The House of Lords Committee on Science and Technology made five recommendations in its report on Personal Internet Security last week, and it’s hard to argue with most of what they said.
Nobody was spared criticism. The UK Government, the police, the ISPs, and the technology vendors all came in for carefully-worded rebuke for their self-interested complacency. For the most part, they’ve been queuing up ever since to excuse themselves.
Most of these agencies still see the issue as a private problem, no matter that they have each failed in varying ways to live up to their responsibilities for allowing the problem to get worse.
If you are a victim of e-crime then that is pretty much all your fault. You didn’t secure your PC, you chose an ISP that didn’t offer enough security, you chose the wrong bank, or you just opened the wrong email, allowing one of a long list of hellish malware programs to find a home on your equipment. If you actually suffer loss as a consequence then to whom do you report it? Not the police who don’t want to know. It’s a private problem between you and your bank, or other private company, says government.
The software industry turns up to help you, but that costs extra. Microsoft vaunted its new version of Windows, Vista, as being secure, unlike its last version, XP, that certainly wasn’t. Then it put the upgrade prices up because it decided that security was an added feature that people must pay more for.
If the same arguments were used when someone is burgled, mugged or has their car stolen, the public would be outraged. Helpfully, the committee came up with some advice to kickstart some long overdue debate. Most of it is remarkably in touch with the underlying problems. Here’s what I made of their main thoughts.
1. Increase the resources and skills available to the police and criminal justice system to catch and prosecute e-criminals.
Correct, but this understates the true extent of the problem in my view. Behind the phrase “resources and skills” lies a complex, expensive and time-consuming challenge that can only be solved by a re-structuring of UK policing. The truth is that, at the moment, e-crime is another one of problems (like drugs, for instance) the police have no real answer to. As I never tire of saying, the UK probably has ten times as many traffic police as it has trained e-crime officers.
E-crime is a low priority because making it a high priority would force the authorities to come up with a strategy to tackle it, and they are way off having that in the works.
2. Establish a centralised and automated system, administered by law enforcement, for the reporting of e-crime.
This is the most important recommendation of the report. Without a centralised UK database of electronic crime reporting, the problem cannot be tacked because nobody actually knows what is going on. It is a disgrace that instead of tacking this issue straight on, the government was earlier this year allowed to get away with a change in procedure that turned reporting over to private companies. Been ripped off? Tell your credit card company not the police. Presumably the police went along with this change because they have no resources to tackle such crimes.
What better way to hide an uncomfortable statistic than to move it off the books?
3. Provide incentives to banks and other companies trading online to improve the data security by establishing a data security breach notification law.
Another idea whose time has come. At the moment, companies can get away with hiding security breaches, hardly a great way to encourage better security. The government is said to be against the idea, and you can bet that the financial services industry is against it. And the Financial Services Authority (FSA) has inadvertently made this whole situation more ridiculous by hammering those companies honest enough to own up (see the Nationwide Building Society data breach debacle), fining and embarrassing them in equal and humiliating measure. Fines are fine, but why not make everyone own up so that everyone can be fined? Now that would be fairer.
4. Improve standards of new software and hardware by taking the first steps towards the establishment of legal liability for damage resulting from security flaws.
Software companies – not least Microsoft – have been allowed to get away with incredible shoddiness in the security design of their software, leaving companies and individuals to suffer the consequences and pay the bills. But there are two problems.
Firstly, no company can possibly guarantee that its software is free of security problems, and the very nature of software makes this an unsolvable problem. The effect of blanket legal liability would be to inhibit software development, stunting new ideas (too risky!) and lengthening the time it takes software to get to market. It would be a fairer world but one where software is duller, and innovation less likely.
Second, there is a better way – just force companies to admit security flaws. By companies, I mean not the vendors, but their corporate customers. Force them to explain how and where a security breach occurred, and if this was down to a problem in a piece of software, tell the world about that too. How many vendors would want to be associated with this kind of public naming and shaming?
About the only argument I can see for liability is within the more limited scope of those vendors that choose to ignore known security problems despite the risk to customers. That deserves legal sanction. It is wrong that software development is seen as being about making new products and not also fixing old ones that aren’t secure.
5. Encourage Internet service providers to improve the security offered to customers by establishing a “kite mark” for Internet services.
A waste of time. Kite marks assume that every ISP takes part - they wouldn’t – and that they are in the UK and therefore care. The best way to get ISPs to shape up is to let the market decide. Meanwhile, let’s have more information on how much each ISP does to secure its networks and customers (which ones track bots, for instance) and less on issues such as how much bandwidth each offers, or whether one ‘traffic shapes’ its gaming customers. The UK press has long ago convinced itself that the only issue of interest to readers is performance. It’s isn’t, or shouldn’t be.
The full report from the Lords Committee on Science and Technology can be found here. It’s worth a read.