I am delighted to be here and I am grateful to tScheme for the
opportunity to say a few words of welcome for the considerable progress
that the initiative has made in the past four years.
Self-regulation is a cornerstone of our approach to regulation in the
information age. tScheme reflects the self-regulatory model at its best.
With the Government identifying broad policy objectives and then
business experts finding the most efficient and business-oriented way to
meet those objectives. And it's important to underline that tScheme has
demonstrated the flexibility and adaptability to changing circumstances
which is almost impossible to achieve through traditional regulations. I
believe this flexibility will allow tScheme to continue to evolve and
take a central role in resolving the complex issues of trust that will
continue to set challenges on our path to the information age.
A lot has happened since we passed the Electronic Communications Act
in 2000. There was a long and rather painful debate about public key
cryptography that persisted throughout the late 1990s. The focus of that
debate was the risk to law enforcement of all Internet communications
being encrypted and unintelligible for investigative purposes. I was not
involved at the time but I understand that my Department were
instrumental in finding a practical way forward. The outcome was that we
managed to address law enforcement concerns, but shook off any concept
of the need to licence this “dangerous” technology. But we were left, at
the end, with a clear view that the provision of services which
underpinned trust did require a degree of third party assurance. So we
took powers in the Act to introduce a licensing scheme for what the Act
called “cryptographic service providers”. But the Act also recognised
that this role could be performed by the private sector as a
self-regulatory activity – and thus the power was subject to a sunset
provision which means we lose the power in 2005. Unless, that is (and I
hope today will demonstrate why this is highly unlikely), we
introduce a statutory scheme in the next year.
We agreed our powers should be time limited to reflect the strong and
persuasive arguments of the early backers of the tScheme concept. In
intense discussions during the passage of the Act, they put to us a
convincing proposition that this could be run effectively by the private
sector.
To complete the historical perspective, it quickly became apparent as
tScheme established itself that the pressing business and government
need was for confidence in authentication. It did not seem likely then –
and still does not – that the delivery of business services based on
encrypting traffic will be a major feature of our e-economy. Thus the
first phase of tScheme activity was focused on approving authentication
services based on public key infrastructure or “pki”. And it has to be
said that it has done this job very well.
Perhaps there were early on some unrealistic expectations about the
popular adoption of digital signatures. Only now can we say that pki
technology is becoming an accepted part of the business environment and
we are still nowhere near this technology impacting on the mass market.
It could so easily all have gone so wrong. But it is to the credit of
all those involved that they stood back and took the broader view. The
big issue - and one of the biggest “trust” issues in the information age
- is ensuring viable means of identification in an on-line environment.
This is where the Government have to applaud the vision of tScheme
because, in our view, the questions of identity and authentication have
become more challenging and more important in the period since we passed
the Electronic Communications Act.
What has happened since then? The events of September 2001 and
subsequently have shown that our security on every front is subject to
greater challenges than previously. But the terrorist threat is only one
strand of the problem.
In the past four years, we have seen wider and deeper reliance on
networked information. The bandwidth and mobility which we depend on
today were only available to relatively few in 2000. But the extension
of bandwidth and mobility bring, in their train, new security problems.
‘Always on’ is exposed all the time - and the availability of bandwidth
has been exploited by those who would make our lives a misery as well as
by those who would improve it.
The nature of the attacks on our systems has also changed. A wide
range of vulnerabilities in software and networks are being discovered
and the time between the disclosure of a vulnerability and full-scale
exploitation of that vulnerability has gone down from a period of
several months to a matter of days. The war between the virus writers
and the anti-virus vendors has escalated and in the past four years
we have seen a rapid change in the design of viruses and worms. All of
this requires a new level of vigilance from system managers – aided,
oddly, by what appears to be infighting among the virus writers. Also
worrying is the convergence of techniques used for spamming and virus
writing. Spam already tries our patience, the day might not be far off
when it tests the resilience of our networks.
Then there have been the “phishing” attacks which have sought to
exploit the trusted brands of banks to fool customers into parting with
vital account information. It does not require a great leap of
imagination to suspect that there may be a great number of other trusted
relationships which could be exploited by this sort of activity.
The “phishing” attacks have highlighted the importance of identity.
In the wider world, there are discussions going on about identity cards.
In the virtual world, the requirement is even more pressing – but even
more complex. How can a bank customer know he or she is dealing with his
or her bank? How can a mobile worker access sensitive company
information from a hotel room? How can a citizen vote in an on-line
election without the fear of electoral fraud? All of these issues
require the authentication of both parties. It is more than simply “I am
the person pictured on my passport”. Identity on-line can be subject to
different levels of confidence and technological rigour depending on the
process requirement. Nowhere is the question of authentication more
relevant than in our efforts to put all Government services on-line.
The Government is doing a lot on all of this. We need to be clear
that we cannot legislate away the problems – even if they were all
susceptible to homegrown solutions, which they clearly are not. One of
the key principles established by the OECD in its guidelines on network
and information security is that all users should be responsible for how
their actions impact on the security of the networks. When we are all
connected to each other we are all responsible to each other. The idea
that security is someone else’s problem is no longer tenable. The
solutions will require each party to accept the challenge and to accept
that progress will only be achieved through partnership.
So our actions are designed to protect Government assets, understand
the problems, promote innovative solutions, create the policy
environment at home and abroad to encourage positive action and to deter
and detect those who would undermine trust through criminal actions.
I’m looking forward on the 27th of this month to presenting the
latest of my Department’s highly regarded information security breaches
survey. Of course, I cannot give too much away today but I can say that
the outcome will be mixed. It will show that problems are now endemic,
that the private sector is responding but there is still much more to
do. There is positive feedback on the value of the information provided
by my own Department to businesses. Identification and promotion of best
practice is something that officials in my Department do well and we
have developed one of the world’s best web resources aimed at the
non-expert, smaller businesses. All of this is done within a broader
framework of mainstreaming this as a business issue through, in
particular, the use of the 7799 information security standards.
My Department has also been involved in the cross-Government
discussions which have led to the creation of the role of the Central
Sponsor for Information Assurance in the Cabinet Office. We have made a
big effort in the past few years to ensure that we have joined up
policies across Government for protecting our own information systems
and making sure that those efforts influence and are influenced by
developments in the private sector. Our work on protecting critical
information infrastructures – through the National Infrastructure
Co-ordination Centre – is central to that and I believe we have
developed a world-class facility for identifying threats and
vulnerabilities and also for developing partnerships for practical
solutions. The impact goes far beyond the more obvious critical systems
on which we depend.
My colleagues in the Cabinet Office will indicate over the Summer
more of their thinking on how information security management should be
taken forward across Government – and how that must be achieved in
partnership with business and citizens. And the Home Office will be
opening up a debate on a more strategic approach to the fight against
e-crime.
I wanted to mention one more important development: the release on 10
June of a major piece of work from the Office of Science and Technology.
This is the report on cybercrime and cybertrust and is part of the
Foresight programme which looks at the big issues which will shape the
innovation and research agendas over the longer timeframe. It is a
significant report and will underline my earlier point that identity in
the virtual world is a complex and crucial issue. This report will
suggest areas where we need more knowledge and better practical
solutions.
I hope that, in looking ahead, the report will provoke an informed
debate about the importance of identity. But our commitment to put
e-Government transactions on-line and the challenges of “phishing”, spam
and other on-line problems require implementation of the best available
solutions now.
That is why we need today’s event both to mark the progress that
tScheme has made in approving service providers and establishing a
unique position in profiling and assessing the success factors of such
providers; and to explore how tScheme has risen to the challenge of
establishing identity in a variety of ways according to the needs of the
process.
Representatives here from the public sector will welcome this
opportunity. DTI is one of the case studies today and the opportunities
of involving a group consisting of some of the world’s largest in this
scheme could extend far wider than the conduct of regulatory business
within this Department’s Oil and Gas Licensing and Consents Unit, whose
efficient working plays an important role in our energy policy aims.
I applaud the work of tScheme and all the progress that has been
made. The challenges of security and confidence within e-commerce are
very substantial and critically important, and we need to be working
together to resolve them successfully.