It is difficult to imagine that the House of Lords, suffused as it is with solemnity and grandeur, has much to offer the world of computing – let alone the esoteric realm of IT security. But in August of this year, the upper chamber unveiled what is widely regarded by technology pundits as one of the most comprehensive – not to mention controversial – reports to date on Internet security and its far-reaching economic and commercial implications.
The report, Personal Internet Security, researched and compiled by a small group of peers, has pushed one of its members, the Earl of Erroll, into the IT limelight.
Since his election as a hereditary, cross-bench peer following the House of Lords shake-up in 1999, Lord Erroll has shone the torch for ICT, sitting on numerous bodies including the Science and Technology Select Committee, which commissioned the report.
He reveals that he “drifted” into technology more by chance than design. It was during his brief career researching hydroponics – the method of growing plants using mineral nutrients instead of soil – that he taught himself to write programs. “I realised then that I was more interested in writing programs than in hydroponic research,” he says. “So I ended up in the IT area.”
"We're just beyond the Model T Ford stage where IT security is concerned."
It was for this reason that Lord Erroll and his colleagues set out to write a report that was both politically and commercially bold, containing firm recommendations that the Government could act upon. “We saw an opportunity to put the onus on parties who could do something about it, and offer them an incentive to do so,” he says. In the case of software vendors, this incentive came with a particularly controversial twist. Unconvinced by either the ethics or the efficacy of the so-called ‘train and blame’ approach to selling software, as Erroll dubs it, the report’s authors recommended that technology providers be held legally liable for end-user security breaches. It was not a popular notion, and many vendors launched a vigorous public defence.
Lord Erroll, however, claims the idea was not received in its full, long-term context. “I always saw this idea as more of an aspiration,” he explains, “It was more about saying that the business has got to mature.” It is illegitimate, says Erroll, for titanic software houses to sell a product to small businesses on the basis “that it’s a wonderful solution that will protect their business, and then when it doesn’t say, ‘Oh, I’m terribly sorry but it was your decision to buy it’”. Equally, he continues, a small provider offering downloadable freeware cannot be expected to compensate users if the product has flaws.
Eroding Microsoft’s dominance on the desktop would help improve the dynamics of security software development and delivery, he argues. If there were a large number of competing operating systems, the user could choose between high- and low-risk options. The point, he says, is that users do not have that choice and as a result are unable – and indeed offered no incentive – to make a risk assessment for themselves. “We’re just beyond the Model T Ford stage where IT security is concerned,” he adds.
The peer was pleased with the report’s reception within the technology industry – despite the initial controversy it seemed to meet the Committee’s basic objectives. But the Home Office’s reaction was another matter. “They came back to us with a basically anodyne response: ‘It doesn’t matter, it’s all OK, we’ve got it under control’” – effectively shelving the report. The irony of this became all too apparent in November when the HMRC’s disappearing disks fiasco demonstrated the spectacularly lax nature of the Government’s own basic security controls.
The Home Office’s persistent obtuseness on the subject of Internet security perplexes Lord Erroll. He is uncertain as to whether the lack of
action stems from political or financial issues – or both. Optimistically, though, he observes that several influential figures are lining up behind the scenes to drive home some of the core security measures his report put forward. For the IT-savvy earl, it is now just a question of timing.
Security: a vendor problem? A House of Lords report says vendors should take responsibility for ensuring customers' security.
Find more stories in the Security & Continuity Briefing Room