10 Aug 2007
A new report out today from the House of Lords Science and Technology Committee could lead to a major overhaul of current UK internet security practices, with recommendations ranging from the introduction of a central web-based e-crime reporting system to the introduction of security breach notification laws.
According to the report, the reporting tool would help law enforcement agencies gain an understanding of the computer crime landscape in the UK, and offer a central repository to collate reports and identify patterns.
The new system could be a welcome addition for businesses concerned about the current policing of internet attacks. Since the National Hi-Tech Crime Unit (NHTCU) was swallowed up into the UK’s crime-fighting organisation, the Serious Organised Crime Agency, firms wanting to report IT crime incidents were directed to their local police stations. A web-based system could be a useful tool for companies if it offered a confidential method of reporting attacks and a more direct link to police IT specialists, something previously provided by the NHTCU.
Another Lords recommendation was the introduction of data security breach notification legislation that would force firms to report incidents that impact customer privacy. Similar legislation is already in place across many US states.
"A data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal internet security", advises the report. “We recommend that the government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency.”
Greg Day, senior security analyst at McAfee, said a disclosure law would improve confidence in the long-term. “It increases pressure on businesses to stop those sorts of breaches from happening,” he added.
A more controversial aspect of the report is a call for IT vendors to be held liable for weaknesses in their products.
Day argued that it would be “very difficult” to hold vendors responsible for breaches. He added, “It comes down to how solutions are implemented. You would have to ask, ‘Did they have it configured correctly, updated and maintained?’”
Andy Kellet of analyst Butler Group agreed that the report takes too simplistic a view. “There is a need for a better understanding of how security works, how vendors build solutions and how they are implemented, " he argued.
Another sector that could be impacted by the report is the financial services industry. The Lords committee calls for a review of the current system that requires online fraud to be reported directly to banks. Instead, fraud victims “should be able to lodge a police report and have some formal acknowledgement of the fact of a crime having been committed”, the report argues. It also recommends the introduction of legislation that holds banks liable for losses as a result of online fraud.
Is it just me or is the recent report from the government about internet fraud going just one stage too far?
While the Lord's committee is right to highlight the threat of organised crime and unchecked private usage of the internet, the onus of protection is perhaps a bit skewed.
The question for me is how can government or business protect individual users more when individual users seem to be happy to give their personal details to any tom, dick or harry just because they are online?
For the commission to say that an individual is currently responsible for their own internet security (which is ultimately true), and then imply that this should no longer be the case could set a dangerous precedent. We already see users have little or no regard for their own information once it is on the internet. Social networking is testimony to this, with internet users letting criminals get knowledge of personal details on a scale never before witnessed. How can institutions take more responsibility than they currently do when the personal owners (i.e. each individual user) of information seem to have so little regard for their own security? Statements about individuals being able to absolve themselves further from the responsibility for their own security, and heaping this responsibility onto third parties will only promote crime based on stupidity and a lack of care.
Throwing stones at government and business alike for not protecting the user is a poor solution to managing the problem of fraud. If the purpose of this report is to highlight the poor personal security of many individuals, I applaud it. If it is just to shift the blame to business, obfuscating the need for personal responsibility over your own identity and internet usage, that is something else.
Posted by: Bart Patrick, SAS UK 13 Aug 2007
Have your say on this article
Newsletters
Latest stories from Security Technology
Latest videos
You may also like
Security Technology jobs
Technology Patent Wars
Case studies from large organisations across all sectors
... And rich media, and flexible working, and peaks in traffic ...
Upcoming Events
Join us for this Computing web seminar, in which the Head of BI at the Co-operative Group Nick Colebourn will be explaining just how he reigned in the Group’s sprawling database estate and how significant savings were realised and data quality improved as a result.
Date: 31 May 2012
Time: 11:00 AM
Live June 13th 11:00am: Register now. During this web seminar we will be looking at the sorts of incidents that can bring data centres grinding to a halt and what can be done about them.
Date: 13 Jun 2012
Time: 11:00 am
Receive the latest jobs direct to your inbox
Are you being paid what you are worth?
