UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 618-vii

HOUSE OF COMMONS

ORAL EVIDENCE

TAKEN BEFORE THE

Home Affairs Committee

e-Crime

Tuesday 23 April 2013

Art Coviello, Professor Jim Norton and Ilias Chantzos

Evidence heard in Public Questions 309 - 345

USE OF THE TRANSCRIPT

1. This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.

2. Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.

3. Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.

4. Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.

Oral Evidence

Taken before the Home Affairs Committee

on Tuesday 23 April 2013

Members present:

Keith Vaz (Chair)

Nicola Blackwood

Michael Ellis

Dr Julian Huppert

Steve McCabe

Mark Reckless

Chris Ruane

Mr David Winnick

________________

Examination of Witnesses

Witnesses: Art Coviello, Executive Chairman, RSA, The Security Division of EMC2, Professor Jim Norton, Engineering the Future, and Ilias Chantzos, Senior Director, Government Affairs for EMEA and APJ, Symantec, gave evidence.

Q309 Chair: I call the Committee to order. This is the penultimate session of our inquiry into cyber and e-crime. After this session, we only have the Minister to take evidence from. I welcome the witnesses to the dais, and thank you for coming here from a very far distance. I know, Mr Coviello, you in particular are not a frequent visitor to the United Kingdom, so we are glad to have you here.

Art Coviello: Thank you.

Chair: There will be a Division in the House at 3.05pm, so we are hoping to finish your evidence by then so you do not have to wait for us to come back after the vote. May I start with you, Mr Coviello. Obviously, we will go on to talk about fraud and banking crime and cybercrime in general, but with the background of the Boston bombings that took place just 10 days ago, I know your company deals primarily with financial issues. Have you ever been asked by the Government of the United States or any other Government actually to monitor websites in respect of dealing with terrorism?

Art Coviello: No, that is not something we would engage in, although our security products and services extend well beyond the financial sector itself, including protecting the Government.

Q310 Chair: Given that you look at these websites every day and you have a large team of people, which I understand is in Israel-

Art Coviello: Yes.

Chair: -who do the monitoring of these websites, would it be too much of an extension of what you do to actually monitor these other websites that are causing concern to the security services?

Art Coviello: It probably would be. I think we could, but those types of activities would tend to be handled by the Government and not by us. We restrict ourselves to things of more of a commercial nature.

Q311 Chair: Now, we have had evidence that has been given to us by the head of the City of London Police-the City of London Police in the UK deal with cybercrime-who told this Committee, and I quote, "We are not winning the war on online criminals". Do you think that the war has been lost?

Art Coviello: I do not think the war has been lost, but we are not winning it either. I think what people need to keep in mind is not so much the threat-obviously, we have to keep in mind the threat environment-but what people sometimes overlook is what I call the expansion of the attack surface. We have now developed so many web applications, we have so many remote access devices, mobile devices, we have so many points of entry into our enterprise, and now we are starting to outsource a lot of our infrastructure and applications to the cloud, that we have expanded the attack surface and made it literally easier for the attackers to take advantage of us. But having said that, I am a technologist, so I am an optimist, and I believe we can win the war, but we are not winning it yet.

Ilias Chantzos: If I were to address the question, let’s say, in a lighter fashion, I would say that if we had lost the war things would not be working very well right now, would they? It seems to me that things are actually still working quite well. We can go online to the bank. We can order online tickets. We do order online goods. The digital economy seems to be operating and it seems to be operating quite well and people trust it. This is not a question of winning or just losing a war, but of understanding that security is a moving target, security is a moving goal. The technologies change. We see an expansion in cloud. We see an expansion in mobility. As the technologies change, the attack surface changes, the techniques that the attackers are going to use change. What is important is that we adjust ourselves and follow that moving target in order to achieve that objective. We will never have 100% security.

Professor Norton: I do not believe that we are losing the war. It is a war we can win, but we will not win it purely with technology. There are three things we have to do, and the first and most important relates to people. I could build you the most perfect security system, as I am sure could my colleagues here, and I am sure a thoroughly misunderstanding user of that system could defeat it. We do not educate our people properly. We do not train them in what is good practice, and there is not a technological solution to that. So, one, we need training; two, we need better software, and we know how to write software very much better than we actually do in practice in most cases today; and thirdly, we need better resourcing for the police. That is not just nationally but internationally.

Q312 Chair: Mr Coviello, I am concerned at the number of social media sites or internet sites that offer people packages for fraud on the internet as part of internet services. Do you know whether there are any well-known social media sites that have been used for that purpose?

Art Coviello: As a matter of fact, recently-and I think we are going to release the coverage this week-an Indonesian hacker was actually using Facebook as a means to disseminate information about his fraud as a service. That was, quite frankly, very unusual but it is a disturbing change to anything we have seen previously. It just suggests an utter disrespect of being caught.

Q313 Chair: Has that stopped, do you know?

Art Coviello: I am sorry?

Chair: Is it still ongoing on Facebook that people can-

Art Coviello: I do not know if the site has been brought down as yet. I am assuming that it will be brought down quite shortly.

Q314 Chair: I do not know whether you all have seen the survey that has just been published by Verizon, which shows that state-sponsored industrial espionage is now the second most common form of cybercrime. Have you all seen that survey? It has just been published today. Is it a surprise to you that there is so much state-sponsored espionage, and, if so, do you have any indication of which countries are doing this? We have had a list from the City of London Police. They have talked about Russia and the Eastern European states, but do you know which states might be responsible?

Art Coviello: One of the problems with any attack is attribution, being able to trace the attack back to its source. That is where people have to be very careful because unless you have evidence, to point the finger at a particular nation is clearly not the right thing to do, and I see too much of that. Having said that, given the level of sophistication that we see in attacks, it can only be sponsored by nation states. We see it clearly. We see it in the form of economic espionage. It is ongoing, and it is increasing.

Q315 Chair: Thank you. Just one final thing: could you confirm the Norton study, which shows that there are 556 million victims of cybercrime every year-is that a figure that you recognise? Also, the cost of cybercrime to the UK at £1.8 billion. Do you have any fresh figures or are those figures that you can endorse?

Ilias Chantzos: I believe the Norton study that you are quoting is the latest study that has been released from us until now. We have actually released very recently the Internet Security Threat Report, which is the latest statistics that we have analysed for activities in 2012, which are not focused on the consumer side only. Having said that, I should emphasise that the methodology of the Norton study is such that the results of the study are based on self-reporting. We went out and asked individuals whether they had been victimised. It is not based so much on attacks that we have actually observed but rather on what the public has told us. The numbers in terms of financial losses are based on the numbers that the victims claim that they have lost.

Chair: Sure.

Q316 Mr Winnick: RSA apparently suffered a serious security breach, which has been dealt with. In fact, the company has been commended for its response. Was that the first major security breach?

Art Coviello: In terms of RSA, clearly it was, yes.

Q317 Mr Winnick: What did it involve?

Art Coviello: It was a very sophisticated attack. It was two separate APT groups, as we define them; advanced persistent threat groups. Again, one of the things we did was immediately contact law enforcement and request additional help from the National Security Agency as well as from Homeland Security. The Government responded very quickly in helping us understand-

Q318 Mr Winnick: About what time was this?

Art Coviello: The attack commenced on March 4th, 2011, and within two days they were on-site helping us. These kinds of attacks are very difficult for a number of reasons. You have to ensure that you find all the places where they have compromised your infrastructure before you take them out because you do not want to tip them off that you know that they are in there. This is the kind of help and assistance that was provided by the Government. Of course, we have our own capabilities. Fortunately, while we were not able to stop them from exfiltrating some important information from our infrastructure, because we discovered the attack timely enough and disclosed the attack timely enough, there were no losses sustained by any company as a result of the attack.

Mr Winnick: I see.

Art Coviello: But I should add that it was the first time that law enforcement had seen two separate groups attacking a company at the same time. Again, the sophistication of the attack could only have been carried out by a nation state based on our point of view and that of law enforcement. Another interesting aspect of this is that the attack commenced at a supplier of ours. Emails from that supplier, targeted emails, were sent into our employees, and that is how they were able to breach our perimeter. Also, we were not the ultimate victim of the attack. What they wanted to do was use the first company to get to us, and ultimately, in our point of view, they were after our defence industrial base. They were going to use our information to attack our defence industrial base and potentially our Government.

Q319 Mr Winnick: Do you think lessons can be learnt by other companies from the manner in which you dealt with this and the support that was given, as you say, by the authorities?

Art Coviello: Well, yes. I believe that any company who is breached, which could potentially result in harm to another company, has a moral if not legal obligation to disclose that breach so that they can prevent other companies from being hurt, and that is exactly what we did.

Q320 Dr Huppert: Can we step back for a second to this issue of what we should aspire to? Mr Chantzos, I think you said that we cannot have 100% security, and, Professor Norton, you made the point that a lot of it is about behaviour and what information there is. To what extent would you subscribe to the principle that if people put data out online in the broader sense it is fundamentally vulnerable, and so if you want to make data safe, you do not collect it, you do not put it out there? Would you accept that as a principle?

Ilias Chantzos: Well, I think it is very important to understand the value of our personal data. Most people do not appreciate the importance that our personal data has and, frankly, you see whole lives, whole lifelines, timelines, on social networks. That is extremely dangerous. The reason why it is extremely dangerous is that, to follow up on the points that Mr Coviello so accurately described, you launch a targeted attack-and by the way if you look at the Internet Security Threat Report that we just released, we have seen a 42% increase in targeted attacks-by targeting the individuals. How do you target the individuals? You profile them. The fact that you have your lifecycle of friends, your information about yourself on a social network publicly visibly available, makes them a perfect open-source intelligence tool, and makes it very, very easy for you to be profiled, followed, and then attacked.

One of the most frequent examples that I give is people put their birthdays on social networks and then they accept congratulations on their birthdays, but, by the way, that is one of the three to four authentication questions every time you call your credit card company. What is your date of birth? Yet this is an example of how it can go terribly wrong. Professor Norton was correct in saying that security is not just about the technology, it is also about the people and the process, and this is exactly why there are the social network problems that we see.

Dr Huppert: I was hoping for more of a yes or no, but thank you for that anyway.

Professor Norton: May I just add to that a little? In an information economy personal information is now traded as value. That is fine if the person whose information is traded is doing that knowingly, but we have, I am afraid, miserably failed, not just here but probably around the world, in educating people about the impact of that. Yet we are trading information as value not just on social media sites but in all sorts of other ways as well without a true understanding by the individuals concerned of its implications.

Q321 Dr Huppert: But just in terms of the principle that I was trying to outline, you would broadly agree with it or broadly disagree that if you really want to avoid data loss, you do not make the data available?

Professor Norton: No.

Q322 Dr Huppert: You disagree?

Art Coviello: Absolutely.

Professor Norton: There is a hierarchy of data, and it is very important that people are trained to understand that. There is some data you may want to release, and it may be greatly beneficial to you to release. There are others you do not want to release. I think simply treating it as inaccessible is wrong.

Ilias Chantzos: You have to effectively risk-manage the type of information you release about yourself.

Q323 Dr Huppert: I am being prompted to ask about some other issues. Professor Norton, you said something about poor software design being a big problem.

Professor Norton: Yes.

Dr Huppert: I used to write a bit of Perl script, so I am probably responsible for much of this. Why do you think the security is so poor, and what do we need to do in order to get standards higher in terms of the software that is being produced so that it does not have injection holes and all sorts of things?

Professor Norton: We do not use the formal mathematical methods that we have available, which we have had for 40 years, to produce better software.

Q324 Dr Huppert: Are they applicable to all complex software, though?

Professor Norton: Any piece of complex software can be decomposed into pieces of less complex software. However, you are right, it is much more of a challenge if you are writing a global operating system, but much of what we do, and I am thinking here, for example, of infrastructure, are actually very simple systems, and they are entirely amenable to being written with formal methods. What I am getting at there is that we have a culture in the software industry of testing. Testing will only prove what faults you have; it will not tell you what you have not found. It would be far better to have a culture of better design, which is designing out the faults before you have to test them out, which is impossible anyway.

Q325 Dr Huppert: Is that something that could be done easily, or do people have to be specially trained? I have never tried formal methods myself, so I do not know how easy it is.

Professor Norton: The National Security Agency in the States has pioneered the use of this in a thing called AdaCore. They demonstrated that it could be done at a very comparable cost to writing less good software. It is a matter of habit. Our universities used to train in it, but the industry did not hire the people who were trained, so they stopped giving the courses in it. This is a Catch-22 situation we need to resolve.

Q326 Dr Huppert: Mr Chantzos, I think Symantec said that providers will only be willing to accept liability for their products if they get control over the way in which consumers use them. Is that right? Do you think that slightly insulates companies from any responsibility?

Ilias Chantzos: I think you are perhaps reading more in there than what we have actually said. First of all, we already have liability under law for the stuff that we make within the marketplace. The question really is if we look into extending that liability, what is a reasonable level, and what is appropriate given the controls that the software manufacturer has or does not have on this product? As Professor Norton I think also admitted, there cannot be such thing as a perfect software. It is not possible right now. The issue is that we do not have an effective control of the way that our customers use the software that we make available. Should we be liable also for the fact that, for example, users take the software and do not patch it? You look around; systems get vulnerable and get attacked for malware that exists from 2008. The third most popular infection is Conficker back in 2008, for instance. It is not as simple as saying there is defective software out there. It is also about how do the people install it and use it; is it fit for purpose for what it is being used for at the moment?

Q327 Nicola Blackwood: I just wanted to go back a little bit to follow up on the issue of the security breaches, which you were speaking about, Mr Coviello. You mentioned the fact that you think it is very important that organisations and institutions come forward when they have been breached but that many are reluctant to do so for reputational reasons. Now, I believe that you came forward in 2011 saying that you had been breached, but you mentioned the fact that the breach had occurred in 2004. Is that correct, or am I mistaken?

Art Coviello: No, mistaken.

Nicola Blackwood: Sorry, that is just the information that we have here.

Art Coviello: No, the breach occurred in 2011. We determined that information was taken around the 16th and we went public around the 17th, in that fast a timeframe, yes.

Q328 Nicola Blackwood: Do you think that other companies would do the same, or do you think that there is a general reluctance to do so?

Art Coviello: Well, I can only speak for my company, but obviously there is a fair amount of humiliation and embarrassment. In our case, it is our primary responsibility to protect our customers. It would be a total abdication of everything we stand for if we had not come forward and said there was a breach and give remedial advice to our customers to protect themselves.

Q329 Nicola Blackwood: Are you aware that the Government has brought forward a new cyber-security fusion cell in order to create an environment for companies and organisations to gather information and bring information forward in order to improve the gathering of information on such attacks?

Art Coviello: Yes.

Q330 Nicola Blackwood: Do you think that this will be helpful in these matters?

Art Coviello: Absolutely.

Q331 Nicola Blackwood: Why do you think it will be helpful?

Art Coviello: Because any opportunity you can timely share information about attacks, as long as you disseminate the information broadly, which is what our Department of Homeland Security did in our case, means that all potentially affected companies can be on the lookout for a similar-type attack, whether it is the IP addresses from which the attack has been launched or the particular malware itself.

Q332 Nicola Blackwood: Do you think that there is anything they should be doing better with this particular cell? Do you have any advice for improving it?

Art Coviello: I am not deeply familiar with it, so I cannot give you such advice. I would say as a general statement the more you can do the better.

Q333 Nicola Blackwood: Did you have anything you wanted to add?

Ilias Chantzos: I do, actually. Very quickly, there are two different issues here. One is the question of information sharing, and the other one is the question of security breaches. You should be aware that already in the UK the ICO has encouraged the reporting on a voluntary basis of security breaches when personal data have been lost. I think that is very important and a step in the right direction, and I agree with Mr Coviello and his points about transparency and responsibility of the companies. I would also argue that that policy results in better security because nobody wants to be in a position where they have to go and report something that unpleasant. At the same time, you also need to be aware that this discussion is taking place in Brussels, so there will be legislation. It already exists for the telecoms, and it has been proposed for other policy areas as well.

Q334 Chris Ruane: To Art Coviello, you have said that the traditional models of security, such as using firewalls and antivirus software, are no longer effective against sophisticated online threats. What should companies do instead?

Art Coviello: In an age where the attack surface has broadened, as I pointed out earlier, in an age where there is no discernible perimeter, perimeter-oriented defences are less and less effective. So, the game shifts from outright prevention of breaches to early detection and response to breaches. The model that we advocate is one where you have technology that can detect these breaches far more timely. To do that, you have to have a lot of data. You have to be able to see the faint signal from the attacker that anomalous behaviour or anomalous flow or use of data is occurring. To do that requires a substantial capability to correlate and analyse vast streams of data at very fast speeds.

Q335 Chris Ruane: Okay. This is to all of you. We understand that the Zeus Trojan, the malware most widely used by criminals to target financial institutions, is detected less than 40% of the time by antivirus software. Does this indicate that the antivirus software is no longer fit for purpose? Is our technology-the good guys’ technology, the good guys’ brains-better than the bad guys’?

Ilias Chantzos: I would like to actually see those detection statistics, but I would begin by saying that, first of all, we need to bear it in mind that the traditional antivirus technology, meaning the signature-based detection, is by no means any more sufficient. Why? Because it is based on the premise that I will see the virus, I will capture it, analyse it, and therefore I can detect it. What we see right now is attackers using polymorphism, meaning techniques whereby they constantly mutate, to use a biological example, the virus so that it can be less easily detectable by the antivirus software. Rather than focusing on the antivirus, modern-day security needs to focus on protecting the information in multiple layers by doing things like behavioural blocking, by doing things like intelligence analysis and by doing things like correlation, not just signature-based detection.

Chair: Professor Norton, you do not need to put up your hand.

Professor Norton: We are missing a huge resource here, and that resource is the people who work for us. You will probably have seen BIS published a report this morning that suggested that the vast majority of UK companies never bother to train their people in any kind of information security or the reasons why it is important. If they were so trained, you would be doing exactly the same thing as used to happen in the physical world. You would detect fraud in particular because you had a member of staff who would never go on holiday and so on. If people were sensitised to looking for unusual activity in the systems they use, we would have another entire line of detection here. Instead, we tend to regard the people who work for us as the enemy and the danger, not the people who could be helping.

Q336 Chris Ruane: How do you turn around that mindset?

Professor Norton: It is a major task in training, and it is not just for jobs; it is across the generations. You have to explain why this matters and why you have to treat those systems as if they were yours, not just your company’s, and you care about it.

Art Coviello: I guess I have to respectfully disagree. While I believe fervently in defence in depth and while I believe fervently in educating our people in terms of policy, attackers today are far too sophisticated, and the average person is no match for the attacks. Now, could you prevent a small percentage of them if you had better training? Absolutely, but that is not going to get us there. Again, I would not say do not do it, but I would not expect a major return from it.

Ilias Chantzos: Mr Chairman, can I give a very simple, practical-

Chair: So long as it is very quick.

Ilias Chantzos: Very quick; think for a moment what the job of our HR colleagues, human resources, is. Their job is to do exactly what we are told on email not to do: receive emails from people they do not know and open attachments that say CVs, which can very easily contain malware. I am giving this as an example of how social engineering is actually easy despite perhaps the training that people will do. Still, training is important, no question about it.

Q337 Michael Ellis: Gentlemen, you have referred earlier to examples of individual responsibility for online security, and you used the birthday example-we all know people who tend to either use their birthdays as passwords or give them in social media and then get asked those sorts of questions by banks looking for authorisation. I notice, Professor Norton, that you used the Highway Code as an analogy for increasing the responsibility of individuals to keep their information secure online. What practical changes could be made, do you think, to increase responsibility in this area?

Professor Norton: At the risk of being boring, I am going to go back to education again. We do expect certain levels of behaviour of the people who drive on the road. In the various organisations I have been part of, the British Computer Society, where I was president, pioneered various elements of simple training in this area, and I think it is absolutely crucial. We released a series of technologies. I will give you an example. In Germany, when broadband internet was introduced, it came complete with antivirus packages. It was not sold without it. We did not do that here. We just let the technology out there without the help and support that people would need to use it safely. You would not dream of doing that with a car.

Michael Ellis: The problem is, as is so often the case with the internet, how would you enforce that? We know how we enforce rules of the road and other regulations, but how is it possible to enforce behaviour so that people are not cavalier with their own security and then introduce breaches?

Professor Norton: There is no simple solution to that, I have to concede, but I think the work that is going on in Government at the moment, for example, to throw out the teaching of information technology and bring in teaching of coding and computer science is a huge step forward. It should also include basic computer hygiene and security.

Q338 Michael Ellis: Mr Chantzos, do you have any observations to make further to that?

Ilias Chantzos: There is no doubt that education and people is a big component. Clearly, we are already doing a number of things like Get Safe Online, for example, or the child NGOs that exist in the UK and continue to engage them. At the same time, from the perspective of the provider, we try to offer security by creating more distance between the security and the user so that it is more invisible yet it works for the individual. The security becomes something that he does not need to modify or change. It does not become an obstruction; it becomes an enabler. Obviously, on the commercial side, try to make available security through the ISP to the end user through the OEM channel.

Q339 Michael Ellis: This is what I want to press you on, because isn’t it up to people like yourselves and the companies to actually take some responsibility in this area rather than putting it on the individual and say, "We can develop technology that can do away possibly with passwords as we currently know them so people do not have to remember passwords and they are not so open to abuse or interception as we currently see them"? Is that not something that could be developed? Can we not improve this area?

Ilias Chantzos: It can be improved, but at the same time you need to bear in mind the kind of risk that you are going to have. For example, if we do do away with passwords and we use fingerprints, you cannot cut off your finger if you lose your fingerprint. As a user, you see the challenge.

Art Coviello: Once again, I think education is an admirable thing. I think personal responsibility is an admirable thing; we should encourage it. But the fact of the matter is the consumer-facing organisations are the place to solve this problem. Whether you should know it or not, 10 out of the top 11 UK banks use our risk-based authentication in online transactions. It is a technology that is seamless and transparent to the user. The software takes a device fingerprint of the device you log on from and it recognises you based on the geographic area of your IP address and certain characteristics of that device. We also have the capability in software to allow the bank to monitor your transactions looking for anomalies. The way security has to move is towards understanding anomalies in human behaviour, as I said earlier, and anomalies in the flow and use of data, and we can use technology to do that.

Q340 Michael Ellis: Recognising something that looks suspicious?

Art Coviello: Exactly.

Professor Norton: Let me emphasise the two points I made in my opening answer, and also say it is a question of better software. We should not have websites that are open to SQL attacks and things of that kind. We should do this much better. It is also down to better enforcement and a much better chance of getting caught.

Ilias Chantzos: And integrated.

Professor Norton: Yes.

Chair: Thank you very much.

Q341 Nicola Blackwood: I think in the course of this session we have heard a lot about the scale of the challenge and the pace of the threat as it changes. I think I heard from Professor Norton an emphasis on individual responsibility and at this end an emphasis on technological resilience. Can I have some kind of an assessment on how you think the private sector and the public sector-so, policing but also those who hold a huge amount of data such as perhaps the NHS and our schools-are working together at the moment and how we need to work on improving that, starting with Professor Norton, perhaps-

Professor Norton: Can I make a proposal, and that is-

Nicola Blackwood: -who still does not need to raise his hand to answer.

Professor Norton: It is a habit; absolutely. We have some interesting tools in the accounting world that we ought to be using. I am a chartered director and I am also the Chief External Examiner of the Institute of Directors. One thing we could do is cause the accounting profession to take much more seriously intangible assets, which are all those databases that you were mentioning. If they were valued on the balance sheet and if the board were to take a stonking great impairment write-down if they were lost or loss-adjusted, this issue would rise up the priority of boardrooms remarkably. That should apply equally in the public sector. The point is we have tools to do this; we are just not using them, and that is a great shame.

Ilias Chantzos: It is going to be a combination of policy; it is going to be a combination of technology, quite frankly. One of the biggest challenges that we see right now in information-sharing is the creation of the trust environment, the creation of the infrastructure to share that information, and very often as well we see challenges around legislation, data protection being one of them. I think it is critical, and I think the UK is a very good example of a country that is working in order to address all these issues, so bringing together public and private sector, finding mechanisms to exchange information and building an environment of trust. I think that a number of other European countries are trying to follow that example, but I think in the UK very good work is done in that direction.

Art Coviello: Once again, I have to disagree with my colleague. I actually started my career as a certified public accountant, and I think grossing up the balance sheet for some value of a database would be an extremely bureaucratic answer to a problem, so I would not advise it.

In terms of public/private partnership, in the US we have been talking about public/private partnerships since 2003, and we have got nowhere. Quite frankly, it is an extreme frustration. I do not know the details of how it is working over here, although just in general the outline of your strategy is far more coherent than anything that is being done in the US, I can tell you that. I can also tell you that it appears that you are on the right track around information sharing. Unfortunately, in the US we have not been able to get a Bill passed to facilitate information sharing, which to me is quite a pity. Anything that can be done to use Government as a clearing house to receive and disseminate information broadly about attacks is going to increase the effectiveness of our ability to detect and respond to attacks. If, as I said earlier, breaches are probable, if not inevitable, then having intelligence sooner as opposed to later is fundamental to building out a new model of security so that we can shrink the window of vulnerability from all attacks.

Q342 Chair: Thank you. Professor Norton, finally, you were not one of the nine cyber-security experts who wrote to The Times this week asking the Prime Minister to drop his proposed legislation. Is it because you do not agree with them or that you agree with the Government’s legislation?

Professor Norton: No, I agree with those who wrote to The Times.

Q343 Chair: You feel that it would hinder innovation and would undermine the privacy of the citizen if this legislation goes through?

Professor Norton: I think these are very complex arguments that have not been properly addressed in that legislation.

Q344 Chair: Mr Coviello, this is almost the last session on e-crime for us. We started this inquiry in November. We have heard about your set-up in Israel with 150 experts trying to protect your clients. Would we be able to find in another part of the world 150 criminals all working together in a similar organisation or in a similar place trying to do exactly the opposite, or is it still tightly knit groups of people all over the world? Has this become now a very organised way of perpetrating crime?

Art Coviello: You would not find them all assembled in one place, but you would find far more than 150 scattered around the world, absolutely. There is no question about that in my mind. To make a guess of whether it is hundreds or thousands I could not speculate, but it is certainly a significant number given the volume and the capabilities and the activity that is going on.

Q345 Chair: I do not know whether you have been to the spy museum in Washington, which I visited last August. As you go in there, the very first video is President Obama with a chilling account of what is happening in cybercrime and how this is the No 1 danger faced in the history of the United States of America, on a par with terrorism. Can you compare what is happening in America to what is happening here? Is it possible for you to tell us whether something is going on there that is better than what we are doing here, or vice versa?

Art Coviello: Unfortunately, no. The internet knows no boundaries, so the attacks can be launched from anywhere to anyone. When I travel to Asia they tell me the attacks are coming from the United States and Europe. When I am in Europe they tell me the attacks are coming from Asia and the United States. So, quite frankly, the attacks are coming from everywhere, and, again, it is incumbent on Government to do exactly what you are doing and I laud this Committee’s activity.

One thing I did want to point out: in the charter of your Committee you talk about "increasing the understanding". I contrast that with the word "awareness". There is almost too much awareness. There is not a day that goes by that we do not see some publication, but unless we achieve a high level of understanding we are not going to be able to take the measures necessary to address this problem. Awareness is not it; understanding is, and that is what this Committee is trying to accomplish, and I laud your efforts.

Chair: Mr Coviello, Mr Chantzos and Professor Norton, thank you very much for coming.

Prepared 2nd May 2013