Report divides internet stakeholders

A new report from the House of Lords Science and Technology Committee could lead to a major overhaul of internet security practices in the UK, with recommendations ranging from the setting up of a central web-based e-crime reporting system to the introduction of security breach notification laws.

According to the proposal, the reporting tool would help law enforcement agencies gain an understanding of the computer crime landscape in the UK, and offer a central repository to collate reports and identify patterns.

A web-based system could be a useful tool for companies if it offered a confidential method of reporting attacks and a more direct link to police IT specialists, something previously provided by the UK's National Hi-Tech Crime Unit, which is now part of the Serious Organised Crime Agency.

The report also backs the proposed Police Central E-crime Unit and calls for ìthe establishment of a central network of computer forensic laboratories to support individual forces.

Jeremy Beale, head of e-business at the CBI, welcomed the report's recommendations. A central e-crime reporting system to pull together criminal investigations at a national level could really speed up the process of identifying and prosecuting crimes, Beale argued.

What would also make a real difference would be improved police capabilities and resources, which the report notes are entirely inadequate at present.

The proposal also calls for a review of the current system that requires online fraud to be reported directly to banks. Instead, fraud victims should be able to lodge a police report and have some formal acknowledgement of the fact of a crime having been committed, the report argues.

Another Lords recommendation is the introduction of data security breach notification legislation that would force firms to report incidents that impact
customer privacy.

Chairman of the committee, Lord Broers, said, "There is little incentive for organisations to take steps to improve security - if they lose personal data, and can keep it out of the media, they don't suffer."

One of the more controversial aspects of the report is its call for IT vendors to be held liable for weaknesses in their products. Unsurprisingly, vendors are skeptical of the proposal.

An approach along the lines suggested in the report on the issue of liability could result in the opposite effect and risk reducing consumer choice and end users' security and privacy, said Symantec's government relations analyst, Ilias Chantzos.

Martin Hill of IT trade association Comptia argued that the responsibility for internet security should be shared between users at a corporate and consumer level, and the vendor community.

Research shows that human error is the main cause of IT security breaches, Hill added. Despite this, a low percentage of firms have end-to-end security awareness training programmes or IT staff skilled in security issues. Businesses must build security into their corporate ethos.