When the Digital Britain White Paper was published on 16th June, I raised some concerns about the White Paper’s apparent endorsement of “The Geek Squad” and “The Tech Guys”.
I have now received from Lord Stephen Carter a response to the points I made in the debate. Unfortunately, the response slightly misses the point (by about a mile, actually). It sets out the measures being introduced to improve the enforcement of consumer law applying to on-line transactions. This is all good stuff – a single online complaints register for people encountering an online scam; investment in new equipment, training and staff for on-line consumer law enforcers; and a review of enforcement powers in an on-line world. However, this is not really going to provide much reassurance for people nervous about letting an unknown person into their homes to fiddle around with their computer systems.
I have now written back to Stephen Carter – although my letter may well have arrived after his last day in office (he is one of the GOAT ministers who is resigning this month). My letter says:
“Thank you for your letter of 8th July. I am grateful for the clarification you have provided on the points I raised following your statement to the House on 16th June.
However, I would like to come back on the second issue I raised. This related to the need to ensure that consumers have adequate protection when dealing with suppliers, such as “The Geek Squad” or “The Tech Guys” – both specifically mentioned in “Digital Britain”.
In your response, you mention the measures being taken to improve enforcement of consumer law applying to on-line transactions. Whilst these measures are valuable, they rather miss the point of my concerns. Both “The Geek Squad” and “The Tech Guys” involve the consumer permitting individuals to access their computer equipment (and usually their homes). Such individuals are being given a position of trust by the consumers concerned, who will assume that they are (1) honest and (2) know what they are doing. As far as these points are concerned, it is extremely unlikely that the consumer will have the technical knowledge to understand (or indeed to be able to detect) what has been done to their equipment – that is after all why they have asked “The Geek Squad” or “The Tech Guys” to visit or to look at their equipment.
If you engage a security guard from a security firm, the individuals engaged are required to be registered with the Security Industry Authority and will have been vetted for criminality and there are requirements relating to their training. Yet the activities of most security personnel will usually be visible and will normally be comprehensible to the person engaging them. Should there not be some similar system of regulation and customer assurance of the quality of work in place for those individuals engaged by “The Geek Squad”, “The Tech Guys” or any other similar service? If no such system is in place, most customers – who are likely not to be skilled technically – will be vulnerable to data being stolen from them, to malicious code being placed on their machines or to more traditional forms of criminality.
I would welcome your comments on what can be done to address this. I am copying this letter to Lord West of Spithead (in view of the information security implications) and to Alun Michael MP (in view of his role chairing the Tripartite Internet Crime and Security Initiative).”
I will be interested to see if the civil servants get the point this time.
The Health Services Journal (reporting an investigation by More4 News) says that NHS computer systems were infected by more than 8000 viruses in the last year, most of which would have been avoided if the NHS Trusts concerned had kept their anti-virus software up-to-date.
This would be worrying enough (consequences described included the breakdown of patient appointment systems), but the complacent response of the Department of Health is breathtaking.
According to the HSJ:
“The revelation that NHS trusts have been poor at keeping their anti-virus software up to date has provoked concerns that they are vulnerable to viruses that could cause confidential patient data to be disseminated.
”But a spokesman for the Department of Health said the electronic patient records systems provided through the national programme for IT were “protected by the highest levels of access controls and other security measures”.”
However, my understanding has always been that once an individual machine has been compromised – depending on what malware has been installed – then all the data accessed or stored by that machine is potentially vulnerable. So if so many Trusts are failing to maintain up-to-date anti-virus software, then confidential patient data IS at risk.
The Department of Health spokesperson went on to say that:
“local NHS trusts were legally responsible for complying with data protection rules and were expected to record any breaches.”
So that’s all right then …….
According to the FBI, Goldman Sachs fell victim to potentially one of the most costly losses of information ever when one of their computer specialists decided that the $400,000 a year he was being paid was not actually sufficient compensation for his talents and decided to move to another company who were prepared to treble his salary. In the few days before he left, the employee apparently copied part of the code controlling Goldman Sachs’s electronic trading platform which enables them to respond almost instantly to market movements (probably in a way that makes those market movements even more destabilising for the rest of us but is highly profitable for Goldman Sachs).
Of course, it could have been worse, he could have tinkered with the code as well before he left, so that the trading platform would have bankrupted Goldman Sachs instead of making them enormous profits. At least, I assume that would have been worse …..
Moral: be nice to the geeks in your IT department.
Alan Johnson, the Home Secretary, has made it clear that ID cards will not be compulsory. In a press conference, he said that the pilot schemes for airside workers to have ID cards in Manchester and London City Airports would not now be compulsory for UK citizens.
He said:
“Holding an identity card should be a personal choice for British citizens – just as it is now to obtain a passport. Accordingly I want the introduction of identity cards for all British citizens to be voluntary and I have therefore decided that identity cards issued to airside workers, planned initially at Manchester and London City airports later this year, should also be voluntary.”
At the press conference, he was asked by journalists if ID cards would be made obligatory and said quite clearly that they would not be.
In a Parliamentary written statement he said:
“There will be significant benefits to individuals from holding an identity card which will become the most convenient, secure and affordable way of asserting identity in everyday life. Identity cards will also be valid for travel throughout Europe in place of a British passport. ….. However, holding an identity card should be a personal choice for British citizens – just as it is now to obtain a passport. Accordingly I want the introduction of identity cards for all British citizens to be voluntary.”
This is a sensible and proportionate approach to adopt.
I have always felt that identity cards were mis-sold when they were first announced. They were never going to be a magic bullet in the battles against terrorism or organised crime – although that was what was claimed when the proposals were first aired. However, a simple system enabling the citizen to demonstrate – should they wish to do so – who they are always seemed to me to have enormous value (certainly better than having to turn up at a bank with a driving license, a council tax receipt and a utility bill). In essence, that is the system that the Government is now saying we will be moving towards.
The Government has today published its much-heralded “Cyber Security Strategy of the United Kingdom”. The document is welcome and will lead to an Office of Cyber Security (OCS) being set up to “provide strategic leadership” across Government. In addition, a Cyber Security Operations Centre (CSOC) will be set up as part of GCHQ. This Centre will be responsible for “incident response”, as well as monitoring “the health of cyber space” and providing advice and information.
This all looks extremely positive, as does the philosophy under-pinning the Strategy which includes working in partnership with industry, being more integrated within government, tackling security challenges early, and being grounded in a set of core values based on human rights.
As ever, (forgive the lapse into cliche) the devil will be in the detail – and the detail is not contained in the Strategy. How much clout and authority will the OCS have within Government? Will the CSOC have the resources it needs to be sufficiently pro-active and will it have the legal powers to take appropriate action?
According to the Independent this morning, the announcement of the new Cyber Security Strategy that was promised last week and that I have been calling for over the weeks (years?) will take place tomorrow. Earlier this week I chaired a seminar on “Meeting the Threats in Cyberspace”. One of the most impressive (worrying?) presentations was from Scott Borg of the US Cyber Consequences Unit. His conclusions, which spell out why a fresh approach from the UK Government is so urgent, can be summarised as follows:
“Based on the work the US-CCU has already done, it is evident that the potential economic and strategic consequences of cyber-attacks are very great. The US-CCU’s research has demonstrated that the numbers widely quoted for the costs of denial-of-service cyber-attacks lasting up to three days are actually wildly inflated. But the US-CCU’s findings show that other types of cyber-attacks are potentially much more destructive. Especially worrisome are the cyber-attacks that would hijack systems with false information in order to discredit the systems or do lasting physical damage. At a corporate level, attacks of this kind have the potential to create liabilities and losses large enough to bankrupt most companies. At a national level, attacks of this kind, directed at critical infrastructure industries, have the potential to cause hundreds of billions of dollars worth of damage and to cause thousands of deaths.
Some of the attack scenarios that would produce the most devastating consequences are now being outlined on hacker websites and at hacker conventions. The overall patterns of cyber intrusion campaigns suggest that a number of potentially hostile groups and nation states are actively acquiring the capability to carry out such attacks. Meanwhile, the many ways in which criminal organizations could reap huge profits from highly destructive attacks are also now being widely discussed. This means that American corporations and American citizens need urgently to be informed, not just of their technical vulnerabilities, but of the economic and strategic consequences if those vulnerabilities are exploited. It is only by basing our cyber-defenses on a comprehensive assessment of cyber-attack consequences that we can make sure those defenses are sensible and adequate.”
The Boston Globe has an article from a fellow at the Harvard Kennedy School of Government arguing that the United States should assert its right to cyber self-defence by declaring that “it will promptly counter-attack as accurately and as proportionally as technology allows”.
This is an interesting – if scary – argument. It conjures up memories of the Cold War and “Mutually Assured Destruction” or, even further back, of Lord Palmerston and the “send a gun-boat” style of diplomacy. Did either strategy work? Well, some would argue there was no nuclear war during the Cold War years (although the aftermath poses some interesting problems of proliferation etc). And, of course, during the Palmerston era the Sun never set on the British Empire (allegedly because the Sun knew it could never trust the British Empire in the dark).
It is undeniably the case that a number of nation-states are developing an offensive cyber-warfare capacity and those that ostensibly are only interested in developing a defensive strategy can readily reverse the process to become offensive (Porton Down was always ostensibly about developing chemical weapons defence …).
Similarly, non-state-sponsored cyber attacks often emanate from countries that are either indifferent to the activities going on within their borders or are powerless to intervene.
Does this give a country the right to retaliate? The Boston Globe article suggests that a few bouts of such retaliation would bring about the creation of some international means of regulating and protecting cyberspace. That may be true, but it would be good to think that such an outcome could be achieved without the digital trench warfare that the article describes.
Today’s “Digital Britain” report has an interesting paragraph on “Securing Home Networks” which says:
“In addition, the market is increasingly providing a high level of after sales support to its customers through additional assistance in relation to dealing with technical complexity – a sort of “AA breakdown” assistance for your personal networking needs. As home networks become more complex, it is legitimate to expect that these types of service will continue to grow. Services such as “the Geek Squad” from Carphone Warehouse and “Tech Guys” at PC World provide consumers with fast and effective advice on a range of issues including computer optimisation, device set-up, software installation, parental control set-up and tuition, security and software installation, back-up services and many others.”
I expressed some reservations about this when the report was introduced in the House of Lords this afternoon by Lord Stephen Carter, saying:
“I note in the report the support for the after-sales services provided by a number of computer retailers, such as the Geek Squad, the Tech Guys and so forth. Have the Government given any thought to the personnel who visit people in their homes and put things on their computers? What steps are being taken to ensure that those individuals are quality-assured and regulated in the same way that physical security personnel are regulated by the Security Industry Authority?”
My concern was that at present the individuals who work in such areas are unregulated, there is no agreed qualification standard, and there is no guarantee that they are honest. Those people who rely on such services to protect or maintain their IT equipment are the least likely individuals to know whether something adverse (such as installing a key-logger) has been done to their systems.
The Minister’s response recognised that there was an issue, although he sidestepped the point about regulation:
“I do not know what checks and balances those operators put in place, but I will do further due diligence to find out. My noble friend raises an interesting question; as people’s domestic IT systems become more and more sophisticated—which they will—the level of complexity, and therefore the level of security and trust that people will want to have with the providers of those services, will only increase. My view is that it will be four or five years before we have a sort of AA or RAC of the IT world providing that level of assistance at scale for many homes. It is an intriguing question.”
The issue may well be worth pursuing ….
The “Digital Britain” report, published today has an excellent section on “Digital Security and Safety”. The report makes it clear that there will definitely be a national Cyber Security Strategy, something I have been calling for for some time, when it says:
“The UK’s National Security Strategy describes how ‘cyber security’ cuts across almost all the national security challenges that it identifies, and the need to address them in a coherent way. To this end, the Government is developing a Cyber Security Strategy to build a safe, secure and resilient cyber space for the UK, through both the beneficial exploitation of cyber space and the reduction of risks posed by those who seek to do the UK harm: the forthcoming Cyber Security Strategy will set out how the Government intends to approach this task.”
This is an extremely welcome development. When Lord Stephen Carter made his statement introducing the report in the House of Lords this afternoon, I asked him when the Strategy might be issued and he said he hoped it would be ready by the end of July.
According to David Hencke (so it must be true) in today’s Guardian, the Government is planning to establish a new Cyber Security Agency and this will be announced in a wide-ranging statement, updating the National Security Strategy.
Last month I pointed out the radical approach being taken by the Obama Administration in the United States towards tackling the cyber threat. As I told David Hencke, it will be welcome if the UK is now going to do something similar.
However, whatever is proposed will have to be adequately resourced and will need to be properly linked to the national Police E-crime Unit and also to the national security apparatus.