Ministers told that regulators need to be more IT savvy

A debate today in the House of Commons called for regulators to become more IT aware.

Speaking at the Commons Science and Technology Committee meeting this morning, Professor Ross Anderson from the University of Cambridge said that certain industries are already regulated, but the regulators employ insufficient IT expertise.

"Having regulators who are entirely staffed by specialist economists is not adequate," said Anderson.  "Regulators such as Ofgem and Ofcom should have people on their stafff who understand IT, and can take a modern view of the risks that industries are sleepwalking into."

Anderson was referring to the increasing risks from cyber crime, as more industries, services and systems go online, and previously dumb systems gain intelligence and communicative capacity.

"Most of the engineers who take things online are in too much of a hurry to make profits to think about the downsides," he argued.  "Security is usually an afterthought."

The debate also addressed concerns that there might be an attack on critical infrastructure in the UK, following the stuxnet attack in Iran last month.

However, Anderson explained that a cyber attack is not the most likely event to disrupt networks in the near future.

"The most likely cause of disruption to the internet could be software failure associated with the transition to IPv6," he said.  "Although some foreign states have the capacity to disrupt the routing fabric should they desire to do so," Anderson added.

Dr Robert Hayes, senior fellow, the Microsoft Institute for Advanced Technology in Governments, suggested that a major attack on infrastructure is unlikely in the UK, but a more local attack is a high risk.

"Stuxnet is a good example of a cyber weapon we're concerned could be copied and used by a criminal enterprise or idealogical group."

Malcom Hutty from Linx, the London Internet Exchange, agreed.

"The risk of an attack [affecting national infrastructure] would require enormous co-ordination, not only in the amount of work required to prepare and craft the attack, but also in target selection," he said.

He explained that the internet is designed to tolerate isolated failures, so a series of stuxnet style attacks would be required to execute an attack with a national or internation effect.

"If an organisation takes out one service provider, it shouldn't have a national-scale impact," he added.

The debate concluded by calling on the government to endorse digital credentials to enable internet users to be assured that they are dealing with the bodies who are who they purport to be, rather than cyber criminals.