will be necessary in the coming years. We recommend that the Research Councils continue to give such fundamental research priority.

The "end-to-end principle" and content filtering

3.9. Even if fundamental redesign of the Internet is not feasible, it may still be the case that specific security concerns are best addressed at the network level. However, this approach would seem to run up against the "end-to-end principle". This was described by LINX, along with the abstraction of network layers, as one of the key principles upon which past and future innovation on the Internet depends. The LINX policy paper defines the principle as requiring "that the network core should simply carry traffic, and that additional services should always be delivered at the edges of the network, by end-points, not within the network core."

3.10. There can be no doubt that the "end-to-end principle" has served the Internet well, and goes a long way to explaining why the network is so flexible and powerful. However, it has become more than a practical or technological description of how the network is built. In the words of Professor Zittrain, in a paper published in 2006, and which he copied to the committee along with his written evidence, "Many cyberlaw scholars have taken up end-to-end as a battle cry for Internet freedom, invoking it to buttress arguments about the ideological impropriety of filtering Internet traffic."[11]

[11] Jonathan L Zittrain, "The Generative Internet", Harvard Law Review, 119 (2006), p 2029.

3.11. The most obvious application of the end-to-end principle is to the filtering of content. Here it could be argued that the purity of the principle has already been tarnished by the interventions of policy-makers. For example, the Government have required that by the end of 2007 all ISPs offering broadband connectivity in the United Kingdom should have implemented systems to block access to child abuse images and websites. Most ISPs already provide such a blocking service; this is achieved by blocking all sites listed on the database maintained by the Internet Watch Foundation (IWF). In other words, ISPs are not required actively to screen images and filter out those which are judged to be child abuse images; they simply take a list of websites from a trusted source and bar direct access to them.

3.12. This is a far from perfect solution to the Government's objective of preventing paedophiles from accessing child abuse images online. It relies on the IWF list being wholly accurate (an impossible task, since in reality new sites are posted online every day); the blocking schemes continue to be relatively simple to evade; and the approach also fails to address other types of communication, such as "Peer-to-Peer" file sharing between paedophiles. There is also a risk, in the words of Matthew Henton of the ISPA, that it will "drive paedophile activities underground into the so-called dark net where it is impossible to actually trace their activities. That could have consequences in terms of trying to secure prosecutions against such people" (Q 763).

3.13. The threat to the end-to-end principle is clear, even though it may be justified by the need to protect the safety of children online. At present the blocking of websites listed in the IWF database has been accepted by the industry—largely because of what Matthew Henton called "the trust that ISPs have in the IWF and in the authenticity of that database and what it contains." However, the principle that ISPs should block certain types of site could potentially be extended more widely—as James Blessing commented, "In theory [you] can block anything as long as you know what you are blocking." This could include websites blocked for political reasons—which, as Mr Blessing argued, "completely destroys the end-to-end principle" (Q 764).

3.14. Still more controversial would be a requirement for ISPs not merely to block websites contained on a given database, but actively to screen and approve the content of the traffic passing over their networks. This would be immeasurably more complex technically, though in time it may become more practical—it is worth comparing, for instance, the latest versions of some anti-virus software, which have moved from recognition of samples held on a central database to a more dynamic, "behavioural" analysis, intended to pick up code that looks like malware, even if it has never been encountered before.[12]

[12] For instance SONAR (Symantec Online Network for Advanced Response).

3.15. In addition, any requirement on ISPs to screen content would also create the difficulties that are encountered by any email filtering system today—namely, the need to avoid both false positives (blocking good traffic) and false negatives (failing to block the bad). Inevitably the ISP would come across a lot of material that it did not recognise as either good or bad, and it would be unable to make an informed decision either way. As Malcolm Hutty told us, "If the ISP is held legally responsible for blocking access to illegal material, of whatever nature, then the only practical recourse for it as a business would be to block that material that it does not recognise" (Q 764). In such circumstances the Internet could become unusable.

3.16. It should be emphasised that such developments are not currently envisaged in the United Kingdom, or in most other countries. Indeed, the regulation of content provided across electronic networks is specifically excluded from the remit of the regulator, Ofcom, by virtue of section 32 of the Communications Act. This makes the Government's insistence that consumer ISPs block sites listed on the IWF database all the more striking, in that it marks an intervention in an area specifically excluded from the remit of the industry regulator by Parliament.

3.17. The public and political pressure to protect children online continues to grow as Internet use grows, and Ofcom too has now demonstrated its interest in content, developing in partnership with the Home Office a British Standards Institute (BSI) kite mark for Internet content control software. The development of this standard was announced by the Home Secretary in December 2006, and the first kite marks will be issued in 2007.

3.18. Clearly the development of a kite mark to help parents identify effective and easy-to-use content control software that they can then install on their end-user machines, is very different from the regulation of content delivered across electronic networks. However, it does demonstrate that the Internet is not a static medium—the goal-posts move all the time, and Ofcom has as a result been obliged to intervene in an area not directly envisaged in its remit. Taken in conjunction with the requirement placed upon ISPs to block child abuse images, the development of the kite mark demonstrates the growing interest across the board in content screening, which, if the emphasis moved more towards blocking within the network, rather than on the end-user machines, could ultimately lead to the erosion of the end-to-end principle.

3.19. Internationally, blocking of content for political reasons was highly publicised with the controversial deal reached between Google and the government of the People's Republic of China in January 2006, in which Google agreed to censor certain information in exchange for access to the Chinese market. Less overt filtering is also applied by search engines in other countries, including the United Kingdom. Thus, although the end-to-end principle continues to carry weight, globally, adherence to it is increasingly challenged.

Who is responsible for Internet security?

2) PE+SONA; INTE+NET SEC3+IT@

B/2 / &n the pre:io%s section 6e disc%ssed content screening and (loc7ing/ Ho6e:er< this disc%ssion mas7s the fact 3content3 is not easily defina(le/ Common sense s%ggests a simple distinction (et6een 3content3Hthat is< te=t< so%nds or images< the presentation thro%gh a comp%ter or other de:ice of information that is easily %nderstood< and 6hich co%ld indeed (e presented in other formats< s%ch as (oo7s< speech< ne6spapers or tele:ision programmesHand 6hat< for lac7 of a (etter 6ord< co%ld (e descri(ed as 3code3Hcomp%ter programs< mal6are< and so on/ 5%t in the conte=t of &nternet traffic< this distinction collapses/ ,ll information that passes :ia the &nternet is disassem(led into pac7ets of data/ &n the 6ords of -rofessor &an 8alden< 3&t is all Leros and ones 6hich go across the net6or7< 6hether it is a :ir%s< a child a(%se image or a political statement3 0D B?+2/

B/2+/ This has profo%nd implications for personal &nternet sec%rity/ &t means that the end" to"end principle< if it is to (e f%lly o(ser:ed< re;%ires that sec%rity meas%res< li7e content filtering< sho%ld al6ays (e e=ec%ted at the edges of the net6or7< at end" points/ 8e ha:e already ;%oted 4alcolm H%tty@s assessment of the ris7s inherent in re;%iring &S-s to screen content/ Similar ris7s< (%t arg%a(ly still more f%ndamental< 6o%ld apply to any re;%irement that &S-s screen for sec%rity ris7s/ &f &S-s< to protect themsel:es against possi(le legal lia(ility< (loc7 %n7no6n code< this 6o%ld< in 4r H%tty@s 6ords< 3pre:ent

people from deploying ne6 protocols and de:eloping ne6 and inno:ati:e applications3 0D #!)2/

B/22/ Ho6e:er< the pres%mption that the net6or7 sho%ld simply carry traffic< and that end"points sho%ld apply sec%rity< along 6ith other additional ser:ices< carries< in the 6ords of -rofessor Kittrain a 3hidden premise3/ &t implies that 3the people at the end points can control those end points and ma7e intelligent choices a(o%t ho6 they 6ill 6or73/ Geither of these ass%mptions< he (elie:ed< 6as necessarily tr%e any longer' not only 6ere many de:ices that appeared to (e 3end points3 in fact controlled (y third parties 0for instance so"called 3tethered de:ices3< li7e mo(ile phones< that co%ld (e remotely re" programmed2< (%t it 6as %na:oida(le that 3people 6ill ma7e poor choices3/ He therefore arg%ed that it 6as time to adopt a 3more holistic approach to %nderstand the reg%latory possi(ilities 6ithin the collecti:e net6or73 0D ?#?2/

22 PE+SONA; INTE+NET SEC3+IT@

B/2B/ 4oreo:er< 6e heard o:er and o:er again in the co%rse of o%r in;%iry that the criminals attac7ing the &nternet are (ecoming increasingly organised and specialised/ The image of the attention"see7ing hac7er %sing email to la%nch destr%cti:e 6orms is o%t of date/ Today@s 3(ad g%ys3 are financially moti:ated< and ha:e the reso%rces and the s7ills to e=ploit any 6ea7nesses in the net6or7 that offer them openings/ For s%ch people the principle of 3a(straction of net6or7 layers3 c%ts no ice/ ,s Do%g Ca:it< Chief Sec%rity Strategist of 4icrosoft< told %s in Redmond< attac7s are no6 mo:ing (oth %p and do6n thro%gh the layersH e=ploiting on the one hand :%lnera(ilities in the application layer< and on the other 6or7ing do6n thro%gh the operating systems< to dri:ers< and into the chips and other hard6are %nderpinning the 6hole system/+B

3.24. We therefore asked almost all our witnesses, in one form or another, the ostensibly simple question, "who is responsible for Internet security?" We were hoping for a holistic answer, though we by no means always got one.

3.25. The Government, for example, appeared to place responsibility firmly on the individual. In the words of Geoff Smith of the DTI, "I think certainly it is to a large extent the responsibility of the individual to behave responsibly." He compared the safe behaviours that have grown up around crossing the road with the absence of an "instinct about using the Internet safely". He acknowledged that it was "partly the responsibility of Government and business ... to create this culture of security," but reiterated that it was ultimately an individual responsibility: "if you give out information over the Internet to someone you do not know ... and they take all the money out of your bank account, it is largely due to your behaviour and not the failure of the bank or a failure of the operating system, or whatever" (Q 62).

3.26. ISPA, the trade association representing the network operators, expressed whole-hearted support for the Government's position. They expressed their willingness to support education initiatives, but there was no doubt that they saw ultimate responsibility residing with end-users. In the words of Camille de Stempel of AOL, "ISPA agrees very strongly with the Department of Trade and Industry approach to dealing with cyber security ... ISPA members are committed to working with their consumers to help address this by highlighting the way in which users can minimise the threat and informing their customers how they can best protect themselves" (Q 717).

13 See Appendix 5.

3.27. In marked contrast, the written evidence from MessageLabs, a leading manufacturer of email filtering technology, argued that security was "fundamentally a technical problem and as such will always require a technical solution, first and foremost". The problem should be addressed "in the cloud" at Internet level, through "protocol independent defensive countermeasures woven into the fabric of the Internet itself" (p 158). In oral evidence, Mark Sunner, Chief Security Analyst, repeated the argument that relying on end-users to detect and defeat security threats was unrealistic: "it has to be done by spotting the malicious code ... which you can only achieve with Internet-level filtering" (Q 464).

3.28. The views of Symantec, which manufactures anti-virus and firewall software (supplied in large part to individual end-users), were subtly different again. Roy Isbell, Vice-President, agreed with Mr Sunner that there had to be "technical countermeasures to technical attacks", but argued in favour of "a multi-layered defence ... to give you some defence in depth" (Q 464).

3.29. Nevertheless, the prevailing view from within the IT industry (with the exception of those representing the ISPs) was one of scepticism over the capacity of end-users to take effective measures to protect their own security. Professor Anderson told us, "In safety critical systems it is well known on the basis of longer experience than we have here, that if you have a system that is difficult to use the last thing you should do is 'blame and train' as it is called. What you should do instead is to fix the problem" (Q 706).

3.30. In the course of an informal discussion with industry experts hosted at Cisco Systems in California, the Internet was compared with water supply: consumers were not required to purify or boil water when the source of contamination was within the water supply infrastructure itself. Instead suppliers were required to maintain a secure network, and treated water up to exacting standards. The end-user simply had to switch on the tap to get pure, drinkable water.

3.31. The analogy with the water network is not, of course, exact; it was immediately pointed out to us that there is no consensus on what, in the online world, is "poisonous". Nevertheless, the analogy illustrates the oddity of thrusting so much responsibility upon end-users, who may well be incapable of protecting themselves or others. Thus Bruce Schneier responded to our question on responsibility as follows: "There is a lot of responsibility to go around. The way I often look at it is who can take responsibility? It is all well and good to say, 'You, the user, have to take responsibility'. I think the people who say that have never really met the average user" (Q 529). He then proceeded to outline the many people and organisations who might reasonably take a share of responsibility for Internet security: the financial services industry, the ISPs, the software vendors (a term which we use in the sense universal within the IT industry, namely the manufacturers of software and other products, rather than the retailers), and so on.

3.32. Jerry Fishenden, of Microsoft, also outlined a "collective responsibility" for end-user security, embracing end-users themselves, the technology supplied to them, and the ways in which the laws governing Internet use were enforced through the courts (QQ 261-262). This view was echoed by Doug Cavit, who argued that traditional defences, anti-virus software and firewalls, were no longer adequate; every layer of the system had to be defended. We support this broader interpretation of responsibility for Internet security.

3.33. It is difficult to escape the conclusion that in the highly competitive market for Internet and IT services, in which the importance and economic value or cost of security are increasingly apparent, companies have strong incentives either to promote solutions from which they stand to profit, or, as the case may be, to argue against solutions which might impose additional costs upon them. We therefore have no choice but to treat the evidence from the industry with a degree of scepticism. But this makes it all the more disappointing that the Government appear to have accepted so unquestioningly the views of one part of the industry, the network operators and ISPs, and have in the process lost sight of the technical realities of online security.

Conclusion

3.34. The current emphasis of Government and policy-makers upon end-user responsibility for security bears little relation either to the capabilities of many individuals or to the changing nature of the technology and the risk. It is time for Government to develop a more holistic understanding of the distributed responsibility for personal Internet security. This may well require reduced adherence to the "end-to-end principle", in such a way as to reflect the reality of the mass market in Internet services.

Network-level security

3.35. The remainder of this chapter looks at areas in which practical improvements to personal security could be achieved through action at the level of the network or of the provision of Internet services.

3.36. One such area is the security of routers and routing protocols. Routers are the main building block of the Internet: they determine where packets are to be forwarded. Criminals who gained control of major routers would be able to block traffic, or forward traffic via routes where unencrypted content could be compromised, or to spoofed websites where phishing attacks could be mounted. It is thus essential that routers are fully secure. Cisco, a major manufacturer of routers, told us that they had still not ensured that their routers shipped without fixed values for default passwords, which is problematic because many users failed ever to change this default. More positively, they told us that their bigger systems, such as those used at ISPs and on backbone networks, provided "two factor" authentication (see paragraph 5.17) as standard. However, although they recommended use of two factor authentication as "best practice", they were not able to compel ISPs to use it.


3.37. Routers use the Border Gateway Protocol (BGP) to swap information about routes and about which ISP has been allocated particular blocks of IP addresses. However, BGP is somewhat insecure, and it is possible for a rogue ISP (or one that has been misled by a fraudulent customer) to "announce" someone else's addresses and thereby reroute traffic. There exist variants of the BGP protocol which permit the cryptographic signing of announcements, but they are not generally used. Cryptography can also be used to ensure that the friendly, human-readable names typed into web browsers are correctly translated into computer addresses, that email is not being passed to a machine that is impersonating a real server's identity, and that email travels over the network in encrypted tunnels. However, none of these systems is widely deployed, despite the potential for email to be intercepted or websites to be spoofed.
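The following is an added illustration, not part of the Committee's report or of any witness's evidence, of what checking a BGP announcement against an authorised origin looks like in practice. The report does not name a particular signed-BGP variant; the check below follows the route origin authorisation model (an authorised prefix, origin AS and maximum prefix length per record), which is an assumption of the example. The address blocks (192.0.2.0/24, 198.51.100.0/24) and AS numbers (64496-64511) are reserved for documentation, and the announcements are constructed. The example also shows why the attack works: a router picks the most specific matching prefix, so a bogus /25 wins over the legitimate /24 unless the bogus announcement is rejected first.

```python
"""Route-origin validation for BGP announcements (added example, not from the report).

A rogue or misled ISP can "announce" address space it does not own; because
routers prefer the most specific prefix, a bogus /25 beats the legitimate /24.
Checking the origin against an authorised (prefix, origin AS, maximum length)
record lets a router drop such routes. The records and announcements below are
constructed from documentation address space and documentation AS numbers.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteOriginAuth:
    """An authorisation: origin_as may announce prefix, down to max_length bits."""
    prefix: ipaddress.IPv4Network
    origin_as: int
    max_length: int


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    as_path: tuple[int, ...]  # rightmost AS is the origin

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Assumed authorisation table (constructed): AS64496 owns 192.0.2.0/24 and may
# not announce anything more specific than the /24 itself.
ROAS = [RouteOriginAuth(ipaddress.ip_network("192.0.2.0/24"), 64496, 24)]

# Constructed announcements as "prefix as-path" lines: the legitimate route, a
# hijack of half the block by AS64511 using a more specific /25, the rightful
# owner announcing a /25 narrower than it is authorised to, and a prefix that
# no authorisation covers at all.
CONSTRUCTED_ANNOUNCEMENTS = """
192.0.2.0/24 64500 64496
192.0.2.128/25 64510 64511
192.0.2.0/25 64500 64496
198.51.100.0/24 64511
"""


def parse_announcements(text: str) -> list[Announcement]:
    result = []
    for line in text.strip().splitlines():
        prefix, *path = line.split()
        result.append(Announcement(ipaddress.ip_network(prefix), tuple(int(a) for a in path)))
    return result


def validate(ann: Announcement, roas: list[RouteOriginAuth]) -> str:
    """Classify an announcement as 'valid', 'invalid' or 'unknown'.

    'unknown' means no authorisation covers the prefix, which is how unsigned
    address space has to be treated while deployment is partial; only routes
    that validate as 'invalid' are dropped.
    """
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "unknown"
    for r in covering:
        if r.origin_as == ann.origin_as and ann.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def best_route(ip: str, announcements: list[Announcement],
               roas: list[RouteOriginAuth] | None = None) -> Announcement | None:
    """Longest-prefix match as a router does it; with roas given, invalid routes are dropped first."""
    addr = ipaddress.ip_address(ip)
    candidates = [a for a in announcements if addr in a.prefix]
    if roas is not None:
        candidates = [a for a in candidates if validate(a, roas) != "invalid"]
    if not candidates:
        return None
    return max(candidates, key=lambda a: a.prefix.prefixlen)


if __name__ == "__main__":
    anns = parse_announcements(CONSTRUCTED_ANNOUNCEMENTS)
    for a in anns:
        print(f"{str(a.prefix):18} origin AS{a.origin_as}: {validate(a, ROAS)}")
    print("without validation, 192.0.2.200 is routed to AS", best_route("192.0.2.200", anns).origin_as)
    print("with validation,    192.0.2.200 is routed to AS", best_route("192.0.2.200", anns, ROAS).origin_as)
```

Run stand-alone, the script shows traffic for 192.0.2.200 going to the hijacker (AS64511) when announcements are accepted at face value, and to the rightful origin (AS64496) once the invalid /25 is discarded. The "unknown" outcome is the practical caveat: as long as most address space has no authorisation record, a router can only drop routes that are demonstrably wrong, not accept only those that are demonstrably right.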

3.38. Professor Handley argued that these network issues were a matter primarily for the technical community, not the end-user: "I think that these mechanisms or similar ones will eventually find their way out there because the requirement really is there, but they are probably not the largest part of the problem, at least from the point of view of the end user. From the point of view of those, there is a worry about keeping the network itself functioning" (Q 664). He believed that "the industry is moving in the right direction to address them."

3.39. However, Malcolm Hutty, of LINX, described these systems as "immature" and "experimental", before adding, "I hope you did not understand my answer when I was saying it is 'experimental' to mean it is not something that is important or coming or going to happen; I was not being dismissive of it" (Q 759). James Blessing of ISPA suggested that they were not being used because of a lack of "stable vendor support", which we understand to mean that the manufacturers of routers and other network equipment are not yet providing systems suitable for use by ISPs. He also pointed out the need for co-ordination between networks: "If one side says 'I am going to use this' and the other side will not support it, those two networks will not talk to one another" (Q 757).

3.40. Malcolm Hutty also argued that ISPs had every incentive to invest in more secure systems: "What more incentive could you offer an ISP to protect themselves against an attack on their core infrastructure than the fact that if it is attacked and it fails then they have lost what they are providing?" (Q 758). Nevertheless, we remain concerned that the systems that individuals rely upon to have their traffic correctly routed, to browse the correct websites, and to keep their email secure, are reliable only because no-one is currently attacking them. This seems to us to be an area where Ofcom should be looking to develop best practice, if not regulatory standards.

Internet service provision

3.41. There appears to be still greater scope for intervention at the level of the Internet Service Provider (ISP). ISPs do not typically operate the network; instead they sell access to the network to their customers, often bundled together with a range of other services, such as web-based email, telephone (conventional or VoIP), cable television and so on. They sit, in other words, near the edges of the network, providing a link between the end-user and the network.

3.42. While the broadband infrastructure is largely in place, the market for Internet services continues to grow and is highly competitive. Internet services in the United Kingdom are marketed largely on price: indeed, since 2006 the advent of "free" broadband (although in reality, as David Hendon of DTI told us, all the ISPs have done is "re-partition the costs in a certain way") has given such competition a new intensity (Q 70).

3.43. Regulation of Internet services is the responsibility of Ofcom. However, the evidence we received from Ofcom (evidence which was only provided late in the inquiry, as a result of a direct approach by the Committee) suggests that there is very little regulation in practice. This is not entirely the fault of Ofcom; we have already noted that content is specifically excluded from Ofcom's remit by virtue of the precise definitions of what they regulate in section 32 of the Communications Act 2003. However, questions remain over Ofcom's interpretation of its residual remit.


3.44. Ofcom appears to have taken the broadest possible view of what constitutes "content" under the Act, to embrace security products as well as text or images. In the words of their written evidence: "Although security products are valuable tools for consumers they are not a part of the regulated Internet access service, any more than are the PCs which are typically used as the access device. Antivirus software, firewalls etc. largely run on customer equipment and are in practice outside the control of the Internet service provider" (p 320). Elsewhere the memorandum echoes the Government's position that "ultimately the choice of the level of security to apply to one's data is a choice for the end user which is why some consumers choose to apply their own security at the application layer rather than relying on the network to maintain security and integrity" (p 325).

3.45. We find Ofcom's argument entirely unconvincing. It simply describes the status quo: security products are at present largely run on customer equipment, and are thus outside the control of the ISPs. But this falls well short of a convincing rationale for Ofcom's conclusion that security products "are not a part of the regulated Internet access service." Why are they not a part of the regulated service? Would it not be in the interests of consumers that they should be made a part of the regulated service? Ofcom failed to provide answers to these questions.

3.46. Ofcom went still further in resisting any suggestion that its responsibility for enforcing security standards should be extended. The Society for Computers and Law (SCL) expressed concern over the enforcement of Regulation 5 of the Privacy and Electronic Communications Regulations 2003. This requires that ISPs should take "appropriate technical and organisational measures to safeguard the security" of their services. But the SCL pointed out not only that the Regulations and the parent Directive offered "no guidance or standards" on what technical measures might be appropriate, but that enforcement was the responsibility not of Ofcom but of the Information Commissioner's Office (ICO), which lacked both resources and powers to act effectively. The SCL recommended that enforcement "should be a matter for Ofcom" (p 128).

3.47. This proposal was firmly rejected in a letter from Ofcom, which stated that "Ofcom does not have a remit in the wider area of personal Internet security or indeed the necessary expertise." Ofcom insisted that the ICO was best placed to enforce the Regulations, and drew our attention to a forthcoming "letter of understanding" which would set out how the two regulators would collaborate in future (p 312).

3.48. Ofcom's interpretation of what constitutes a "regulated Internet access service" was, perhaps unsurprisingly, echoed by the ISPs themselves. Asked whether ISPs should not be obliged to offer virus scanning as part of their service, John Souter, Chief Executive Officer of LINX, asked a question in reply: "What would be the authoritative source that you would mandate as the thing to check against?" (Q 733). This is a legitimate question, and would be very pertinent if ISPs were given a statutory duty to provide a virus scanning service, but in reality companies developing and selling security software have to answer it every day, so it is not immediately apparent why ISPs should not make use of their well-established expertise and provide users with a scanning service that is appropriate to their circumstances. Indeed, ISPs in the United States are obliged to offer a basic level of security as part of their service to customers.

3.49. In this country, on the other hand, it is left entirely to end-users, confronted as they are by bewildering and often conflicting sources of information, to take these crucial decisions. As we have noted, Ofcom treats security as an add-on, not an integral part of Internet services. As for long-term improvements in the level of security, it is assumed that the market will provide. In the words of James Blessing: "If it is a problem I would suggest that maybe it is time to change your ISP. That is simple advice but from our members' point of view they are out there to provide you with a service as a customer that you would want. If you say I want anti-virus, I want anti-spam on my account and they do not provide it, then they are not the ISP that you require" (Q 738).

3.50. Mr Blessing's argument is plausible as far as it goes. However, it overlooks the fact that the individual choices that customers make regarding Internet services affect not just themselves but society as a whole. The Society for Computers and Law, after acknowledging the force of the free-market argument, provided a convincing rebuttal: "users with unprotected PCs who choose to obtain access via an ISP that has no controls or security measures are more likely to be attacked by botnet herders, who can then expand their botnet to the detriment of all other (protected/secure) users of the Internet and of the public, if such botnets are used for criminal purposes" (p 126).

3.51. At the opposite end of the spectrum from the ISPs, Bruce Schneier argued forcefully that ISPs should take more responsibility for security. We have already quoted his belief that the major players in the online world should take more responsibility for assisting the "average user". As far as the ISPs were concerned, his arguments were based not on abstract principle, but on practicalities:

"I think that the ISPs for home users very much should be responsible. Not that it is their fault, but that they are in an excellent position to mitigate some of the risk. There is no reason why they should not offer my mother anti-spam, anti-virus, clean-pipe, automatic update. All the things I get from my helpdesk and my IT department ... they should offer to my mother. I do not think they will unless the US Government says, 'You have to'" (Q 529).

3.52. This prompts a key question: is it more efficient for basic security services such as spam or virus filtering to be offered at the ISP level or at the level of the individual end-user? It is worth noting that although, according to a 2006 survey conducted by Symantec, some 90 percent of end-user machines in the United Kingdom have anti-virus software installed, this figure includes a significant number of users who never update their software, which is therefore rendered useless. John W Thompson, CEO of Symantec, told us in the course of a private discussion that he thought some 20-25 percent of computers worldwide were at risk because their users were indifferent to security. Whatever the attractions of placing responsibility upon end users, the fact is that a huge number of them are not currently exercising this responsibility. That responsibility could possibly be more efficiently exercised, and with economies of scale, by ISPs.

3.53. A second question is whether imposing upon ISPs a responsibility to provide a basic level of security to customers would lead to the dire consequences predicted by the ISPs, in particular the stifling of innovation across the sector as a whole. We see no reason why it should, as long as a "light touch" is maintained, rather than a blanket imposition of legal liability for every security breach, however caused.

3.54. We have already drawn attention to developments in the field of content regulation: not only the insistence that ISPs block websites containing child abuse images, listed on the IWF database, but also the development of a BSI kite mark for content control software. Given that, as we have also noted, the distinction between "content" and other forms of Internet traffic is blurred, we see a strong case for introducing similar initiatives to cover personal security. Existing anti-virus and firewall technology is capable of blocking all traffic containing samples of known malicious code (using databases which companies like Symantec update daily). Such technology is not fool-proof, but it has proved its value over many years, without stifling innovation, and we can see no reason why it should not be routinely applied at ISP level.

3.55. Indeed, deployment of security software at ISP level could have one crucial benefit. Firewalls and spam filters generally work in one direction only: they are designed to prevent bad traffic reaching the end-user, but they do not always filter outgoing traffic. In particular, once the end-user machine has been infected, and is either propagating malware or is being used as part of a botnet to send out spam, the firewall and anti-virus software are commonly turned off by the malware, and updating is disabled, so the defences on the machine itself can no longer be relied upon. Moreover, the end-user himself will in all probability not be aware that his machine has a problem, and even if he is made aware of the problem (for instance, that his machine is part of a botnet), he has no incentive to fix it: he himself suffers no significant harm if his machine is sending out spam. The recipients of the spam, and the network as a whole, if the botnet is used to launch DDoS attacks, are the ones to suffer harm.

3.56. ISPs, on the other hand, are well placed to monitor and, if necessary, filter outgoing traffic from customers. If unusual amounts of email traffic are observed this could indicate that a customer's machine is being controlled by a botnet sending out spam. At the moment, although ISPs could easily disconnect infected machines from their networks, there is no incentive for them to do so. Indeed, there is a disincentive, since customers, once disconnected, are likely to call help-lines and take up the time of call-centre staff, imposing additional costs on the ISP.
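The kind of outgoing-traffic check described above, written out as an added example that is not part of the report or of any ISP's evidence. It works on connection records of the sort an ISP's routers already export, summarised here as "timestamp source destination port" lines; the records, the relay address (198.51.100.25, a documentation address standing in for the ISP's own outbound mail relay) and the thresholds are all assumptions constructed for the example. The test it applies is the one a practitioner would actually use: a home machine hands its mail to the ISP's relay, whereas a spam bot opens port 25 connections directly to many different mail servers, so it is the fan-out to many destinations within a short time, not the raw volume, that distinguishes an infected machine from a customer legitimately running a mail server.

```python
"""Spotting a spam-sending customer from outbound flow records (added example, not from the report).

An ISP sees every connection its customers open. A home machine normally hands
mail to the ISP's own relay; a machine conscripted into a spam botnet instead
opens SMTP (port 25) connections directly to many different mail servers. The
flow records below are constructed; the relay address and thresholds are
assumptions to be tuned per network.
"""
from collections import defaultdict
from dataclasses import dataclass

ISP_MAIL_RELAYS = {"198.51.100.25"}   # assumed: the ISP's own outbound relay
SMTP_PORT = 25


@dataclass(frozen=True)
class Flow:
    ts: str      # ISO-8601 timestamp, e.g. 2007-06-12T10:00:01
    src: str     # customer address
    dst: str     # remote address
    dport: int   # remote port


def parse_flows(lines):
    """Parse 'timestamp src dst dport' records; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(ts, src, dst, int(dport)))
    return flows


def find_spam_sources(flows, min_connections=20, min_distinct=10):
    """Return {customer: stats} for customers whose direct-to-port-25 traffic in
    any one hour exceeds both thresholds.

    Both conditions are required: a customer running its own mail server sends
    many messages to a few hosts, while a spam bot fans out to many."""
    connections = defaultdict(int)
    destinations = defaultdict(set)
    for f in flows:
        if f.dport != SMTP_PORT or f.dst in ISP_MAIL_RELAYS:
            continue                      # web traffic and relayed mail are normal
        key = (f.src, f.ts[:13])          # bucket per customer per hour (YYYY-MM-DDTHH)
        connections[key] += 1
        destinations[key].add(f.dst)

    flagged = {}
    for (src, hour), count in connections.items():
        distinct = len(destinations[(src, hour)])
        if count >= min_connections and distinct >= min_distinct:
            flagged[src] = {"hour": hour, "connections": count, "distinct_destinations": distinct}
    return flagged


def constructed_sample():
    """Constructed records: one ordinary customer, one spam bot fanning out to
    40 servers, and one customer talking repeatedly to a single mail host."""
    lines = ["# timestamp src dst dport   (constructed data, not real ISP records)",
             "2007-06-12T10:00:01 10.0.0.12 198.51.100.25 25",   # mail via the ISP relay
             "2007-06-12T10:00:05 10.0.0.12 203.0.113.80 80"]    # ordinary web traffic
    for i in range(40):   # bot: 40 direct SMTP connections to 40 different hosts
        lines.append(f"2007-06-12T10:0{i // 10}:{i % 10:02d} 10.0.0.45 203.0.113.{i + 1} 25")
    for i in range(30):   # own mail server: 30 connections, all to one host
        lines.append(f"2007-06-12T10:05:{i:02d} 10.0.0.77 192.0.2.10 25")
    return lines


if __name__ == "__main__":
    for customer, stats in find_spam_sources(parse_flows(constructed_sample())).items():
        print(f"{customer}: {stats['connections']} direct SMTP connections to "
              f"{stats['distinct_destinations']} hosts during {stats['hour']}: isolate and notify")
```

On the constructed records only 10.0.0.45 is reported; 10.0.0.77, which opens more connections than the threshold but to a single host, is not. Whatever thresholds are chosen, the output of a check like this is a list of customers to isolate and contact, which is precisely the step the following paragraphs find ISPs have little incentive to take.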

3.57. This is not to say that some ISPs do not already act in this way. Matthew Henton, of the ISP Brightview, confirmed that his company will "disconnect [an infected user's] machine from the network, we will contact that user and normally they would be entirely unaware ... and we will work with them to disinfect their machine and ensure that they are adequately protected against future infection" (Q 744). We applaud this approach, but are conscious that it is not universal. Doug Cavit, at Microsoft, told us that while most (though not all) ISPs isolated infected machines, they generally found it too expensive actually to contact customers to fix the problem. Nor is this service well advertised; indeed, any ISP which advertised a policy of disconnecting infected machines would risk losing rather than gaining customers.

3.58. There is thus at present a failure in incentives, both for end-users and ISPs, to tackle these problems. We do not therefore see any prospect of the market delivering improved security across the board. At the same time, we see no reason why the sort of good practice described by Mr Henton should not, by means of regulation if necessary, be made the industry norm.

3.59. We do not advocate immediate legislation or heavy-handed intervention by the regulator. Nor do we believe that the time has yet come to abandon the end-to-end principle once and for all. But the market will need to be pushed a little if it is to deliver better security. The example of the Ofcom-sponsored kite-mark for content control software indicates one possible way forward; a similar scheme for ISPs offering security services would give consumers greater clarity on the standards on offer from suppliers, and would help achieve greater uniformity across the market-place, particularly if backed up by the promise of tougher regulatory requirements in the longer term.


3.60. The Government did in fact indicate that they were discussing options for improving security with the Internet services industry. As Geoff Smith, of the DTI, told us: "We are also in discussion with the ISP community about a new initiative. I am not sure one would describe it as self-regulation, but certainly to develop a better understanding of what ISPs can offer as, if you like, a minimum service or what we would see as a code of practice around the security they are offering to their consumers" (Q 70).

3.61. We welcome the fact that the Government have at least started to think about these issues. However, the discussions described by Mr Smith appear wholly open-ended; the fact that he was not even prepared to describe what was envisaged as "self-regulation", let alone "regulation", inspires little confidence. In short, the Government's actions so far have been toothless.

The "mere conduit" defence

3.62. A specific legal consequence of the approach we are recommending would be the erosion of the "mere conduit" principle, embodied in the E-Commerce Regulations of 2002.14 This principle provides a defence for network operators against legal liability for the consequences of traffic delivered via their networks. The principle can be caricatured, in Professor Zittrain's words, as the ability of the ISP to say, "I'm just the conduit. I'm just delivering the ticking package. You can't blame me." We would not wish to see the mere conduit defence, any more than the end-to-end principle, abandoned. However, we agree with Professor Zittrain that it is now appropriate to "take a nibble out of the blanket immunity". In particular, once an ISP has detected or been notified that an end-user machine on its network is sending out spam or infected code, we believe that the ISP should be legally liable for any damage to third parties resulting from a failure immediately to isolate the affected machine (QQ 961-963).

3.63. This carries a risk. It could create a disincentive for ISPs proactively to monitor the traffic emanating from their customers; they might conclude that it was in their interests to remain ignorant of compromised machines on their network until notified by others. This would be counter-productive, and could compound existing legal constraints to do with data protection and interception of communications, which already affect security research. To guard against such an outcome, not only should ISPs be encouraged proactively to monitor outgoing traffic, but in so doing they should enjoy temporary immunity from legal liability for damage to third parties.

14 See Regulation 17 of the Electronic Commerce (EC Directive) Regulations 2002.

Voice over Internet Protocol

3.64. We raise here one further issue that emerged in our inquiry, which relates to the robustness of the network, although it is largely distinct from the other issues discussed in this chapter. This is the regulatory framework for Voice over Internet Protocol (VoIP) suppliers, and in particular their ability to offer an emergency "999" service. When we spoke to Kim Thesiger, of the Internet Telephony Service Providers' Association (ITSPA), he said that "I do not know of a single ITSPA member who does not want to offer 999 services and would like to do so as soon as possible, but there are some significant regulatory and bureaucratic problems" (Q 782). In particular, VoIP companies have to satisfy the requirements imposed upon Publicly Available Telephone Service (PATS) providers.

3.65. Kim Thesiger expressed particular concern over the "network integrity clause" of the PATS requirements. In a "copper-based" world it was clear what "network integrity" meant. In the world of the Internet, in which, as we have noted, packets of data travel across a network of copper, fibre-optic cable, wireless signals, and so on, it is far less clear either what constitutes "network integrity" or what control the VoIP provider can have over it. He said that the message from Ofcom was that "you must decide yourselves whether you have network integrity or not", which, if the wrong decision was made, could expose providers to unacceptable risks in the event of network failure.

*7 PE+SONA; INTE+NET SEC3+IT@

3.66. VoIP is a relatively new technology, and Ofcom's position on emergency services is still evolving. In written evidence, Ofcom drew attention to a new Code of Practice for VoIP providers, which would require them to make clear to potential customers "whether or not the service includes access to emergency services", and the level of dependence on externalities such as power supply. However, this does not address the issue of network integrity, or Kim Thesiger's point that Ofcom believed that "in order to offer 999 calls you must be PATS-compliant". In fact Ben Willis, Head of Technology Intelligence at Ofcom, told us that the regulator had recently, in effect, toughened the rules, bringing to an end a policy of forbearance on emergency services, which had been based on the principle that "it was better to have some 999 access than none at all" (Q 1030). Instead Ofcom was initiating a new round of consultation, due to be completed in summer 2007, but with no apparent commitment to clarify the position.

Recommendations

3.67. The current assumption that end-users should be responsible for security is inefficient and unrealistic. We therefore urge the Government and Ofcom to engage with the network operators and Internet Service Providers to develop higher and more uniform standards of security within the industry. In particular we recommend the development of a BSI-approved kite mark for secure Internet services. We further recommend that this voluntary approach should be reinforced by an undertaking that in the longer term an obligation will be placed upon ISPs to provide a good standard of security as part of their regulated service.

3.68. We recommend that ISPs should be encouraged as part of the kite mark scheme to monitor and detect "bad" outgoing traffic from their customers.

3.69. We recommend that the "mere conduit" immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code. This would give third parties harmed by infected machines the opportunity to recover damages from the ISP responsible. However, in order not to discourage ISPs from monitoring outgoing traffic proactively, they should enjoy a time-limited immunity when they have themselves detected the problem.

The uncertainty over the regulatory framework for VoIP providers, particularly with regard to emergency services, is impeding this emerging industry. We see no benefit in obliging VoIP providers to comply with a regulatory framework shaped with copper-based telephony in mind. We recommend instead that VoIP providers be encouraged to provide a 999 service on a "best efforts" basis reflecting the reality of Internet traffic, provided that they also make clear to customers the limitations of their service and the possibility that it may not always work when it is needed.

CHAPTER 4: APPLIANCES AND APPLICATIONS

4.1. Having a well designed and maintained road network is one thing; but if the vehicles driving on the roads are badly designed, there will be no benefit to safety. So in this chapter we turn from the Internet itself, the network and the companies who provide Internet services to end-users, to the appliances and applications, the PCs and programs, that run on that network.

Usability vs security

4.2. Despite the innovation and creativity that have characterised the development of the Internet, there is a remarkable uniformity in the products that most individuals buy and use. The introduction of IBM's "personal computer" (or PC) in 1981 led to a standardisation of processors, components and overall system design that has continued through numerous generations to the present day. In recent times, "laptops" or "notebook computers" have become popular as alternatives to "desktop" machines, but their fundamentals are essentially identical. While there is intense competition for market share between companies such as HP, Dell and a host of competitors, the technology they are selling is highly uniform. PCs are the white goods of the IT world. The only really successful rival to the PC has been the Apple Macintosh, introduced in 1984, and its successors, but they have never been dominant, and their current market share is between 10 and 15 percent.

4.3. The operating systems running on these computers are equally uniform. Microsoft's Windows operating system is almost invariably pre-loaded on PCs and laptops; Microsoft controls up to 90 percent of the operating system market. Other vendors have smaller shares. The Apple operating system has since 2000 been based on Unix; Apple's own applications run on this platform. Linux, an open-source Unix derivative, has a much smaller share of the operating system market, made up largely of more expert users.

4.4. The greatest diversity is in the applications that run on the operating systems. Here Microsoft can claim some credit: the company has generally sought to maximise the interoperability of its operating systems, and this has without doubt contributed to diversity and innovation in the development of applications. However, Microsoft has not always adopted this approach—indeed, the company's decision in 1996 to bundle Internet Explorer free of charge along with its Windows operating system destroyed the market dominance of its major rival at that time, Netscape. Moreover, many users of Microsoft operating systems do not look beyond Microsoft applications such as the Microsoft Office suite.

4.5. How has this uniformity come about, and what bearing does it have on personal security? The first point to be made, which was argued forcefully by Ross Anderson in his presentation to our introductory seminar, is that the economics of the fast-moving IT market in the 1980s and 90s, which enabled Microsoft to establish its extraordinary dominance, placed a high premium on speed and flexibility. New products had to be rushed out quickly, and in an era when the problems now associated with the Internet were almost unknown, ease of use and adaptability generally trumped security. A similar point was made to us by Laura K Ipsen and John Stewart at Cisco, who argued that Microsoft had begun by focusing on usability, later on reliability, and only now on security.

4.6. In today's market what Professor Anderson termed "network externalities" continue to play a key part. For instance, the functionality of, say, Internet Explorer, cannot be decided by Microsoft alone. Professor Anderson noted that web browsers can be set to permit JavaScript to run. JavaScript increases functionality, making it simpler to construct intricate e-commerce websites where users can purchase complex products such as airline tickets; but it also creates vulnerabilities, for example allowing users to be redirected from legitimate bank websites to phishing sites. He concluded that the Internet was riddled with—

3S%("optimal 6ays of 6or7ing /// (eca%se of h%ndreds of tho%sands of little design decisions ta7en (y third parties/ &t is these e=ternalities 6hich ca%se most of the stic7iness 6hich stops %s impro:ing things directly/ &f 5ill 9ates 6ere to ship 8indo6s from ne=t 6ee7 6ith *a:aScript t%rned off (y defa%lt there 6o%ld (e a h%ge o%tcry from people 6ho co%ld not (oo7 flights / &t is this 7ind of inertia that 6e are %p against3 0D !C!2/


4.7. There is thus, as Adam Laurie told us, "always a trade-off between usability and security" (Q 311). Or as Alan Cox put it, "the really secure systems have always been produced for things like military use where usability is not a factor" (Q 323). In marked contrast, as Jerry Fishenden of Microsoft told us, Windows "is part of a complex eco-system ... the end user ... can add on many thousands of different third party hardware devices and many thousands of different applications that people make available" (Q 269). The JavaScript example demonstrates how the existence of such third party applications can harm security.

4.8. The temptation therefore, particularly for Microsoft, given its dominant position in the market, is to improve the security of its product by locking out third party applications. This would reduce the likelihood that these applications, whose security they cannot vouch for, could have a damaging impact upon customer security. Microsoft products, which would be permitted to run, would then be purchased instead. In essence, as the evidence from Professor Anderson's Foundation for Information Policy and Research (FIPR) said, companies that have established a dominant position "may then add excessive security in an attempt to lock in their customers more tightly" (p 211).

4.9. There have already been some signs that the major companies are seeking to "lock in" customers through security features. The recent high-profile dispute between Microsoft and the European Commission centred on security features proposed for the Vista operating system, which the Commission contended would be anti-competitive. Microsoft's appeal against some of the changes imposed by the Commission is still to be decided by the Court of First Instance, and we are not in a position to comment on the merits of the dispute. Matt Lambert, of Microsoft, insisted that the company had "always worked with other companies, including competitors, to try to make our systems as inter-operable as possible." However, as the example of Netscape (itself subject to anti-trust litigation, though not until it was too late to salvage Netscape's position in the market) demonstrates, the Windows operating system can be a powerful tool to extend Microsoft's dominance into new sectors of the market.

4.10. In contrast, Bud Tribble told us that Apple went out of its way not to ask users security questions to which they would not know the answers. Whereas Microsoft might seek to maximise flexibility at the expense of possible insecurity, Apple would sometimes make decisions on behalf of users even if that made it more difficult to download and run third party applications. At the time we talked to Mr Tribble, Apple had decided that it would go even further with the new iPhone and make it a "closed platform", so that it would not be possible to execute any non-Apple applications. However, at the time of writing this decision was being revisited. It is argued that Apple's approach makes its machines more secure, though the precise cause and effect behind the relatively low rate of security breaches on Apple machines is unclear. There may be many other factors at play as well, not least the fact that the company's limited market share makes it a less attractive target.

4.11. We believe that it would be enormously damaging if the major software vendors were to seek to "lock in" customers and prevent the use of third party applications. The interoperability of operating systems is a key driver for innovation. Without interoperability the constant stream of new applications, many developed by the open source community, would dry up, and the Internet would ossify.

4.12. Moreover, as we have already noted, and as Alan Cox reminded us, software developers "genuinely do not know how to build a perfectly secure, useable operating system" (Q 311). Mr Cox regarded it as a research problem which would one day be solved, but until that day comes a balance will have to be struck, and end-users will inevitably have to manage a degree of insecurity. At the same time, they have the right to expect that software vendors will make every effort possible to keep this insecurity to a minimum.

Maintaining security—patching and security software

4.13. Security, as Bud Tribble told us at Apple, begins with good design. At the early stages of design, decisions will have to be made on new features, and usability, reliability and security will have to be balanced and reconciled. In all major software companies, security is now a top priority, and the latest versions of the major operating systems, Windows Vista and Apple Mac's Leopard, are generally accepted as being by far the most secure yet.


4.14. But software is not, like a car, a complete product that is finished the moment it leaves the production line. New features are rolled out all the time, flaws identified and fixes (or "patches") produced and distributed. Moreover, the criminals operating online—the "bad guys"—are well funded, typically by organised crime groups in eastern Europe, and can call on the services of expert programmers (often as a result of blackmail or coercion). They are as skilled in disassembling and analysing code as Apple or Microsoft are in developing it. The phrase we heard over and over again in our inquiry was that it was an "arms race"—never static or stable, but involving a constant testing out of the opposition, a constant raising of the stakes.

4.15. The result is that new security threats emerge at a startling rate. Symantec, for example, documented 2,526 new vulnerabilities in the second half of 2006, higher than for any previous six-month period (for comparison, the figure for the first half of 2005 was just 1,237). Furthermore, the vulnerabilities are being used by the "bad guys" far more quickly. The company's evidence notes that in late 2005 "the average vulnerability-to-exploit window was just 5.8 days" (p 149). So keeping security software up to date is crucial to maintaining good online security. If it is out of date it is not just useless, but arguably dangerous, because it gives the user an unjustified sense of security.

4.16. In addition, operating systems and appliances must be fully patched—in other words, the security updates issued by vendors, with a view to fixing vulnerabilities, need to be regularly installed. The responsibility for installing such updates is shared between vendors and end-users. The key question for this inquiry is whether the vendors are doing enough to help end-users. In the case of Microsoft, for example, security updates are typically issued on "patch Tuesday", the second Tuesday of each month. It used to be the responsibility of users to download patches from the Microsoft website; if they failed to do so, the "bad guys" could quickly disassemble and analyse the patches, and design malware to exploit the vulnerabilities thus identified. This gave rise to the corresponding phrase "exploit Wednesday".


4.17. However, all the major vendors, including Microsoft, now give end-users the option to configure their system to download security updates automatically. This was described by Microsoft as their "recommended option"—though the company also provides other options, ranging from notification that patches are available to switching off automatic updates entirely (see Q 289).

4.18. This prompts a number of questions. The first is whether a "recommended option" is sufficiently robust to protect consumers. The Society for Computers and Law were clear that computers should be "supplied with the default security settings ... 'turned on', with suitable guidance and warning to end-users on the risks associated with reducing the security settings" (p 126). Microsoft has itself slowly moved towards a default "on" setting for security, and, as Adam Laurie noted, "are now shipping secure by default settings" (Q 311). The open source community has moved in the same direction.

4.19. The provision of secure settings by default begs a further question, which is whether end-users adequately understand either the limitations that a high level of security places on functionality, or the implications of lowering that level from, say, "high" to "medium". As Adam Laurie continued, vendors "have to provide the tools, advice, timely updates and advisories when there is a problem in order for the user to make their own choice" (Q 311).

4.20. More generally, security prompts are notoriously obscure, and seem to be widely ignored by users—arguably justifying Apple's approach of eliminating prompts wherever possible. Doug Cavit assured us that Microsoft was making every effort to ensure that prompts and messages were transparent, but it was clear that Microsoft's belief was that some users would sometimes find it necessary to choose potentially risky behaviour, and therefore Windows would continue to use prompts and allow end-users to make the final decision on security. The use of simple, jargon-free language is absolutely critical if Microsoft's approach is not to undermine security.


4.21. A further concern is over the state in which PCs and operating systems are actually supplied to customers. It is one thing expecting users to update operating systems and security software, but it is another matter if these systems are not up-to-date at the time of purchase. We have not received clear evidence that out-of-date software is a major problem, but can readily see that, as proposed by the FIPR, a statement accompanying the PC, stating the date up to which the software was fully patched—in effect, a "best before" date—would be of use to purchasers (p 210). At the very least, we see no reason why operating systems should not be programmed to provide such information when run for the very first time, and why they should not automatically update themselves so as to fix any security problems when they are first connected to the Internet.

Emerging threats and solutions

4.22. We have already given a short overview of the kinds of threats facing Internet users. Attacks continue to increase in sophistication. MessageLabs, for instance, reported the emergence of "targeted Trojans", unique examples of malware targeted at particular organisations or individuals. Trojans typically masquerade as innocent programs or files, and rely on social engineering to persuade the recipient to run the file, so installing the malware "payload". This payload might be, for instance, a keylogger, which allows the author of the Trojan to capture passwords and other data. The targeted Trojan, by definition a new and unique piece of software, is particularly difficult for security software, relying as it does largely on databases of known malware, to detect.

4.23. The number of such bespoke Trojans intercepted by MessageLabs has risen from about two per week in January 2006 to one a day by January 2007. This is still a very small number, but Mark Sunner of MessageLabs noted that towards the end of 2006 "toolkits" to make such Trojans appeared online, so that criminals could "buy this capability from certain nefarious Russian websites" (Q 461). Such developments demonstrate that in the ongoing Internet arms race the "bad guys" will continue to search for and find ways to outwit the security professionals.

4.24. However, the "arms race" works both ways. New security technologies are likely to emerge in the coming years. Bud Tribble, for example, told us that Apple was conducting research into the possibility of including within the operating system a "sand-box"—a secure area in which untested programs can be executed. The Java programming language has used a sand-box to restrict individual programs for many years, but it is likely to be two or three years before a more general form of sand-box appears in mass-market operating systems designed for personal use.

Vendor liability

4.25. The preceding discussion leads onto one of the key issues raised in this inquiry—liability. At present, even if software is shipped with major flaws which give rise to security vulnerabilities, end-users who suffer loss as a result have no legal recourse against the vendors—end-user license agreements generally exclude any legal liability. As Professor Anderson put it, the Internet way of doing business is that "liability gets dumped as much as possible on the end user" (Q 646). The absence of liability, in contrast, means that there is little incentive, particularly given the high degree of uniformity across the marketplace, for vendors¹⁵ to raise security standards. A key question therefore is whether a liability regime would create an incentive for vendors to raise standards.

4.26. Liability is a hugely controversial issue within the IT industry. The witness to speak most forcefully in favour of a vendor liability regime was Bruce Schneier. He argued that "We are paying, as individuals, as corporations, for bad security of products"—by which payment he meant not only the cost of losing data, but the costs of additional security products such as firewalls, anti-virus software and so on, which have to be purchased because of the likely insecurity of the original product. For the vendors, he said, software insecurity was an "externality ... the cost is borne by us users." Only if liability were to be placed upon vendors would they have "a bigger impetus to fix their products" (Q 537). Thus Mr Schneier had no doubt that liability was the key to creating incentives for vendors to make more secure software.

4.27. Most other witnesses, however, were opposed to the introduction of any form of liability regime. Jerry Fishenden, of Microsoft, insisted that his colleagues were "making our platform as secure as we possibly can within the complex nature of software". He drew an analogy with the physical world: "People do not tend to immediately look for liability towards lock or window companies because houses are still being burgled. The tendency is to want to blame the perpetrator" (Q 273).

15 Readers are reminded that the word vendor is used in the sense universal within the IT industry, namely the manufacturers of software and other products, rather than the general English sense of retailer.

4.28. Alan Cox, a developer of open source software, focused on the possibility that a liability regime would stifle interoperability and innovation: "you buy a PC, you add a word processor, you add a media player, and you add a couple of games. All these can interact in strange and wondrous ways and as you add more software the combination increases. The rational thing for a software vendor to do faced with liability would be to forbid the installation of any third party software on the system" (Q 313). Bruce Schneier, on the other hand, argued "that the companies protest a little bit too much ... in fact innovation is so profitable and so valuable that you will see it" (Q 530).

4.29. Legal barriers were also raised. Nicholas Bohm argued that those who suffered harm as a result of flaws in software often had no contractual relationship with the vendor that would entitle them to claim damages: "the risks and losses are diffused by the Internet and it is not an environment in which beefing up direct liability is an easy thing to do". At the same time, he agreed that there was currently an "incentives problem", in that "the suppliers and the creators by and large do not suffer the adverse consequences to the same extent as their customers" (Q 394).

4.30. Mr Bohm's objection to a liability regime is certainly legitimate, though Bruce Schneier, while acknowledging the problem, argued that the courts would have to manage it, as they had done in other areas, where there were already "complicated case-histories of partial liability" (Q 540). Professor Anderson also concluded that "you are going to end up eventually with some hard cases for courts to decide where ascribing liability to this vendor or that vendor or to the user who misconfigured the machine will be a complicated question of fact" (Q 658). Analysing such questions of fact and reaching a judgment is what the courts do every day.


4.31. At the same time, we accept that the pace of innovation and change in the industry means that a comprehensive liability regime may not yet be feasible. New ways to use the Internet—for instance, new applications of "Peer-to-Peer" and other types of file sharing—emerge at bewildering speed. Online fashions and behaviours change just as fast. Professor Zittrain's comment on liability was a qualified "not yet"—"I would at least like to buy us another five or ten years of the generative status quo and then see if it turns out that things have slowed down and we pretty well know the uses to which the network will be put" (Q 971). Alan Cox, while arguing against liability, did concede that there might be "an argument in the longer term that as technology improves and as we get better at writing secure software that the law does need to hold software companies to higher standards, at least in terms of negligence" (Q 313).

4.32. In principle, technological constraints could slow the rate of innovation, creating a more stable and mature market for software, at any time. "Moore's Law", originally an empirical observation that computing power per unit cost of silicon chips doubled approximately every 24 months, has continued to hold good for over 40 years, and has supported an astonishingly innovative industry—but there is no guarantee that this rate of progress will be sustained in future. As this Committee noted in 2002, fundamental physical constraints will at some point limit the miniaturisation potential of conventional computer chips.¹⁶

4.33. We are not however in a position to predict if and when the pace of change in the online world will slow. Nor can we answer a related question, namely when the industry will, in Alan Cox's words, "get better at writing secure software". But we have no doubt that at some point in the future the IT industry, like other industries, will mature: more consistent standards for software design will emerge; the rate of innovation will slow. At that point, if not before, clearer definitions of the responsibility of the industry to customers—including a comprehensive liability regime—will be needed.

4.34. In the meantime, there are many areas in which vendor liability is already appropriate. One such is where vendors are demonstrably negligent in selling products which they know to be insecure, but which they advertise as secure. In Adam Laurie's words, "potentially there should be some issue of liability for companies shipping products that are known not to be secure and selling them as secure products" (Q 315). As an example, he mentioned WiFi systems, where security protocols were claimed to be secure long after they had in fact been broken.

16 See Chips for Everything: Britain's Opportunities in a Key Global Market (2nd Report, Session 2002-03, paragraphs 4.18 ff.).

4.35. Professor Handley also argued very succinctly for imposing liability where negligence could be shown: "If your PC, for example, gets compromised at the moment there is no real liability for the software vendors or the person who sold them the PC or anything else. The question then is: did the person who sold you that software or the person who wrote that software or whatever actually do the best job industry knows how to do in writing that software? If they did then I really do not think they should be liable, but if they did not then I think some liability ought to be there" (Q 654). We agree.

4.36. Any imposition of liability upon vendors would also have to take account of the diversity of the market for software, in particular of the importance of the open source community. As open source software is both supplied free to customers, and can be analysed and tested for flaws by the entire IT community, it is both difficult and, arguably, inappropriate, to establish contractual obligations or to identify a single "vendor". Bruce Schneier drew an analogy with "Good Samaritan" laws, which, in the United States and Canada, protect those attempting to help people who are sick or injured from possible litigation. On the other hand, he saw no reason why companies which took open source software, aggregated it and sold it along with support packages—he gave the example of Red Hat, which markets a version of the open source Linux operating system—should not be liable like other vendors (Q 541).

4.37. Finally, we note that moves towards establishing vendor liability would be much more effective if they were made internationally rather than by the United Kingdom alone. There is a significant cross-border market in software products, so imposing liability onto United Kingdom companies, without making foreign companies accept similar responsibilities, would risk undermining competitiveness. In addition, regulatory intervention at United Kingdom level might risk creating distortions in the internal market, so falling foul of European Union law. We were therefore encouraged by the cautious welcome given to the prospects of vendor liability by Viviane Reding, Commissioner for Information Society and Media at the European Commission:

"We will follow the development of the industry-led initiatives in this area ... If industry, if the market can sort out the problem we leave the market to do that, but we also say to the market or to the industry, 'We do not want this to happen for a very long period of time, so if you can sort it out, do it, and if after one or two years you have not managed to sort it out then we will have to come in with regulation,' because here we believe that self-regulation is the best way out, if it is possible. If not, then we have to go to a binding regulation which is potentially costly to the industry" (Q 947).

Conclusions and recommendations

4.38. The IT industry has not historically made security a priority. This is gradually changing—but more radical and rapid change is needed if the industry is to keep pace with the ingenuity of criminals and avoid a disastrous loss of confidence in the Internet. The major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority. We urge the industry, through self-regulation and codes of best practice, to demonstrate its commitment to this principle.

4.39. In particular, we urge the industry to endorse the following as best practice:

• Increasing the provision of security advice to users when first booting up PCs or launching applications;

• Automatic downloading of security updates upon first connecting machines to the Internet;

• Ensuring that default security settings are as high as practicable, even if functionality is restricted while users are still learning about the risks they face; and

• An industry-wide code of practice on the use of clear and simple language in security messages.

4.40. However, efforts to promote best practice are hampered by the current lack of commercial incentives for the industry to make products secure: companies are all too easily able to dump risks onto consumers through licensing agreements, so avoiding paying the costs of insecurity. This must change.

4.41. We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced.

CHAPTER 5: USING THE INTERNET: BUSINESSES

Overview

5.1. Our focus in this inquiry has been on individual Internet users. However, once individuals have made personal information available online, whether by sending an email, or using a search engine, or opening an online bank account, they no longer have direct control over the uses to which that information is put. So, before looking at the individual, we examine the steps that businesses and other organisations processing or storing personal information in electronic form can take to improve personal Internet security.

5.2. Myriad businesses and other organisations operate online. For many the Internet is a cheap and efficient alternative to more traditional ways of doing business. The banks, for instance, make savings in staff and branches, and can afford to offer online customers better interest rates. Dedicated online traders, such as Amazon, have profoundly changed the way people shop, allowing them to search for items and compare prices more or less instantaneously. Trading sites such as eBay are still more fundamentally dependent on the Internet, relying on features such as member feedback that would not be possible in a conventional forum.

5.3. What all these businesses have in common, along with other organisations with an online presence, such as government agencies, is that they hold personal information that individual users have disclosed to them. This information may be confidential, such as account details and passwords, or it may be more directly and personally sensitive, such as health records. In either case, its loss would expose the individual to the risk of serious harm, whether financial or personal.


5.4. It would therefore seem to be incumbent on businesses operating online to protect their customers' security and safety by ensuring that the information they hold is not lost. But as the Foundation for Information Policy Research noted, "Security failures are often due to misplaced incentives; when the people guarding a system are not the people who suffer when it fails, then one may expect less than the socially optimum level of diligence" (p 209). There is currently no direct commercial incentive for businesses to make the security of private individuals a high priority, given that it is those individuals who typically bear the losses resulting from security breaches.

5.5. Nor is the legal regime within which businesses operate online particularly onerous. The statutory framework for protection of personal information online is found in the Data Protection Act 1998, in particular in the seventh "data protection principle" in Schedule 1 of that Act. This provides that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data." Enforcement of breaches of the Act is the responsibility of the Information Commissioner.

5.6. The provisions of the Data Protection Act are supplemented by the Privacy and Electronic Communications (EC Directive) Regulations 2003, which implemented the ePrivacy Directive.¹⁷ The Regulations cover a range of issues such as calling line identification, billing and other services provided by ISPs; but for the purposes of this chapter the key areas are unsolicited communications and email "spam".

5.7. Our key questions, therefore, have been:

• What security standards are or should be observed by businesses and other organisations operating online?

• Are additional incentives needed, and if so of what kind, to raise standards?

• Does the enforcement regime provide a strong enough deterrent to those who fail to observe adequate security standards?

17 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.

Security standards

5.8. The Internet offers business a huge and fast-changing market-place. One consequence is that no accurate data exist on the level of losses suffered by individuals buying and selling online. There is no uniformity of reporting, and published figures are correspondingly unreliable. There is, for example, no precise break-down of the proportion of online fraud perpetrated by means of phishing, card-not-present fraud, and so on. Colin Whittaker of APACS estimated that "phishing accounts for anywhere between 25 and 50 percent of the attacks that we see that cause losses on customer accounts" (Q 90). An estimate as imprecise as this contributes little to our understanding of what is happening.

5.9. Nor are data available on the numbers of attacks on particular banks or businesses. APACS refused to divulge any data on the numbers of attacks on banks, Mr Whittaker merely insisting that "there is no evidence that one bank is any worse or any better off than any others" (Q 96). Where there are public reporting systems, such as the FBI-run IC3 website in the United States, the vagaries of reporting still make it difficult to read much into the data. Thus we were told at the Federal Trade Commission in Washington that some 63 percent of online frauds reported to IC3 concerned online auctions.18 It was only when we visited eBay in Silicon Valley that we were able to put this startling figure into perspective: not only are eBay and its subsidiary PayPal, in the words of Matthew Pemble, "the primary targets worldwide for phishing" (Q 108), but they also, unusually, report all frauds to the website and encourage customers to do the same.

18 This fell to 44.9 percent in 2006.


5.10. The key point about phishing is that it works by means of social engineering—victims are persuaded to go to a fraudulent site, on which they themselves enter their account details and other personal information. No malware needs to be involved, and standard technical measures such as anti-virus software are of no use. Phishing, and the social engineering techniques employed by criminals, become more subtle all the time, and a certain proportion of individuals will always be fooled. As we were told at eBay, some victims simply do not learn from their mistakes, but will give out account details to phishers time after time.

5.11. It follows that action by the companies whose customers are targeted and whose websites are spoofed by the phishers is essential to limit the threat to e-commerce. A key measure is the rapid closing down of phishing sites. Card operator Visa, for instance, told us that it maintained "a dedicated resource ... for investigating the phishing emails and contacting the host to get sites shut down" (p 35). This proactive approach is of course welcome, but Visa is the target of only a small proportion of phishing emails. Nor is the process of getting hosts to close down phishing sites straightforward, given that these hosts may be based anywhere in the world. As the European Information Society Group (EURIM) noted:

"There is a need to bring the current proliferation of fragmented local and national reporting operations together into international reporting networks that cross public-private boundaries and to collate and route information to those who are in a position to take action" (p 369).

5.12. Simple administrative measures could also help. For instance, the success of phishing emails is undoubtedly boosted by the fact that banks continue to email customers. Sandra Quinn of APACS made much of the fact that "we have made some very clear messages, such as your bank will never ask you to access your website through a link in an email" (Q 134). Thus to take an example at random, the page of the Lloyds TSB website offering advice on phishing states, "While we may email you from time to time, we will never send you emails asking for your Internet banking or telephone banking information either through an email or a website."19 But while this seems clear, the fact that emails are sent at all leaves an opening for the phishers—once the possibility that banks will contact their customers by email is admitted, the social engineering skills of the "bad guys" will do the rest.

19 See http://www.lloydstsb.com/security/phishing.asp

5.13. Thus the demands of marketing and those of security appear to be in direct conflict. As Philip Robinson of the Financial Services Authority asked, "if there are very large numbers of marketing material hitting your inbox ... how do you determine which are real and which are not when they all often look the same?" (Q 179). In the present circumstances, we do not believe it is appropriate that banks should send unsolicited emails to customers under any circumstances.

5.14. Technical measures might also reduce the impact of phishing. A fundamental element of online transactions is that banks and merchants have to establish that the customer purporting to use their services is who he or she claims to be. At present they typically rely on what might be called "shared secrets"—information known to customer and, say, bank, but no-one else. Such secrets include passwords, or questions and answers (for instance, mother's maiden name or first primary school). All these secrets are lost if the individual can be persuaded to log onto the phishing site. Thus the system of shared secrets is, as Nicholas Bohm commented, "inherently weak" (Q 352). Its weakness has contributed, particularly since the introduction of "chip and pin", to a huge increase in the prevalence of "card not present" fraud.

5.15. One way to combat this weakness would be to introduce a system whereby websites operated by banks or other businesses offering financial services authenticated themselves to customers, rather than simply requiring customers to authenticate themselves by entering account information, card details and passwords. In the field of online shopping, Visa's new "Verified by Visa" system introduces a personalised security page (which they told us could not be spoofed by a phishing website) before requesting passwords (see Q 103).


5.16. Similar systems could be introduced by banks, but at present there is no uniformity across the sector. Although such a system is employed by Alliance and Leicester, Colin Whittaker's comment was that "That was their response to their cost-benefit investment decisions for their requirements for their customers. Over time individual institutions will make their own decisions and those decisions will evolve as and when the cost-benefit case changes over time" (Q 115). In other words, the market will deliver.

5.17. Another solution that has been proposed is "two factor authentication". This means, as Robert Littas of Visa put it, that the bank or merchant asks for "something you have and something you know" (Q 113). In other words, not only are "shared secrets" requested, but the customer is required to demonstrate they are in possession of something (typically a token or key fob generating a random series of six-digit numbers). This offers a degree of protection, particularly against phishing—as Paul Wood of MessageLabs noted, phishing increasingly "targets banks and organisations which do not deploy ... 'two factor authentication'" (Q 461).

5.18. However, two factor authentication also has its limits. The first is practical. Individuals are already overburdened by the need to remember a range of pin numbers and passwords, to such an extent that they have little choice but to write them down, so negating their very purpose. It is unlikely that they would welcome having to keep safe, and, potentially, carry around a similar number of key fobs.

5.19. There are also technical limitations. For instance, two factor authentication is still susceptible to "man in the middle" attacks, where the attacker places himself between the consumer and the bank. In addition, the emergence of new types of "Trojan horse" could undermine its usefulness. We have already described the threat posed by keyloggers, malware installed by means of Trojans, which allow criminals to monitor and record keystrokes (and even mouse movements). While two factor authentication might appear to offer a degree of protection, Paul Wood noted that the more sophisticated malware now being installed by Trojans means that "the Trojan will potentially take over your browser session after you have completed the authentication" (Q 461). In other words, the Trojan remains dormant and invisible until the victim has logged onto a (legitimate) site, for instance to check his bank account. The Trojan then allows the criminal to take control of the web browser remotely, emptying the bank account.

5.20. This is a relatively new development, albeit one witnessing what Mr Wood called "increasing activity". It is difficult to see what businesses using the Internet, such as banks, can do to counter it. Their most promising defence will be in monitoring transactions and detecting suspicious activity patterns. However, the conclusion of MessageLabs (albeit one in their own commercial interest), was that the threat could only be countered by "Internet-level filtering" (Q 464), screening out the Trojans before they reached end-users.
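As an added illustration of the transaction-monitoring defence referred to above (example code written for this edition, not drawn from the Committee's evidence), the following Python scores two constructed online-banking sessions that both completed two factor authentication, so that only the behaviour after the "2fa_ok" event can tell the ordinary session from the one taken over after login; the event names, thresholds, balances and payee lists are all assumptions.

```python
"""Post-authentication transaction monitoring (constructed example).

Both sessions below pass two factor authentication, so the authentication
step alone cannot separate them. The scoring looks only at what happens
after the "2fa_ok" event: pace of actions, new payees and drained balances.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    session: str
    t: float            # seconds since session start (constructed)
    kind: str           # login, 2fa_ok, view_balance, add_payee, transfer
    amount: float = 0.0
    payee: str = ""


# Constructed sample log: s1 is an ordinary session; s2 shows the pattern
# the text describes, with a burst of activity right after authentication.
SAMPLE_LOG = [
    Event("s1", 0, "login"),
    Event("s1", 18, "2fa_ok"),
    Event("s1", 40, "view_balance"),
    Event("s1", 95, "transfer", 120.00, "landlord"),
    Event("s2", 0, "login"),
    Event("s2", 15, "2fa_ok"),
    Event("s2", 15.4, "add_payee", 0.0, "mule-1"),
    Event("s2", 15.9, "transfer", 2400.00, "mule-1"),
    Event("s2", 16.3, "transfer", 2400.00, "mule-1"),
    Event("s2", 16.8, "transfer", 2100.00, "mule-1"),
]

# Constructed account balances and payees the customer has paid before.
BALANCES = {"s1": 3100.00, "s2": 7200.00}
KNOWN_PAYEES = {"s1": {"landlord"}, "s2": {"landlord", "gas"}}

# Thresholds are assumptions for this example; a bank would tune them.
MIN_HUMAN_GAP = 2.0       # seconds a person needs between two actions
NEW_PAYEE_WINDOW = 300    # seconds after 2FA in which a new payee is suspicious
DRAIN_FRACTION = 0.8      # outflow above this share of the balance is suspicious


def score_session(events, balance, known_payees):
    """Return the list of reasons a session looks like a post-auth takeover."""
    events = sorted(events, key=lambda e: e.t)
    auth_t = next((e.t for e in events if e.kind == "2fa_ok"), None)
    if auth_t is None:
        return ["no completed authentication"]
    post = [e for e in events if e.t > auth_t]
    reasons = []

    # 1. Actions arriving faster than a person at a keyboard could produce.
    gaps = [later.t - earlier.t for earlier, later in zip(post, post[1:])]
    if gaps and min(gaps) < MIN_HUMAN_GAP:
        reasons.append("actions faster than human pace")

    # 2. Money sent to a payee that was unknown until just after authentication.
    added = {e.payee for e in post
             if e.kind == "add_payee" and e.t - auth_t < NEW_PAYEE_WINDOW}
    if any(e.kind == "transfer" and e.payee not in known_payees
           and e.payee in added for e in post):
        reasons.append("transfer to payee added just after authentication")

    # 3. Total outflow in the session drains the account.
    outflow = sum(e.amount for e in post if e.kind == "transfer")
    if balance > 0 and outflow / balance > DRAIN_FRACTION:
        reasons.append("outflow drains balance")
    return reasons


def flag_sessions(log, balances, known_payees):
    """Group events by session and score each one."""
    by_session = defaultdict(list)
    for e in log:
        by_session[e.session].append(e)
    return {sid: score_session(evs, balances[sid], known_payees[sid])
            for sid, evs in by_session.items()}


if __name__ == "__main__":
    for sid, reasons in flag_sessions(SAMPLE_LOG, BALANCES, KNOWN_PAYEES).items():
        print(sid, "suspicious:" if reasons else "ok", "; ".join(reasons))
```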

5.21. Notwithstanding what we have just said about Trojans, there are many simple steps that businesses using the Internet could take to improve security for their customers. Security measures have to be proportionate to the risk, and need not be over-complicated or burdensome. Furthermore, online security must be seen within the context of general security. As Bruce Schneier commented, "I have a computer at home that has no password, because I consider it is in the secure perimeter of my home. It is different from a laptop computer, which is right now in my hotel room. There is a very different set of security assumptions going on there" (Q 555).

5.22. Some of the major security lapses of recent times have come about not because of the actions of online criminals, but because of simple carelessness, such as the loss of laptops. In the case of the laptop lost by Nationwide Building Society in 2006 not only were the data of 11 million customers stored on the laptop in unencrypted form, but, according to the judgment delivered by the Financial Services Authority (FSA) in February 2007, when the laptop was stolen Nationwide was unaware what data it contained and took no action for three weeks.20

20 See http://www.fsa.gov.uk/pubs/final/nbs.pdf.

Incentives


5.23. If businesses and financial institutions are to take the sorts of measures outlined above, if the market is to deliver, they will need to show commitment at the highest level. This leads us to the question of incentives.

5.24. Are the banks in particular sufficiently committed to the security of customers to invest in appropriate technical and other measures to protect them? The response from APACS, the trade association representing the payments industry, was discouraging. In Colin Whittaker's words, "it is not so much that the banks themselves or the banks' systems are insecure because those banks are not being attacked; it is their customers that are being attacked unfortunately" (Q 120). This demonstrates extraordinary complacency. The banks make profits because they are deemed to be a safe repository for their customers' money, and inevitably that money, not the banks' own, is the target of criminals. APACS might as reasonably claim that a bank which left its doors open and dispensed with safes was not insecure because "it is their customers that are being attacked".

5.25. Incentives are needed to overcome this complacency. They are currently lacking, because the banks in particular are able to offload risks onto customers and merchants. The legal background was helpfully explained to us by Nicholas Bohm. He drew attention first to the common law principle that "if someone seeks to hold me to a bargain which he says I made and I say I did not make it, it was someone pretending to be me, he has to prove it was me in order to prove his case and if he cannot prove it was me then he stands the resulting loss". This principle has been buttressed by statute law in certain areas—for example, the Bills of Exchange Act 1882 specified that if a bank honoured a forged cheque the bank, not the customer upon whose account the cheque was drawn, would be liable (Q 352).

5.26. No such statutory codification has been applied to the world of online banking. Instead, customers must fall back on the common law principle, which Nicholas Bohm interpreted in this context as signifying that "those who deploy security systems for the purpose of checking that the customer is the one making the transaction are the ones who should stand the risk of it failing". Mr Bohm concluded that he "would like to see the banking system Ombudsman, the Office of Fair Trading and anybody else concerned with unfair contract terms encouraged to take a robust line" (Q 352). However, in practice this has yet to happen, and the banks do not formally accept liability for losses incurred when customers are impersonated by criminals who have stolen account details. At present the banks generally meet such losses, but they are under no obligation to do so, and as losses rise, the temptation for the banks to disclaim liability will grow.

5.27. When these points were put to the Minister, Margaret Hodge MP, her response was as follows: "There will be some circumstances where we could put in primary legislation and there could be other circumstances where it is consumer behaviour rather than the banks which is at fault ... and it is difficult to get those parameters right. What ... we are trying to do all the time, is to try and improve the abuse of fraud by authentication schemes and working with the banks in that regard. We can go with the heavy hand of the law rather than the more self-regulatory route down which we are tending to travel and it is a matter of judgment for this Committee which it thinks is more appropriate" (Q 864).

5.28. The Minister's comments are deeply disappointing. There is a time to rely on the invisible hand of the market, and a time to give out signals to the market that, in order to offer proper protection to consumers, it should move in a particular direction. As Bruce Schneier commented, "I do not think that 'difficult' is a reason not to try" (Q 539). In marked contrast to the position in the United Kingdom, in the United States Regulation E of the Federal Reserve Board makes banks liable for all but the first $50 of any loss incurred as a result of an unauthorised electronic fund transfer, as long as the victim notifies the bank in timely fashion. Naturally, in the case of first party fraud—when a customer disavows a transaction dishonestly—the bank can recover its money and prosecute through the courts.

5.29. However, bringing online banking into line with the rules applying to forged cheques would affect only one part of the business world. A more fundamental change, raising the profile of online security across the board, is required. A key issue is the fact that businesses are not currently required to report or publicise security breaches. The problems this creates were described in scathing terms by the FIPR:

"A company whose systems have been compromised has every incentive to keep quiet about it, and will probably receive legal advice against notifying affected individuals ... Thus security breaches affecting the individual are typically detected when the individual complains of fraud. Such complaints are often met with hostility or denial by financial institutions, or with a demand that the customer explain how the dispute might have arisen" (p 210).

5.30. The state of affairs described by the FIPR is self-defeating. For instance, in 2005-06 hackers, exploiting vulnerabilities in WiFi systems, stole the details of over 45 million payment cards from retailer TKMaxx. Although the company disclosed this massive security breach, it was, under United Kingdom law, under no obligation so to do—and no doubt many smaller but otherwise comparable breaches have gone unreported. Still less was the company obliged to take steps to inform the individual customers concerned. These customers, if informed of the breach, might have been persuaded to examine credit card and bank statements more closely, so identifying minor frauds or thefts they would otherwise have missed. Moreover, the fact of disclosure would have given them evidence to support a prima facie case that they had been victims of fraud.

5.31. Thus the absence of a duty of disclosure reduces the likelihood that customers will identify, complain of and provide proof of fraud; it also, since such complaints are in turn the most likely means of prompting disclosure, leads to a vicious circle of under-reporting. As the FIPR concluded, the absence of a duty of disclosure is a key reason why "we have no really dependable statistics" regarding the incidence of online fraud. A unified, centralised reporting system for security breaches would be a key element of any legislation, which would yield huge benefits for researchers in the field.


5.32. The position in the United States stands in marked contrast to that in the United Kingdom. While there are no federal data security breach laws currently in place, state laws, introduced first in California, now apply in 35 states. When we visited the Federal Trade Commission, officials were emphatic that these laws had had a marked impact, driving numerous investigations, and leading in the Choicepoint case to the company paying $10 million in civil penalties for security breaches and $5 million in redress to customers. Both the prospect of tough penalties, and, more importantly, the prospects of public embarrassment and loss of share value, provide strong incentives to companies to prioritise data security at the highest level.

5.33. Moreover, when we visited the FBI in California, we were told of another beneficial side-effect of security breach notification laws. Whereas in the past companies would often conceal attacks on their systems so as not to damage their reputation, now, since individuals had to be informed anyway, they were far more willing to report such events to law enforcement.

5.34. In contrast, in this country, despite the principles embodied in the Data Protection Act 1998, there is no practical incentive for those holding customer data to take steps to protect it—other than in the exceptional circumstances that they are already subject to an enforcement notice from the ICO, and are thus at risk of prosecution and a £5,000 fine. Phil Jones, of the ICO, put the prevailing situation in a nutshell: "however irresponsibly the data controller behaves he does not commit an offence" (Q 366).

5.35. The laws pertaining in the United States are far from perfect—and the diversity across the states is a significant handicap. As Dr Chris Hoofnagle, a lawyer working at the CITRIS research institute, told us, different definitions of what constituted a security breach, and differences in requirements as far as demonstrating potential harm, and in reporting requirements, to some extent undermined their effectiveness, as well as the reliability of the data generated. There were also specific problems with letters that did not make it clear what steps individuals might take when their data had been stolen—indeed, in some cases notification and advice were so buried in advertising that recipients might well miss them altogether. A federal law is currently under consideration, which aims to correct these inconsistencies and deficiencies.


5.36. In addition, Bruce Schneier suggested to us that while the laws had done "a lot of good", they might also have "outlived their usefulness". The key to the value of data security breach notification, in his view, was the "public shaming" of offenders. But this relied on publicity, and the publicity was attenuated over time—"it is no longer news when someone's innovation is stolen. It happens too often". A related risk was that individuals would be overwhelmed by breach notifications, and, lacking the information to enable them to assess the actual risks, would quickly lose interest. Nevertheless, he concluded that "I think that it should still be done, because forcing companies to go public with the information is very valuable—to researchers, to policymakers" (Q 547).

5.37. The position of the Government was lukewarm. Margaret Hodge described security breach notification as "an enticing bit of legislation", but then focused on "the difficulty of framing that intent in a practical way because you would have to decide what breaches would you report precisely, what is the trigger for a report, those sorts of issues, and you do not want to end up in a situation where people either become really blase about it because they get so many reports of breaches or they become so scared that they do not take advantage of the new information communication technology ... The devil is in the detail" (Q 849).

5.38. We fully acknowledge the Minister's points—it is essential, in particular, that any obligation to disclose security breaches should set a sensible threshold in terms of the potential risk to those affected. For instance, if a laptop is lost, but the data are securely encrypted, or if the laptop was contained in the boot of a car that has driven off a bridge into a deep river, the risk of data breach may be minimal. The detail must be got right. But we believe that the United Kingdom is now ideally placed to learn from the successes and failures of the many state laws in force in the United States and get this detail right, establishing a workable and effective legislative framework.

5.39. However, we find it alarming that the Minister appeared to regard with equanimity a situation in which security breaches were so common that if companies were to be obliged to inform individuals of security breaches affecting their personal data, these individuals would respond either with bored indifference or fear. In the Foreword to his latest Annual Report, the Information Commissioner noted that "The roll call of banks, retailers, government departments, public bodies and other organisations which have admitted serious security lapses is frankly horrifying".21 The evidence heard in this inquiry fully bears out this description. The sheer volume of breaches must not be used as an excuse for inaction.

5.40. Mrs Hodge also drew attention to proposals emerging from the European Commission on data breach notification in the context of its new Regulatory Framework for Electronic Communications. However, as the title of this initiative implies, the Commission's proposals would place requirements solely on companies in the communications sector. They would thus omit the many businesses in banking and financial services, retailing and elsewhere, that hold confidential personal data.

5.41. The reason for this limitation appears to be bureaucratic rather than reasoned. As Achim Klabunde, of the Directorate General Information Society, said when asked why the proposals were limited to the communications sector, companies in other sectors, such as payment services, were outside his "organisational competence" (Q 910). In other words, DG Information Society has no authority to initiate proposals covering, for instance, the payment services industry. This is an inescapable fact, and inevitably means that the laws currently proposed in Brussels will have little impact in raising the incentives for business to take the necessary steps to protect personal Internet security.

The enforcement regime

5.42. We have outlined above the role of the Information Commissioner's Office (ICO) in enforcing the statutory provisions that protect the security of personal data online. In a previous chapter we have also outlined the very limited remit of the communications industry regulator, Ofcom, with regard to Internet Service Providers.

21 Information Commissioner's Office, Annual Report 2006/07, 10 July 2007 (HC 646), p 7.

5.43. An extra layer of regulation is provided by the Financial Services Authority (FSA), which regulates the banks and the rest of the financial services sector. Its task, set out in the Financial Services and Markets Act 2000, is to ensure that regulated companies in the sector meet the "threshold conditions" set out in Schedule 6 of the Act: in the words of the FSA, this includes "assessing whether their systems and controls are adequate to prevent them being used for purposes connected with financial crime, including fraud; it also includes the adequacy of their information security measures" (p 54).

5.44. In the field of Internet trading, the Office of Fair Trading (OFT) has a general responsibility to regulate the advertising industry. Spam, insofar as it contains misleading advertising, falls under the remit of the OFT, which also co-ordinates international action on spam through the London Action Plan. However, Mike Haley of the OFT conceded that the enforcement mechanisms were too clumsy to deal with the fast-moving and globalised market for spam:

"Our powers are still based on the offline world of knowing where a trader is, being able to go and speak to him, have premises inspected and then take action appropriately. If we know a spamming campaign is coming over the weekend ... we have to go and apply for a court order and the spam would have been sent out to millions of people before we had even had a chance to move. So I think there is a need to look at not just the international infrastructure but also for adequate powers and sanctions to apply in a fast-moving environment" (Q 429).

5.45. Finally, enforcement with regard to specific online scams is the responsibility of Local Trading Standards Services (LTSS). A recent OFT report acknowledges that the priority afforded to online frauds is variable; that no specific requirements relating to the Internet are contained within the National Performance Framework for LTSS; and that enforcement was generally "reactive to complaints".22

5.46. There are thus many divisions of responsibility and apparent overlaps. On the one hand there is, as the Minister Margaret Hodge MP told us, a "crude division of labour" between Ofcom and the ICO: "Ofcom regulates the industry—it is a bit too crude to put it like this, but I will say it anyway—and the Information Commissioner will look after the interests of the individual" (Q 865). On the other hand, while the ICO has a general duty to enforce the data protection principles, including the seventh principle, that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data", in the vital financial services sector the FSA also has responsibility for assessing such systems and controls.

5.47. What this complicated division of responsibility between regulatory and enforcement bodies demonstrates is that the online world, as a medium that offers a constantly expanding range of uses to business, has no dedicated regulator. Instead, discrete areas of activity, such as advertising or banking, are regulated, with the divisions of responsibility between regulators being modelled on the offline world.

5.48. The only enforcement agency with a general responsibility for personal Internet security, insofar as it relates to the security of personal data, is the ICO. However, of all the regulatory authorities, the ICO's enforcement powers appear currently to be the weakest. As Phil Jones of the ICO told us, "what we do have is the power to issue a formal enforcement notice, which puts an organisation on notice to amend their practices. If they are actually in breach of the notice, at that stage it is a criminal offence but not before" (Q 365).

22 See Internet Shopping: an OFT Market Study, June 2007, p 101: http://www.oft.gov.uk/shared_oft/reports/consumer_protection/oft921.pdf.

5.49. As a result, when the ICO found in March 2007 that 11 banks and other financial institutions had breached data protection principles by discarding personal information in waste bins, it was able only to require the companies "to sign a formal undertaking to comply with the Principles of the Data Protection Act." Further breaches "could result in prosecution"—with the maximum fine on summary conviction currently standing at just £5,000.23 In summary, the Society for Computers and Law (SCL) concluded that the seventh data protection principle was "not rigorously enforced" (p 128).

5.50. In marked contrast, in February 2007, following the 2006 loss of a laptop containing confidential customer information (already referred to above, paragraph 5.22), the FSA fined the Nationwide Building Society £980,000 for "failing to have effective systems and controls to manage its information security risks".24

5.51. In late 2006 the Department for Constitutional Affairs (now the Ministry for Justice) launched a consultation on increasing the maximum penalty available to the courts for wilful misuse of personal data to six months' imprisonment.25 The Home Office Minister, Vernon Coaker MP, confirmed that following this consultation "the Government is now looking at is a vehicle to actually look at increasing some of the penalties available for the misuse of data" (Q 876).

23 ICO press release: http://www.ico.gov.uk/upload/documents/pressreleases/2007/banks_in_unacceptable_data_protection_breach.pdf.

24 FSA press release: http://www.fsa.gov.uk/pages/Library/Communication/PR/2007/021.shtml.

25 See http://www.dca.gov.uk/consult/misuse_data/consultation_0906.pdf.


5.52. However, the 2006 consultation does not contain any proposals to change the cumbersome enforcement regime, including the requirement that offenders first sign undertakings to comply with the Data Protection Principles with legal action only possible if further breaches occur. Mrs Hodge told us that "the advice to us from the Information Commissioner is that speed is more important to him. At the moment the investigations just take too long and I think if he would prioritise any issue he would go for speed more than fine levels" (Q 878). However, we are not aware of any measures planned which might meet the concern of the SCL, that "the resources made available to the [ICO] continue to be inadequate" (p 128).

Conclusions and Recommendations

5.53. The steps currently being taken by many businesses trading over the Internet to protect their customer's personal information are inadequate. The refusal of the financial services sector in particular to accept responsibility for the security of personal information is disturbing, and is compounded by apparent indifference at Government level. Governments and legislators are not in a position to prescribe the security precautions that should be taken; however, they do have a responsibility to ensure that the right incentives are in place to persuade businesses to take the necessary steps to act proportionately to protect personal data.

5.54. We therefore recommend that the Government introduce legislation, consistent with the principles enshrined in common law and, with regard to cheques, in the Bills of Exchange Act 1882, to establish the principle that banks should be held liable for losses incurred as a result of electronic fraud.

5.55. We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.

5.56. We recommend that a data security breach notification law should incorporate the following key elements:

• Workable definitions of data security breaches, covering both a threshold for the sensitivity of the data lost, and criteria for the accessibility of that data;

• A mandatory and uniform central reporting system;

• Clear rules on form and content of notification letters, which must state clearly the nature of the breach and provide advice on the steps that individuals should take to deal with it.

5.57. We further recommend that the Government examine as a matter of urgency the effectiveness of the Information Commissioner's Office in enforcing good standards of data protection across the business community. The Commissioner is currently handicapped in his work by lack of resources; a cumbersome "two strike" enforcement process; and inadequate penalties upon conviction. The Government have expressed readiness to address the question of penalties for one type of offence; we recommend that they reconsider the tariffs for the whole of the data protection regime, while also addressing resources and enforcement procedures as well. These should include the power to conduct random audits of the security measures in place in businesses and other organisations holding personal data.

CHAPTER 6: USING THE INTERNET: THE INDIVIDUAL

Overview

6.1. Enormous reliance is currently being placed by Government upon education, information and training. Arguably the key question in our Call for Evidence was "What can and should be done to provide greater computer security to private individuals?" The Government's response began as follows:

"Both Government and industry have roles in ensuring that people are aware of the general risks online. Both also have a critical role to play in ensuring that the public are conducting online transactions with them safely. The nature of the Internet means that it is our collective responsibility to ensure that people are doing what they can to make themselves and their families safe online so that they can enjoy the real benefits of the Internet" (p 4).

6.2. The tone is typical of the Government's evidence to this inquiry. While there is a passing acknowledgement that Government and the industry have a "collective responsibility" in the area of personal Internet security, in practice their roles appear to be limited to making people "aware" of the risks online, and providing them with the tools "to make themselves and their families" secure.

6.3. The tenor of our Report thus far is clear: we have argued throughout for Government, regulators, the IT industry and online businesses to take more active steps to improve personal Internet security. We have recommended a range of incentives designed to ensure that those best placed and most competent to improve personal Internet security (the ISPs, software and hardware vendors, and the companies who conduct business online) are motivated to do so.

6.4. But at the same time, just as drivers are required to meet certain standards, not just for their own protection, but for the protection of other road-users, so individuals in the online world must take a measure of responsibility for their own security and that of others. We therefore begin this chapter by examining where the balance lies between individual responsibility and Government, regulatory or corporate action.

6.5. We also consider in this chapter the largely self-contained issue of online safety, the prevention of actual physical or psychological harm to individuals. This is a matter in large part of personal behaviour, though here too the IT industry and businesses operating online bear a significant responsibility.

Individual skills

6.6. There are those who argue that the astonishing rate of change and innovation which the Internet continues to witness will inevitably outstrip the individual's ability to keep pace with technology. In the words of the Foundation for Information Policy Research (FIPR):

"The typical computer user can do little to identify or mitigate technical risks. He buys a computer as a consumer electronic appliance, plugs it in and uses it; attempts to turn up the 'security level' of his browser will cause some web sites to not work; he has no way of telling good security software from bad; and many of the problems are completely outside the control of even technically sophisticated users" (p 211).

6.7. There were many other expressions of a similar view. We have already drawn on Bruce Schneier's arguments that ISPs should do more to protect individuals. He summed up his position by reference to his mother: "I always use my mother as an example. She is not stupid; she is very intelligent, but this is not her area of expertise. If I tell her, 'You have to be responsible for your Internet security', she will not be able to. It is too technical, in ways she cannot deal with" (Q 529).

6.8. Elderly parents cropped up several times in our inquiry. Professor Handley said, "I do use e-banking but I have specifically told my parents not to ... I do not respond to any bank e-mail no matter whether it is legitimate or not but I do not trust my parents' ability to make those same kind of decisions" (Q 694). Professor Anderson (who chairs the FIPR), commenting on the complexities of software design, said "Ultimately, when trying to design such things, you are not designing for geeks because geeks can look after themselves. I always ask myself ... 'Well, what about my mum?'" (Q 691). More optimistically, Andrew Cormack said that "I taught my parents how to use [the Internet] safely and that was fairly painless" (Q 992).

6.9. Such comments mask a real demographic change of the last decade, following on from the development of the World Wide Web, and Microsoft's inclusion in the late 1990s of an easy-to-use web browser as standard with its operating systems. We began this Report by noting that Internet use in the United Kingdom grew from 2000-2007 by 144.2 percent. A significant part of this growth is made up of older people: according to the Oxford Internet Survey, from 2003-2005, Internet use among pupils and the working population remained almost entirely flat, but among the retired it rose from 22 to 30 percent.26 As the population continues to age there is every likelihood that "silver surfers" will make up an even larger proportion of Internet users. Education, as Roy Isbell of Symantec noted, will increasingly need to "target that demographic" (Q 452).

26 The Internet in Britain: The Oxford Internet Survey (May 2005), p 51: http://www.oii.ox.ac.uk/microsites/oxis/.


6.10. This is not to say that the stereotype of the elderly, gullible and technically incompetent Internet user is justified: gullibility and lack of technical know-how will be found in individuals in every age cohort. The key point is that the rate of growth in Internet use across society means that there are bound to be many individuals, of all ages, using the Internet to bank, shop, or send and receive email, without having high levels of IT skills.

Awareness vs knowledge

6.11. There are two key aspects to improving the ability of individuals to manage online security. One is to promote awareness of the risks online; the second is to instil knowledge of how practically to manage them. Both are necessary: one without the other is of little use.

6.12. Currently the picture is disjointed. Evidence from Professor Steven Furnell and Dr Andy Phippen, of the Network Research Group at Plymouth University, highlighted a very high level of understanding of basic terms such as "virus", "firewall" or "Trojan horse". However, it is less clear how far this self-reported "understanding" of general risks translates into detailed understanding of specific risks and counter-measures. In hands-on trials the Plymouth survey showed that only 73 percent of users were able to determine the security settings level within their web browser, while only 33 percent were able to determine whether communication with a specific web page was using a secure connection (p 383). Even those who described themselves as "advanced" Internet users (and had academic qualifications relating to IT and experience of Internet security) were by no means uniformly able to perform these tasks.

6.13. Such findings were echoed by several witnesses. According to the Royal Academy of Engineering, "despite fairly high levels of awareness and concern about threats in general, the level of awareness of the actual threats is fairly low" (p 427). EURIM concluded that "awareness is less of a problem than conflicting and impractical advice and guidance", and expressed concern at the "very real risk that further raising awareness without making it very much easier for consumers to protect themselves and their children and to report malpractice will lead to a serious loss of confidence" (p 370).


6.14. We fully endorse EURIM's point, that raising awareness of risks without developing the knowledge and skills needed to manage such risks could undermine confidence in the Internet. The Government's evidence, however, blurs this distinction. It identifies "information, understanding and appropriate training" as "among the primary challenges in tackling the growing risk of Internet security threats". It also draws attention to initiatives "to raise public awareness of e-crime and the basic steps users can take to protect themselves" (p 5).

6.15. We have already drawn attention to the findings of a survey sponsored by the Government's "Get Safe Online" website, showing that 21 percent of people thought e-crime was the type of crime they were most likely to encounter, and that e-crime was feared more than mugging, car theft or burglary. These findings are clearly out of proportion to the real risk, but it may be that the Government's well-intentioned efforts to raise "awareness" of e-crime, without paying enough attention to the ways in which individuals or businesses can protect themselves against it, are actually making the problem worse.

Sources of information and advice

6.16. To meet the challenges of public understanding, according to the Government, "simple, clear advice from one source is required". They go on to identify the "Get Safe Online" website, bringing together Government, industry and law enforcement, as providing such a source. However, a few paragraphs further on, the Government also note that "There are a range of public and private sector initiatives underway to raise public awareness of e-crime and the basic steps users can take to protect themselves. These include Get Safe On Line (GSOL) [sic], Bank Safe On Line, IT Safe and Fraud Alert" (p 5).

6.17. There is thus a contradiction in the Government's position. On the one hand they are rightly conscious of the need to provide a single, integrated source of information and advice on Internet security: Vernon Coaker described co-ordination of information as "something we need to become smarter at" (Q 893). But at the same time the sources of information are diverse and overlapping:


• Get Safe Online27 is the closest thing in this country to a comprehensive, unified source of information on online security and safety. It is sponsored jointly by the Government, the Serious Organised Crime Agency, major IT companies such as Microsoft and BT, and companies from the financial services sector such as HSBC.

• The Government also provide other services, including IT Safe28, which sends email alerts to home and business users, and a Home Office website dedicated to identity theft29.

• The banking industry, through payments service APACS, sponsors Bank Safe Online30, as well as a separate website devoted to card fraud, Card Watch31.

• The Metropolitan Police Service has created the Fraud Alert site32, to which victims of e-crime can forward complaints and fraudulent emails, though this is directed primarily at residents of London.

6.18. The Internet is open to all: it will never be possible wholly to prevent the multiplication of sources of advice on security. However, it is clear that the Government should be seeking, in collaboration with public and private sector partners, to provide a single, coherent source not just of information, but of realistic advice on the practical steps that individuals can take to manage risk. In many respects the Get Safe Online website already provides such advice in exemplary fashion. However, since its launch in late 2005 a number of the original sponsors (including companies listed in the Government memorandum, such as Lloyds TSB, Dell and MessageLabs) appear to have withdrawn their sponsorship. This is worrying: the site needs a higher profile and the authority that would come from a wider range of private sector sponsors. To achieve this it needs stronger, high-level political endorsement.

27 http://www.getsafeonline.org/.
28 http://www.itsafe.gov.uk/.
29 http://www.identitytheft.org.uk/.
30 http://www.banksafeonline.org.uk/.
31 http://www.cardwatch.org.uk/.
32 http://www.met.police.uk/fraudalert/.

The role of Ofcom

6.19. The regulator of the communications industry, Ofcom, is notable by its absence from the list of sponsors of Get Safe Online, despite the fact that Section 11 of the Communications Act 2003 gives Ofcom a statutory duty to promote "media literacy". Ofcom defines media literacy as "the ability to access, understand and create communications in a variety of contexts" (p 322), a definition with which we have no quarrel. However, Ofcom's action hitherto appears to have been limited to a "media literacy audit", focusing on issues such as attitudes to the disclosure of personal information online and the blocking of inappropriate content. Ofcom's evidence did, however, state that "in 2007-08 Ofcom will place a much greater emphasis on media literacy" (p 323).

6.20. In oral evidence Tim Suter, Ofcom Partner for Content and Standards, accepted that it was part of the regulator's remit "to help consumers to both access and understand the communication services which are available to them and that will include making sure, as far as possible, that they know of the tools which are available to help them manage that environment in a way they want to manage it" (Q 1025). But when pressed on how Ofcom had in fact gone about this task, he referred only to the survey and to the new kite mark on content control software (for which see above, paragraph 3.17).

6.21. Thus Ofcom's formal definition of "media literacy" ("the ability to access, understand and create communications in a variety of contexts") is extremely broad, and would certainly encompass technical security online (for example, the ability to spot a phishing email). Yet its interpretation of "media literacy" in practice is far narrower, and wholly content-focused. It appears to have taken no steps at all in the area of technical Internet security. Not only does it not sponsor Get Safe Online, but anyone seeking information from the Ofcom website on, for instance, spyware, will simply be told to "ask your ISP for more advice"33.

6.22. Ofcom's narrow interpretation of "media literacy" is puzzling. Section 11 of the Communications Act 2003 defines "media literacy" in terms of the public's understanding of "material published by means of the electronic media". Material is further defined as being "published" if it is "distributed by means of an electronic communications network to members of the public or of a section of the public".

6.23. We have already noted that the way in which information transmitted via the Internet is broken down into packets of data means that the superficially plausible distinction between "content" and what can loosely be described as "code" collapses. It follows that Section 11 can be interpreted to cover a very broad range of data distributed by means of the Internet, not just what might be loosely defined as "content". Ofcom's remit is thus in reality so broad as to encompass all aspects of media literacy: technical competence in managing operating systems and security software as well as the ability to control "content" safely.

6.24. In light of these considerations, we can only agree whole-heartedly with the words of the Minister, Margaret Hodge MP: "Could we have a step change in Ofcom's performance around its media literacy duties? I think the answer has to be, yes" (Q 868).

Education

6.25. There is a clear need for information and advice to be made available by means of websites such as Get Safe Online. However, the provision of such information has its limitations: as the British Computer Society commented, "Web-sites run by both Government and the private sector ... are 'pull technology' and require the user to go looking for the information they contain" (p 352). Education too is needed.

33 See http://www.ofcom.org.uk/consumeradvice/internet/security/spyware/.

6.26. Information communications technology (ICT) is already a compulsory element of the school curriculum in Key Stages 1-4, with national qualifications, including GCSEs and a GNVQ, available at age 16, though no part of the national ICT curriculum has hitherto included a security component34. This omission is currently being rectified, and, as Home Office Minister Vernon Coaker MP told us, the Qualifications and Curriculum Authority (QCA) is "looking at ensuring that online safety is part of the ICT study arrangements for Key Stage 3 from September 2008" (Q 892). This is a welcome, albeit arguably overdue, development. As Mr Coaker continued, it is essential "to teach [pupils] that this is a fantastic tool which opens up all sorts of opportunities and educational possibilities, but it is also something ... which can be misused".

6.27. At the same time, it is essential that schools themselves should have secure IT systems in place, so that children are not exposed to risks in the school environment. The arrangements for achieving such security are improving, and the National Education Network (NEN) commented that the Government-sponsored agency Becta was "undertaking excellent work in moving UK schools towards a standards-based approach to the design of IT systems" (p 407). Network connections for schools are typically provided by the 10 Regional Broadband Consortia, formed as part of the Department for Education and Skills' Regional Broadband initiative. East Midlands Broadband Consortium, which submitted evidence to this inquiry, provides connectivity to 2,100 schools (p 365).

6.28. However, NEN also expressed concern at possible inconsistencies in interpretation of network design by technical staff in schools, as well as at the implications of increased devolution of funding to local level. Andrew Cormack, who has been involved in revising the ICT curriculum, noted that "Getting teachers, not just to teach Internet security one hour a week but to themselves behave correctly, that is hard" (Q 992). As in other areas of the curriculum, achieving consistently good practice across all schools will be a huge challenge.

34 See http://www.nc.uk.net/webdav/harmonise?Page/@id=6004&Subject/@id=3331

6.29. Moreover, teaching online security to school pupils as part of the ICT curriculum will not in itself be sufficient. It is worth recalling that the explosion in use of the World Wide Web dates back only to the mid-1990s; anyone beyond their late 20s is likely to have learned to use the Internet not at school, but as an adult. While the QCA regulates courses in ICT targeted at adults, reaching the bulk of the adult population is a far greater challenge.

6.30. The scale of this challenge was highlighted by a 2006 survey by NCH (formerly National Children's Homes). Focusing on child safety (an issue which we discuss in more detail below), NCH highlighted what it called "alarming discrepancies" between the level of understanding of the Internet of children and that of their parents. For instance, it claimed that a third of children used blogs, while two thirds of parents did not even understand what a blog was, and only 1 percent of parents believed their children used blogs.35

6.31. Attempts have already been made to close these gaps. For instance, Tim Wright, of the Home Office, asked whether schools could run voluntary evening classes for parents, told us that "Some schools have tried but, anecdotally, take-up amongst parents has often been poor ... Some parents will come and do it but they are the parents who already understand the issues. It is a good idea but we have not found a way of doing it successfully." Jim Gamble, Chief Executive of the Child Exploitation and Online Protection Centre (CEOP), which has close links to schools, was in favour of "demystifying" the technology for parents. For him the question was "how do we engage them in a way that helps them develop a better understanding?" He suggested using the technology itself to communicate with parents, for instance by sending school reports by email as well as in writing (Q 201).

35 Get I.T. safe: Children, parents and technology survey 2006 (NCH), see http://www.nch.org.uk/uploads/documents/Get%20IT%20safe%20report.pdf.

6.32. More generally, we fully endorse the statement by UKERNA (which operates the JANET network linking universities, Research Councils and regional schools networks) that "all opportunities to raise awareness, skill and confidence levels of users of all ages need to be taken". UKERNA went on to highlight the possibility that "children who learn safe practice at school should be encouraged to teach their parents and grandparents at home" (p 299). Such approaches will require creativity on the part of individual communities, schools, businesses and charities; it is not necessarily an area for direct Government intervention. UKERNA, for instance, singled out for praise the interactive "Know IT All" site developed by the charity Childnet International.36

Personal safety online

6.33. We began this Report by distinguishing between Internet security (the means of controlling the uses to which PCs or other interconnective devices, and the information stored on them, are put) and Internet safety (that is, personal safety, the avoidance of direct physical or psychological harm that may affect individuals as a result of their actions online). The first of these issues was from the start the focus of this inquiry, and of most of the evidence we received. However, we also received evidence on the second issue, which is discussed briefly in the following paragraphs.

6.34. This distinction is of course to some extent artificial, as any victim of crime, including online fraud or identity theft, may suffer personal harm (stress and anxiety, at the very least) in addition to financial loss. At the same time it allows us to separate out from the main subject-matter of this Report particular issues to do with online behaviour, child protection, and social networking online.

36 See http://www.childnet-int.org/kia/default.aspx.


6.35. The first point to be made is that the Internet has been of enormous value in facilitating new forms of communication. No-one would have predicted 20 years ago the way in which email has become a mainstay of social interaction; in the mid-1990s few had heard of SMS, now an industry worth over £8 billion per annum; five years ago no-one would have predicted the explosion of social networking, Instant Messaging and VoIP. New technologies and opportunities continue to emerge.

6.36. But this rate of innovation has also been bewildering. It takes time for people to develop norms of behaviour appropriate to new forms of communication. In the physical world many such norms are well-established: when meeting someone for the first time, an individual identifies various signals to do with facial expression, eye contact, tone of voice, or physical gestures, and, according to the particular cultural context, knows how to react appropriately. Or, when crossing the road, the individual observes familiar rules to avoid accidents. Although norms have evolved in the online world, they are nothing like as sensitive or as effective. The risk of misunderstanding, misrepresentation or exploitation is constant.

6.37. Moreover, even though we live in an era of increasing concern over data protection and privacy, the wholesale disclosure of personal information online has become commonplace. Although attention hitherto has focused on the risk to children of such indiscriminate disclosure of personal information, in reality every Internet user, young or old, faces a degree of risk that this information will be abused by others.

6.38. Software designers are increasingly focusing on the issue of identity management online. In the course of our visit to Redmond we met Kim Cameron, Microsoft's Identity and Access Architect, and discussed Windows CardSpace, which seeks to provide a unified system for online identity management via end-user machines. This is now available in the Windows Vista operating system. The evidence submitted to this inquiry by the small software development company Edentity Ltd outlines a web-based system of identity management known as "Personal Information Brokerage", while also lamenting the lack of interest in the concept shown by the Government.

6.39. But notwithstanding the technological solutions that might be developed to facilitate identity management online, fundamental aspects of online behaviour will also need to change. The key contributors to online risks were usefully summarised in private briefings given to us by Internet safety consultant Linda Criddle:

• Lack of knowledge;

• Carelessness;

• Unintentional exposure of or by others;

• Flaws in technology, for instance, in the services offered online;

• Criminal acts.


6.40. Linda Criddle was emphatic that the IT industry and businesses operating online should take their share of responsibility for reducing risk in all these areas. Even risks arising from carelessness, which might seem to be a purely individual responsibility, could be mitigated if software products were designed with detection tools that could spot and alert users to characteristic acts of carelessness, such as disclosure of personal information without adequate security. The key was that products should be developed in such a way as to educate consumers about risks and to provide them with the tools to manage these risks.
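As an added illustration of the kind of "detection tool" the paragraph above describes (not code from the report or from Linda Criddle's briefings), the following checks the text a user is about to post for personal data and returns an explanation the product could show before publishing; the patterns, advice text and sample post are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    category: str   # kind of personal data spotted
    text: str       # the matched fragment
    advice: str     # what the product should tell the user


# Constructed patterns for the kinds of personal data the report mentions.
# Real names need context a pattern cannot supply, so they are out of scope here.
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK numbers: 07xxx xxxxxx, 020 xxxx xxxx or +44 ... (spaces/dashes optional)
    "telephone number": re.compile(r"(?:\+44\s?\d|\b0\d)(?:[\s-]?\d){8,9}\b"),
    # UK postcode such as SW1A 0PW
    "postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b"),
    # full date of birth written as dd/mm/yyyy or dd-mm-yyyy
    "date of birth": re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-](?:19|20)\d{2}\b"),
}

# Constructed advice strings: the "educate the consumer" half of the design.
ADVICE: Dict[str, str] = {
    "email address": "A public email address invites spam and phishing; share it privately instead.",
    "telephone number": "A phone number on a public page can be seen by anyone; remove it or restrict the audience.",
    "postcode": "A postcode reveals where you live; leave it out of public posts.",
    "date of birth": "Banks and others use your date of birth to verify identity; do not publish it.",
}


def scan_for_personal_data(text: str) -> List[Finding]:
    """Return every fragment of personal data found in text, with advice for the user."""
    findings: List[Finding] = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(category, match.group(0), ADVICE[category]))
    return findings


def should_warn_before_posting(text: str, audience: str) -> bool:
    """Interrupt the post only when it is visible beyond the user's own contacts."""
    return audience == "public" and bool(scan_for_personal_data(text))


# Constructed sample profile text; the details are invented for this example.
SAMPLE_POST = (
    "Hi, I'm new here! Email me at sam.example@example.org or call 07700 900123. "
    "Born 12/05/1985, living near SW1A 0PW."
)

if __name__ == "__main__":
    for finding in scan_for_personal_data(SAMPLE_POST):
        print(f"{finding.category}: '{finding.text}' -> {finding.advice}")
    print("warn:", should_warn_before_posting(SAMPLE_POST, "public"))
```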

6.41. Ms Criddle's most scathing criticisms of corporate failure were directed at social networking sites. For instance, she identified several points in the sign-on process for social networking site MySpace (now owned by News Corp), which appeared to encourage or reward the disclosure of personal information: real names, email addresses, photographs, and so on. But social networking sites were not the sole offenders. Security tools on the Microsoft Network (MSN) were also inadequate; for instance, content filtering offered by the MSN network screened only external content, not content generated by the network itself.

6.42. The sorts of issues raised by Linda Criddle are of particular concern to parents. Jim Gamble, Chief Executive of CEOP, noting that "a parent may not understand what a social networking site is", asked, "would you allow your child to wear a billboard ... with their home telephone number, all of their personal details on it, and some handout photographs that they would walk from Victoria Station down to Oxford Street with whilst every Tom, Dick and Harry in the street could see them? You would not." He too argued that the solution was education: "educating people and simplifying and demystifying ... the technology" (Q 222).

6.43. Jim Gamble focused in particular on the formal education system. CEOP has not only developed extensive links with schools, but has also rolled out an education campaign targeted at one million pupils. John Carr, Executive Secretary of the Children's Charities' Coalition on Internet Safety, also focused on schools, though highlighting the difficulties in reaching parents by this means, and concluding that "we also need to find other ways of reaching parents" (Q 243). We agree. It is essential to reach young people through schools. However, we also believe that the more holistic approach described by Linda Criddle, building education into the products developed by industry and business, is vital to supplement formal education.

6.44. We are pleased to observe that to some extent the Government are already moving in this direction. For example, we have previously noted that the regulator Ofcom, with Government backing, has developed a BSI kite mark for content control software, and we have recommended that further kite marks be developed for secure Internet Services. This approach, emphasising industry self-regulation, but providing incentives by means of formal recognition of best practice, could also be extended in the field of personal safety online.

6.45. The Government's view, summarised by Tim Wright, is that "self-regulation is the best approach" (Q 203). John Carr also argued that "self-regulation is always going to be a better approach because it is more flexible and quicker", though conceding that if self-regulation did not deliver, "the Government will step in and legislate" (Q 248). We agree. Governments are not well-placed to intervene directly in an area as fast-moving and diverse as social behaviour online: they cannot design or identify technological solutions, and they cannot judge the rights and wrongs of the personal behaviour of individuals. However, they can collaborate with industry in agreeing general standards of best practice in such areas as the design of social networking sites, and in awarding recognition (in the form of kite marks) to those that observe these standards.

Recommendations

6.46. The Government-sponsored Get Safe Online website already provides useful information and practical advice to Internet users, but its impact is undermined by the multiplication of other overlapping websites. We recommend that the Government provide more explicit high-level political support to the Get Safe Online initiative and make every effort to recruit additional private sector sponsors. If necessary, the site should be re-launched as a single Internet security "portal", providing access not only to the site itself but acting as a focus and entry-point for other related projects.

6.47. We agree with the Minister that there needs to be a "step change" in the way the regulator Ofcom approaches its duties in relation to media literacy. We recommend that Ofcom not only co-sponsor the Get Safe Online project, but that it take on responsibility for securing support from the communications industry for the initiative.


6.48. We further recommend that, in addition to the new kite mark for content control software, Ofcom work with the industry partners and the British Standards Institute to develop additional kite marks for security software and social networking sites; and that it continue to keep under review possible areas where codes of best practice, backed up by kite marks, might be appropriate.

We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety.

CHAPTER 7: POLICING THE INTERNET

Overview

7.1. We have made many recommendations designed to improve the security of those using the Internet. But whatever improvements are made, there will always be those who will abuse the Internet and its users. No security system is ever perfect, and certain individuals will inevitably seek to profit either from poor technical security or the ignorance and gullibility of other users. The last (but arguably most potent) defence against these "bad guys" is effective law enforcement. If they can be caught, prosecuted, convicted and punished appropriately, then the "bad guys", instead of operating with impunity, will face a genuine deterrent, and the hundreds of millions of law-abiding Internet users around the world should be able to communicate or conduct their business online with less fear that they will become victims of crime.

7.2. However, we have heard considerable scepticism over the capacity of the police and the criminal justice system in this country to enforce the law. In the words of the Federation of Small Businesses, "Anecdotal evidence from members tells us that the police do not seem to have anywhere near the capability necessary to respond to these types of crime effectively" (p 377). It is essential that this perception be corrected, but for this some fundamental problems, legal, technical and administrative, will have to be overcome:

I There is< as 6e ha:e already noted< no legal definition of 3e"crime3< nor are data on the incidence< in:estigation or prosec%tion of e"crimes 0that is to say< crimes

1') PE+SONA; INTE+NET SEC3+IT@

committed (y means of or 6ith the assistance of the %se of electronic net6or7s2 collected/

I There are h%ge technical challenges in in:estigating e"crimes/ The e=amination of &T e;%ipment< hard dis7s< mo(ile phones or other de:ices< is highly specialised< time"cons%ming and reso%rce"intensi:e/ 4oreo:er< the str%ct%re of the &nternet and the diffic%lty of tracing the tr%e so%rce of partic%lar pac7ets of data present h%ge challenges in in:estigating offences/

I The glo(al nat%re of the &nternet means that fra%ds committed on indi:id%als in the United 1ingdom may (e perpetrated (y criminals in Eastern E%rope< %sing ser:ers (ased in Gorth ,merica or the far East< and so on/ Go la6 enforcement agency can com(at e"crime effecti:ely in isolation< (%t the mechanisms for international co"operation are inefficient and slo6"mo:ing/ The le!al (ra#e"or

#/B/ &n Chapter 2< 6hile considering data collection< 6e dre6 attention to the lac7 of an agreed definition of 3e"crime3/ 8e recommended that the Home Office esta(lish a system to identify 6ithin o:erall crime statistics offences committed (y means of or 6ith the assistance of electronic net6or7s< so as to facilitate data collection in f%t%re/ &n the follo6ing paragraphs 6e e=amine the legal frame6or7 for e"crime in more detail/

7.4. There is general agreement that crimes committed online—e-crimes—may be considered under two broad headings. As Sharon Lemon, of the Serious Organised Crime Agency (SOCA), told us, there is "the type of crime that can now be committed because technology exists which formerly could not be committed", and then there is "traditional crime moving on-line ... traditional criminals using and exploiting technology" (Q 1034). The majority of crimes committed online fall into this second category of old crimes using new technology—as Tim Wright of the Home Office told us, "Most e-crime is a form of traditional crime like fraud, theft or extortion" (Q 2).

7.5. It follows from this that most crimes committed online constitute well-established offences under the criminal law. Problems in the application of these existing offences to the online world have been addressed as they arose. For instance, the Fraud Act 2006 rectified one notable lacuna, summarised by Professor Walden as "the fact that you could not deceive a machine, and therefore giving credit card details to a website and obtaining a service dishonestly was not considered to be a criminal offence of fraud" (Q 368).

7.6. Crimes falling under Sharon Lemon's first heading—crimes that can only be committed because the technology exists—now also appear to be covered by the criminal law. In particular, the recent amendments to the Computer Misuse Act 1990 (CMA) updated offences relating to unauthorised access to computer material, actions intended to impair the operation of computers, and the manufacture or supply of equipment intended to be used for such purposes. These offences now cover computer-specific offences such as distributed denial of service (DDoS) attacks, which were not previously in themselves criminal offences (although using the threat of a DDoS attack to extort money would have been an offence). However, in light of further amendments to be introduced by the Serious Crime Bill, currently before Parliament, the Government have decided not to bring these changes into force until 2008.

7.7. In light of these recent changes to the legislative framework, there was broad agreement among our witnesses that the criminal law now adequately covered the range of offences that could be committed online. Commander Sue Wilkinson of the Association of Chief Police Officers described the legal framework as "entirely adequate" (Q 1038); Nicholas Bohm was also "not conscious of significant legal gaps" (Q 368).

7.8. However, we have two reservations. The first of these concerns the legal status of botnets—which are typically the vehicle for delivering spam or DDoS attacks. We asked the Minister, Vernon Coaker MP, whether it was illegal to purchase the use of a botnet. He summarised the position as follows: "No, it is not illegal to actually purchase it ... What is illegal is the making, adapting or supplying of articles for use in computer misuse offences. In the same way that knives can be used illegally but you would not ban all knives, that is in part the logic we are applying to this particular scenario as well" (Q 837).

7.9. In supplementary written evidence, the Home Office refined the Minister's answer. In essence the analogy with knives was confirmed—hiring a botnet is illegal if it is done in order to commit one of a number of possible offences, either under the CMA (as amended), the Fraud Act 2006, or a range of other statutes. However, hiring a botnet for legal purposes is not in itself a statutory offence, although the person hiring the botnet for ostensibly legal purposes (such as spamming) might in principle be prosecuted either under the general conspiracy provision found in section 1 of the Criminal Law Act 1977, or under the common law offence of incitement (p 277).

7.10. On the other hand, "recruiting" a botnet—that is, installing code on a computer without the knowledge or authorisation of the owner, and thereby modifying its operation—constitutes an offence under one or more sections of the CMA. However, the degree to which, within the criminal underworld, those who recruit botnets are the same or differ from those who subsequently operate them and offer them out for hire, is unclear.

7.11. More generally, we question the Minister's analogy with knives. A knife per se can be used for many legitimate purposes, but the sale or possession of certain kinds of knife (essentially those designed with criminal uses in mind), or the sale of knives to certain categories of people (typically those under 16 years of age) could be illegal under one of a range of statutes, including the Dangerous Weapons Act 1959, the Criminal Justice Act 1988 and the Knives Act 1997. The fact that such knives could in principle be used for lawful purposes does not make their sale legal.

7.12. Similarly, although a botnet could in principle be used for legal purposes, it is inherently designed for criminal uses, and can only exist by virtue of criminal acts by those who recruited it. We would therefore see considerable advantages if the criminal law, for the avoidance of all doubt, were explicitly to criminalise the sale or purchase of the services of a botnet, regardless of the use to which it is put.

7.13. Our second, overlapping reservation, is over the framework for prosecuting spammers, who are typically the customers for botnet operators. From discussions in Redmond with Aaron Kornblum, Senior Attorney at Microsoft, it was clear that Microsoft, AOL and others have made significant progress in the United States in prosecuting spammers, assisted by the fact that both federal and state laws permit companies to launch third-party actions on behalf of their customers. Nicholas Bohm also commented that such actions were "sustainable on a much more simple basis" in the United States than in the United Kingdom, and suggested that "if the rules about class actions or representative actions were easier and if the costs rules were different so that you did not have to pay costs when you lost, and indeed if you could recover something substantial when you won, then you might see a litigation solution to the problem" (Q 406).

7.14. Written evidence supplied by the Government subsequently suggested that Microsoft had in fact brought two "third-party" actions in the United Kingdom against spammers. However, neither appeared to be a third-party action in the American sense, that is to say, an action brought by the company on behalf of and in the name of its customers:

• In one case, brought under regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003, Microsoft established that as a provider of email services it had itself suffered damage as a result of the spammers' actions. The issue of whether Microsoft was entitled to bring an action under the regulation was explicitly covered by the judge in this case, Mr Justice Lewison: "the domestic regulations were made in order to conform with the provisions of the Directive and part of the policy of the Directive was, in my judgment, to protect the providers of electronic communications' systems. Consequently, I am satisfied that Microsoft is within the class of persons for whose benefit the statutory requirement was imposed."[37]

• In the second case the spammer, by using spam to attract custom to a pornographic website, was in direct contravention of Microsoft's terms and conditions.

We are therefore not persuaded by the Government's conclusion that "third party legal action is another viable approach to addressing the spam problem" (p 275).

37 Microsoft Corporation v Paul Martin McDonald [2006] EWHC 3410 (Ch), [2006] All ER (D) 153 (Dec). See http://www.juriscom.net/documents/highcourtjce20061212.pdf.

7.15. The Government also pointed out—which we fully acknowledge—that the number of spammers based in the United Kingdom is small compared with that in the United States. They drew attention to research by the anti-spam initiative Spamhaus, showing that only one United Kingdom-based spammer appears on the Register of Known Spam Operations (a list which at the time of writing contains 133 spam operations). However, we see no reason for complacency in such a fast-moving sector.

High volume, low denomination crime

7.16. Since the existing legislative framework covers "traditional" offences committed by electronic means, it follows that the "bad guys", if caught, can be prosecuted for offences such as fraud or extortion. However, this reliance on traditional offences has some possibly unintended consequences. For instance, the use of electronic networks for the commission of an offence, and the implications of this, are not necessarily factored in either by the police, when initiating investigations, or by the courts, when sentencing those found guilty.

7.17. To take a hypothetical example, if an individual makes a complaint to the police that they have been the victim of online fraud, losing a few tens or hundreds of pounds, it may appear to be a minor crime, not meriting investigation—particularly as the offender could be anywhere in the world. The problem was vividly described by Garreth Griffith, of eBay: "What happens on eBay tends to be lower-value, higher-volume types of things. When we try to get police engaged, sometimes they say ... If it is not over 'x' threshold—thousands of pounds, or whatever it is—we can't help you" (Q 601).

7.18. But if the crime has been committed online, the chances are that thousands or millions of other individuals have been similarly targeted. This is a consequence of the basic economics of e-crime. As Professor Anderson noted, the "bad guys" engage in "volume crime for low denomination transactions" (Q 703). Email is free: anyone who hires the use of a botnet can, at very low cost, send millions of phishing emails or advertisements for bogus medications. If only a tiny proportion of recipients respond the operation quickly becomes hugely profitable. In other words, the individual crime, as reported to the police, has to be scaled up by a factor of several thousand before the true scale of criminality can be guessed at.

7.19. It is therefore crucial that the criminal justice system, at every level, possesses the information and the understanding to be able to seek and detect patterns of criminality, and, where necessary, to aggregate thousands of individually small crimes to build up a picture of the true scale of criminality.

Reporting procedures

7.20. The hypothetical example just cited highlights the first stage of an investigation, the initial report of a crime, which the victim is normally required to make at their local police station. However, it is clear from the previous section that in the case of e-crime local police forces are not well placed, on the basis of isolated reports of what may appear to be petty frauds, either to assess accurately the scale of criminality involved or to reach a judgment on whether to launch an investigation and what resources to devote to it. One way to overcome this problem would be to use the Internet itself to develop a central online reporting system for e-crime—as has happened in the United States.

7.21. At the Department of Justice in Washington we heard the familiar story of individually minor crimes being reported to local police, typically not meriting investigation or federal prosecution. In response the Federal Bureau of Investigation (FBI), having identified e-crime as its number three priority, after international terrorism and espionage, has developed a central referral mechanism for Internet related crime, by means of the Internet Crime Complaint Center (IC3)[38] website. This facilitates central logging of crime reports, which are then analysed and correlated. Individually minor crimes can be aggregated until they reach the threshold for launching federal prosecutions.

38 See http://www.ic3.gov/.

7.22. Our discussions at the FBI's Regional Computer Forensic Laboratory in Silicon Valley fully endorsed the value of the Bureau's approach. Special Agent Shena Crowe told us that the IC3 site was logging an average of some 20,000 complaints a month. Median losses reported in 2005 were just $424, but total losses reported on the site in that year totalled $183.12 million. Subsequently these data were updated in the IC3 Internet Crime Report for 2006, which confirmed a total of just over 207,000 complaints in that year; over 86,000 of these were referred to federal, state or local law enforcement agencies for further investigation. Losses from the latter were put at $198.44 million, with median losses rising to $724.[39] This sounds like a small sum—but to the individuals concerned it may be a major loss.

7.23. Reports to the IC3 site are still voluntary, nor are they confined to crimes perpetrated in the United States (and we have already noted a reporting bias in paragraph 5.9 above), so the relationship between these figures and the actual scale of e-crime is unclear. However, the IC3 figures do demonstrate the value of a central system that can "triage" large numbers of complaints, prioritise them and finally allocate them to the appropriate agencies for further investigation.
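The central logging, correlation and aggregation that paragraphs 7.18 to 7.23 describe, as an added illustration (not code from the Committee, IC3 or any police force): reports are linked by shared indicators, and a cluster is escalated when its combined loss crosses an investigation threshold that no single report reaches. Every report record, force name, indicator value and threshold below is constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    """One victim's complaint, as a local force might record it (constructed)."""
    report_id: str
    force: str            # force that took the report
    loss_gbp: float       # this victim's loss
    indicators: tuple     # link values: payee account, sender domain, etc.


# Constructed sample reports. Each is well below the "x threshold" a single
# force might apply, yet five of them point at the same payee account or
# the same phishing domain. Names and values are invented for illustration.
SAMPLE_REPORTS = [
    Report("r001", "Gwent", 45.0, ("payee:acct-0001", "domain:secure-bank-login.example")),
    Report("r002", "North Yorkshire", 120.0, ("domain:secure-bank-login.example",)),
    Report("r003", "Metropolitan", 60.0, ("payee:acct-0001",)),
    Report("r004", "Metropolitan", 80.0, ("domain:secure-bank-login.example",)),
    Report("r005", "Warwickshire", 30.0, ("payee:acct-0001",)),
    Report("r006", "City of London", 200.0, ("domain:cheap-meds-shop.example",)),
    Report("r007", "Gwent", 90.0, ("payee:acct-0002",)),
]


def correlate(reports):
    """Join reports that share any indicator into clusters.

    Two reports naming the same payee account, or the same phishing domain,
    are treated as one operation. A report carrying two indicators links the
    reports behind each of them, so clusters are the connected components of
    the "shares an indicator" relation, found with a small union-find."""
    parent = {r.report_id: r.report_id for r in reports}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}                          # indicator -> first report_id
    for r in reports:
        for ind in r.indicators:
            if ind in first_seen:
                union(first_seen[ind], r.report_id)
            else:
                first_seen[ind] = r.report_id

    clusters = defaultdict(list)
    for r in reports:
        clusters[find(r.report_id)].append(r)
    return list(clusters.values())


def triage(reports, local_threshold, aggregate_threshold):
    """Flag clusters whose combined loss crosses aggregate_threshold.

    local_threshold is the per-report figure below which a single force would
    not investigate; the summary records whether every report in a flagged
    cluster sat under it. A cluster spanning more than one force is marked
    level 2 (impact across force boundaries), otherwise level 1. Returns one
    summary dict per flagged cluster, largest combined loss first."""
    flagged = []
    for cluster in correlate(reports):
        total = sum(r.loss_gbp for r in cluster)
        if total < aggregate_threshold:
            continue
        forces = sorted({r.force for r in cluster})
        flagged.append({
            "report_ids": sorted(r.report_id for r in cluster),
            "victims": len(cluster),
            "total_loss_gbp": round(total, 2),
            "forces": forces,
            "level": 2 if len(forces) > 1 else 1,
            "below_local_threshold": all(r.loss_gbp < local_threshold for r in cluster),
            "indicators": sorted({i for r in cluster for i in r.indicators}),
        })
    flagged.sort(key=lambda c: c["total_loss_gbp"], reverse=True)
    return flagged


if __name__ == "__main__":
    # Locally each loss is under £500; together the phishing cluster is £335.
    for summary in triage(SAMPLE_REPORTS, local_threshold=500.0, aggregate_threshold=250.0):
        print(f"{summary['victims']} victims, £{summary['total_loss_gbp']:.2f}, "
              f"level {summary['level']}, forces: {', '.join(summary['forces'])}")
```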

7.24. No comparable system exists in the United Kingdom. Instead the responsibility for logging reports of e-crime remains with individual police forces. We have referred previously to the Metropolitan Police Service's (MPS) "Fraud Alert" website, but we learnt in the course of our visit to the Metropolitan Police at Cobalt Square that unlike IC3 the Fraud Alert site does not have an automated system for processing reports of fraud—the software to automate the site would cost of the order of £40,000. In the absence of this modest funding, all reports are collated manually, and any attempt to publicise the site would risk attracting more reports than the staff could process. The impression we drew from our visit was of highly committed and skilled staff doing their best to cope in an under-resourced and under-valued environment.

7.25. This could change. Earlier this year senior officers from the police and SOCA visited IC3. One of these officers, Commander Sue Wilkinson of the MPS, accepted that we had "a lot to learn" from IC3 (Q 1052). At the same time, the introduction of a comparable service in this country would need to be managed in such a way as to avoid overlap with "the new strategic fraud authority and the new potential national fraud reporting centre that is currently being scoped by the City of London Police". Similar views were expressed by Mr Coaker. He confirmed that the Government were "happy to look at" the IC3 model, but also drew attention to the prospect of a central reporting system for fraud. His irreproachable conclusion was that "there needs to be some co-ordination across the whole of this" (Q 808).

39 See http://www.ic3.gov/media/annualreport/2006_IC3Report.pdf.

7.26. However, in certain key areas the Government's actions appear to have taken us if anything further away from a co-ordinated approach to e-crime reporting. Anyone logging onto the Fraud Alert site is faced with the following instructions on the homepage: "Please send all banking related phishing emails to reports@banksafeonline.org.uk. Queries related to Paypal or Ebay should be sent to spoof@paypal.co.uk and spoof@ebay.co.uk respectively." This is followed by an optimistic request to "Please copy us into any emails that are sent to these organisations"—although it is necessary to navigate to another page to locate the Metropolitan Police email address.

7.27. The fact that those seeking to report online frauds are specifically discouraged from reporting these crimes to the police is attributable to new guidelines issued to police forces by the Government with effect from 1 April 2007. The Minister, speaking before the new guidelines came into force, explained them as follows: "from 1 April people experiencing ... online fraud, will be asked to report that in the first instance to APACS, who will then make the decision whether to report it on to the police ... APACS will get a bigger picture of what has happened and then report back to the police, who can then have a more intelligent overall picture of what is actually going on" (Q 826).

7.28. This is an extraordinary argument, placing the onus on the banking industry to take decisions on which crimes should or should not be reported to the police (and if so, to which force)—and what will or will not, as a result, appear on the crime statistics. It appears to overlook the obvious possibility that commercial factors might influence the banks' decisions on whether or not to report crimes to the police—that, in the words of Ross Anderson, they have "an institutional incentive to downplay the amount of fraud" (Q 678).

7.29. A slightly more persuasive argument in defence of the Government's position was advanced by Geoff Smith, of the DTI. He claimed that the issue was "essentially about real-time stopping the money flowing, because if the bank is alerted very quickly then they can see the pattern of the phishing attack and they can ... try and stop the cash transfers and they try and limit the damage through that. So ... the banks have got to come into this very, very quickly. I think that going to a police station, yes, it is great for getting a crime number and it is great for the back end of the process, but it puts delay into actually trying to solve it" (Q 833).

7.30. We also acknowledge that law enforcement agencies have thrown their weight behind the new guidelines. Commander Wilkinson described them as "very helpful". She continued, "individual reports to individual police forces about such phishing offences really do not give us a good picture of what is going on and it is impossible to get a proper crime pattern analysis as things stand at the moment. However, if all these reports are collated by the banks, who have very good support in terms of intelligence analysis, they are able to refer to us particular trends and patterns by collating right the way across the board and we get a much better overall picture" (Q 1098).

7.31. Commander Wilkinson's comments are revealing—they demonstrate that the doubts expressed by a number of witnesses to this inquiry (for instance, by Garreth Griffith of eBay, whose remarks are quoted above), over the capability of the police to collect, collate and investigate reports of e-crime, are fully justified. The proper response, we believe, would be to invest in developing the capacity of the police and law enforcement agencies, so that they could take on this crucial task—instead of which, the Fraud Alert team at the Metropolitan Police cannot even afford to spend £40,000 on software to automate the processing of e-crime complaints.

7.32. In marked contrast, the United States is moving in the opposite direction. When we visited the Federal Trade Commission (FTC), which receives over 450,000 complaints of identity theft alone each year, we were told that a new reporting system was being introduced, requiring victims of identity theft (which would include thefts from online bank accounts) to file a police report as the first step in making a complaint; this would in turn trigger an investigation by financial institutions. Indeed, the Interim Recommendations of the President's Identity Theft Task Force, which appeared in late 2006, proposed that the FTC should develop "a universal police report, which an identity theft victim can complete, print, and take to any local law enforcement agency for verification".[40]

7.33. We see no reason why a similar system in this country should be particularly bureaucratic, time-consuming or costly to implement. The logging of a complaint by the police could simultaneously alert the banks. At the same time, victims would be reassured that the crimes committed against them had been formally acknowledged and recorded, rather than disappearing into the banking system.

7.34. Ultimately the new reporting system is likely to be judged by its results. It is too early to tell what these will be—but the omens are not good. On 21 June, for example, the BBC reported a dramatic fall in reports of fraud to police forces, with two smaller forces, Gwent and North Yorkshire, having received no reports since the new guidelines came into effect.[41] It is very unlikely that this drop in reported frauds reflects a real change in criminality—the risk is that while lower reporting will make the crime statistics look better, e-crime will continue to grow out of sight of the police and the public.

The structure of law enforcement

40 See http://www.idtheft.gov/about.html.

41 See http://news.bbc.co.uk/1/hi/business/6224912.stm.

7.35. Assuming that a complaint is made and recorded by the police, do they, or other law enforcement agencies, have the skills, resources and powers necessary to investigate it?

7.36. The first key point is that the 43 police forces across England and Wales are essentially autonomous. Chief Constables report to police authorities, and inevitably respond to local needs and priorities. The size of police forces also varies hugely, from the Metropolitan Police Service, with over 30,000 officers, to forces with fewer than 1,000 officers, such as the City of London Police or Warwickshire Police. The resources available to tackle e-crime, as well as the priority given to it, vary widely from force to force.

7.37. Alongside the police forces is the Serious Organised Crime Agency (SOCA), which in 2006 took over the responsibilities previously exercised by the National Criminal Intelligence Service, the National Crime Squad, along with other agencies. Among the functions absorbed into SOCA were those of the National High Tech Crime Unit (NHTCU), formed in 2001 as part of the National Crime Squad specifically to combat e-crime. At the same time, the creation of the Child Exploitation and Online Protection Centre (CEOP), which is affiliated to SOCA and accounts to the SOCA Board, meant that online child abuse, formerly handled by the NHTCU, no longer fell within SOCA's operational remit.

7.38. These organisational changes have raised a number of concerns. The Confederation of British Industry focused on "the perceived reduction in dedicated police resources to combat computer crime" resulting from the disappearance of the NHTCU (p 194). Microsoft suggested that it was now "unclear how cyber crime and reporting mechanisms are being systematically addressed" (p 94). The FIPR claimed that "the absorption of the NHTCU into SOCA has left a gap in the coverage of level 2 computer crime" (p 212)—that is to say, crime that has impacts across force boundaries, but not necessarily at national or international level.

7.39. Some of these concerns were answered in the course of our inquiry. We note, for instance, that SOCA's board has determined that of the order of ten percent of the Agency's operational effort should be directed against fraud.[42] In evidence Bill Hughes, Director General of SOCA, while acknowledging that the changes might have appeared to show "a lack of interest in e-crime", argued that "the reverse is the case". The creation of a dedicated e-Crime Unit within SOCA (headed by Sharon Lemon, formerly head of the NHTCU), along with the creation of CEOP (thanks to which the Unit's resources were no longer at risk of being diverted into child abuse cases), meant that resources had been "marshalled ... in a better way" (Q 1033).

7.40. The situation on level 2 crime is less clear. The first point to be made—put very clearly by Bill Hughes—is that there is no neat dividing line between levels 1, 2 and 3 crime: "There is a danger when talking about levels one, two and three ... people seem to think that crimes fall into nice convenient slots and that the law enforcement response can follow that same route. It does not; it has to be a continuum of activity and understanding" (Q 1054). But at the same time, there have to be robust procedures and organisational arrangements in place for this "continuum" to be workable in practice.

7.41. Local level 1 crime falls to individual police forces; level 3, national or international crime, is the responsibility of SOCA. Asked who was primarily responsible for investigating level 2 crime, Sue Wilkinson, the Association of Chief Police Officers (ACPO) lead on e-crime, drew attention to the recent proposal by ACPO to establish a national e-crime unit to support individual police forces. At the time of our inquiry this remained under discussion between ACPO and the Home Office—Vernon Coaker commented that the Home Office had "not had the business case yet", and at the time he gave evidence (on 28 March) the Department had "made no commitment with resources" (Q 814).

7.42. When we spoke to Commander Wilkinson a month later, she told us that ACPO now had "the go ahead" from the Home Office. However, no Government funding had been approved, and she was still "in the throes" of preparing a detailed business case. She was optimistic that "a considerable amount of sponsorship will be forthcoming"—indeed, she went so far as to say that potential sponsors were "ready with the money now and we have now entered the phase of actually going back to them and saying, 'Show us the colour of your money; show us how you are prepared to support us'" (Q 1087). However, when asked repeatedly whether a commitment by the Home Office to provide funding would be necessary to unlock this private sector backing, she declined to give a direct answer, simply repeating that she had "no undertakings currently of Government support" (QQ 1059-1063).

42 See http://www.soca.gov.uk/aboutUs/aims.html.

7.43. Just before our Report was agreed, on 19 July, the name of the new unit was announced (the "Police Central ecrime Unit") and its projected budget (£4.5 million). However, it appeared that the Government had still made no commitment as to funding. But assuming the new unit does secure funding from Government and private sector sponsors, its role will essentially be to help establish the continuum of which Bill Hughes spoke, between the work of local police forces and that of SOCA and its international partners. Sue Wilkinson confirmed that she and Sharon Lemon were "currently working on putting together a protocol whereby the nature of e-crime is such that any small local report can turn out to be the end product of a multi-national crime issue" (Q 1054). The successful establishment of the Police Central ecrime Unit, and the agreement of such protocols, appear to be essential if Bill Hughes' vision of a continuum of policing of e-crime is to be achieved.

Police skills and resources

7.44. Even if the organisational arrangements described above fall into place, law enforcement agencies at every level will need skills, knowledge and resources if e-crime is to be investigated effectively. On the one hand, the public have a right to expect that if they report an e-crime at their local police station the officer at the desk will have a general understanding of the kind of crime that has been committed; on the other hand, computer forensics are hugely expensive and laborious, and police investigating major e-crimes will need access to specialised and well-equipped forensic laboratories.

7.45. At a basic level, training and information for all police officers will be increasingly important as interconnective devices proliferate, and their use, whether to commit crime or in normal life, becomes all but universal. At crime scenes, officers need to observe key rules to ensure that the evidence stored on computers or other devices is not contaminated. Computers or laptops should not be started up or searched, they should be disconnected from routers and modems, mobile telephones should be kept charged so as not to lose data, and so on.

7.46. In the United States we were given copies of an impressive "pocket guide for first responders", issued by the Department of Homeland Security and the United States Secret Service, summarising best practice in a compact, readily accessible form. Sue Wilkinson assured us that ACPO also published "good practice guides", including one covering "computer based electronic evidence and evidence retrieval" (Q 1085). However, we note that the online version of this guide runs to 51 A4 pages,[43] in marked contrast to the American guide, which is ring-bound, pocket-sized and waterproof—intended specifically for use by officers at a crime-scene.

7.47. Assuming the police have launched an investigation, there is also the question of the resources and skills required for detailed forensic analysis of computers and other materials that have been seized. Here again we were impressed by the approach adopted in the United States, where the FBI has co-ordinated the development of a national network of 14 Regional Computer Forensic Laboratories. These receive federal funding to support running costs, such as IT equipment and premises, but the staff are largely provided and funded by local law enforcement. In return, the laboratories provide forensic analysis to local police free of charge.

#/)C/ Clearly< +) la(oratories in a co%ntry the siLe of the United States is not a large n%m(er/ 5%t at least the model of central pro:ision of the highly specialised
)B See http'>>666/acpo/police/%7>asp>policies>Data>gpg comp%ter (ased e:idence :B/pdf/

11$ PE+SONA; INTE+NET SEC3+IT@

facilities recognises the %ni;%e challenge posed (y comp%ter forensics/ Chris 5eeson< Director of the Silicon $alley la(oratory< told %s that the :ol%me of data processed had increased from ) Tera(ytes in 2 to o:er +<) Tera(ytes )) in 2 5/ 8e ;%estion 6hether it 6ill (e possi(le for all of the )B police forces in England and 8ales to maintain the le:el of s7ills and e;%ipment necessary to 7eep pace 6ith this rate of gro6th/

#/)?/ S%e 8il7inson descri(ed the creation of s%ch a national net6or7 in the United 1ingdom as the 3ideal scenario3H(%t conceded it 6o%ld 3ta7e some time to achie:e3/ &n the meantime< ,C-O had cond%cted a 3:ery pro:isional capa(ility assessment3 of the )B police forces< and had 3p%(licised 6ho is 6here< 6ho has got 6hat capa(ility so that police forces aro%nd the co%ntry 7no6 6here to go to get s%pport and help3 0D + CB2/ &n the longer term< ho6e:er< the proposed ,C-O national e"crime %nit 6as 3needed to get standards< policy< training and s7ills le:els standardised across the co%ntry3 0D + C52/ 8hen the esta(lishment of a national net6or7 6as p%t to the 4inister< he simply reiterated that he 6as 36aiting for Commander S%e 8il7inson and others to come for6ard 6ith the proposals3 0D C+#2/

#/5 / -ending the de:elopment of a national %nit or net6or7 specialising in e" crime and comp%ter forensics< ,C-O@s approach is to 3mainstream3 e"crime 6ithin con:entional policing/ The rationale (ehind this approach is to escape from 6hat Sharon Lemon descri(ed as 3the pro(lem 6ith policing S6hichT is that anything in:ol:ing a comp%ter or the slightest (it of technology is p%t into a specialist (rac7et and it is conf%sing the iss%e and lea:ing a smaller n%m(er of specialist reso%rces dealing 6ith 6hat is traditional crime3 0D + B)2/

#/5+/ 4ainstreaming< on the other hand< means adopting an e=tremely 6ide definition of e"crime 03the %se of net6or7ed comp%ters< telephony or &nternet technology to commit or facilitate crime3HD + B!2< to emphasise that e"crime is in reality F%st crime< re;%iring all police officers< not F%st the specialists< to ac;%ire a (asic le:el of s7ills/ The o(Fecti:e 6as s%mmarised (y S%e 8il7inson as 3not to try to shift e:erything into specialist %nits (%t to raise the le:el of a6areness and capa(ility right the 6ay across the (oard3 0D + B#2/
)) + Tera(yte O + million 4ega(ytes< or +
+2

(ytes/

7.52. The intention behind mainstreaming is laudable, but there is a fundamental contradiction: as we noted in Chapter 2, treating e-crime as conventional crime means that it is impossible to assess its rate of growth, or the cost to individuals or the economy; it also makes it impossible to set policing targets or priorities relating to e-crime. The logical consequence of "mainstreaming" e-crime is that the bulk of e-crime will be subsumed into conventional crime, in which case it will no longer be a distinct policing priority. All that will be left will be the rump of e-crimes that exist only because the technology exists—typically, offences covered by the Computer Misuse Act 1990, as amended.

7.53. A balance has to be struck. We have considerable sympathy with Sharon Lemon's view that specialists are called in unnecessarily to investigate traditional crimes that just happen to involve a computer. But we also believe that if there is enough investment in such specialist resources, the skills developed will be of enormous use in combating not just Computer Misuse Act offences, but the extortion, the frauds, the thefts and all the other conventional offences which currently thrive in the fertile soil of the Internet.

7.54. Another issue raised in the course of our inquiry was the extent to which the police have the resources, and, more critically, the powers to investigate e-crime proactively, through monitoring Internet traffic. As we noted in Chapter 2, and as the FBI confirmed when we visited Silicon Valley, huge volumes of criminal activity are conducted online, sometimes openly, on Internet Relay Chat, Peer-to-Peer (P2P) or other networks. However, while researchers in the United States, such as Team Cymru, are entitled to monitor such traffic for the purposes of research, US law enforcement agencies are forbidden from doing so unless they have "probable cause".

7.55. In this country, the police are able to monitor online communications, provided that their activity is permitted under the surveillance provisions of Part II of the Regulation of Investigatory Powers Act 2000. On our visit to the Metropolitan Police Computer Crime Unit we met officers who were actively monitoring the online behaviour of paedophiles, a number of whom they had already arrested. However, at present there does not seem to be any monitoring within the UK, even for basic intelligence purposes, of the "underground economy" identified by Team Cymru.

7.56. An alternative approach, put forward by Ross Anderson, might simplify the process whereby investigations are launched. This was for "randomised enforcement". In other words, the volume of e-crime is such that if the police decide to investigate one randomly selected and apparently minor offence, such as a petty online fraud, each month, "you ensure that someone who perpetrates millions of £1 frauds comes into the police sight eventually" (Q 703).

International action

7.57. The nature of e-crime is to cross national jurisdictions. The victim may live in the Home Counties—but the perpetrator could be anywhere in the world. International co-operation between law enforcement agencies and judicial systems is therefore vital.

7.58. We were not able to establish a clear or consistent picture of the state of international co-operation. On the one hand, Sharon Lemon told us that SOCA's e-crime unit had "established some exceptional working relationships with our international partners". She also mentioned a range of international task-forces for particular offences, while Bill Hughes drew attention to the "international liaison network" within SOCA. He also cited "good examples of work for example with the Russian and the Chinese" (Q 1108), while refusing to identify any problem countries.

7.59. In marked contrast, Shena Crowe at the FBI laboratory in Silicon Valley told us that international action was difficult and slow, with requests for assistance often either ignored or subject to barter. She noted that Russia and China were often cited as major sources of international e-crime—Shane Tews at Verisign in Washington also told us that states in eastern Europe and Asia were turning a blind eye to organised criminals operating on the Internet. To add to the confusion, Sharon Lemon also told us that "the current procedures for sharing information and intelligence can be extremely sluggish", while Sue Wilkinson said that "investigations can fall down because of the fact that legislation does not really cover the international challenge" (Q 1038).

7.60. A more concrete description of the difficulties of international action was provided at eBay. The view of Rob Chesnut, Senior Vice President for Trust and Safety, was clear—the best way to deter e-crime was to put the fraudsters in jail. The main impediment to achieving this was the fact that the authorities in some countries simply were not interested in helping investigations. eBay devoted considerable effort to developing relationships with international law enforcement agencies, and had supported over 100 convictions in Romania alone, by providing materials and in some cases by paying for victims to go there to give evidence in person. One of the company's key recommendations was that laws of evidence should be relaxed to make it easier for testimony to be given from outside the country concerned, for instance using written statements or video links.

7.61. It was clear from our visit to the United States that the United Kingdom is seen as a "good partner" in international action on e-crime. Despite this, the United Kingdom has yet to ratify the Council of Europe's 2001 Convention on Cybercrime. This is a matter of concern, particularly as among the provisions in the Convention is a requirement that parties should "afford one another mutual assistance to the widest extent possible for the purpose of investigations or proceedings concerning criminal offences related to computer systems and data, or for the collection of evidence in electronic form of a criminal offence" (Article 25).

7.62. When we asked the Minister about the delay in ratification, he confirmed that the Government were "committed to ratifying the ... Convention" (Q 804). Certain minor legislative changes were required, and these would be completed by means of the Serious Crime Bill (which at the time of writing was being considered by the House of Commons). However, when asked about mutual assistance he deferred to his official Stephen Webb, who told us that while the Government had "been generally looking at mutual legal assistance requests" there was "nothing specific in this particular area which is being done" (Q 805).

The courts

7.63. Issues of skills and resources permeate every level of the criminal justice system. Given the rate at which e-crime continues to evolve it was perhaps not surprising that we heard some concerns expressed over the capability of courts to understand the technology underpinning it. Professor Walden, on the basis of several years' experience training prosecutors, claimed that prosecutors had experienced "bad judgments, bad case law, which may have been corrected but we have problems in explaining the technology to jurors and explaining the technology to judges" (Q 375).

7.64. Nicholas Bohm argued that "ensuring that the police have the intellectual infrastructure to deal with crimes involving electronics and computers and that the courts can readily grasp what they are about" would be the most effective way to improve the way the justice system deals with e-crime (Q 368). More concretely, Bill Hughes reflected on "how better we can present the case in court ... In the same way that you have a technological advisor here it may be useful to do the same in some of the courts when we are dealing with some of these cases" (Q 1038). However, this proposal might be difficult to reconcile with the fact that court proceedings, unlike those of Select Committees, are adversarial. Even expert witnesses, though notionally working for the court, in practice appear on behalf of, and are paid by, either prosecution or defence.

7.65. Nevertheless, Bill Hughes' suggestion of an expert adviser to assist the courts in assessing IT-based evidence is attractive. A case in point is the weight placed by the courts upon the illegal use of credit cards online. As we have previously noted, the introduction of "chip and pin" has led to a rapid increase in online card-not-present fraud. We have also seen Team Cymru's research, showing huge volumes of stolen credit card details being bought and sold online. In the context of data security breach notification we have also noted that one retailer alone, TK Maxx, has since 2005 lost the details of some 45 million cards to hackers. Potentially any one of these cards, belonging to innocent individuals, could be used online for illegal purposes—in transactions relating to terrorism, or to purchase child abuse images.

7.66. This issue led to an exchange of letters between the Committee and, on the one hand, Jim Gamble, Chief Executive of CEOP, and, on the other hand, Duncan Campbell, an investigative journalist, regarding the conduct of Operation Ore, the investigation of over 7,000 individuals in this country whose credit card details were found on a database held by an American company, Landslide Inc, which until it was closed down in 1999 offered access to a number of child abuse websites. When Jim Gamble gave evidence on 10 January, he was asked whether the prevalence of credit card fraud raised any problems in the conduct of such investigations. His response was as follows: "We never prosecute someone simply on the basis of their credit card being used. You are going to look at all of the circumstantial evidence which when taken together provides overwhelming evidence" (Q 221).

7.67. The Committee then received a letter from Duncan Campbell, who has appeared as a defence expert witness in a number of Operation Ore cases, flatly contradicting Mr Gamble's statement. The letters that followed, from both Mr Campbell and Mr Gamble, are printed as evidence with this Report (see pp 77-81, 363-365).

7.68. This exchange of correspondence strayed far beyond the remit of this inquiry, and we have no wish to comment on the wider issues raised. However, Mr Gamble did confirm that the Crown Prosecution Service had developed a "response for occasions where no images were found", making use of the common law offence of incitement. He further noted that in such cases "the evidential connection between the personal details provided, the identity of the user and a direct link to a site offering child abuse images is clearly key". Such issues were assessed "on a case by case basis" (p 78).

7.69. Thus such cases of alleged "incitement" (of which, according to Mr Gamble, there had been 161, with just ten outstanding, though Mr Campbell claimed there were still 2,000 outstanding) rely heavily on evidence of electronic transactions between a suspected individual and a site offering child abuse images online. It is clear to us that in assessing such evidence the weight placed upon online credit card transactions will be fundamental. It is essential therefore that judges, prosecutors and magistrates (who decide on applications for search warrants) are able to make intelligent and informed assessments of such evidence.

Sentencing

7.70. Finally we turn to sentencing. Once criminals are convicted of e-crimes it is essential that sentences are robust enough to serve as a deterrent to others. The sentences for technology specific crimes (particularly those under the Computer Misuse Act) are defined in statute. But where "traditional" crimes are committed online, once again the phenomenon of high volume, low denomination crime, creates difficulties. Such crimes are not one-off incidents—if someone is convicted of one online fraud, it is extremely likely that they will have committed many more. We therefore asked a number of witnesses whether the use of a computer to commit an offence could be recognised by the court when sentencing, for instance as an aggravating factor.

7.71. In response, Bill Hughes took the view that the commission of crimes online could feasibly be "reflected in the sentencing, depending on the aggravation factor". He cited as an example the lottery scams which target "the more vulnerable in society"—those who by responding to bogus emails have found themselves on the criminals' "sucker list" (Q 1040). The Government were less sympathetic to this idea, and Stephen Webb, of the Home Office, suggested that "You have to make a case for why it was worse to defraud someone over the Internet rather than sending them the 419 letter[45] by post, or scamming them and meeting them face to face on the street" (Q 28).

45 The "419 fraud" is a form of advance fee fraud, in which the victim is persuaded to put down a sum of money in anticipation of a much larger gain, which then fails to materialise. The modern manifestation of this ancient fraud emerged in Nigeria in the 1980s—the number 419 refers to the relevant article of the Nigerian criminal code.

7.72. Other aggravating factors that could influence sentencing might include the high level of intrusion involved in crimes committed via electronic networks—for instance, the courts could recognise that making threats by means of text messages or Instant Messaging constituted an invasion of the home on top of the basic offence committed. Bill Hughes again offered some sympathy, if not direct support, for this view:

"This takes me back to when we started doing drug investigations and often you would find courts who were not familiar with the effects of a particular drug or how large or what the significance of the sort of seizure was that had been made by police or customs officers and how much money and how much damage that could cause. We may actually be in that same type of environment ... how do you present this in a court case where you can realise the aggravating factors and the damage that this can cause" (Q 1041).

7.73. In summary, our concern is whether the criminal justice system as a whole has a sufficiently high and consistent level of understanding of e-crime to be able to make balanced, evidence-based decisions. Do police officers across the 43 forces observe consistent best practice in the way in which they handle such investigations? Do magistrates understand the value and the limitations of electronic evidence, in particular evidence of online credit card transactions, so as to be able to judge the appropriateness or otherwise of issuing search warrants? Are judges in the crown courts competent to direct juries in such cases, or to hand down adequate sentences to those found guilty? On the basis of the evidence received in this inquiry, the answer to all these questions currently seems to be "no".

Conclusions and recommendations

7.74. We recommend that the Government introduce amendments to the criminal law, explicitly to criminalise the sale or purchase of the services of a botnet, regardless of the use to which it is put.

7.75. We recommend that the Government, in partnership with the Association of Chief Police Officers and the Serious Organised Crime Agency, develop a unified, web-based reporting system for e-crime. The public face of this system should be a website designed to facilitate public and business reporting of incidents. The back-end software should have the capacity to collect and collate reports of e-crime, identify patterns, and generate data on the incidence of criminality. The website could also serve as a portal to other more specialised sites, for instance on online child abuse or identity theft. It would be an invaluable source of information for both law enforcement and researchers.

7.76. As a corollary to the development of an online reporting system, we recommend that the Government review as a matter of urgency their decision to require online frauds to be reported to the banks in the first instance. We believe that this decision will undermine public trust in both the police and the Internet. It is essential that victims of e-crime should be able to lodge a police report and have some formal acknowledgement of the fact of a crime having been committed in exchange. We see no reason why such reports should not be made online, processed and forwarded to the banks automatically.

7.77. If these recommendations are to be acted upon, the police service will need to devote more resources to e-crime. We acknowledge the good work undertaken by SOCA and on behalf of ACPO, but within the police skills and forensic capability still vary from force to force. While it is vital to raise police skills across the board, rather than just those of specialists, "mainstreaming" is only part of the answer. We therefore recommend the establishment of a network of computer forensic laboratories, under the aegis of the proposed ACPO national e-crime unit, but with significant central funding.

7.78. We further urge the Home Office, without delay, to provide the necessary funds to kick-start the establishment of the Police Central e-crime Unit, without waiting for the private sector to come forward with funding. It is time for the Government to demonstrate their good faith and their commitment to fighting e-crime.

7.79. These recommendations will all cost money. But e-crime is expanding rapidly: the choice is either to intervene now to make the necessary investment, and perhaps to keep the threat to the Internet under control, or to let it grow unchecked, and risk an economically disastrous, long-term loss of public confidence in the Internet as a means of communication for business and Government alike.

7.80. We urge the Government to fulfil its commitment to ratify the Council of Europe CyberCrime Convention at the earliest possible opportunity. At the same time, in order to ensure that the United Kingdom fulfils the spirit as well as the letter of Article 25 of the Convention, we recommend that the Government review the procedures for offering mutual legal assistance in response to requests for help from other countries in investigating or prosecuting e-crime.

7.81. Finally, we recommend that the Government take steps to raise the level of understanding of the Internet and e-crime across the court system. In particular:

• In the context of the prevalence of identity theft and online card fraud, we urge the Government to issue new guidance to the courts, including magistrates' courts, on the reliability of unsupported credit card evidence as an indicator of guilt;

• We recommend that the Government review the availability to the courts of independent specialist advice in cases of Internet-related crime;

We believe that the sentence should fit the crime. The nature of e-crime is such that mostly (but not exclusively) small crimes are committed in very large numbers; they also generally involve a high level of intrusion into personal life. Sentencing guidelines should be reviewed in recognition of these realities.

CHAPTER 8: SUMMARY OF CONCLUSIONS AND RECOMMENDATIONS

8.1. In this Chapter we set out our recommendations and conclusions in full. The numbers in brackets refer to the relevant paragraphs in the text.

Overview: The Internet and Personal Security

8.2. The benefits, costs and dangers of the Internet are poorly appreciated by the general public. This is not surprising, given the lack of reliable data, for which the Government must bear some responsibility. The Government are not themselves in a position directly to gather the necessary data, but they do have a responsibility to show leadership in pulling together the data that are available, interpreting them for the public and setting them in context, balancing risks and benefits. Instead of doing this, the Government have not even agreed definitions of key concepts such as "e-crime". (2.42)

8.3. We recommend that the Government establish a cross-departmental group, bringing in experts from industry and academia, to develop a more coordinated approach to data collection in future. This should include a classification scheme for recording the incidence of all forms of e-crime. Such a scheme should cover not just Internet-specific crimes, such as Distributed Denial of Service attacks, but also e-enabled crimes—that is to say, traditional crimes committed by electronic means or where there is a significant electronic aspect to their commission. (2.43)

8.4. Research into IT security in the United Kingdom is high in quality but limited in quantity. More support for research is needed—above all, from industry. The development of one or more major multi-disciplinary research centres, following the model of CITRIS, is necessary to attract private funding and bring together experts from different academic departments and industry in a more integrated, multi-disciplinary research effort. We recommend that the Research Councils take the lead in initiating discussions with Government, universities and industry with a view to the prompt establishment of an initial centre in this country. (2.44)

8.5. Legitimate security researchers are at risk of being criminalised as a result of the recent amendments to the Computer Misuse Act 1990. We welcome the Minister's assurance that guidance on this point will appear later in the summer, but urge the Crown Prosecution Service to publish this guidance as soon as possible, so as to avoid undermining such research in the interim. (2.45)

The network

8.6. We see no prospect of a fundamental redesign of the Internet in the foreseeable future. At the same time, we believe that research into alternative network architectures is vital to inform the incremental improvements to the existing network that will be necessary in the coming years. We recommend that the Research Councils continue to give such fundamental research priority. (3.8)

8.7. The current emphasis of Government and policy-makers upon end-user responsibility for security bears little relation either to the capabilities of many individuals or to the changing nature of the technology and the risk. It is time for Government to develop a more holistic understanding of the distributed responsibility for personal Internet security. This may well require reduced adherence to the "end-to-end principle", in such a way as to reflect the reality of the mass market in Internet services. (3.34)

8.8. The current assumption that end-users should be responsible for security is inefficient and unrealistic. We therefore urge the Government and Ofcom to engage with the network operators and Internet Service Providers to develop higher and more uniform standards of security within the industry. In particular we recommend the development of a BSI-approved kite mark for secure Internet services. We further recommend that this voluntary approach should be reinforced by an undertaking that in the longer term an obligation will be placed upon ISPs to provide a good standard of security as part of their regulated service. (3.67)

8.9. We recommend that ISPs should be encouraged as part of the kite mark scheme to monitor and detect "bad" outgoing traffic from their customers. (3.68)

8.10. We recommend that the "mere conduit" immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code. This would give third parties harmed by infected machines the opportunity to recover damages from the ISP responsible. However, in order not to discourage ISPs from monitoring outgoing traffic proactively, they should enjoy a time-limited immunity when they have themselves detected the problem. (3.69)

8.11. The uncertainty over the regulatory framework for VoIP providers, particularly with regard to emergency services, is impeding this emerging industry. We see no benefit in obliging VoIP providers to comply with a regulatory framework shaped with copper-based telephony in mind. We recommend instead that VoIP providers be encouraged to provide a 999 service on a "best efforts" basis reflecting the reality of Internet traffic, provided that they also make clear to customers the limitations of their service and the possibility that it may not always work when it is needed. (3.70)

Appliances and applications

8.12. The IT industry has not historically made security a priority. This is gradually changing—but more radical and rapid change is needed if the industry is to keep pace with the ingenuity of criminals and avoid a disastrous loss of confidence in the Internet. The major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority. We urge the industry, through self-regulation and codes of best practice, to demonstrate its commitment to this principle. (4.38)

8.13. In particular, we urge the industry to endorse the following as best practice:

• Increasing the provision of security advice to users when first booting up PCs or launching applications;

• Automatic downloading of security updates upon first connecting machines to the Internet;

• Ensuring that default security settings are as high as practicable, even if functionality is restricted while users are still learning about the risks they face; and

• An industry-wide code of practice on the use of clear and simple language in security messages. (4.39)

8.14. However, efforts to promote best practice are hampered by the current lack of commercial incentives for the industry to make products secure: companies are all too easily able to dump risks onto consumers through licensing agreements, so avoiding paying the costs of insecurity. This must change. (4.40)

8.15. We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced. (4.41)

Using the Internet: businesses

C/+!/ The steps c%rrently (eing ta7en (y many (%sinesses trading o:er the &nternet to protect their c%stomer@s personal information are inade;%ate/ The ref%sal of the financial ser:ices sector in partic%lar to accept responsi(ility for the sec%rity of personal information is dist%r(ing< and is compo%nded (y apparent indifference at 9o:ernment le:el/ 9o:ernments and legislators are not in position to prescri(e the sec%rity preca%tions that sho%ld (e ta7enE ho6e:er< they do ha:e a responsi(ility to ens%re that the right incenti:es are in place to pers%ade (%sinesses to ta7e the necessary steps to act proportionately to protect personal data/ 05/5B2

C/+#/ 8e therefore recommend that the 9o:ernment introd%ce legislation< consistent 6ith the principles enshrined in common la6 and< 6ith regard to che;%es< in the 5ills of E=change ,ct +CC2< to esta(lish the principle that (an7s sho%ld (e held lia(le for losses inc%rred as a res%lt of electronic fra%d/ 05/5)2

1)% PE+SONA; INTE+NET SEC3+IT@

C/+C/ 8e f%rther (elie:e that a data sec%rity (reach notification la6 6o%ld (e among the most important ad:ances that the United 1ingdom co%ld ma7e in promoting personal &nternet sec%rity/ 8e recommend that the 9o:ernment< 6itho%t 6aiting for action at E%ropean Commission le:el< accept the principle of s%ch a la6< and (egin cons%ltation on its scope as a matter of %rgency/ 05/552

C/+?/ 8e recommend that a data sec%rity (reach notification la6 sho%ld incorporate the follo6ing 7ey elements'

I 8or7a(le definitions of data sec%rity (reaches< co:ering (oth a threshold for the sensiti:ity of the data lost< and criteria for the accessi(ility of that dataE

I , mandatory and %niform central reporting systemE

I Clear r%les on form and content of notification letters< 6hich m%st state clearly the nat%re of the (reach and pro:ide ad:ice on the steps that indi:id%als sho%ld ta7e to deal 6ith it/ 05/5!2

133 PERSONAL INTERNET SECURITY

8.20. We further recommend that the Government examine as a matter of urgency the effectiveness of the Information Commissioner's Office in enforcing good standards of data protection across the business community. The Commissioner is currently handicapped in his work by lack of resources; a cumbersome "two strike" enforcement process; and inadequate penalties upon conviction. The Government have expressed readiness to address the question of penalties for one type of offence; we recommend that they reconsider the tariffs for the whole of the data protection regime, while also addressing resources and enforcement procedures as well. These should include the power to conduct random audits of the security measures in place in businesses and other organisations holding personal data. (5.57)

Using the Internet: the individual

8.21. The Government-sponsored Get Safe Online website already provides useful information and practical advice to Internet users, but its impact is undermined by the multiplication of other overlapping websites. We recommend that the Government provide more explicit high-level political support to the Get Safe Online initiative and make every effort to recruit additional private sector sponsors. If necessary, the site should be relaunched as a single Internet security "portal", providing access not only to the site itself but acting as a focus and entry-point for other related projects. (6.46)

8.22. We agree with the Minister that there needs to be a "step change" in the way the regulator Ofcom approaches its duties in relation to media literacy. We recommend that Ofcom not only co-sponsor the Get Safe Online project, but that it take on responsibility for securing support from the communications industry for the initiative. (6.47)

8.23. We further recommend that, in addition to the new kite mark for content control software, Ofcom work with the industry partners and the British Standards Institute to develop additional kite marks for security software and social networking sites; and that it continue to keep under review possible areas where codes of best practice, backed up by kite marks, might be appropriate. (6.48)

8.24. We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety. (6.49)

Policing the Internet

8.25. We recommend that the Government introduce amendments to the criminal law, explicitly to criminalise the sale or purchase of the services of a botnet, regardless of the use to which it is put. (7.74)

8.26. We recommend that the Government, in partnership with the Association of Chief Police Officers and the Serious Organised Crime Agency, develop a unified, web-based reporting system for e-crime. The public face of this system should be a website designed to facilitate public and business reporting of incidents. The back-end software should have the capacity to collect and collate reports of e-crime, identify patterns, and generate data on the incidence of criminality. The website could also serve as a portal to other more specialised sites, for instance on online child abuse or identity theft. It would be an invaluable source of information for both law enforcement and researchers. (7.75)

8.27. As a corollary to the development of an online reporting system, we recommend that the Government review as a matter of urgency their decision to require online frauds to be reported to the banks in the first instance. We believe that this decision will undermine public trust in both the police and the Internet. It is essential that victims of e-crime should be able to lodge a police report and have some formal acknowledgement of the fact of a crime having been committed in exchange. We see no reason why such reports should not be made online, processed and forwarded to the banks automatically. (7.76)

8.28. If these recommendations are to be acted upon, the police service will need to devote more resources to e-crime. We acknowledge the good work undertaken by SOCA and on behalf of ACPO, but within the police skills and forensic capability still vary from force to force. While it is vital to raise police skills across the board, rather than just those of specialists, "mainstreaming" is only part of the answer. We therefore recommend the establishment of a network of computer forensic laboratories, under the aegis of the proposed ACPO national e-crime unit, but with significant central funding. (7.77)

8.29. We further urge the Home Office, without delay, to provide the necessary funds to kick-start the establishment of the Police Central e-crime Unit, without waiting for the private sector to come forward with funding. It is time for the Government to demonstrate their good faith and their commitment to fighting e-crime. (7.78)

8.30. These recommendations will all cost money. But e-crime is expanding rapidly: the choice is either to intervene now to make the necessary investment, and perhaps to keep the threat to the Internet under control, or to let it grow unchecked, and risk an economically disastrous, long-term loss of public confidence in the Internet as a means of communication for business and Government alike. (7.79)

8.31. We urge the Government to fulfil its commitment to ratify the Council of Europe CyberCrime Convention at the earliest possible opportunity. At the same time, in order to ensure that the United Kingdom fulfils the spirit as well as the letter of Article 25 of the Convention, we recommend that the Government review the procedures for offering mutual legal assistance in response to requests for help from other countries in investigating or prosecuting e-crime. (7.80)

8.32. Finally, we recommend that the Government take steps to raise the level of understanding of the Internet and e-crime across the court system. In particular:

• In the context of the prevalence of identity theft and online card fraud, we urge the Government to issue new guidance to the courts, including magistrates' courts, on the reliability of unsupported credit card evidence as an indicator of guilt;

• We recommend that the Government review the availability to the courts of independent specialist advice in cases of Internet-related crime;

• We believe that the sentence should fit the crime. The nature of e-crime is such that mostly (but not exclusively) small crimes are committed in very large numbers; they also generally involve a high level of intrusion into personal life. Sentencing guidelines should be reviewed in recognition of these realities. (7.81)

APPENDIX 1: MEMBERS AND DECLARATIONS OF INTEREST

Members:

Lord Broers (Chairman)
†Earl of Erroll
†Lord Harris of Haringey
†Baroness Hilton of Eggardon
Lord Howie of Troon
†Lord Mitchell
Lord O'Neill of Clackmannan
Lord Patel
Lord Paul
Baroness Sharp of Guildford
Lord Sutherland of Houndwood
†Lord Young of Graffham

† Co-opted Members

Declared Interests:

Lord Broers
Main Board Member, Vodafone

Earl of Erroll
Member, Nominet Policy Advisory Board
Member, Information Systems Security Association Board
President, e-Business Regulatory Alliance

Lord Harris of Haringey
Member, Metropolitan Police Authority
Toby Harris Associates is doing business with The Anite Group, and Unisys Limited

Baroness Hilton of Eggardon
None

Lord Howie of Troon
None

Lord Mitchell
Chairman, eLearning Foundation
Shareholder, Syscap Holdings Ltd (a private company), an IT services provider
Shareholder, Apple Inc

Lord O'Neill of Clackmannan
None

Lord Patel
None

Lord Paul
None

Baroness Sharp of Guildford
None

Lord Sutherland of Houndwood
None

Lord Young of Graffham
Chairman and Shareholder, Pixology Plc, Spectra Interactive Plc and Eurotel Plc

APPENDIX 2: WITNESSES

The following witnesses gave evidence; those marked with an * gave oral evidence:

Professor Ross Anderson
AOL
Apache
APACS
Ms Sandra Quinn
Mr Colin Whittaker
British Computer Society
BT Group
Mr Duncan Campbell
Child Exploitation and Online Protection Centre
Mr Jim Gamble
Ms Sharon Girling
Children's Charities' Coalition on Internet Safety
Mr John Carr
Confederation of British Industry
Mr Jeremy Beale
Mr Alan Cox
Department of Trade and Industry
Rt Hon Margaret Hodge MP
Mr David Hendon
Mr Geoffrey Smith
East Midlands Broadband Consortium
eBay
Mr Gareth Griffith
Mr Alasdair McGowan
EURIM
European Commission, Directorate-General for Information Society and Media
Mr Achim Klabunde
Mr Andrea Servida
Mr Merijn Schik
Ms Margareta Traung
Ms Zinaida Yudin
Mr Anthony Bisch
Ms Valerie Gayraud
Mr Rogier Holla
Commissioner Viviane Reding
Federation of Small Businesses
Financial Services Authority
Mr Philip Robinson
Mr Rob Gruppetta
Mr Mike Forster
Professor Steven Furnell & Dr Andy Phippen
Professor Mark Handley
Hewlett Packard
Home Office
Mr Vernon Coaker MP
Mr Tim Wright
Mr Stephen Webb
Mr Nick Hubbard
Ilkley Computer Club
Information Commissioner's Office
Mr Phil Jones
Institute for the Management of Information Systems
Institute of Information Security Professionals
Internet Services Providers' Association
Ms Camille de Stempel
Mr Matthew Henton
Mr James Blessing
Internet Telephony Services Providers' Association
Mr Kim Thesiger
Mr Adam Laurie
Law Society
Mr Nicholas Bohm
London Internet Exchange
Mr Malcolm Hutty
Mr John Souter
MessageLabs
Mr Mark Sunner
Mr Paul Wood
Metropolitan Police
Commander Sue Wilkinson
Microsoft
Mr Jerry Fishenden
Mr Matt Lambert
National Computing Centre
National Education Network
Ofcom
Mr Tim Suter
Mr Ben Willis
Mr Jeremy Olivier
Office of Fair Trading
Mr Mike Haley
Mr Paul O'Nolan
Orange UK
PAOGA
PayPal
Mr Michael Barrett
Ready Technology
Research Councils UK
Royal Academy of Engineering
Royal Bank of Scotland
Mr Matthew Pemble
Mr Bruce Schneier
SecureTrading
Serious Organised Crime Agency
Mr Bill Hughes
Ms Sharon Lemon
Ms Margaret Smith
Society for Computers and Law
Professor Ian Walden
Symantec
Mr Roy Isbell
Mr Ilias Chantzos
THUS
Mr Brian Tompsett
UKERNA
Dr Andrew Cormack
VISA
Ms Sandra Alzetta
Mr Robert Littas
Mr Paul Winstone
Professor Jonathan Zittrain

The following evidence has not been printed but is available for inspection at the Parliamentary Archive (020 7219 5314):

Mr Brian Catt
Edentity
Terence Grange, ACPO
Institution of Engineering and Technology

APPENDIX 3: CALL FOR EVIDENCE

The inquiry invites evidence on security issues affecting private individuals when using communicating computer-based devices, either connecting directly to the Internet, or employing other forms of inter-connectivity.

In particular, the Committee invites evidence on the following questions:

Defining the problem

• What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

• What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

• How well do users understand the nature of the threat?

Tackling the problem

• What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and tradeoffs?

• What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

• What factors may prevent private individuals from following appropriate security practices?

• What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

• Who should be responsible for ensuring effective protection from current and emerging threats?

• What is the standing of UK research in this area?

Governance and regulation

• How effective are initiatives on IT governance in reducing security threats?

• How far do improvements in governance and regulation depend on international co-operation?

• Is the regulatory framework for Internet services adequate?

• What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

Crime prevention

• How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

• Is the legislative framework in UK criminal law adequate to meet the challenge of cyber-crime?

• How effectively does the UK participate in international actions on cybercrime?

APPENDIX 4: SEMINAR HELD AT THE INSTITUTION OF ENGINEERING AND TECHNOLOGY, SAVOY PLACE, LONDON 28 November 2006

4em(ers of the S%("Committee present 6ere Lord 5roers 0Chairman2< Lord 4itchell< Lord O@Geill of Clac7mannan< Lord -atel< 5aroness Sharp of 9%ildford< Lord S%therland of Ho%nd6ood< Lord Mo%ng of 9raffham< Dr Richard Clayton 0Specialist ,d:iser2< Christopher *ohnson 0Cler72 and Cathleen Sch%lte 0Committee Specialist2/

1*) PE+SONA; INTE+NET SEC3+IT@

-articipants 6ere 4aria 5%rro%ghs 0DT&2< -rofessor 5rian Collins 0-rofessor of &nformation Systems< Cranfield Uni:ersity2< Cordella Da6son 0Home Office2< Ro(ert 9r%ppetta 0FS,2< 4alcolm H%tty 0Head of -%(lic ,ffairs< L&GJ2< 4att Lam(ert 09o:ernment ,ffairs Director< 4icrosoft2< ,dam La%rie 0The 5%n7er2< 5en La%rie 0The 5%n7er2< Sharon Lemon 0Dep%ty Director of e"crime< SOC,2< Detecti:e Chief &nspector Charlie 4c4%rdie 04etropolitan -olice2< -hilip $irgo 0EUR&42< Tim 8right 0Home Office2/ Personal Internet security 6 /ey themes 84r Richard Clayton9

Dr Clayton ga:e an o:er:ie6 of the s%(Fect"matter for the in;%iry/ There 6as a general perception that people 6ere %nsafe on the &nternet< and that things 6ere getting 6orse/ 8hose fa%lt 6as thisN There 6as a long list of potential candidates 6ho co%ld ta7e a share of responsi(ility'

Operating system :endors 6ere shipping prod%cts (efore they 6ere sec%reE

End"%sers 6eren@t patching their systems to fi= sec%rity holesE

I ,pplication programmers 6ere paying no attention to sec%rityE

5%sinesses r%nning applications 6eren@t patching their systems to 7eep them %p"to"dateE

1*2 PE+SONA; INTE+NET SEC3+IT@

Retailers 6ere selling %n"patched systems and not gi:ing %sers eno%gh s%pport in setting %p a comple= prod%ctE

&S-s 6ere letting (ad traffic reach end"%ser machines and not insisting their c%stomers 6ere sec%reE

Hard6are man%fact%rers 6eren@t ma7ing ro%ters and modems 3sec%re (y defa%lt3E

I Get6or7s 6eren@t pro:iding sec%re DGS 0name ser:ices2 or 59- 0ro%ting2E

Companies 6ere mar7eting $o&- as if 6as F%st as relia(le as con:entional telephonyE

Reg%lators 6eren@t setting minim%m sec%rity standards or trying to fi= mar7et fail%resE

Criminals 6ere doing (ad thingsE

1** PE+SONA; INTE+NET SEC3+IT@

I The police 6eren@t (othering to catch themE

Legislators 6eren@t enacting s%ita(le la6sE

I The 9o:ernment 6eren@t ma7ing s%re that o:erseas croo7s 6ere dealt 6ithE

I The &nformation Commissioner 6asn@t dealing 6ith spamE

I End"%sers 6ere going to %ns%ita(le 6e(sites and do6nloading pirated materialE

I Ed%cators 6eren@t teaching 3media literacy3 effecti:ely eno%ghE

I 5an7s 6eren@t gi:ing c%stomers sec%rity de:icesE

I Credit card companies 6ere d%mping their ris7s onto merchantsE

1*6 PE+SONA; INTE+NET SEC3+IT@

I 8e( (%sinesses 6eren@t 7eeping c%stomer records sec%reE

I ,nd perhaps it 6as all state"sponsored &nfo8arW

&n reality most of the people in the areas listed a(o:e 6ere doing their (est and impro:ing their o6n little part of the p%LLle/ 5%t it 6as not a simple pro(lem 6ith a simple sol%tion/ The important thing 6as to (etter align incenti:es so that things (egan to impro:e rather than contin%ing to get 6orse/ The nature and scale of the threat to pri%ate indi%iduals 8Mar/ $arris, Global 4irector, SophosLabs9

Mr Harris noted that viruses now tended not to replicate widely—of the over 3,000 new viruses reported each month, the majority were Trojans, installed on PCs via spam, which installed other unwanted software, but did not replicate. They were designed to make money, not to vandalise the Internet, and were targeted at un-patched machines. Machines which were patched up to date were unlikely to be infected.

Users tended to look on computers as white goods—security was the last thing on their mind. They were completely unaware of the risks of clicking on pop-ups or hyperlinks. In some cases even unopened emails could now infect machines if they were being previewed.

In answer to questions, Mr Harris said the IT security business was working round the clock to keep up with the changing threats. However, there was still uncertainty as to the policing response to cyber-crime—there was no alert system in place for reporting fraudulent websites etc.

Public education and engagement (Professor Bill Dutton, Director, Oxford Internet Institute)

Professor Dutton described the Oxford Internet surveys, based on interviews with around 2,000 people. These revealed that home was the key location for Internet use; people learnt about the Internet from friends and family rather than through formal teaching or documentation. Most users, even experienced users, had no experience of writing programmes or creating web pages. Nevertheless, people seemed to be coping somehow—not just individuals, but manufacturers and ISPs.

Regulation and legislation (Professor Ian Walden, Reader in Information and Communications Law, Queen Mary, University of London)

Professor Walden drew attention to the variety of criminal activity, from teenage hackers to organised crime. Large numbers were involved, and this created challenges for the criminal justice system, which struggled to cope with large numbers of suspects.

There were essentially three kinds of criminal conduct on the Internet:

• Traditional crime, such as fraud, using computers as a tool (e.g. phishing), covered by existing criminal law;

• Content-related crime, where the content (e.g. child abuse images) was illegal. Traditionally the law differentiated between supplying and possessing content, but this was harder to sustain in the computing environment;

• Crimes against confidentiality and the integrity of computers—the Computer Misuse Act 1990 had recently been amended so as to cover denial of service attacks.

Legislation in recent years had tended to change and extend the way in which offences were investigated (online child abuse sometimes being used as a pretext) rather than creating new offences. In addition, the international dimension of cyber-crime had led to harmonisation of legal regimes at EU and Council of Europe levels. However, there was now a need to think about laws to promote security, rather than just penalising and investigating offences.

Policing the Internet (Detective Superintendent Russell Day, Metropolitan Police Specialist and Economic Crime Directorate)

DS Day, while drawing attention to the variety of criminal activities online, argued that there were few new crimes. The National e-Crime Coordination Unit was being developed as a centre of excellence in combating such crime.

Most of the Metropolitan Police's resources were currently being taken up by forensic work, analysis of hard drives etc—the resources available for investigating criminal networks such as botnets were very limited. Training was very resource-intensive—though the Met could call on some 150 special constables with IT skills to assist in particular investigations.

The security of operating systems (Ed Gibson, Chief Security Officer, Microsoft UK)

Mr Gibson drew attention to Microsoft's responsibility to ensure that anyone logging onto the Internet using a Microsoft platform was as secure as possible. Thus the new Internet Explorer 7 included a phishing filter. However, human nature was such that people would inevitably visit unsuitable sites regardless.

All Microsoft products went through a cycle of security reviews, including a "final security review", conducted in the immediate run-up to launching a new product.

Internet service provision (John Souter, CEO, LINX)

Mr Souter noted that five companies supplied 75 percent of broadband customers: BT, NTL, AOL, Tiscali and Orange. But in addition there were hundreds of smaller companies, selling mainly on price. At the same time, there was no published evidence to show that any one ISP was more secure than any other.

Asked whether ISPs could block bad traffic, Mr Souter argued that they could not. It was difficult to identify bad traffic (e.g. when it was encrypted), and it was very mobile and variable, making it very hard to maintain up-to-date filters.

Commerce over the Internet (Nicholas Bohm, Law Society)

Security was about personal and commercial relationships. "Security" in the old sense—e.g. security for a loan—was a way to offer guarantees to particular creditors. But more security for one creditor might mean less for another. Typically in an online fraud there would be two innocent parties (say, a bank and a customer), and a fraudster in the middle. The two innocent parties would be left in dispute over meeting the cost—security was about striking a balance between them.

PCs were not secure. Instead responsibility for security was shared out via contracts so as to manage the risk. With credit cards customers were in a good position—the banks met the cost of fraud in customer-not-present transactions. But where such risks were passed onto merchants the situation was less favourable.

Customers could not be held liable if their bank honoured a cheque with a forged signature—however, this did not apply online. At the moment banks' security protocols relied on shared secrets. This was no longer acceptable. The key was to create incentives to invest in improved security—this meant ensuring that risks fell where it was most expedient for the whole community that they should fall.

New technologies and emerging threats (Professor Ross Anderson, Cambridge University)

Professor Anderson outlined the subject of "security economics". The traditional view of info-security was that failures were down to a lack of technical features such as firewalls. However, in recent years it had become clear that systems were insecure whenever those who could fix them had no incentive to do so. UK banks were less liable for fraud than US banks—but suffered more fraud as a result.

The economics of the IT business were such that competition to get to the top was fierce, sidelining security. Once a company had reached the top (as Microsoft had done), the situation was different, and increased security could be used to lock out competition.

Overall, we were spending more or less the right amount on security. But spending was skewed: big companies were spending too much, Government far too much, but small companies too little.

Discussion

Discussion initially focused on policing. Police forces were focused on local crime, not on the international co-ordination needed to combat cyber-crime. SOCA had a more outward focus, inheriting good relationships with international partners from the National High-Tech Crime Unit, and targeting both the countries from which cyber-crime mostly originated and the five main target countries. At the same time SOCA aimed to identify overlaps and gaps in the work of individual police forces.

There was a perception that "level 2" crime was being overlooked. This had in fact been the case even before the absorption of the NHTCU into SOCA, and law enforcement still had not got it right. There had to be confidence that when level 2 crime was reported it would be picked up, and at the moment this was not happening. However, the police were now working with APACS to develop a reporting system from banks to the police.

It was argued that there were discrepancies between the amounts spent on law enforcement, the relatively small actual losses, and the huge amounts spent by individual users on IT security. Attempts to change behaviours were hampered by weak incentives, leading to players pushing risk up or down the chain. At the same time political moves to create specialised units to combat cyber-crime might be less productive than less visible efforts to raise skills across the board.

A particular problem was the distortion produced by child abuse cases—the pressure to devote resources to investigating child abuse was irresistible, and could compromise other policing priorities. Operation Ore had brought law enforcement services to their knees.

Discussion then turned to data protection and the security breach notification laws in some US states. It was argued that a security breach notification law would be a potent incentive to improve security. In a recent case in the UK, a major supermarket, one of whose ATMs had been compromised by a "skimmer", refused to co-operate in contacting customers who had used the ATM, and police had had to put an advertisement in the local paper to reach them. In the US the supermarket would have been obliged to write to every customer, in effect admitting negligence and warning them to check bank statements. This provided protection for customers who were subsequently victims of fraud and who could use such notification to help prove this to their bank.

In contrast, the position in the UK was that companies whose security had been compromised were under no obligation to disclose the fact, and were in fact advised to keep quiet and wait to be sued. A security breach notification law in the UK would be a major help to law enforcement, not least in helping to identify the scale of the problem. It should not be limited to telecommunications companies, but should be tied to data protection, covering all institutions holding personal data.

Finally discussion focused on emerging technologies. Increasing numbers of appliances incorporated computers, and relied on the Internet to communicate. Thus the Internet could be used to compromise an ever-widening range of technologies. For instance, information collected from airline websites could be used to compromise ID cards and e-passports. Furthermore society as a whole was increasingly reliant on the Internet to support critical services, such as hospitals. The time was rapidly approaching in which a failure of the Internet would lead directly to deaths. There was an issue over whether reliance on the Internet for critical services was prudent.

APPENDIX 5: VISIT TO THE UNITED STATES

4em(ers of the S%("Committee ta7ing part in the :isit 6ere Lord 5roers 0Chairman2< Lord Harris of Haringey< 5aroness Hilton of Eggardon< Lord Ho6ie of Troon< Lord 4itchell< Dr Richard Clayton 0Specialist ,d:iser2 and Christopher *ohnson 0Cler72/ /ashin!ton 9C7 4onday * 4arch 2ederal Trade Commission

The Committee 6as 6elcomed (y H%gh Ste:enson< ,ssociate Director for &nternational Cons%mer -rotection< and colleag%es 1aty Ratte< Gat 8ood and *ennifer Leach/ The FTC had aro%nd +<+ staff< incl%ding some B in the 5%rea% of Cons%mer -rotection/

16) PE+SONA; INTE+NET SEC3+IT@

&t 6as noted that the US had no comprehensi:e< o:er"arching data protection or pri:acy legislation/ There 6as ho6e:er a re;%irement for all companies to p%t in place reasona(le processes to ass%re sec%rity of personal dataHthis approach 6as preferred to the setting of detailed technical re;%irements/ The assessment of 3reasona(leness3 6as fle=i(le< depending on the siLe of the company< the sensiti:ity of data< and so on/

The role of the FTC 6as to monitor proacti:ely the sec%rity meas%res p%t in place (y financial instit%tions 0incl%ding all companies pro:iding financial ser:ices< (%t e=cl%ding the maFor national (an7s< 6hich 6ere reg%lated (y the Federal Reser:e2< and to in:estigate specific complaints 6ith regard to other companies/ The FTC had discretion to decide 6hich complaints to p%rs%e< (ased on the serio%sness of the iss%es raised/ &f companies did not ha:e 3reasona(le3 processes in place< the FTC co%ld either ma7e an order re;%iring impro:ements< or co%ld see7 ci:il penalties/ The FTC had yet to enter into litigation on the scope of reasona(leness< (%t :ol%ntary enforcement orders had (een entered into (y a n%m(er of companies< incl%ding 4icrosoft< 6ith regard to its -assport programme/

The FTC recei:ed o:er )5 < complaints of identity theft each year< and s%r:eys p%t the total n%m(er of cases at C"+ million a year in the US/ 8or7 to disaggregate &D theft from simple card fra%d 6as ongoing/ The FTC no6 re;%ired a police report to (e filed< 6hich in t%rn triggered in:estigation (y financial instit%tions/ Ho6e:er< the n%m(ers of cases in:estigated 6ere :ery small/

Data (reach notification la6s in o:er B states had had a mar7ed impact< dri:ing many in:estigations< nota(ly the Choicepoint case< 6hich res%lted in the company paying P+ million in ci:il penalties and P5 million in redress to c%stomers/ Ho6e:er< the inconsistency (et6een state la6s created some diffic%lties< and Congress 6as no6 loo7ing at a federal data (reach notification la6/

On spam< the 3Can"Spam3 ,ct had pro:ided for s%its (y pri:ate indi:id%als or companies< and 4icrosoft and other companies had (ro%ght casesE the FTC itself had

162 PE+SONA; INTE+NET SEC3+IT@

(ro%ght aro%nd + cases/ The approach 6as normally to foc%s on 6hat spam 6as ad:ertising< and th%s 6ho profited from it< rather than see7ing to identify the so%rce of spam emails themsel:es/ State 4epartment

The Committee 6as 6elcomed (y 4r Richard C 5eaird< Senior Dep%ty Coordinator for &nternational Comm%nications U &nformation -olicy/ The role of the

State Department 6as to co"ordinate international initiati:es on cy(ersec%rity< s%ch as the 3&nformation Society Dialog%e3 6ith the E%ropean Commission/ The State Department also ad:ocated the Co%ncil of E%rope@s Con:ention on Cy(ercrime< 6hich the US had no6 ratified/

Co"ordinated action 6as diffic%lt< gi:en the asymmetry (et6een legal systems aro%nd the 6orld/ Ho6e:er< cy(ersec%rity 6as an increasingly high priority internationally/ 5odies s%ch as the OECD< the &nternational Telecomm%nications Union 0&TU2 and ,sia" -acific Economic Cooperation 0,-EC2< 6ere engaging 6ith iss%es s%ch as spam and mal6are< and 6ith capacity (%ilding designed to help less de:eloped co%ntries confront these pro(lems/ The U1 6as a strong partner in s%ch international initiati:es/

The top priority 6as to de:elop la6s 6ithin domestic legislation that p%t people in Fail/ &n so doing< technical meas%res to help identify so%rces of< for e=ample< spam< 6o%ld (e :al%a(le/

On m%t%al legal assistance< 6hich fig%red in the Co%ncil of E%rope Con:ention< the US participated acti:ely in the 6or7 of the first UG Committee on police cooperation/

16* PE+SONA; INTE+NET SEC3+IT@

Ho6e:er< in p%rs%ing cases internationally there had to (e a (alance (et6een p%rs%ing criminality and protecting freedom of speech/ Lunch

The Committee attended a l%nch hosted (y the Dep%ty Head of 4ission< ,lan Charlton/ 9%ests incl%ded Stephen 5al7am< CEO of the &nternet Content Rating ,ssociationE -eter Fonash< Department of Homeland Sec%rityE Liesyl FranL< &T ,merican ,ssociationE 4ichael R Gelson< &nternet SocietyE and ,ndy -%rdy< -resident of DR, Enterprises< &nc/ Team Cymru

The Committee spo7e to *erry 4artin< Research Fello6< 6ho said that Team Cymr% had (eg%n as a thin7"tan7< (efore (eing incorporated in 2 5/ &t no6 employed a net6or7 of researchers dedicated to s%pporting the &nternet comm%nity in maintaining sec%rityE it 6as f%nded (y grants and a small n%m(er of commercial contracts< (%t 6as non"profit ma7ing/

On one day< the preceding Sat%rday< 4r 4artin had detected o:er #< malicio%s URLs< o:er half of these hosted in China/ These 6ere identified thro%gh a data(ase of malicio%s code samples< c%rrently (eing added to at an a:erage rate of !<2 a day/ Of these samples aro%nd 2C percent 6ere typically (eing identified (y anti":ir%s soft6areE the information 6as then made a:aila(le to Symantec< and (y the end of the month the a:erage detection rate increased to # percent/

&f all the e=amples of malicio%s code 6ere to (e reported to the police< they 6o%ld (e o:er6helmed/ There 6ere legal process in place< (oth nationally and internationally< to in:estigate themHthe pro(lem 6as one of time and reso%rces/ The F5& cy(ercrime di:ision employed relati:ely fe6 people/ 8ell ;%alified staff soon fo%nd they co%ld earn a lot more in the pri:ate sector< leading to large n%m(ers of :acancies in go:ernment agencies/

166 PE+SONA; INTE+NET SEC3+IT@

Mr Martin then illustrated the working of the underground economy in stolen identities, credit card details etc., using examples from Internet Relay Chat (IRC) rooms.

The official reported loss to banks of $2.7 billion a year was under-reported; there was an incentive in the financial community to down-play the problem. Education of consumers was not really a solution; you would never be able to stop people from clicking on links to corrupt websites. The key for banks and others was:

• To introduce two-factor authentication;

• To ensure that companies were familiar with all their address space, rather than bolting on new areas, for instance when acquiring new subsidiaries;

• To be more demanding of software manufacturers.

Progress and Freedom Foundation

The Committee met Tom Lenard, Senior Vice President for Research, and colleagues. Mr Lenard approached the issues as an economist, recognising the huge benefits derived from the Internet, and asking whether there was market failure or harm to consumers, and whether government action was needed to remedy any such problems.


The best available statistics (e.g. Javelin and the Bureau of Justice) indicated that levels of identity theft had on most measures been in decline in the last three years, and that the overall problem was smaller than normally represented. On the other hand, the retention of information by companies was what often allowed them to identify anomalous transactions so quickly, and so benefited consumers. Mr Lenard accepted that the reliability of the available data was open to question, but cautioned against assuming that a lack of data meant an increasing problem.

On the security of operating systems, companies such as Microsoft and Apple were spending a huge amount on security, and there was no evidence that new incentives were needed. Governments were not well placed to decide levels of security, encryption and so on. The approach of the FTC, requiring reasonable standards of security, was a better approach. In addition, the FTC had launched major litigation, for instance against Choicepoint. These had created a significant deterrent to private sector companies from persisting with poor security practices. However, Government was almost certainly not spending enough on security, and this would be an appropriate area to regulate.

On spam, the Can-Spam Act had had no effect on levels of spam. Intervention on spam was technically difficult, but the Internet was young and evolving new technical solutions. Government intervention had not helped.

Washington DC, Tuesday 6 March

Department of Justice

The Committee met John Lynch, Deputy Chief, Computer Crime and Intellectual Property, and colleagues Chris Painter and Betty-Ellen Shave. The Department of Justice itself had around 40 attorneys working on cybercrime and intellectual property. It also supported a network of 200 federal prosecutors around the US specialising in high-tech crime, working closely with the FBI and local law enforcement.


The FBI now had cybercrime as its number three priority, after international terrorism and espionage. At the same time the US, like all countries, lacked resources to deal with cybercrime; in particular many local police forces had difficulty conducting computer forensics. These problems were compounded by the loss of qualified investigators to the private sector.

Moreover, there were no unified definitions or reporting systems for cybercrime or identity theft, and statutes varied from state to state. Victims who reported small cybercrimes to local police, who lacked expertise, were unlikely to get anywhere. This created particular problems in investigating small crimes, say, under $1,000, which would not justify federal prosecutions. However, if victims reported small crimes to the "IC3" (Internet Crime Complaint Center), the FBI would "triage" them, which meant there was a chance of linking up many small cases so as to turn them into larger, potentially federal, cases.

The President had asked for a report on identity theft, and the DoJ was cooperating with the FTC, FBI and Secret Service in considering the issues. The report was likely to appear in the next two or three months. The FTC was pressing for uniform reporting procedures for ID theft, and this might well figure in the report.

Reporting rates were low, and many crimes were swallowed up by the credit card companies. The general feeling was that law enforcement was not keeping up with cybercrime, and this appeared to be having a damaging effect on the growth of e-commerce. While there were prosecutions, only a small percentage of crimes ended up in court. Whereas ten years ago cybercrime was the domain of experts, now the general criminal, with no special abilities, could commit crimes online.

The UK had been prominent in multi-lateral actions, and was probably ahead of the US in protecting critical IT infrastructure. However, whereas the US had ratified the Council of Europe convention, it was still urging other states (including the UK) to ratify. The creation of a 24/7 emergency network meant that law enforcement officers from around 50 countries could at any time request assistance from US experts; there was no guarantee that requests would be granted, but they would be considered without delay.

As for the Mutual Legal Assistance and hot pursuit provisions of the convention, the US was slower than some other countries in closing down rogue websites. In particular, the 1st Amendment, guaranteeing freedom of speech, dictated a cautious approach. At the same time, law enforcement had developed good relations with ISPs, who could close sites that breached their terms and conditions.

The key recommendations were, first, for the UK to ratify the Council of Europe convention, and, second, to increase resources for law enforcement.

Verisign

The Committee was welcomed by Shane Tews, Senior Washington Representative, who outlined the role of Verisign. The company ran two of the thirteen top-level roots (the "A" and "J" roots) of the Internet. It also supported the database registry for the .com and .net domains. It employed just under 4,000 people globally, and maintained servers around the world. This allowed regional resolution of "bad traffic": in effect, bad traffic emanating from, say, Russia, could be sunk in a regional "gravity well", rather than slowing down the Internet as a whole.

Verisign could not specifically identify the IP addresses of the originators of bad traffic, such as spoof emails, but it could identify the IP addresses of servers, in effect the wholesalers, and engage with them.


Personal Internet security could not be separated from the integrity of the infrastructure as a whole. The volume of bad traffic, much of it targeted ostensibly at individual users, affected the entire network. The originators were variously organised criminals, terrorists and rogue states. Secure, government-run financial networks now handled around $3 trillion of traffic every day. These networks did not interact directly with the public Internet, but such transactions would not be possible if public sites, such as the New York Stock Exchange, or the Bank of England, were not operating. The Internet had to be viewed holistically; the costs of insecurity were potentially huge.

The level of bad traffic (for instance, the DOS attack on the .uk root server in February 2007) was now peaking at 17 times the basic level of Internet traffic; by 2010 it was likely to be 50 times the basic level. Massive over-capacity and redundancy was needed to allow enough headroom in the network to accommodate such traffic. Verisign alone was now able to handle four trillion resolutions per day on its section of the network, some eight times the normal current volume across the entire network.

More broadly, Verisign was a private sector company, in effect performing a public service in maintaining the network. The Internet had not been designed to support the current level of financial traffic; it had just happened that way. Authentication of websites was a service offered by Verisign, and the process of securing authentication for major companies such as Microsoft was very thorough. But in the longer term the question would arise of whether, and if so when, individuals would be prepared to pay for authentication of Internet-based services, such as email, which were currently free.

Internationally, certain states in eastern Europe and Asia were turning a blind eye to organised crime operating via the Internet from within their borders. Although the Council of Europe convention was a huge step forward, it was essential to engage local authorities and agencies in combating this phenomenon.

California, Wednesday 7 March

University of California, Berkeley

Center for Information Technology Research in the Interest of Society (CITRIS)

Introduction


The Committee was welcomed by Gary Baldwin, Executive Director of CITRIS. CITRIS had been established some six years ago, on the initiative of former Governor Gray Davis. It was an independent research centre, reporting directly to the President of the University. A small amount of money, sufficient to cover operating costs, came from the State of California. Funding for research came from partner organisations in industry and federal government (such as the National Science Foundation). Of the staff, over half were from electrical engineering and computing; engineering, other sciences, and social sciences, made up the remainder.

Shankar Sastry

Professor Sastry said that the point of CITRIS was to bring together technologists with experts in the social science field to develop a co-ordinated approach to cybersecurity research. CITRIS itself was an umbrella organisation, which sheltered a number of different research priorities.

Many companies had made pledges (typically $1.5 million a year) to support research, making good these pledges by buying membership in particular research centres, such as TRUST, rather than by contributing to a central pot. These centres, with 50-100 researchers, were fluid, normally breaking up and re-forming over a five-year cycle.

CITRIS took the view that new technologies should be put in the public domain. The results of research were published and made available by means of free licensing agreements (in other words, not open source). Industry partners had to leave their intellectual property behind when engaging in CITRIS research projects; however, they were free to make use of the results of these projects to develop new products with their own IP.

TRUST (the Team for Research in Ubiquitous Secure Technology) was one of the research centres, and organised its work on three planes: component technologies; social challenges; and the "integrative" layer between them. Issues investigated included phishing and ID theft, with particular emphasis on the collection of reliable data. Statistics were currently based largely on self-selected surveys, and banks still regarded ID theft as marginal. However, the growth rate was exponential, and in recent years, through a "Chief Security Officer Forum", a number of companies, such as Wells Fargo, Bank of America and Schwab, were taking the issue more seriously.

TRUST had established a test-bed for network defence systems, in which different kinds of attack could be simulated. Technological transfer included anti-phishing products such as SpoofGuard, PwdHash and SpyBlock.

CITRIS research centres were constantly looking for international partners, and a symposium was being organised in London in July. The question was raised as to whether British universities should establish a similar research centre, in collaboration with industry.

Vern Paxson

Dr Paxson outlined his research detecting and collating network intrusions. The goal of information security policy was risk management. False positives and false negatives were the Achilles' heel of all intrusion detection, and, scaled up, undermined assessment of the risks. His laboratory focused on real Internet traffic, rather than simulations, and in so doing detected from the high 100s to low 1,000s of attacks each day.

Analysis of packets as they passed required highly specialised hardware, which ISPs did not have access to. This meant that ISPs were simply not in a position to filter Internet traffic and achieve an adequate level of false positives and false negatives.
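As an added illustration, not part of the Committee's notes or of Dr Paxson's own work, the Python sketch below shows why false positives become the limiting factor once detection is scaled up to ISP traffic volumes: with the base rate of attacks and the detector's per-flow error rates held fixed, the number of false alerts grows with total traffic, and the share of alerts that are real attacks collapses. The traffic volume, attack prevalence and error rates are constructed assumptions chosen to match the order of magnitude mentioned above, not figures from the report.

```python
"""Base-rate arithmetic for intrusion detection at ISP scale.

Added example: the traffic volume, attack prevalence and detector error
rates below are constructed assumptions, not figures from the report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertBreakdown:
    """Expected daily counts produced by a detector."""
    true_alerts: float     # real attacks the detector flags
    false_alerts: float    # benign flows wrongly flagged
    missed_attacks: float  # real attacks the detector lets through

    @property
    def precision(self) -> float:
        """Fraction of raised alerts that are real attacks (0.0 if none raised)."""
        total = self.true_alerts + self.false_alerts
        return self.true_alerts / total if total else 0.0


def alert_breakdown(flows_per_day: float, attack_rate: float,
                    tpr: float, fpr: float) -> AlertBreakdown:
    """Apply the detector's per-flow error rates to a day's traffic.

    attack_rate: fraction of flows that are attacks (the base rate).
    tpr: probability the detector flags an attack flow.
    fpr: probability the detector flags a benign flow.
    """
    attacks = flows_per_day * attack_rate
    benign = flows_per_day - attacks
    return AlertBreakdown(
        true_alerts=attacks * tpr,
        false_alerts=benign * fpr,
        missed_attacks=attacks * (1.0 - tpr),
    )


# Constructed scenario: a billion flows a day, one flow in a million is an
# attack (about 1,000 real attacks, the order of magnitude cited above),
# and the detector catches 90 percent of them.
FLOWS_PER_DAY = 1_000_000_000
ATTACK_RATE = 1e-6
TPR = 0.9

# A false-positive rate of 0.01 percent per flow sounds small...
LAB_GRADE = alert_breakdown(FLOWS_PER_DAY, ATTACK_RATE, TPR, fpr=1e-4)
# ...but at this volume it produces about 100,000 false alerts against
# 900 real ones; the rate must fall a thousandfold before most alerts
# are worth an analyst's time.
ISP_GRADE = alert_breakdown(FLOWS_PER_DAY, ATTACK_RATE, TPR, fpr=1e-7)

if __name__ == "__main__":
    for label, result in (("fpr=1e-4", LAB_GRADE), ("fpr=1e-7", ISP_GRADE)):
        print(f"{label}: {result.true_alerts:.0f} true, "
              f"{result.false_alerts:.0f} false, "
              f"precision {result.precision:.3f}")
```

The same arithmetic applies in reverse to false negatives: lowering the false-positive rate by making the detector stricter usually raises the number of missed attacks, which is the trade-off the paragraph above describes ISPs being unable to resolve with the hardware available to them.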


Mass attacks hit large parts of the network at once; they were not targeted. Botnets were the key problem; the cost of renting a compromised platform for spamming was currently just 3-7 cents a week. The total number of compromised machines was unknown; a guess would be around five percent, or 10-20 million. There was no evidence to suggest that some countries were significantly worse than others.

The research raised legal problems. One was the restriction on wire tapping. More fundamental was the fact that a platform that allowed incoming traffic but barred outbound traffic could be easily finger-printed by the "bad guys"; but to allow outbound traffic risked infecting other platforms, and could make the centre liable for negligence.

Chris Hoofnagle

Mr Hoofnagle noted that the US now had 34 state laws on security breach notification, and a federal law covering the Veterans' Agency. Within these there were various definitions of what constituted a security breach, with the California law the most demanding. In contrast, some states required evidence of potential for harm. There was now pressure for a federal law on security breach notification, which was likely by the end of 2007. It appeared that the FTC would be responsible for implementation.

The Center had collected 206 examples of notification letters, and was coding them under various criteria. However, the collection was by no means complete; only a few states (around five) required centralised notification to a specified regulator. These also required the use of standardised forms, which were crucial to providing good data.

There was some evidence that the media had lost interest in security breach notification, reducing the incentive to raise security levels to avoid tarnishing company image. However, a central reporting system, bringing together information on company performance in a generally accessible form, would help counteract this.

Data on ID theft were also very poor. The Javelin survey estimated 8 million cases in 2006, but relied on telephone surveys. Online polling put the figure at nearer 15 million. Estimates of the damage ranged from $48-27 billion in 2003. Data were also lacking on "synthetic ID theft", where a stolen social security number was combined with a made-up name. Assertions that most ID theft was perpetrated by persons close to the victim (family members etc.) were based on very small samples.

Paul Schwartz

Professor Schwartz drew attention to the split in the US, as in most countries, between law enforcement and intelligence agencies. While there was good information on the former, little was known about the latter.

There were two levels of law: constitutional and statutory or regulatory. The main constitutional law derived from the Fourth Amendment, on the requirement for a warrant for searches and seizures, based on probable cause. Until 1967 there had been no privacy for telecommunications, but at that point the Supreme Court had established the requirement for a search warrant for tapping, on the basis of the individual's "reasonable expectation of privacy". This had since been curtailed by rulings that the Fourth Amendment did not apply either to information held by third parties (e.g. bank records) or to "non-content", such as lists of numbers dialled.

Modern communications meant that ever more information was being held by third parties, such as emails stored on servers. In addition, information was no longer communicated in real time (as telephone conversations were in 1967), with the result that the Fourth Amendment did not apply. The result was that there was little protection under the US Constitution.


Maryanne McCormick

Ms McCormick drew attention to the need for the technology companies that operate the network to lead in tackling the problems. A common complaint was that universities were not training enough graduates to support these companies, and the Science, Technology and Society Center was therefore developing an industry-backed security curriculum, with web-based modules covering such issues as risk management, policy and law.

Around 85 percent of the critical infrastructure was developed, owned and maintained by the private sector. The Center was exploring how decisions were taken by the companies involved, the roles of Chief Security Officers and Chief Privacy Officers, how they were qualified, what sorts of technologies they acquired, and how internal security policies were set. Security and privacy were not profit-generating, but drew on resources generated by other profit-making sectors. The Center was looking at how security breach notification laws impacted on decision-making in this area.

Finally, researchers were looking at the barriers, in particular the difficulty of accessing network traffic data. The US legal regime (e.g. the Stored Communications Act) was having a chilling effect on research.

Electronic Frontier Foundation

The Committee met Gwen Hinze, Daniel O'Brien, Seth Schoen and Lee Tien from the Electronic Frontier Foundation, a not-for-profit organisation founded in 1990, with 13,000 paying members, dedicated to representing innovators and supporting civil liberties for the consumer on the Internet.


The focus of the EFF was increasingly on litigation and education, rather than policy-making. The biggest case currently being undertaken was a class-action lawsuit against AT&T for their involvement in the National Security Agency's programme of wire-tapping communications. The EFF employed 12 attorneys, but also leveraged support from other organisations. Cases were taken on a pro bono basis.

The EFF had three positive recommendations: to focus on prosecuting real Internet crime; to explore possible changes to incentive structures to address market failures in the field of Internet security; to empower and educate users, rather than following the emerging trend to lock down devices.

On the last of these, the EFF was concerned by the increasing tendency to take control over their own systems away from users. While such control, exercised by, say, network operators, might be exercised from benign motives, it effectively imposed a software monopoly upon users, limiting innovation. At the same time, insecurities often resided within operating systems and applications themselves, so that the current focus on firewalls and anti-virus software was misplaced. The key was to empower and educate users to manage their own security intelligently, rather than to adopt a paternalistic approach which would only store up problems for the future.

There were many well-documented security problems that the market had not fixed. New incentives were therefore needed. Vendor liability risked encouraging companies to shift liability to users, by exerting ever more control over end users, and the EFF was therefore equivocal on the desirability of such a regime. It would also impact on innovation, open source software, small companies and so on. More research and analysis of new incentives was needed.

A significant percentage of computers had already been compromised by organised crime. However, botnets were not affecting end users directly, but were being used for spam and DOS attacks. As a result end users needed more information, not less, so that they could evaluate the position more intelligently. They needed a reason to care.


Dinner

The Committee attended a dinner hosted by Martin Uden, the Consul General. The guests were Whit Diffie, CSO, Sun Microsystems, John Gilmore, Founder, Electronic Frontier Foundation, Jennifer Granick, Executive Director of the Stanford Center for Internet and Society, and John Stewart, CSO, Cisco Systems.

California, Thursday 8 March

Silicon Valley Regional Computer Forensic Laboratory

The Committee was welcomed by Mr Chris Beeson, Director of the Laboratory, and then heard a presentation from Special Agent Shena Crowe of the FBI. She began by commenting on the availability of data. The FTC led on ID theft, and individuals were required to report theft to local police in the first instance. The FBI ran the Internet Crime Complaint Center (IC3), and individuals were encouraged to report offences to this site by other agencies and police, but the police report was the fundamental requirement. Reporting to IC3 was voluntary.

In 2006 complaints to IC3 reached 20,000 a month. Losses reported in 2005 were $183.12 million, with median losses of just $424. Over 62 percent of complaints related to online auctions.

Cybercrime was a maturing market. There was a lot of money to be made, and although there were some individual criminals, organised crime led the way. Underneath this level there were many specialists in such areas as rootkits. Communications within the criminal world were conducted through IRC (Internet Relay Chat), P2P (Peer-to-Peer), and tor (The Onion Router). Typically first contacts would be made via IRC, and deals would then be made in other fora. Team Cymru and other volunteer groups played a critical part in monitoring this traffic; the FBI, as a Government agency, could not lawfully monitor or collect such data, whereas researchers were able to do so.


In terms of security, the key players were the industry itself, the Department for Homeland Security, FBI, IT Information Sharing and Analysis Centers (IT-ISAC, in which company security specialists shared best practice), and the Secret Service. Within the FBI the cybercrime division was established six years ago, and staff and resources had in recent years shifted from conventional criminal work to the top priorities of counter-intelligence, terrorism and cybercrime.

International action was difficult and often informal. Requests for help could be ignored or subject to barter. There were few reliable data on the main centres of organised cybercrime, though Russia and China were commonly cited as major sources.

Security breach notification laws had been beneficial in helping companies to normalise the issues. Rather than sweeping breaches under the carpet they were now more likely to assist investigations. However, the reality of investigations was that from an attack on a particular target, to tracking down the drones and the botnet, to reaching the source, could take months. Investigations were not operating in digital time. Ms Crowe then took the Committee through the various stages of one particular investigation, which had taken about a year to complete.

ISPs were now beginning to sand-box infected computers used to send spam and so on. However, the reality was that criminal innovation was a step ahead of enforcement. In 2005 six major US companies experienced theft of personal identifying information, with insiders increasingly being implicated. These cases were all reported to the FBI by the companies concerned.

Mr Beeson then told the Committee that there were 14 Regional Computer Forensic Laboratories. The volume of data processed had increased from some 4 TB in 2000 to over 1,400 TB in 2005. Processing this volume of data required specialised laboratories, focusing solely on computer forensics. The RCFLs were set up in partnership with local law enforcement, who provided personnel. In return, the RCFL would provide forensic analysis, at no cost to the local police. Federal funding supported running costs, such as premises and equipment.

Mr Beeson then gave the Committee a short guided tour of the facility.

Apple

The Committee met Bud Tribble, Vice President, Software Technology, and Don Rosenberg, Senior Vice President and General Counsel. Dr Tribble noted that while in the 1980s no-one had anticipated the security issues associated with the Internet, security was now a top priority not just for Apple but for every other company in the industry. In 2000 Apple had replaced its existing operating system with a Unix-based system, which had been covered with a usable top layer to create a secure platform.

Security started with good design. Security had to be easy to use, or else people would not use it. Apple went out of its way not to ask users security questions, to which they would not know the answers. There was no simple fix for security, no "seat belt" for Internet users, but overall security continued to improve incrementally.

Asked about vendor liability, Dr Tribble argued that there were many causes for, say, a virus infection: the virus writer, the user who downloaded the virus, and so on. It was difficult to assign responsibility or liability. The key was to incentivise continuing innovation; it was not clear that vendor liability would create such an incentive.

However, by taking decisions away from users Apple was implicitly taking on more liability. The company took decisions which could prevent users from downloading and running material; indeed, on the iPhone it would not be possible to download any applications. People had protested, and Microsoft systems certainly allowed more freedom, but they also created more problems. Looking to the future, Apple was conducting research into the possibility of including a sand-box in which applications could be run securely, but this was two or three years away.

Ultimately the market would decide. The problem was that at present there was not enough transparency or information within the market to enable consumers to take such decisions. Security and usability had to be balanced. There were technical fixes to security issues (PGP encryption, to address the traceability of email, had been around for more than 10 years) but they were not usable for general users.

Spam was a major issue. The reason there was so much spam was that there was an economic incentive to create it. In addition, Can-Spam had been ineffective; it was not enforceable, and many of the spammers were operating outside the law anyway. Apple used a filtering technology to filter out spam. Although there were reports of Macs in botnets, they appeared to be very rare, and the evidence was largely based on hearsay. The company had yet to see a Mac botnet. The most fruitful avenues for dealing with botnets appeared to be technologies that, first, prevented bots getting onto end-user systems, and, second, detected bots running and alerted users to the problem.

The latest Mac operating system, Leopard, would raise the bar for security. Technologically it was on a par with Windows Vista, assuming Vista did everything it was supposed to do, but it was ahead on ease of use.

Cisco Systems

The Committee met Laura K Ipsen, VP of Global Policy and Government Affairs, and John Stewart, VP and Chief Security Officer. They argued that the industry was still inexperienced in understanding what the Internet meant for society. Practice varied: Microsoft had begun by focusing on usability, later on reliability, and now on security. In this respect the market had proved effective; the danger was that regulation would not be able to keep up as effectively with the developing threats. The market was very different to that for cars, where the technology, and the risks, were very stable and well-known.

There were only six or seven operating system vendors, and their security was improving. The challenge would be to reach the thousands of application vendors, whose products were increasingly targeted by the bad guys. The Government should focus on setting and applying penalties for those who abused the system; the role of industry should be to educate users. Time, and the development of the younger generation, would solve many of the problems. At the same time, standards of privacy would change.

Increasing volumes of data on the Internet were good for Cisco's business, but volumes of bad traffic carried a cost in reducing the usability of many parts of the Internet. On internal Cisco security, Mr Stewart confirmed that the routers did provide the facility of two-factor authentication, but that this was only advised as best practice, not mandated. Cisco's approach was to provide the capability, but not to dictate implementation by ISPs.

More broadly, the motives and incentives to fix security problems were very involved. Most users did not know what a botnet was. If they got a message saying they were linked to a botnet they would just ring the helpline, so impacting on, for instance, Apple's profits. The best approach was not to focus on technological risks piecemeal, when these were constantly changing, but to track down and prosecute the criminals.

Lunch

Cisco Systems hosted a lunch for the Committee and the CyberSecurity Industry Alliance (CSIA). Attendees were Pat Sueltz, Max Rayner, Matt Horsley and Amy Savage (all from SurfControl), Ken Xie (Fortinet), Kit Robinson (Vontu), Adam Rak (Symantec) and Thomas Varghese (Bharosa).


In discussion, attention was drawn to the number of reports of Internet crime on the IC3 website, and it was argued that this represented the tip of the iceberg. The only reliable thing about the data was the rate of increase; the actual figures were grossly under-reported. Overall, the position appeared to be getting worse rather than better. Although there had been no major outbreaks in the last year or two, this was attributed to the fact that criminals increasingly chose to remain out of sight, using botnets to make money rather than distributing high-profile viruses.

Asked whether there was a down-side to security breach notification laws, it was suggested that some companies might not monitor breaches in order to avoid a duty to report them; the law should include a duty to monitor as well as to report. In addition, those receiving notifications should be given better information on what to do about them. More broadly, the effect of breach notification laws was seen as positive, but there was a view that they should be extended to cover printed as well as electronic material. Most security breaches remained physical, for instance employees losing laptops etc. Finally, it was argued that any such laws in the UK should not repeat the mistakes made in some US states, by making it clear that the duty to notify was universal, rather than being focused on UK citizens.

There was some discussion on overall responsibility for security. On the one hand it was argued that too much responsibility was being placed on end users, as if they were to be required to boil or purify water to avoid being poisoned, when in fact the infrastructure itself was the source of contamination. ISPs in particular should take a greater role in filtering traffic. On the other hand, it was argued that the analogy with water was misleading, as there was no consensus in the Internet field on what was "toxic".

eBay

Matt Carey, Chief Technology Officer, welcomed the Committee. Rob Chesnut, Senior Vice President, Trust and Safety, said that he had formerly been a federal prosecutor; several other former federal law enforcement officers worked for the company. He argued that eBay had a very strong incentive to improve security, as the company's whole business model was based on trust and the fact that customers had a good experience of the site.


Law enforcement was a key challenge: scammers might be deterred if they thought there was a chance of going to jail. The fact that Internet fraud crossed jurisdictions created difficulties, and authorities in some countries simply weren't interested in pursuing offenders. eBay devoted considerable resources to building up relationships with law enforcement around the world, providing advice, records and testimony as required. The company had played a part in over 100 convictions in Romania alone.

eBay also reported all frauds to the IC3 website, and encouraged customers to do the same; this meant that the IC3 data (showing 63 percent of complaints related to online auctions) were skewed. However, this reporting was essential to allow individually small cases to be aggregated. In addition, the company provided training to law enforcement, and hotlines that officers could call.

The number one problem facing eBay was phishing, which undermined confidence in the company and in e-commerce. eBay was targeted because it had the highest number of account holders, and therefore the best rate of return, and because holding an eBay account generated trust, which the scammers could make use of. eBay was working to make stolen accounts worthless, by detecting them and locking them down. However, the victims did not seem to learn from their mistakes; they would give up account details time after time. Most cases involved cash payments, e.g. via Western Union, rather than credit cards or PayPal.

The most worrying trend was the increased popularity of file-sharing. People did not appreciate the risk that the bad guys could then go on to search all the data in their personal files for account details, passwords and so on.

The company's major recommendations would be as follows:

1$2 PE+SONA; INTE+NET SEC3+IT@

-ro:ision of (etter training for la6 enforcement/

Di:ersion of reso%rces 6ithin la6 enforcement to6ards com(ating e" crime/

Reappraisal of the penalties applied to those con:icted of e"crime/

Rela=ation of the la6s of e:idence< to ma7e the gi:ing of affida:its or testimony (y :ictims in different F%risdictions more straightfor6ard/

I ,ggregating of offences across F%risdictions/

I , re;%irement that money transfer companies pro:e the &D of those %sing their ser:ices/

+ed#ond7 Ariday , 4arch Microsoft Security


Doug Cavit, Chief Security Strategist, drew attention to the powerful economic motivation to encourage Internet use. Security was key to this. At the same time, software development differed from, say, car manufacture, in that software was adaptive: it was not just a case of adding features at a fixed cost, but of an incremental process of development and manufacture.

Asked whether ISPs could do more, he noted that most ISPs currently isolated machines detected as belonging to botnets. However, actually contacting owners to fix the problem was too expensive. Microsoft offered a "malicious software removal tool" (MSRT) free of charge, which had been available for a year. Data on use were published.

The nature of the threat had changed. It was now about making money and, to some extent, attacking national security. Those behind the threat were expert and specialised. Attacks were moving both up and down the "stack": exploiting on the one hand vulnerabilities in the application layer, and on the other working down through chips and drivers to hardware exploits. As a result traditional defences, anti-virus software and firewalls, were no longer adequate; every layer of the system now had to be defended. MSRT data also showed that there were now relatively few variants on viruses; on the other hand there were thousands of variants on back-door or key-logger exploits, designed to get around anti-malware programmes.

More broadly, the Microsoft platform had always been designed to enable interoperability and innovation. This would continue, though within Vista every effort had been made to ensure that the prompts and questions for end-users were more transparent.

Identity Management

Kim Cameron, Identity and Access Architect, said that he remained optimistic about the Internet. The more value was transferred through the medium the more criminals would target it, but the industry could stay on top of the problems. The major companies were increasingly realising that they needed to work together and with governments; solutions to the problems were not purely technical. There had in many cases been a disconnect between the technology industry and governments. In the UK, for instance, the original, centralised proposals for ID cards had been very unfortunate, and the movement towards a more decentralised, compartmentalised system was very welcome.

It was possible to produce devices which were 100 percent secure. The problem came with the interaction between those devices and their human users. There were things that users should not have to know; the technical approach had to adapt to them. For instance, Windows had translated complex and, to most users, meaningless tasks into easily grasped visual analogies. The key challenge he faced was to translate identity management into similarly transparent visual terms. The image being used in CardSpace was of a wallet, containing multiple identities, from which, like credit cards, users could choose which one to use in particular circumstances.

The Internet had been built without an identity layer, and filling this hole retrospectively was a hugely complex task. The need to take on this task had to be accepted across the industry, and across national and political boundaries. Dr Cameron's paper on the Laws of Identity sought to achieve this by setting out key principles.

Emerging technologies such as RFID tags would have many potentially dangerous applications. It was essential that all such devices be set up in such a way that the individual had a choice over whether or not to broadcast his or her individual identity. The company was working on IP-free approaches to these issues, which would be available for other companies to develop in order to plug into their systems.

Privacy

Sue Glueck, Senior Attorney, and Nicholas Judge, Senior Security Program Manager, argued that security and privacy were two sides of the same coin. As well as improving security Microsoft had to invest in privacy, both to protect itself legally and to make deployments more straightforward.

Microsoft's public guidelines for developing privacy-aware software and services had been made public in an effort to help the computer industry, particularly smaller companies who could not afford to have full-time privacy and security staff, use a common set of rules and way of doing things. In this way some of the data breaches and other privacy problems that were currently widespread could be avoided. The guidelines were available for download at http://go.microsoft.com/fwlink/?LinkID=75045.

The company's key principle was that Microsoft customers be empowered to control the collection, use and distribution of their personal information. The company employed 250 staff to implement this principle, assessing each feature of software at an early stage of development against core privacy criteria. In the case of Vista, there were around 520 teams working on features, of which about 120 had privacy impacts. The requirement for privacy drove around 30 significant design changes. The privacy team was formerly seen as a nuisance, but increasingly designers and developers had bought into the value of privacy.

On the use of language, messages were tested against stringent usability criteria, including invented personae with varying knowledge of computers. However, the team did not have the resources to test messages against focus groups.

Questioned on the privacy implications of the Microsoft phishing filter, it was noted that the data sent to Microsoft were stripped of all log-in details and were only preserved for 10 days on a separate server.

Spam


Aaron Kornblum, Senior Attorney, said that Microsoft's Legal and Corporate Affairs Department had over 65 staff worldwide, seeking to use civil litigation to enforce Internet safety rules. The staff were in some cases recruited from government agencies, such as the FBI, the Metropolitan Police etc., but outside counsel were also used to bring cases.

Under federal and state laws ISPs could bring cases against spammers on behalf of their customers. Microsoft, through its ISP, MSN, had brought such cases.

In order to prevent phishing sites using the Microsoft identity, all newly registered domain names held by the registrars were scanned against key text, such as "msn.com". As a result of this work, along with a proactive approach to investigating, prosecuting and taking down phishing sites, the number of spoof MSN sites had fallen considerably. Prosecutions in such cases were launched under trademark law.
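The registrar-feed scan described above, as an added example that is not the report's or Microsoft's own code: newly registered names are checked against brand key text, flagging exact, embedded and one-edit-away look-alikes after undoing common homoglyph substitutions. The brand list, the homoglyph table and the scoring rules are constructed assumptions.

```python
"""Flag newly registered domain names that imitate a brand's key text.
Added illustration of the registrar-feed scan described above; the brand
list, homoglyph table and scoring rules are constructed assumptions."""
from __future__ import annotations

# Constructed brand key text to watch for (lower-case, without TLD).
BRAND_KEYS = ("msn", "microsoft", "hotmail")

# Look-alike substitutions commonly seen in spoof domain labels.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def _normalise(label: str) -> str:
    """Undo homoglyph tricks so that 'rnsn' compares equal to 'msn'."""
    out = label.lower()
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, brands=BRAND_KEYS) -> str | None:
    """Return 'exact:', 'embedded:' or 'typo:' plus the brand hit, else None.

    The TLD is ignored, so the legitimate 'msn.com' is itself reported as an
    exact match and callers allow-list their own names (see scan_feed).
    One-edit matching is skipped for brands under five characters, otherwise
    'men' would be flagged as a typo of 'msn'.
    """
    labels = domain.lower().rstrip(".").split(".")[:-1]  # drop the TLD
    for raw in labels:
        label = _normalise(raw.replace("-", ""))
        for brand in brands:
            if label == brand:
                return f"exact:{brand}"
            if brand in label:
                return f"embedded:{brand}"
            if len(brand) >= 5 and _edit_distance(label, brand) <= 1:
                return f"typo:{brand}"
    return None


def scan_feed(feed, allow=frozenset()) -> list[tuple[str, str]]:
    """Classify every domain in a registrar feed, skipping allow-listed names."""
    hits = []
    for domain in feed:
        if domain.lower() in allow:
            continue
        reason = classify_domain(domain)
        if reason is not None:
            hits.append((domain, reason))
    return hits
```

Hits from such a scan are leads for trademark review and takedown requests, not proof of phishing; a legitimate partner's "msn-partner" style name would be flagged too.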

Partnerships with law enforcement were crucial, such as "Digital PhishNet", set up in 2004. Investigations were frequently worldwide, involving multiple lines of inquiry: for instance, investigating where phished data were sent, where phishing sites were hosted, and so on.

Looking forward, the key issues of concern were the prevalence of botnets to distribute malicious code, and the introduction of wireless technologies.

Linda Criddle, Look Both Ways

At a separate meeting, Linda Criddle drew attention to five factors that increased the risks to personal safety online:

• Lack of knowledge;

• Carelessness;

• Unintentional exposure of (or by) others;

• Technological flaws;

• Criminal acts.

Software was not currently contributing to safety, and in many cases was undermining it. Networking sites such as MySpace or espinthebottle did not default to safe options, encouraged the disclosure of personal information, the use of real names, and so on.

In addition, much content filtering technology only filtered external content. For example MSN content filtering did not filter the (often age-inappropriate) content of the MSN network itself. This left users wholly exposed.

Products should not carry a default risk setting. Wherever a choice was involved users should be fully apprised of the risks so that informed choices could be made.

APPENDIX 6: VISIT TO METROPOLITAN POLICE SERVICE, COBALT SQUARE

19 April 2007

Members of the Sub-Committee present were Lord Broers (Chairman), Lord Harris of Haringey, the Earl of Erroll, Baroness Hilton of Eggardon, Lord Mitchell, Lord O'Neill of Clackmannan, Dr Richard Clayton (Specialist Adviser), Christopher Johnson (Clerk) and Cathleen Schulte (Committee Specialist).

The Committee was welcomed by Detective Chief Inspector Charlie McMurdie, Head of the MPS Computer Crime Unit. The Committee then heard presentations from:

• Detective Sergeant Clive Blake (Computer Crime Unit);

• Detective Sergeant Stephen Truick (the "Fraud Alert" site);

• Mark Wilson (Evidential Analysis);

• John Jack (Computer Systems Laboratory);

• Detective Inspector David Perryman (Professional Standards);

• Detective Sergeant Shaun Reardon (Counter Terrorism Command).

The Committee then toured the Computer Crime Unit and Child Abuse Command.

APPENDIX 7: GLOSSARY

419 fraud

Form of advance fee fraud, in which the victim is persuaded to put down a sum of money in anticipation of a much larger gain, which then fails to materialise. Named after the relevant article of the Nigerian criminal code.

Abstraction (of network layers)

Principle that there are different layers in a network and each one has a specific function, with clear boundaries between adjacent layers.

Botmaster

Controller of a botnet.

Botnet

Collection of compromised computers (individually called robots or zombies) running malicious programs that allow them to be controlled remotely; commonly used to distribute spam or launch Distributed Denial of Service attacks.

Browser

Computer program which permits the viewing of material on the World Wide Web.

Can-Spam Act

2003 Act of the United States Congress designed to regulate the use of spam.

Cybercrime

See e-crime.

Distributed Denial of Service attack

Attack launched by means of compromised systems (typically controlled via botnets), designed to overwhelm particular servers or networks by flooding them with packets of information.

Domain

Name identifying a computer or computers belonging to a single organisation on the Internet.

E-crime

Crime committed against or with significant use of electronic networks.

End-to-end (principle)

Principle that the network core should only carry traffic, and that additional services should be delivered at the edges of the network, by end-points, not within the network core.

Exploit

Known way of taking advantage of a security problem with a system on the Internet.

File sharing

Practice of making files available for others to download over the Internet.

Firewall

Device controlling the passage of data between areas of a network that are more or less trustworthy.

Hacker

Person who tests out computer security, whether lawfully or unlawfully (e.g. for research, or for criminal purposes).

Hypertext

Text on a computer that leads the user to other information, e.g. by means of a "hyperlink".

Instant Messaging

Real-time communication between users of a network, by means of typed text.

Internet

The global network of interconnected networks that transmits data by means of the Internet Protocol.

Internet Protocol

Protocol for communicating data via the Internet using packet-switching.

Internet Relay Chat

Form of real-time Internet communication via dedicated channels.

Keylogger

Program that surreptitiously captures a user's keystrokes so that a remote attacker may learn passwords etc.

Level 1/2/3 crime

Crime that affects a local police force only (level 1); that crosses force boundaries (level 2); or that is committed nationally or internationally (level 3).

Malware

Malicious code.

Man in the middle

Attack in which the attacker places himself between two parties, e.g. the individual end-user and his bank, without those parties being aware that the link between them has been compromised.

Network

Interconnected group of computers.

Node

Device within a network.

Operating system

Program that manages the hardware and software resources of a computer.

Operation Ore

Police investigation into over 7,000 individuals in the United Kingdom whose details were found on a database held by Landslide Inc, an American company offering access to child abuse websites.

Packet

Block of data carried by a computer network.

Packet switching

Paradigm for communicating information by which communications between end-points are broken down into packets, and then routed between the nodes making up the network, before being reconstructed at the destination end-point.

Patch

Piece of software designed to fix a software vulnerability.

Peer-to-peer

Network in which participants share files or bandwidth, all participants being equals, rather than communicating through a central server.

Phishing

Criminal activity that relies on social engineering to persuade victims to enter user names, passwords etc on a spoof website.

Protocol

Set of guidelines governing communication between computers.

Root (name server)

One of the thirteen servers that answer requests for the "root domain" (the empty sequence at the end of every domain name) and redirect such requests to the "top level domain" (e.g. ".uk" or ".com") name-servers.

Router

Device that determines the proper path for data to travel between networks.

Sand-box

Virtual container in which programs that are not trusted can safely run without infecting the rest of the computer or network.

Spam

Unsolicited bulk email messages.

Spoofing

Launching an attack by masquerading as someone else.

Toolkit

A set of inter-related programs for a particular purpose, such as the production of malware or the incorporation of exploits into a Trojan.

Tor

The Onion Router, a system allowing users to communicate anonymously on the Internet.

Trojan (horse)

Program that installs malicious software, under the guise of doing something else.

Two factor (authentication)

Authentication requiring two different methods to be used, typically something known (a password) and something owned (often a key-fob generating a random sequence of six-digit numbers).

Vendor

Manufacturer of software or some other product.

Virus

Malicious program, attaching itself to an existing program, which can copy itself and infect or corrupt computers without the knowledge or permission of their owners.

Vulnerability

Weakness in a system that exposes it to attack.

WiFi

Wireless communications medium used by mobile computing devices.

World Wide Web

System of documents, identified or located by means of Uniform Resource Identifiers (that is, strings of characters used to specify particular resources or pages), interlinked by means of hypertext, and accessed via the Internet.

Worm

Malicious program that replicates itself and sends copies to other computers, so endangering the network by consuming bandwidth, but which does not need to attach itself to an existing program and may or may not corrupt the host computer itself.

Zombie

Compromised machine controlled by an external source, typically forming part of a botnet.

APPENDIX 8: LIST OF ACRONYMS AND ABBREVIATIONS

ACPO

Association of Chief Police Officers

APACS

Association for Payment Clearing Services

ARPANET

Advanced Research Projects Agency Network

ATM

Automated Teller Machine

CD

Compact Disc

CMA

Computer Misuse Act 1990

BGP

Border Gateway Protocol

BSI

British Standards Institute

CEOP

Child Exploitation and Online Protection Centre

CERN

Central European Research Network

CITRIS

Center for Information Technology Research in the Interest of Society

CSO

Chief Security Officer

DDoS

Distributed Denial of Service

DG

Directorate General

DoS

Denial of Service

DTI

Department of Trade and Industry

EFF

Electronic Frontier Foundation

EURIM

European Information Society Group

FBI

Federal Bureau of Investigation

FIPR

Foundation for Information Policy and Research

FSA

Financial Services Authority

FTC

Federal Trade Commission

IC3

Internet Crime Complaint Center

ICO

Information Commissioner's Office

ICT

Information and Communication Technologies

IP

Internet Protocol

IRC

Internet Relay Chat

ISP

Internet Service Provider

ISPA

Internet Service Providers' Association

IT

Information Technology

ITSPA

Internet Telephony Service Providers' Association

IWF

Internet Watch Foundation

JANET

Joint Academic NETwork

LINX

London Internet Exchange

LTSS

Local Trading Standards Services

MPS

Metropolitan Police Service

MSN

Microsoft Network

MSRT

Malicious Software Removal Tool

NEN

National Education Network

NHTCU

National High Tech Crime Unit

OFT

Office of Fair Trading

PATS

Publicly Available Telephone Service

PC

Personal Computer

PGP

Pretty Good Privacy

QCA

Qualifications and Curriculum Authority

RCFL

Regional Computer Forensic Laboratory

RCUK

Research Councils UK

RFID

Radio Frequency Identification

SCL

Society for Computers and Law

SMS

Short Message Service

SOCA

Serious Organised Crime Agency

TB

Terabyte (10^12 bytes)

URI

Uniform Resource Identifier

URL

Uniform Resource Locator

VoIP

Voice over Internet Protocol
