inside aebrahim’s head

A couple days ago I had mentioned that Lord Avebury had asked the UK Government about their usage of IE. The UK Government has now answered and I am reproducing the full text of the question and answer below:

Asked by Lord Avebury

To ask Her Majesty’s Government what discussions they have had with the governments of France and Germany about security risks of using Internet Explorer; and whether they will encourage public sector users to use another web browser. [HL1420]

The Parliamentary Under-Secretary of State, Home Office (Lord West of Spithead): UK government officials and subject matter experts are in regular contact with their counterparts in France, Germany and other countries on both a bilateral and multilateral basis to exchange technical information and opinions on many aspects of cyber security, including software vulnerabilities. For example, the UK’s Government Computer Emergency Response Team (GovCertUK) and Combined Security Incident Response Team (CSIRTUK) are members of the group of European Government CERTS (EGG), as are their French and German equivalents.

Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them. We take internet security very seriously and we have worked with Microsoft and other suppliers over many years to understand the security of the products used by HMG, including Internet Explorer. There is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure. Regular software patching and updating will help defend against the latest threats.

Microsoft issued a patch to fix the recent Internet Explorer vulnerability on 21 January. Prior to this, government departments had been issued with a GovCertUK alert on how to deal with this particular incident and to mitigate vulnerabilities in relation to particular versions of IE.

A government user, operating on government systems, such as the Government Secure Intranet (GSi), will benefit from additional security measures, unlikely to be available to the average home computer user. These include tools which actively monitor for evidence of any malicious attacks.

Source: Lords Hansard text for 26 Jan 2010

While the UK government contends that “there is no evidence that moving from the latest fully patched versions of Internet Explorer to other browsers will make users more secure”, there are many others who would disagree.

Also, although IE8 has significantly improved security models as compared to IE6 and IE7, there is still evidence that IE6 is being heavily used by UK government departments, including the armed forces. I think most people would agree that a “fully patched” IE6 is still relatively more vulnerable to attacks.

Lord Avebury (blog, bio) has tabled a written question in the United Kingdom House of Lords yesterday, which reads as under:

Lord Avebury to ask Her Majesty’s Government whether, in the light of the recent announcement by Microsoft that Internet Explorer was used to carry out the cyber attacks which prompted Google to say it will withdraw from China, they will review the use of Internet Explorer throughout the public sector. HL1505

Source: House of Lords Business (26 January 2010) and Eric Avebury: Internet vulernability

Lord Avebury mentions that the Parliamentary IT authorities are actively discouraging the use of alternative browsers such as Chrome so it is great to see that he is holding the government accountable for their policies.

According to UK parliamentary procedure, the government is obliged to provide a written response to his question on or before 8 February 2010. I think it will be interesting to see what they have to say.

Lord Avebury is an active campaigner for the rights of ethnic minorities in the UK and also those who are British nationals living abroad. He is also a member of the EU Select Committee which considers EU policy on protecting Europe from large-scale cyber attacks.