Lords calls for urgent action on internet security

The UK government must strive towards improving internet security, to avoid disastrous consequences for both businesses and individual users, according to an influential House of Lords committee.

If public confidence in the security of the internet is undermined or, if the internet itself is compromised, the ramifications would be wide-ranging and severe, according to the House of Lords Science and Technology Committee.

"We have become increasingly dependent on the internet, which is embedded in the critical national infrastructure in many countries. At VeriSign in Washington we were told that secure government-run networks now carry over $3tn (£1.5tn) traffic a day — the global economy would grind to a halt without the availability of the internet. And, on a personal level, our lives now depend on the internet — increasingly so, as health services rely more and more on internet-based communications," said Lord Broers, chair of the committee.

While an inquiry by the committee into personal internet security had not looked specifically at critical national infrastructure or cyberwarfare, "we need to be aware of these wider issues to get personal security into proportion", said Lord Broers on Friday.

"The internet is interlinked at many levels. Organised denial-of-service attacks are only possible because criminals, state-sponsored or otherwise, can call on the services of botnets, made up of thousands of [compromised] individual end-user machines. Personal internet security is the essential starting point," said Lord Broers, who added that VeriSign, the company that operates two of the internet's 13 root nameservers, had said that the US internet has to be capable of carrying 170 times the amount of traffic it would do under normal circumstances because of the amount of denial-of-service attacks that try to overwhelm it.

The UK government's emphasis on individuals taking ultimate responsibility for their internet safety is ineffectual, the committee found, and the responsibility is "too much for individual end users to cope with", according to Lord Broers.

"In fact, the reliance on individuals to police their own security risks [is] turning the internet into a semi-lawless 'Wild West'," said Lord Broers, adding that government reliance on education and information to deal with the situation is a "cop-out".

To mitigate the risks, it is imperative that the UK government changes its "laissez-faire" attitude and works more closely with all interested stakeholders, including manufacturers of hardware and software, retailers, internet service providers (ISPs), businesses, the police and the criminal justice system, said the committee's report.

The first step that needs to be taken is for the government and regulator Ofcom to liaise with ISPs and hardware and software manufacturers to improve personal internet security, said Lord Broers. "The government and Ofcom must work with industry to come up with recommendations. Industry will collaborate, as it's clearly in their interests to improve. We are not immediately recommending legislation," he said.

However, if self-regulation proves inadequate, the committee recommends that ISPs should no longer have recourse to the "mere conduit" defence if they are demonstrably aware of what compromised traffic is flowing over their networks.

Software and hardware vendors should also shoulder more responsibility by being made liable for the security of their products, according to the committee. The committee recommends that economic incentives should be put in place, and that, ultimately, European legislation should be enacted which guarantees vendor liability.

"Manufacturers get away with producing [products] that are sub-standard," said Richard Clayton, a Cambridge University computer science expert who advised the committee. "It doesn't do what it says on the tin. You have to back up stuff with security products because you can't trust what you've bought. If [software or hardware] fails, you should be recompensed for the loss of your data, or if [manufacturers] are just negligent. When you're programming, there are plenty of security tools to check for buffer overflows, say."

Lord Broers said: "Microsoft [as the dominant software manufacturer] is fully aware of the problem and they're allowing it to continue." However, Broers stressed that this was an issue for all software and hardware manufacturers.

Microsoft declined to comment. However, trade association Intellect said: "Intellect agrees that there are standards of software that need to be met but to expect vendors of software or hardware to hold sole responsibility for securing this information is unrealistic, and some responsibility must be taken by the individual to protect their businesses or their private information."

Data-breach legislation would incentivise businesses to take more care with personal data, said Clayton. "The notion is of a low-impact law. If an organisation loses personal data or a laptop is stolen, they are obliged to tell the people whose data has been taken that their data has been taken. It may mean they lose customers, but I hope it will make people take security more seriously in future," he said.

Whole-disk encryption on laptop, mobile and portable storage devices would easily alleviate the problem, Clayton added. "There would be no loss with sensible security precautions in place [like] whole-disk encryption. If you've encrypted laptops or tapes you wouldn't have lost the data."

Merlin, the Earl of Erroll, a member of the Science and Technology Committee, said: "A lot of online e-crime is focused on identity theft. Having personal details helps [criminals]. A lot of companies are not looking at security outside of the corporate network."

Talkback

I'll go with the wild west over government control. Great minds create something, now here comes the government to water down and destroy the creation.

1000227886 10 August, 2007 21:57

Is it just me or is the recent report from the government about internet fraud going just one stage too far?

While the Lords committee is right to highlight the threat of organised crime and unchecked private usage of the internet, the onus of protection is perhaps a bit skewed.

The question for me is how can government or business protect individual users more when individual users seem to be happy to give their personal details to any Tom, Dick or Harry just because they are online?

For the commission to say that an individual is currently responsible for their own internet security (which is ultimately true), and then imply that this should no longer be the case could set a dangerous precedent. We already see users have little or no regard for their own information once it is on the internet. Social networking is testimony to this, with internet users letting criminals get knowledge of personal details on a scale never before witnessed. How can institutions take more responsibility than they currently do when the personal owners (i.e. each individual user) of information seem to have so little regard for their own security? Statements about individuals being able to absolve themselves further from the responsibility for their own security, and heaping this responsibility onto third parties will only promote crime based on stupidity and a lack of care.

Throwing stones at government and business alike for not protecting the user is a poor solution to managing the problem of fraud. If the purpose of this report is to highlight the poor personal security of many individuals, I applaud it. If it is just to shift the blame to business, obfuscating the need for personal responsibility over your own identity and internet usage, that is something else.

Bart Patrick, SAS UK

SAS 13 August, 2007 09:12

I nearly agree with you, SAS. Security is about preventing intrusions, and information leakages, from all sides, and that means both individuals and businesses. Users must be educated, but no-one can pretend they don't have responsibility. Businesses (suppliers and end user companies) must play their role too. As to whether the Government is being heavy-handed, shouldn't we be grateful that it's interested?

RichardThurston 13 August, 2007 18:21