A parliamentary report due next month will call for the Home Office to increase funding to combat cyber-threats such as phishing, corporate hacks and worm attacks, according to those familiar with the plans. The report comes amid parliamentary criticism that the UK's cybercrime law-enforcement operations are woefully under-resourced.
The All-Party Internet Group (APIG) this month completed a review of the 14-year-old Computer Misuse Act (CMA), analysing whether the UK's cybercrime law - written before the Internet era - is in need of an overhaul. While the inquiry found the law to be surprisingly sound, the committee has come to the conclusion that the real problem is lack of attention and resources for enforcement, according to those involved.
The APIG report, due near the end of June, is likely to call for the Home Office to get serious about cracking down on computer crime, estimated to cost European businesses billions of pounds every year. "[Cybercrime enforcement] is under-resourced," said APIG chairman Derek Wyatt MP. In giving evidence to the hearings, for example, the Metropolitan Police said it has only about 250 staff devoted to cybercrime, Wyatt said.
One problem is that, officially, the government isn't aware of exactly how big a problem cybercrime is, since figures are not audited by the National Audit Office - and this means there is no political pressure to deal with the issue, Wyatt said. "The first thing we have to do is find out the extent of the problem. We won't win the battle of resourcing the police if we don't get the crimes recorded," he said.
The lack of resources is particularly worrisome for businesses, as business-related attacks are currently at the bottom of the list of enforcement activities, according to security software firm Prevx, which is sponsoring the APIG report. "The National Hi-Tech Crime Unit is focused on its priorities, addressing online child pornography, major fraud and other serious issues. What isn't being addressed is virus writers and hackers, who cause massive amounts of damage to millions worldwide," said Prevx chief executive Nick Ray.
He agreed that getting official recognition for cybercrime figures would be key. "That would put a lot of pressure on politicians. At the moment this is not on their radar," Ray said.
As for the CMA itself, the law has been well-written enough to stand the test of time, and is unlikely to need a major overhaul, according to Ray, Wyatt and others. The law's punitive measures should be strengthened, however, to reflect the increasingly disruptive effects of cybercrime attacks, Wyatt said.
Just as important as bulking up the UK's own cybercrime efforts will be putting pressure on other countries to introduce more stringent measures of their own, Ray said. "Given the international scope of this problem, we need to use our political leverage to encourage similar legislation in as many parts of the world as we can," he said. "There are gaping holes in some countries' frameworks." Cross-border law enforcement cooperation could be improved, he said.
The government may also have a role to play in setting basic technical security standards for businesses or creating an official security ratings system, as it has done in the realm of automobile safety, Ray said. "We didn't suggest that because, as a security company, it would have seemed somewhat self-serving," he said.
Not everyone agrees that tougher laws and better enforcement are the answer to businesses' cybercrime woes. Secure email provider MessageLabs, which also presented evidence to the inquiry, argues that technical measures would bring a better payoff. "Internet service providers need to step up to the mark and be held accountable for much of this," said MessageLabs CTO Mark Sunner. "If ISPs were to take a more active stance in protecting businesses and users it would make a dramatic reduction in these kinds of threats."
At the moment, most ISPs provide little or no protection at the network level, leaving end users to protect themselves with client-side software, according to Sunner; in practice, this means that most end-user machines are left vulnerable. This state of affairs has a direct impact on business networks: recent worm attacks have been aided by the existence of millions of unprotected PCs, and one-third of all spam is estimated to be relayed by infected machines without the user's knowledge.
"Including a desktop anti-virus product with your ISP offering doesn't cut it," Sunner said. He argued that most desktop products rely on virus definitions, which don't update fast enough and aren't as effective as a server-based system. Server-based protection is a sensitive issue - consumers don't take kindly to ISPs that accidentally block legitimate emails, Sunner admitted.
"These services will live or die based on their ability to handle false positives, and spammers are always finding ways around the filtering mechanisms that are put in place," he said. If ISPs are not willing to go to the expense of installing and maintaining filtering systems, lawmakers should even consider compelling them to do so, Sunner said.
Other industry observers criticised the ISP-based approach as unworkable, and said government bodies are already more involved than they should be in regulating security. "Governments are producing far too much legislation on security at the EU and national levels, and a lot of it is ill-thought-out," said analyst Fran Howarth of Bloor Research.
APIG will release a draft report towards the end of this month, with final recommendations following late in June. The next step will be to get a response from the Home Office, with the aim of getting a cybercrime plan into the Queen's speech in November, Wyatt said.