Home Office demands massive cybersecurity overhaul

The government has warned that police and law makers need to step up their efforts to fight crime on the Internet.

A Home Office report called "The Future of Netcrime Now", which it began work on two years ago and published last week, said that police need to try and get ahead of the growing problem of cybercrime if they are to successfully tackle it.

The report stated: "The continuing emergence of new opportunities for offending requires a broadening of the parties involved in tackling such problems; hence policy makers and law enforcement must continue to gear up, building relationships with the kind of individuals and organisations recruited for this research so as to remain abreast, if not ahead, of the criminal threats and challenges we continue to face."

The Home Office did not respond for comment on the report in time for this article, but sources say that the author behind it has moved on from Home Office cybersecurity research team. According to reports, the Home Office asked the last survey question in February 2003 -- suggesting the reports findings could be at least a year old.

The report said that seven out of the top ten problems on the Internet related to online paedophilia groups, and that technology was providing more opportunities for crimes such as spying and piracy.

"The combination of the Internet and global retailing now paves the way for such rapid and wide dissemination of new technology that unpredictable negative consequences do not just locally emerge but often explode onto the global environment. Such a rapid emergence of new criminal tools or opportunities can lead to what has been termed a 'crime harvest', as offenders reap the new found criminal opportunity before it is closed," said the report.

It added that police could soon be forced to play a similar game of catch-up with crime as software vendors face today when they are required to reactively patch vulnerabilities in their software.

"The lag between offender first move and defender response is what one must seek to reduce or even close. Unfortunately, in terms of software vulnerabilities, the lag is moving in the offenders' favour, as the time delay between the discovery of a vulnerability (by various sources) and its exploitation by offenders is narrowing, giving less time for the vendor to produce and distribute the patch. What is one to do in light of the increasingly complex and rapid development of information and communications technology which is often accompanied by criminal opportunities?"

The report criticised British banks' security practices, stating that they needed improved measures to protect their customers from crime. Unlike some banks in Scandinavia, British banks have failed to implement two-factor authentication technology, such as RSA's SecureID, for Internet banking, despite calls from former White House cyber-security advisors Howard Schmidt and Richard Clarke to do so. Clarke said that online banking transactions cost just half of one percent of a physical transaction.

"Organisations such as online banks are only recently getting to grips with how they inform their users of threats such as the use of fake emails and bank Web sites. They, along with numerous other providers of online goods and services, need to review the security of their offerings, the secure practice information they give customers, and put in place rapid response measures when a vulnerability of some kind is exploited by adaptive criminals," said the Home Office's report.

The Association for Payment Clearing Services (APACS), which represents the banking industry, said last month that no decisions had been taken to go ahead with two-factor despite the rise in phishing attacks.

"The fact is it's a massive undertaking," said Tom Salmond, a managing consultant in the e-banking fraud liaison group at APACS. "It's under active consideration, but no decisions have been made at this time."

The Home Office report makes several recommendations to improve Internet and cybercrime policing in general. It said that 'netcrime' investigative techniques should be integrated to work with physical investigation practices, and that there should be a co-ordinated intelligence gathering exercise to examine organised crime on the Web.

The National Hi-Tech Crime Unit, which is dedicated to fighting organised hi-tech crime, was unavailable to comment on this issue at the time of writing.

The report also said that efforts should be made to remove or disrupt the availability of malicious Internet tools and that every police officer should be given a basic level of anti-cybercrime training. Earlier this year Centrex, the organisation that provides anti-cybercrime training, saw its budget cut by 30 percent. It said that cuts were not just applicable to training in computer investigations.

The police could begin employing private companies to handle digital forensics work, the report said. "Possible solutions include the outsourcing of such examination to a suitable third party and the use of police staff specialists rather than officers to undertake such forensic recovery." It added that police forces needed to allocate resources to for specialist officers to receive relevant cybercrime training. Last month, the Association of Chief Police Officers said police forces were facing a £350m shortfall in budgets from struggling to juggle funds because of new responsibilities, such as fighting cybercrime.

The report also hinted that police could employ the skills of people with questionable backgrounds. "Law enforcement and other agencies must be creative in identifying additional skilled individuals to support netcrime investigations."

The report backed suggestions from European security lobbyist EURIM that the UK needs to have a facility to report cybercrimes. It said that the government needed to launch a 'safe and legal surf' awareness campaign to children to make them aware of the penalties for illegal activity.

The report surveyed 53 security experts.