I have been successful in the ballot to obtain a two and a half hour debate on the adequacy of the safeguards protecting children and young people using social networking sites on the internet.
The debate will be on the afternoon of Thursday 12th February 2009 and appears on the order paper as:
Lord Harris of Haringey to call attention to the growth in the use of social networking internet sites by children and the adequacy of safeguards to protect their privacy and interests; and to move for papers.
The process was that at the beginning of the session I tabled my debate proposal and waited to see whether it would be successful in the ballot: in fact, I gather it was fourth in the ballot for 12th February but those winning the top two slots couldn’t manage the date.
I have been interested in the issue for some time and I hope the debate will cover the extent to which children and young people are encouraged to post personal information on social networking sites to an extent that damages not only their personal security but also their future job prospects. Nearly 50% of those aged 8 to 17 living in this country are – according to OFCOM – members of an online network community. Often the warnings given to those signing on for the first time are inadequate. The Home Office has issued guidance to social network providers but the guidance is not mandatory and has little effect on sites run from outside the UK.
I have heard a number of stories about breaches in information security at the Ministry of Defence in the last week. It sounds as if the problems occurred in a number of places with malicious code compromising a series of computers, including some on board Royal Navy ships. It has also been suggested that not only did this lead to a variety of system breakdowns but also that information was transmitted away from the secure system.
If these stories are true, it is significant at a number of levels: first, it would appear to have been a co-ordinated attack on multiple systems (therefore highly organised and credibly sponsored by a nation state); second, it appears to have caused major disruption; and third, it successfully penetrated the existing information security systems.
I have been concerned for a number of years about the inadequate priority given to the information security of the UK’s critical national infrastructure. When I first started raising this in Parliament with a series of questions, I was essentially told that the Government was satisfied that there were adequate protection systems in place and that in any event there was no evidence or intelligence to suggest that either other nation states or terrorists might seek to exploit any information security vulnerabilities.
Since then, we have seen the Titan Rain cyber-attacks on US and UK systems (allegedly sponsored by China), and the cyber-disruption aimed at Estonia in 2007 and Georgia in 2008.
The UK Government has started taking the threat much more seriously than it did and I am not in a position to know whether the arrangements now in place are sufficient. However, this week’s reports of the attacks on Ministry of Defence computers suggest that there is still a lot more to be done.
For about four years, I asked a series of Parliamentary Questions of each Government Department about the number of incidents of malicious breaches of their IT systems. The answers obtained were interesting if not very meaningful. Each year, by far the largest number of breaches were reported by the Ministry of Defence. This possibly suggested that their systems were the subject of more attacks, but certainly indicated that they had the best system for monitoring what was going on within their IT systems. In a sense, much more worrying was the fact that up to half of Government departments regularly reported that they had suffered no malicious attacks whatsoever. This, of course, could mean that their systems to avoid malicious penetration were perfect or that their systems were regarded as so boring that no-one had bothered to attack them. Much the more likely explanation, however, was that their systems were not detecting when they had been attacked.
Last year, my Parliamentary Questions were answered with a standard answer that “it was not in the national interest” to provide the data as it might provide assistance to those who were trying to undermine our national security. It is therefore impossible to gauge the significance and relative scale of the latest attack. However, if it raises the importance attached to having the highest levels of information security surrounding the UK’s critical national infrastructure, then some good will have come of it.
At the moment, I am not sure whether there is anything to be gained by trying to get more details of what has happened and more importantly what is being learned from the latest attack. Maybe I will feel more energised tomorrow ….
I discovered today that I have had my third credit card in a year cloned. To paraphrase Oscar Wilde: to have one credit card cloned may be deemed a misfortune; to have two cloned begins to look like carelessness; and to have three cloned brings on paranoia.
The irony is that I have spent a significant amount of time this year working to get a national police e-crime unit established. This was recommended by the House of Lords Select Committee inquiry (of which I was a member) on “Personal Internet Security” in August 2007 and the Home Office finally announced its share of the funding a few weeks ago. Work is now proceeding rapidly.
My personal experience highlights the scale of the problem and the need for proper collation of the data on what is happening and how the frauds are occurring.
The Select Committee report highlighted a concern that people are encouraged to report such problems through the banks, who will then file reports with the police as they feel appropriate. Many banks have seemed reluctant to involve the police - perhaps because they do not want statistics published demonstrating how weak some of their security arrangements appear to be – and the police are not keen to see the number of offences reported to them rise as it will make their “sanctioned detection” figures appear worse.
In the two earlier cases of cloning I was subject to, I pointed out to my bank that the last valid transaction that took place was in both instances with the same retailer (a restaurant I used to visit regularly until this happened). There was no indication from them that they found this information significant or that they would be contacting the police to have potentially dodgy waiters or card-readers investigated. I certainly never heard any more. When I asked today why no-one had ever come back to me, I was told that they couldn’t do that in case I went round to the retailer concerned “to sort them out” – even though I pointed out that I knew where it was already.
Today’s incident was different. I received an email from my bank (fortunately I didn’t delete it on sight on the basis that it was a phishing scam) saying that my account address had been changed and to ring the bank if this was not the case. It eventually transpired that the bank had acted on the basis of a phone-call from someone who not only had my card details, but could answer the security questions about my date of birth and mother’s maiden name (neither are particularly secret pieces of information for anyone). Properly, they had then contacted me again for confirmation. I was told that this form of identity theft was increasingly common and could lead to full-scale impersonation and the obtaining of further credit in my name. The address quoted in the address change would probably turn out to exist but unbeknown to the occupiers an arrangement would have been set up for mail to be collected from a sorting office. All of this seemed to provide adequate scope for police investigation, but when asked whether they would be referring it on they said they couldn’t say and were keen to advise me that there was little point in advising the police myself.
In the Select Committee hearings we were told that bank card details (with the security question answers) were available for sale in the darker corners of the internet for about £1 each. My experience has been personally illuminating but is clearly not unique.
Key lessons: first, more investment in the policing of these matters continues to be essential; second, leaving it to the banks to act is not enough; and third, not only is personal vigilance essential but we should all ask our banks to use as security questions something a little more robust than date of birth and mother’s maiden name.
Let nobody say that House of Lords Select Committee reports are without influence! It seems that one of the recommendations of the House of Lords Committee inquiry into “Personal Internet Security” has been taken on board by Pakistani President, Asif Ali Zardari. The Committee, of which I was a member, recommended stiffer penalties for those convicted of cyber-crimes. However, Zardari’s response has probably gone just a bit further than we had in mind. He has now issued a decree backdated to the end of September that sets the maximum penalties for internet crime as death or life imprisonment.
Those people who felt I had gone too far when I called for a Sarbanes-Oxley type approach to company directors who fail to take information security seriously enough might care to note what the Zardari solution might be!
Fourteen months after publication, the Select Committee report on “Personal Internet Security” was finally debated on the floor of the House of Lords. Since we produced the report much has happened. There have been the well-publicised data losses at HM Revenue and Customs and from other Government departments and agencies. And indeed today, we hear of the loss by EDS of an MoD hard drive containing the details of 100,000 service men and women. This all confirms my view that the Committee was absolutely right to call for a Data Breach Notification law in the UK.
This is, of course, about the culture within organisations – every employee has got to understand the importance of maintaining data security and their responsibility for doing so. Perhaps if people recognised the potential value of personal data they might be less cavalier in its treatment. For many people, a stolen identity will take weeks or months of effort to sort out. The FSA estimate that the cost of identity fraud in the UK (admittedly using a fairly wide definition) is around £1.7 billion. During the inquiry we were told by Team Cymru that on a single server in a typical month there were for sale the data from 32,000 compromised Visa cards and 13,000 Mastercards. The price nearly three years ago was $1 for a US card, $2 for a UK card. Associated data was also for sale, including the card-holder’s mother’s maiden name etc.
Perhaps if employees were told that each personal record was worth at least £100 – they might treat a memory stick or for that matter that MoD hard drive containing a hundred thousand personal records as though it was worth £10 million – certainly with more respect.
It may be that engendering such a change in culture will require more than a Data Breach Notification Law. Perhaps we need something more akin to the framework created by health and safety legislation, where every manager would have to take personal responsibility for delivering information security in their area or face prosecution. And perhaps we need an IT equivalent of the US Sarbanes-Oxley requirements to make people at Board level take their responsibilities to heart.