On Friday 10th August, the House of Lords Science and Technology Committee published results of their inquiry into "Personal Internet Security". Richard Clayton, who served as the "Specialist Adviser" to the committee, has written a great introduction to the report highlighting recommendations such as increasing ISPs' responsibility, obliging banks to bear e-fraud losses, introducing data breach notification laws and software liability.
As part of their investigation, the Committee engaged a multitude of experts ranging from e.g. PayPal CISO Michael Barrett to Prof. Ross Anderson, Bruce Schneier to Robert Littas, Head of Fraud Management in Visa Europe. Both the report and evidence (submitted in writing and during interview sessions) are available from the Parliament's web site and are a must read for every security professional.
Amongst renowned security experts and executives of multi-billion companies, Ilkley Computer Club - a local community support group in a small town (population 13,828) in the north of England (UK), was asked to submit their views on the subject. They did so with the following introduction:
Ilkley Computer Club is approximately 25 years old. When it started, it was the time of the first micro computers for home use; Ataris, Commodores, Sinclairs and BBCs. Membership was mainly 5th & 6th Formers from local schools. Today, the majority of members are “silver surfers” who almost always use a Windows computer. When the Club started, the Internet had not been invented. Now all members use it and at most meetings, Internet issues dominate discussions. The members wanted to pool their recent experiences with Internet use and to present them to the Committee in the hope that their collective knowledge – or lack of it – may aid understanding.
Like every other witness the Club was asked to suggest ways of "tackling the problem" and provided 6 recommendations. What I could not fail to note is that the Committee adopted 5 out of 6 suggestions made by the Club. The following excerpts from the report illustrate this.
Club: "There must be positive Government guidance pushed to users;"
8.24. We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety. (6.49)
Club: "Government advice must be from a single point of contact;"
8.21. The Government-sponsored Get Safe Online website already provides useful information and practical advice to Internet users, but its impact is undermined by the multiplication of other overlapping websites. We recommend that the Government provide more explicit high-level political support to the Get Safe Online initiative and make every effort to recruit additional private sector sponsors. If necessary, the site should be relaunched as a single Internet security “portal”, providing access not only to the site itself but acting as a focus and entry-point for other related projects.
Club: "Internet Service Providers must take a proactive stance in prevention (viruses, trojans, spam, spyware, etc);"
8.10. We recommend that the “mere conduit” immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code. This would give third parties harmed by infected machines the opportunity to recover damages from the ISP responsible. However, in order not to discourage ISPs from monitoring outgoing traffic proactively, they should enjoy a time-limited immunity when they have themselves detected the problem. (3.69)
Club: "Software produces must take more care when writing software to avoid bugs in the first place;"
8.12. The IT industry has not historically made security a priority. This is gradually changing—but more radical and rapid change is needed if the industry is to keep pace with the ingenuity of criminals and avoid a disastrous loss of confidence in the Internet. The major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority. We urge the industry, through selfregulation and codes of best practice, to demonstrate its commitment to this principle. (4.38)
8.15. We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced. (4.41)
Club: "If washing machines can be “kite marked” to EU or UK standards, why not computers?"
8.23. We further recommend that, in addition to the new kite mark for content control software, Ofcom work with the industry partners and the British Standards Institute to develop additional kite marks for security software and social networking sites; and that it continue to keep under review possible areas where codes of best practice, backed up by kite marks, might be appropriate. (6.48)
Everyone might have their own interpretation of how the suggestions of ordinary computer users ended up being so spot-on as far as the Committee's conclusions are concerned, but undoubtedly it is a fascinating result. Perhaps, "users don't know what they want" is not as true as many vendors tend to believe and users can not only help to identify problems but also to develop solutions?
Securing personal financial transactions online and all that comes with it: trojans and man-in-the-browser, e-banking and e-commerce, usability and scalability. By Igor Drokov, Elena Punskaya et al. at Cronto - the inventor of Visual Transaction Signing.