August 15 2007

Lords calls for government action on e-crime

Government must act now to maintain confidence in the internet, according to a report on the threat of e-crime produced by the House of Lords Science and Technology Committee.

The Committee argues that the laissez-faire attitude taken to internet security by a range of stakeholders including Government, ISPs, hardware and software manufacturers and others risks undermining public confidence in the internet and contributes to a 'wild west' culture where the end user alone is responsible for ensuring they are protected from criminal attacks online.

Instead of acting to protect individuals, or providing incentives for the private sector to act, Government continues to insist that individuals are ultimately responsible for their own security. The Committee describe this approach as "inefficient and unrealistic".

The Lords Committee recommends a range of measures that would:

Increase the resources and skills available to the police and criminal justice system to catch and prosecute e-criminals

Establish a centralised and automated system, administered by law enforcement, for the reporting of e-crime.

Provide incentives to banks and other companies trading online to improve the data security by establishing a data security breach notification law.

Improve standards of new software and hardware by taking the first steps towards the establishment of legal liability for damage resulting from security flaws.

Encourage internet service providers to improve the security offered to customers by establishing a "kite mark" for internet services.

Lord Broers, Chairman of the House of Lords Science and Technology Committee, said: "People are said to fear e-crime more than mugging. That needs to change, or else confidence in the internet could be destroyed.

"You can't just rely on individuals to take responsibility for their own security. They will always be out-foxed by the bad guys. We feel many of the organisations profiting from internet services now need to take their share of the responsibility. That includes the IT industry and the software vendors, the banks and internet traders, and the internet service providers.

"The state also needs to do more to protect the public, not only the government itself, but regulators like Ofcom, the police and the court system.

"You can't legislate for better internet security. But the Government can put in place incentives for the private sector to up their game. And they can invest in better data protection and law enforcement. It's time to act now, before it's too late."

Lee Lawson, lead penetration tester at managed security consultancy, dns comments: "While web applications do create more speed and mobility for transactions on the web, the variety of threats that now exist is growing rapidly. Now, more than ever, businesses and retailers alike should have a Web Applications Security Assessment (WASA) at least once a year, to ensure the safety of online activity.

"WASA is different from a lot of traditional penetration and FTP testing, requiring automated and manual testing to identify and strengthen any weaknesses in Internet accessible applications. Though the House of Lords report shows that there aren't any exact statistics as to the scale of the problem, concern is growing. All retailers and companies operating online want to avoid exposure of sensitive customer details at all costs, so they must ensure that their 'public presence' is fully tested."

Paul Simms, a fraud protection specialist and CEO of the 3rd Man comments: "The apparent lawlessness is the result of frequent misunderstandings between organisations and people in the industry. All of the security to protect is there as long as organisations and people use it. The internet has opened up a world of exposure and users of it must take reasonable steps themselves to protect themselves and their customers."

Emma Herrod