UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 1537-i
HOUSE OF COMMONS
TAKEN BEFORE the
Science and Technology Committee
Malware and Cyber-crime
Wednesday 9 November 2011
Dr Richard Clayton, Professor Peter Sommer and Dr Michael Westmacott
Evidence heard in Public Questions 1-26
USE OF THE TRANSCRIPT
This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.
Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.
Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.
Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.
Taken before the Science and Technology Committee
on Wednesday 9 November 2011
Andrew Miller (Chair)
Examination of Witnesses
Witnesses: Dr Richard Clayton, Research Assistant, University of Cambridge, Professor Peter Sommer, Visiting Professor in the Department of Management, London School of Economics, and Dr Michael Westmacott, BCS, The Chartered Institute for IT, but also representing the Royal Academy of Engineering and the Institution of Engineering and Technology, gave evidence.
Q1 Chair: Welcome, gentlemen, to the session. Dr Clayton, I thank you for advising us previously, but today you are here formally as a witness. For the record, would you all kindly introduce yourselves?
Dr Clayton: I am Dr Richard Clayton. I am a security researcher at the University of Cambridge and the National Physical Laboratory.
Professor Sommer: I am Professor Peter Sommer, from the London School of Economics and the Open University.
Dr Westmacott: I am Michael Westmacott; I am a security consultant and also a member of BCS.
Q2 Chair: In their written evidence, the Government define malware as software written with malicious intent. Is that a useful definition, or do you have a better one?
Dr Clayton: It is a useful definition. We used to call things viruses, worms or Trojans and all sorts of other technical terms that were to do with the way in which they spread. In practice, however, most sorts of malicious software can be delivered in a number of ways, and precisely how they propagate has become less important than what they do to people. The term "malware" has grown up and become a much more mainstream way of generally indicating what is going on.
Professor Sommer: I concur. There are bigger problems in defining the cyber-crime aspect of your investigation, but the malware description given by Richard is just fine.
Dr Westmacott: Absolutely. In fact, I believe that the original definition "malicious software" applies.
Q3 Chair: I was listening to a radio interview with Ross Anderson just before last week’s summit, and he argued that the problem in this area is, to use his phrase, that it’s no good shooting a few alligators; you have got to drain the swamp. In other words, you have to address the whole spectrum of potential causes and the various players in the field who all have different intent. If the Government want to make substantial progress in a short period, where should they concentrate their efforts? Should it be on individual users, on ISPs or just dealing with the law enforcement side? Where would you concentrate your resources?
Professor Sommer: Are you talking about the resources of the Committee in carrying out its investigation, or the resources of the nation?
Chair: The resources of the nation.
Professor Sommer: Malware is a convenient description of things that behave badly, but they can be used for a very wide range of purposes. Perhaps you need to look at the spectrum of circumstances and make a refinement from that, but there are many different actions. Ross’s phrase about it being a swamp, I suppose, is correct, but that is partly the problem with this wider phrase "cyber-crime". We should bear it in mind that three quarters of the population now has at least one personal computer in the home permanently connected to the internet. Very large numbers of activities that would previously have been called conventional crime now have some sort of cyber element. Perhaps one needs to look at the difficulty that businesses and members of the public have in understanding the nature of the new threats. That would probably be rather more useful, although there are individual sectoral aspects that one would have to look at as well.
Dr Westmacott: I believe that we need to be able to define where malware sits within crime and to look at the different types of actors involved in it. In our responses, all three of us have started to examine some of them. We also need to understand better who are the specific targets of malware. There is a lack of appreciation of exactly what types of targets there are; it could be individual members of the public, or organisations and certain aspects of Government. Once this is completed, we can start to understand where malware is generally moving toward from its current position.
Dr Clayton: A range of things needs to be done. There are two key areas. The first is that there has to be more policing, and more policing worldwide, because the people deploying the malware and doing the cyber-crime basically feel that they are not likely to get caught. Essentially, they are correct. We, therefore, have to change the balance so that there is a higher likelihood of them getting caught. That means spending more money on police and training, and having more cross-border co-operation in order to investigate these crimes.
The other thing that we can do, which we are doing very badly at the moment, is that, when individual machines are caught up in cyber-crime, as part of a botnet or whatever, people in the community should be aware of that and pass the information on to the ISPs. The best ISPs pass that information on to their users and tell them that they have a problem. But, on many occasions, the ISPs throw those reports away; they certainly do not go out seeking more reports because it is very expensive for them to communicate with their users (particularly if it is quite a complicated message to put across) to tell them that they have a problem and that they will have to spend some money to sort out their machines. They do not like being the bearer of bad news.
Professor Sommer: There is also a wider dimension. If you look at the things that make cyber-crime possible, one of the other aspects of it is what is called social engineering. People are taking advantage of the fact that many members of the public do not have an inbuilt detector that allows them to recognise that things coming up on their computers may be fraudulent. In fact, many cyber-crimes, as they occur in the real world, show a combination of social engineering and malware. Part of the general problem is the rate of change. People have got used to the idea of detecting regular crime, but the astonishing rate of change in computers, and the social, economic and cultural environments that they generate, means that they have not had a long period of learning to spot what is bad. That is the really big problem. Richard espouses the need for more policing. I do not disagree with him, but one of the areas I hope that you will be looking at is the role of education and how far the nation should be spending money on various forms of education to help people not to become victims.
Q4 Chair: In the meantime, because of the risk to individuals, organisations and, indeed, to the nation state, Dr Clayton’s point about policing is relevant, and what you said about education, Professor Sommer, is clearly relevant. We need people with your skills to look over our shoulders to ensure that we do not make silly mistakes. There are bound to be tensions in this area between security and freedom. Is that inevitable and will internet users inevitably have to see their freedoms diminished to enable them to be more protected?
Dr Westmacott: Are you possibly talking about the automated monitoring by ISPs of individuals’ broadband connections to see whether their systems are being infected, or whether they are browsing websites that are known to be of ill repute? Is that the sort of invasion of privacy that you mean?
Dr Westmacott: This argument has been made a number of times.
Professor Sommer: Indeed. I should think that at least three quarters of the speeches that I heard during my visit to the London conference on cyberspace last week were along the lines of "a balance must be struck", without a great deal of explanation of how to strike that balance. The dilemma really is this. Many people are not terribly interested in computers. They have computers in their homes, but they think that the computer is just another appliance; it is like a video machine or a Skybox or whatever and a series of services comes along.
The great advantage of the computer is that it is almost infinitely programmable to do all sorts of things; the same box that you use for your e-mails and your social networking can also be used for designing and developing complex programs and so on. In a sense, there is a great benefit from having that very open structure, because it gives innovation not only technically but socially, culturally and economically. But that very openness means that nasty stuff can come in as well as the good stuff. It is easy to make rude remarks about people who say that a balance must be struck and who are not clear about it; but, if you said to me, "Let’s hear your balance", I would not have a clear answer either. We have to recognise that it is a dilemma.
Coming back to the point about education, one of the elements of education that you have to get over to the public is that computers are not appliances. You have to spend a bit of time looking after yourself, and, although there can be help from the nation state and from policing, you have to take responsibility for it yourself.
Dr Clayton: On the privacy issue, it is possible to monitor without it being necessarily privacy-invasive. It is privacy-invasive if you monitor and keep the records for many months just in case someone from the police or Cheltenham needs to come along and have a look at them, whereas most of what we are talking about when monitoring for malware and so forth is instantaneous stuff. It is whether or not your machine is looking up a particular domain name because the malware on your machine is trying to phone home and needs to look up the domain name in order to find out where home is today. Therefore, you can monitor for activities surrounding that particular domain name without checking which particular social network you are using or which particular flavour of porn site you are going to. I would say that you do not have to record everything in order to detect the bad things.
Dr Westmacott: The technical challenges of attempting to monitor traffic for malicious activity are difficult. I operate a network forensics service, and I have to spend a lot of time manually looking through data because the automated systems in place are not sufficient. They can provide too much information and, therefore, throw up far too many false positives, or they do not provide enough information and do not identify genuine malicious activity. To place that on ISPs would be a great burden, and it is possibly a burden that they would not be able to deliver. I fully agree with Peter that education of individuals is far and away the most important factor that we need to consider.
Professor Sommer: I do not think there is a single route. It is a combination of things. You can do things as a nation state, and you can ask the ISPs or the police to do certain things. It is not a total package, and I am afraid that some of it will be down to the individual.
Q5 Chair: The tensions between individual privacy and security are very real, and we need to take them into account.
Professor Sommer: Yes, but that is true throughout law enforcement.
Q6 Roger Williams: You say that, to a great extent, responsibility lies with the individual, but the individual is often the weakest link in online security. But many individuals and small organisations do not have the resources or the will to take advantage of what is there. Do you believe that sufficient information resources are accessible to the average internet user to allow them to make informed decisions about their activities and protection?
Professor Sommer: If you look across the internet for websites that are hosted in the United Kingdom, a pretty good range of advice is given, but it is all separated out and some of it may appear to be tainted. Good advice on websites is produced by the antivirus companies, but obviously they are also trying to sell you their products. Good advice is provided on the banking sites, but you get the feeling that the banks are trying to minimise their responsibilities in these areas.
There is a case for having a central Government-sponsored education facility. We have one; it is called Get Safe Online. It is having its activity week this week, as it happens. In fact, they had their meeting in a room not a million miles from where we are today. As an example of the sort of things that it could be doing, it was talking about malware on mobile phones. The trouble is that it is not well resourced; it is a bit of a gesture. It is run by a former police officer whom I have known for years. But it is a virtual organisation, with no premises, and it does not have people permanently in London ready to produce instant comments for the press because the website is generic and does not necessarily always reflect the latest range of risks.
You could say that one needs to spend more money on it. In fact, the money that is being spent could almost be wasted because below a certain level it is not likely to be as effective as it could be. It has put in a bid for part of the £650 million of real new money that has been promised for cyber-security in general, but I do not know how much of that it will be getting. We shall not know until the end of the month, when Francis Maude stands up in the House, but I would sooner see the odd million or two going from the GCHQ budget in the direction of Get Safe Online than what I fear might happen.
Dr Westmacott: Yes, the resources are there. Get Safe Online is a very good resource. Peter has just described some of the problems with the organisation itself, but there is also a problem with the public, in particular, which is a lack of awareness of security in general and a lack of understanding of the security implications there are in using computers. Further, this can be split into a generational difference. The older generation, which may not have used computers regularly, are now starting to use them and have a lack of technical awareness but perhaps have a different view of security. The younger generation is possibly quite the opposite, having far more experience of technology but perhaps being less aware of the need to be secure.
BCS recently updated its security top tips. One thing that we tried to do was to segregate it into different areas; for instance, you would be looking at tips for the elderly and vulnerable, and for the young. We need to target specific areas of the population with different types of information. In terms of Get Safe Online, there are different areas of information, but this is certainly something that could be given more attention.
Dr Clayton: There is a wide range of websites, and, if you collect all of their top 10 tips, you can get a list of 100 or more good things you should do. It shows how complicated this area is.
Professor Sommer: I did some work two or three years ago for the National Audit Office (for a variety of internal reasons it did not complete it) on a value-for-money study of the supply of Government information in this particular sector. I was asked to do the literature review. I do not represent the NAO, but I looked at the various websites that were available. As we have both said, the information is out there. However, in some ways public money is being spent on duplicated websites (it certainly was two years ago) and on partial initiatives. One rather wished that there was a bit more consolidation of public funds in a central place.
Q7 Roger Williams: You seem to be putting a huge burden on individuals. Should there be an internet-user test, rather like the driving test, that you have to take before you venture into these dangerous areas?
Professor Sommer: I would be interested to hear you introducing such a law in Parliament.
Q8 Roger Williams: We are in the middle of Get Safe Online week. Have there been any surveys on the public’s awareness of it?
Professor Sommer: The National Audit Office did some investigations of that, but I do not have the figures; I was merely asked to do a specific job for them. It carried out a survey, but I do not know whether it was ever published; it may have been thought to be too incomplete to put before Parliament, but the NAO did some work at the time. That is all I can tell you.
Q9 Roger Williams: Is it your feeling that awareness is not very good?
Professor Sommer: It is difficult to say. You must bear in mind how I earn my living. I am a specialist in this sort of area, and a magnet for a wide range of friends and acquaintances who come along to me with particular problems. I am probably not terribly well placed to gauge the general situation of awareness.
Q10 Chair: Picking up the point about consolidation, Get Safe Online is clearly under-resourced. It is a public-private partnership. Some big companies have bought into it, and others are talking about the possibility of joining the show. At the same time, taking Dr Clayton’s point that there are plenty of resources out there, other companies are doing their own thing. Only this week, for instance, we have seen Google going to bed with the Citizens Advice Bureau. Is that beneficial, or would it be better if there was consolidation, with a much bigger thrust through a bigger public-private next-generation operation?
Professor Sommer: My own preference would be for consolidation: for a single, obvious and authoritative source on which people could rely. The question is how to organise it, given that you would still want private funding in public things. The private companies will want a bit of glory for what they do; they are not entirely public spirited. That is almost a political philosophy, but my own inclination is this. We are all agreed that the stuff is out there, but there would be a good argument for it if it was not for a huge amount. Get Safe Online does not need a gleaming skyscraper full of people, but it is probably under-resourced for delivering a useful service.
Dr Clayton: I am from a university, and I am really in favour of education. I am also in favour of training, which is different from education. There are limitations on what can be done in this area. We cannot teach the whole population to read the URL and understand what it means, but in order to understand many of the threats out there you do need to be able to read URLs. We, therefore, rely on those who make the software to adapt it in such a way that you no longer need to read the URL in order to be safe. We need a better understanding among users that the software on their machines needs constant updating in order to keep it safe, but many people are unaware of that and do not realise the significance of it.
Microsoft has gone to great efforts lately to make it very clear. If you have a modern version of Windows, you can hardly avoid seeing that it insists you update it, but that was not true until relatively recently, and it is not true of many other sorts of software. It is basically the really simple messages, such as saying that you have to update your machine. You have to pay attention to what turns up, including explanations of how some of the scams work. We would not expect anyone these days to fall for the three-card trick; how it works and the fact that you are going to lose your money is part of our culture. Equally, we need to train people on how stranded traveller or lottery scams work, so that at least halfway through they would think, "Oh, my goodness, I’ve been conned. I’d better stop now." That is the sort of thing that we can do, but teaching people the technical details is way beyond society’s capabilities.
Professor Sommer: Two issues arise from that. The first comes back to your earlier question, Chairman, on how to balance privacy and security. One of the things that you can think about is a semi-walled garden or a safer internet. People have been talking about the possibility of internet service providers providing higher levels of security as an additional service, blocking nasty websites and so on. It has been discussed not only in this area of malware but also in connection with unpleasant material. Over the years a number of internet service providers have tried to launch such services, but because additional costs are involved they have had to charge more. As I understand it, the experience has overwhelmingly been that people will not buy it or not in sufficient quantities to make it viable. That is a real difficulty.
The second element is the rather useful statistic, which I believe is roughly correct, that was cited by Iain Lobban, the director of GCHQ. He was talking about protecting businesses from cyber-attack, but he said that about 80% of it is routine hygiene. Most of the attacks, including malware attacks, I guess, are known; there is nothing novel about them. You can assist people in protecting themselves against them because you can semi-automate it. By doing it reliably, you are at least making life more difficult for the cyber-criminal, or the more malicious cyber-attackers that he was talking about, because they will have to keep looking for more advanced techniques as the simple techniques are no longer available to them.
Q11 Pamela Nash: Dr Clayton, you spoke about trying to build up a knowledge of scams among the public, but it will be a while before we reach that critical mass on the same level as the three-card trick. But, in the meantime, the Government have said that they are developing a digital identity assurance scheme to protect against phishing scams. Do you think that this will improve on what is already available? Do you think that this could significantly contribute to the fight against malware?
Dr Clayton: Not in the slightest. That is nothing to do with it. Digital identities matter to Government because you can do better in society if you pretend to be two people, for instance by getting two tax breaks and in all sorts of other ways. By being two people, or by being no people, you can win against the Government. Basically, industry does not care. Amazon does not care who you are; it only cares whether you can pay. In general, if you use someone else’s credit card, it tends not to be Amazon that loses out, because it pays attention to where the orders are being placed, where they are being delivered, and the sort of goods being ordered. It fights crime in that sort of way, and your identity is very low on the list of things that it considers.
Professor Sommer: If you are looking at digital identity as a means of reducing the quantity of malware, you would require that digital identity system to be absolutely universal. In other words, you would not be able to go on to the internet unless you had a digital identity. You would then have to ask where that identity came from and how it was to be managed. The basis of it has to be that every single computer has somehow to be registered centrally; that central register must have a means of linking a real person to the owner of that computer; and there has to be a means of authenticating it.
You are talking about a huge infrastructure, which probably will not be economically viable. You cannot make it absolutely universal. You may be able to do that shortly after we get permanent global peace but not very much before. It is just not going to happen. As Richard said, digital identity can be useful for citizen-to-Government transactions and perhaps certain other things. Your other problem is that, if the technical system is bad or it gets compromised, then you have a single point of failure. In case you think that that is a theoretical concept, in Holland recently a company issued so-called authentication certificates to various companies that were to be used across the web but that was compromised. It is not a straightforward solution at all, I am afraid.
Q12 Pamela Nash: If there was a mandatory scheme for Government-to-citizen transactions, perhaps for banks, would it improve the security situation?
Professor Sommer: It would depend how it was implemented, but it would not deal with the vast majority of malware. I am not sure how much fraud the Government suffer across the internet in their contacts with the citizenry. If there was a particular problem of fraud or hijacked identity, it might do something, but in a sense there is already a structure, through the Government Gateway, for paying tax or whatever. There is a sort of digital identity element there. I share Richard’s view. Neither of us is particularly convinced that we need a single digital identity. Identities for particular purposes are probably adequate, and they also avoid the problem of a single point of failure. If you have only one digital identity and it gets compromised, that’s you finished. You will have no access to your bank or to the state, and a huge palaver in trying to rectify everything.
Q13 Stephen Mosley: I was interested in what you said earlier, Professor Sommer, about most people thinking of their computer as a consumer appliance sitting in the corner of the room. I guess that it is not only consumers in the house that do that. I imagine that most of us here today use our computers for e-mails, internet surfing, Word, and perhaps a spreadsheet or two, but that is about it. We do not use the further capabilities.
Dr Clayton said that the top 10 tips would soon roll into a top 100 tips. Do you think that we buy computers almost the wrong way around? We are buying an open box capable of all the wonderful things which you were talking about, but the reality is that most of us want that consumer appliance. When you buy a machine, should it not automatically have the highest security settings, with ports locked down and downloads blocked on the machine, rather than buying an open box that we have to configure ourselves in order to tighten security? Surely, it should be a case of getting something that is tight, and then if you want to open it up you can, but you get warnings when you do so.
Professor Sommer: There are a few answers. First, I do not know whether you remember the Amstrad PCW. It was a dedicated word processing device; that is all that it did. Actually it was a fully functional computer and you had to work quite hard to use it, but, if you did a certain number of things, you could suddenly see the operating system behind it and you could then run other sorts of programs. That was quite a good structure. There may be a good case for someone producing things along those lines.
The second issue that you raised was about security being locked down. The trouble is that the operating systems on which computers are based these days are incredibly complex and full of flaws. Although you might sell something on day one as being fully locked down, it is very likely that there will be flaws later on that can be exploited and which would make it less secure. But I do think it is an interesting idea. To a certain extent, Apple tried to follow that model with the iPhone in the sense that the company made it rather difficult to put on any applications that it had not tested and specified to a certain level. To a limited extent, Apple is addressing the point. Perhaps entrepreneurs will read the minutes of this hearing and immediately produce something of the sort that you suggest.
Dr Westmacott: It was tried in the past by Amstrad; it released a phone that could perform e-mails and web-browsing, but it was not very successful. I do not know whether that was due to the implementation of the product or the fact that it restricted the computer to just two functions. One of the wonderful things about modern computers is that they can do so much, and most people buy them for those capabilities. You could restrict systems to web-browsing, but unfortunately web-browsers are now very complicated and, functionally, they perform a huge number of things. Indeed, they almost act as an operating system in their own right, and they can be updated with different software components, but those components could be vulnerable to exploitation as they may not have been well designed. I am not sure that trying to provide a consumer device that performs limited operations would work unless you followed the business model that allowed you to control everything, much as Apple tries to do, to ensure full quality control of all software and everything else. Even then, if your quality controls are not sufficient, there could still be problems.
Professor Sommer: You then get another problem, which is of monopoly or quasi-monopoly suppliers. You will get people complaining that Apple is taking too large a share of books and newspapers that are sold over too large a share of the apps, or applications, that are being run. It is a route, but, as with everything that we have been discussing today, it is only a partial solution.
Dr Clayton: It is probably very modest of me to say so, but I wrote the code for the Amstrad PCWs and I had nothing whatsoever to do with the Amstrad phone. You can draw whatever conclusions you want from that.
It is true that Apple operates a system which is basically, "Lock everything down. Never ask a user a question. Always know the answer to it." Microsoft has produced a system that is extremely open, and, when it is not sure what to do, it asks the user an incomprehensible question and gets them to answer yes or no. That question is asked because there are generally some people in the world who will answer it in one way and some who will answer it another.
Your question is a little out of date in that, when you get a machine these days, whether from Apple, Microsoft or anyone else, it is in fact considerably locked down compared to the situation that was true many years ago. The difficulty is that it tends to come with anti-virus software on it, but it is only good for 30 days, and that is entirely unclear to people. Therefore, after 30 days, that extremely good protection evaporates and you then have less protection. Equally, I am very cynical of the power of anti-virus software to spot many threats, so perhaps it does not make all that much difference. That is the sort of issue that needs to be considered: what things are bundled together and so forth. However, as soon as people get their computer home and go on the net, they will be invited to download more codecs, a flash driver and that sort of thing, and they are then pretty much on their own as to whether that is the right thing to do. If anything, I would like to see systems bought from the shops having a wider range of things being pre-installed, so that you do not have to spend the first few days installing them in order to view websites, because at that point people may install the proper codec rather than a dodgy one for the malware.
Q14 Stephen Mosley: Dr Westmacott, you mentioned flaws in software and quality control. Surely, the software suppliers have some liability here. They should be designing software that does not have these flaws. I know that in many cases they deliberately put holes in the software that can be exploited for their own use, but sometimes they can be exploited by others. Do the software providers not have some liability?
Dr Westmacott: Absolutely. I think of the case of software vendors installing what you might call back doors, but that practice is widely frowned upon and I do not believe that it happens as much in the real world as is believed. Certainly, software vendors have a big responsibility to ensure that their products are developed securely. However, there is another driving force, which is the market, which says that they must continually be innovating and creating new products, and selling new services. The time that it takes to ensure that a piece of software is so securely developed and safe is far too long. In fact, software developed like that is obsolete by the time it is released to the market. The problem is that the software vendors are always trying to put out new products, and a certain level of risk is accepted. Another consideration is the type of software vendors. There are the operating system providers, and then there are the vendors who create software that sits on top of their operating system. The operating system vendors need to spend the most time ensuring that they have a reliable platform, as should other software vendors.
Professor Sommer: As you say, the problem is the commercial driver. What most people need from an operating system is probably delivered by more recent versions of Windows XP and in office applications such as Office 2000, and a few people would like some improvements, but it does not make commercial sense for companies such as Microsoft that need to produce high levels of revenue. They do that by producing exciting new features, some of which are less necessary than others. The more complex you make the system, the greater the chance of various parts failing.
The current position, in my view, is that Microsoft releases products far too early. It makes up for that by putting a great deal of effort into releasing patches and corrections; it is very dedicated about that and very good at talking to other companies about how it operates. However, that does not disguise the fact that, if you buy Windows 7, you have to accept that once a week you will get an update that probably requires you to reboot your computer. As I said in my written evidence, I cannot think of another product in history for which, during its entire life cycle, the manufacturer sends you a little package of screws or bolts or whatever and says, "Please install this to make your product a little safer." You expect it to be safe. Governments, who are very big purchasers of software, are probably well placed to go back to the likes of Microsoft and say, "Your commercial interests and our requirements for safe computing do not altogether align." Microsoft is very good at PR, and it is quite genuine in its support for a wide range of organisations, but that does not alter the fundamental problem that it releases products that are too complex and too untested, and then only afterwards tries to rectify them.
Q15 Stephen Mosley: You mentioned the Government. Is there anything on which the Government should be focusing in your opinion?
Professor Sommer: The Government are a large purchaser. If you think of the ability of an individual to complain to Microsoft, I am an individual and I know people at Microsoft, but, if I complain, they laugh and say, "Oh, there you go again." This obviously applies also to large companies. Large purchasers, which include nation states, are in a position to make those points much more forcibly than individuals.
Q16 Graham Stringer: Approaching it from the other side, is it possible to make computers more secure by changing the design of the hardware so that the safety is built in from the very beginning? I am not sure whether that is a meaningful question, but I would be interested to hear your answer.
Professor Sommer: The short answer is no, not really. To come back to the question of digital identities, we periodically get the idea that the hardware - each motherboard or each computer - could contain a unique identity to be used as part of the rather elaborate system that you need in order to give digital identity. There are advantages and disadvantages to that. You then come back to the fact that the identity has to be registered to an individual and registered centrally, and so you have that very large cost. If we had more time, I could tell you of other problems that probably do not help very much.
Dr Clayton: What you may have in mind here is the concept of the trusted boot, where, in order to avoid malware getting on to your machine at such a low level, you cannot even detect it because the malware goes and fools the detector into saying, "I’m not here. I’m not the droid you are looking for." The notion is that you have a chain of digital signatures so that each step checks that the next step is a properly signed code that definitely comes from Microsoft and not a malware writer, before it starts running it. That is a fine system, in concept. Unfortunately, it means that you cannot run a different operating system on that machine. You might want to run a copy of Linux or something like that, but Linux’s development world is not set up to produce signed code in that sort of way and, therefore, you would not be able to run it on those sorts of machines. The people promoting this are really keen on it, because it means that once you have bought the machine you can only ever run Microsoft software on it. Microsoft is really keen on that, but it is not necessarily what you want. Equally, if you look at the handset market, again you do not expect to buy an Android platform and then run Apple software on it.
Perhaps in the handset market we are getting a diversity of platforms, but the bottom line is that, in the end, you cannot check every single piece of software because after a while it gets too complicated to do. You, therefore, end up having to accept more components running on your machine that can do bad things. Microsoft is already telling us that a lot of the failures - those times when everyone says that Windows crashed - were not caused by Windows but by the drivers, which are bits of software written by people in Taiwan to go with their particular hardware devices which are part of the machine. It sounds attractive, but it has a huge economic impact, whether or not you are building in monopolies and that sort of thing, and it probably does not solve the right problem.
Dr Westmacott: A good comparison to make is with that of the rail and airline industries, where software for trains and aeroplanes has to go through far more rigorous engineering. There is a lot of research into secure development and - I am looking at you because I can’t think of the words.
Professor Sommer: I am not quite sure of the phrase you are looking for. One of the things that you get in safety-critical software-
Dr Westmacott: That was absolutely it.
Professor Sommer: That was the phrase that you were looking for - safety-critical software. To make it really safe, you strip down its functionality. If you are having software to run in the examples you gave, or to run a nuclear power station, where you do not want failure too often, you strip out the functionality. You make things safe by ensuring that it does only the simple but essential things. If you were prepared to tolerate an operating system without lots of pretty pictures but just simple text that you could send, and very simple documents and e-mails, there would be far less code to go wrong, and far less code would need to be tested. But that would probably not be acceptable to people any longer. Again, we come to the balance between lots of functionality and the ability to test it.
Q17 Graham Stringer: Again, looking at it from the other side, would it be sensible to have some self-regulation? For instance, when you first put your computer in, you get the top 10 safety tips, or the top 100, automatically on a video at the start, and, whether they like it or not, people would get some awareness of the hazards.
Professor Sommer: It is a good idea. Are you suggesting that there should be a Government regulation mandating vendors to provide that information?
Q18 Graham Stringer: Self-regulation should become an industry norm.
Professor Sommer: It is a function that Get Safe Online could perform and might be a valuable expenditure of public funding. It would not cost much money to generate that information and make it available. That would be a good educational programme. There are other opportunities for educational programmes, but it has to be treated like any other form of public education, such as drinking and driving or not spreading diseases and so on. You have to keep repeating it, and presenting the information sometimes when people do not expect it and at times that they can find it. But the route that you suggest seems a very good one to me.
Q19 Stephen Metcalfe: Professor Sommer, you said that the internet service providers had attempted to provide greater internet security for their customers but because they had to charge for it the take-up was low. If it was to become mandatory, if you were to make the internet service providers do that across the board to everyone, at what point in the network should it be? Should it be on the individual’s personal machine, should it be at the internet service provider, or should it be at the connection with the landline - with BT or Virgin Media? Do you have a view on that?
Professor Sommer: The way that you phrased the questions perhaps identifies the range of problems. The particular difficulty about imposing any type of control is that the internet service providers can provide it only at what they call the subscriber level. In other words, they are delivering it to the box that you have in your house - the hub that connects to the outside world. Most of these devices are wireless and the multi-computer home varies; in a sense, what the individual user does is not in the control of the ISP. We come back all the time to the filtering problem that Richard spoke about and you were talking about as well. There is no magic filter that says, "Stop the bad stuff and let the good stuff go through." How do you recognise the bad stuff or the good?
There are many partial solutions. A number of ISPs, including the main one that I use, provide some malware filtering facilities, and that sort of works; it is part of the basic price. This may have come up in Richard’s evidence or perhaps he mentioned it earlier, but the next stage is for somebody to provide a response when a user says that they have a problem. In other words, is there a helpline? Helplines are colossally expensive in relation to what people are paying monthly for internet access.
Q20 Stephen Metcalfe: You said that there was no magic filter, although your internet service provider has a form of filter.
Professor Sommer: It looks for basic malware and spam.
Q21 Stephen Metcalfe: Are you saying that it will not find it all?
Professor Sommer: No.
Q22 Stephen Metcalfe: As an aside, some commercial companies are saying that they are going to operate a virus and malware protection system based on Cloud that is away from your machine. Is that going to work?
Dr Clayton: No; it is not going to work for the simple reason that malware has changed. We are no longer in the ’80s, when there were six different forms of malware a month, and everyone spotted them 100%. There are literally millions of bits of new malware a month because nobody has the time to pull them apart, and they have been made deliberately so that every single instance is different. They are, therefore, very challenging to filter. The detection rate on brand new malware is somewhere in the region of 30% to 40%, if that. That is easily explained because the bad guys test the malware and only issue it once it is no longer being detected. Even after a month or so, the detection rate rises to about only 70%. Basically, malware detection does not work terribly well. Mandating ISPs to provide this as some way of fixing the problem is not going to do that, but it will cost a lot of money and give people a false sense of security.
Dr Westmacott: If I may, I shall follow on from that and speak about the sources of malware, where malware comes from, and the reason why there are so many different types. There has been a proliferation of automated malware generation tools; these are toolkits which can be purchased online, which can generate-
Chair: We have been given a very good demonstration by a couple of companies.
Q23 Stephen Metcalfe: Are those who have malware protection installed on their equipment any better off than those who do not?
Dr Clayton: They are a little bit better off because they may be lucky and the malware is actually detected.
Q24 Stephen Metcalfe: But it is not a silver bullet.
Dr Clayton: It is not a silver bullet, no.
Professor Sommer: Most security is about reducing the risk; it is not eliminating it.
Q25 Graham Stringer: You started to answer this in response to my earlier question. Are the problems surrounding smart phones substantially different from the problems with PCs and laptops?
Professor Sommer: They are different in scale, for two reasons. First, because of the way that cell phones are sold, you are induced to buy a new contract on the basis of having a brand new phone. The development cycle for new phones is much quicker than it is for producing operating systems, and as they become more complex there is a greater opportunity for mistakes in design. That is one aspect. The other aspect is that, if you want to correct a conventional operating system fault, it is relatively easy; you are sent a bit of code and you may have to reboot. As you are doing it, you are cursing the waste of time while that happens. However, the operating system and the applications of the smart phone are in firmware, and the business of changing that is altogether much more dramatic and frightening, because there does not appear to be any easy way back. You have to connect your smart phone to a computer, and there is a long period when nothing very much seems to be happening. If the power goes down in the middle of it, you could end up with what is technically known as a brick. Physically, on the outside, there is a smart phone but it has no functionality. That is a great problem.
Dr Clayton: I am much more sanguine about what is going on in the telco market, for the simple reason that the telcos have, over history, taken the view that all the traffic on the network is theirs and the devices are theirs. As a result, when malware is distributed for smart phones, the telcos take it off again. We would not tolerate that with our computers in our front rooms, with the ISP suddenly coming along and saying, "We’re terribly sorry; we don’t like that piece of software that you’re running. We’re going to take it off." We would not tolerate the sort of monitoring that the telcos do. The telcos do it because they are trying to prevent toll fraud. People defraud them by making free calls and so on. The telcos come from a tradition of monitoring their networks and so forth that is completely different from the internet. It is a much more closed system, and they are much more in a position to control what is going on. As smart phones start using the internet more, not across telcos but starting to use wi-fi devices and so forth, that may change. But the philosophy and the general attitude taken by the telcos is so different that I do not see malware on smart phones being a huge problem for the next few years.
Q26 Stephen Metcalfe: The Government have a duty to protect their citizens from crime. Much of what is being done here is crime; crime has criminal intent. Should the police be treating it with the same severity as any other crime, bearing in mind that the consequences are often equal to other crimes?
Dr Clayton: I would say yes, but you have to accept that, if you are burgled, the police will not pay a great deal of attention unless there is blood on the floor. We have to see cyber-crime in the same way. It would be a shame if you were being defrauded, but we are looking for the equivalent of blood on the floor.
Dr Westmacott: We need to gather far more information on the prevalence of criminal activity and individual occurrences, and we need to provide the public with the ability easily to report information on malware and to say when specific crimes have occurred. Without that information, it will be difficult to move forward with law enforcement.
Professor Sommer: You must understand that the funding for tackling cyber-crime comes from the same pool of money as everything else and there are many competing demands - bobbies on the beat, dealing with antisocial behaviour and so on. Specialist police officers have been putting in a great deal of effort to develop a strategy. You will probably hear about that later; it is in the Home Office document. I think they have got the balance about right.
All of us here are intensely aware of cyber-crime. I act as an expert witness, so I naturally think that a great deal more time and money should be spent on it. On the whole, the strategy being developed is for all police officers to have some awareness, for all detectives to manage and understand digital evidence to a certain level; and we need an elite body that is able to tackle the more complex issues. That strategy is broadly correct. My big concern is that we have a proliferation of overlapping agencies, but I covered that to a certain extent in my written evidence. I hope that you will be pressing the police and the Home Office when they give evidence on why so many different agencies are needed. You will note that they all claim to be covering the big websites where card information is held. Is it right that they should all be doing that, because they appear to be stepping on each other’s toes, in my view?
Chair: Gentlemen, it has been a most informative session, and I am very grateful to you for coming in. You have been incredibly helpful to our inquiry.