
Lords calls for urgent action on internet security

The House of Lords has urged the government to change its 'laissez-faire' attitude and tackle public internet security concerns
Written by Tom Espiner, Contributor

The UK government must strive towards improving internet security, to avoid disastrous consequences for both businesses and individual users, according to an influential House of Lords committee.

If public confidence in the security of the internet is undermined, or if the internet itself is compromised, the ramifications would be wide-ranging and severe, according to the House of Lords Science and Technology Committee.

"We have become increasingly dependent on the internet, which is embedded in the critical national infrastructure in many countries. At VeriSign in Washington we were told that secure government-run networks now carry over $3tn (£1.5tn) traffic a day — the global economy would grind to a halt without the availability of the internet. And, on a personal level, our lives now depend on the internet — increasingly so, as health services rely more and more on internet-based communications," said Lord Broers, chair of the committee.

While an inquiry by the committee into personal internet security had not looked specifically at critical national infrastructure or cyberwarfare, "we need to be aware of these wider issues to get personal security into proportion", said Lord Broers on Friday.

"The internet is interlinked at many levels. Organised denial-of-service attacks are only possible because criminals, state-sponsored or otherwise, can call on the services of botnets, made up of thousands of [compromised] individual end-user machines. Personal internet security is the essential starting point," said Lord Broers, who added that VeriSign, the company that operates two of the internet's 13 root nameservers, had said that the US internet has to be capable of carrying 170 times the amount of traffic it would do under normal circumstances because of the amount of denial-of-service attacks that try to overwhelm it.

The UK government's emphasis on individuals taking ultimate responsibility for their internet safety is ineffectual, the committee found, and the responsibility is "too much for individual end users to cope with", according to Lord Broers.

"In fact, the reliance on individuals to police their own security risks [is] turning the internet into a semi-lawless 'Wild West'," said Lord Broers, adding that government reliance on education and information to deal with the situation is a "cop-out".

To mitigate the risks, it is imperative that the UK government changes its "laissez-faire" attitude and works more closely with all interested stakeholders, including manufacturers of hardware and software, retailers, internet service providers (ISPs), businesses, the police and the criminal justice system, said the committee's report.

The first step that needs to be taken is for the government and regulator Ofcom to liaise with ISPs and hardware and software manufacturers to improve personal internet security, said Lord Broers. "The government and Ofcom must work with industry to come up with recommendations. Industry will collaborate, as it's clearly in their interests to improve. We are not immediately recommending legislation," he said.

However, if self-regulation proves inadequate, the committee recommends that ISPs should no longer have recourse to the "mere conduit" defence if they are demonstrably aware of what compromised traffic is flowing over their networks.

Software and hardware vendors should also shoulder more responsibility by being made liable for the security of their products, according to the committee. The committee recommends that economic incentives should be put in place, and that, ultimately, European legislation should be enacted which guarantees vendor liability.

"Manufacturers get away with producing [products] that are sub-standard," said Richard Clayton, a Cambridge University computer science expert who advised the committee. "It doesn't do what it says on the tin. You have to back up stuff with security products because you can't trust what you've bought. If [software or hardware] fails, you should be recompensed for the loss of your data, or if [manufacturers] are just negligent. When you're programming, there are plenty of security tools to check for buffer overflows, say."

Lord Broers said: "Microsoft [as the dominant software manufacturer] is fully aware of the problem and they're allowing it to continue." However, Broers stressed that this was an issue for all software and hardware manufacturers.

Microsoft declined to comment. However, trade association Intellect said: "Intellect agrees that there are standards of software that need to be met but to expect vendors of software or hardware to hold sole responsibility for securing this information is unrealistic, and some responsibility must be taken by the individual to protect their businesses or their private information."

Data-breach legislation would incentivise businesses to take more care with personal data, said Clayton. "The notion is of a low-impact law. If an organisation loses personal data or a laptop is stolen, they are obliged to tell the people whose data has been taken that their data has been taken. It may mean they lose customers, but I hope it will make people take security more seriously in future," he said.

Whole-disk encryption on laptop, mobile and portable storage devices would easily alleviate the problem, Clayton added. "There would be no loss with sensible security precautions in place [like] whole-disk encryption. If you've encrypted laptops or tapes you wouldn't have lost the data."

Merlin, the Earl of Erroll, a member of the Science and Technology Committee, said: "A lot of online e-crime is focused on identity theft. Having personal details helps [criminals]. A lot of companies are not looking at security outside of the corporate network."
