Lords chides government over internet security
The government must act now or risk losing public confidence in the security of the internet, an influential House of Lords committee has found.
A wide-ranging inquiry into personal internet security conducted by the House of Lords Science and Technology Committee has "highlighted the threat to the future of the internet posed by e-crime".
"The government must do more to protect individual internet users," a House of Lords statement read.
"The internet, while still a powerful force for good, has increasingly become the playground for criminals. Today's e-criminals are highly skilled, organised and motivated by financial gain. Individual internet users are increasingly victimised," said the report.
The Science and Technology Committee criticised the "laissez-faire attitude" taken not only by the government but also by manufacturers of hardware and software, retailers, internet service providers (ISPs), businesses, such as banks, that operate online, the police and the criminal justice system.
"The government has insisted in evidence to this inquiry that the responsibility for personal internet security ultimately rests with the individual," the Lords report said. "This is no longer realistic, and compounds the perception that the internet is a lawless 'Wild West'. It is clear to us that many organisations with a stake in the internet could do more to promote personal internet security."
The IT industry caught flak in the report for not historically making security a priority. While this is gradually changing, more radical and rapid change is needed if the industry is to "keep pace with the ingenuity of criminals and avoid a disastrous loss of confidence in the internet".
"The major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority. We urge the industry, through self-regulation and codes of best practice, to demonstrate its commitment to this principle," said the report.
Security safeguards
However, as well as self-regulation, the committee recommended that the government explores, at the European level, the introduction of vendor liability within the IT industry.
"In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end-user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced," said the report.
ISPs have in the past used the "mere conduit" argument in their defence, said the Lords. Now the committee has recommended that the government and Ofcom engage with network operators and ISPs to develop higher and more uniform standards of security within the industry.
"In particular we recommend the development of a BSI-approved kitemark for secure internet services. We further recommend that this voluntary approach should be reinforced by an undertaking that, in the longer term, an obligation will be placed upon ISPs to provide a good standard of security as part of their regulated service."
Banks and online retailers are also not doing enough to protect customers, the report said.
"The steps currently being taken by many businesses trading over the internet to protect their customers' personal information are inadequate. The refusal of the financial-services sector in particular to accept responsibility for the security of personal information is disturbing, and is compounded by apparent indifference at government level. Governments and legislators are not in position to prescribe the security precautions that should be taken; however, they do have a responsibility to ensure that the right incentives are in place to persuade businesses to take the necessary steps to act proportionately to protect personal data," said the report.
The committee also recommended that the government increase the resources and skills available to the police and criminal justice system to catch and prosecute e-criminals, and establish a centralised and automated system, administered by law enforcement, for the reporting of e-crime.