Lords: Government doesn't get internet threat
The UK government has failed to understand the threat to the continued growth of the internet posed by cybercrime, according to the influential House of Lords Science and Technology Committee.
Lord Erroll, a member of the committee, hit out at the government's reaction to the committee's report into personal internet security, saying that the government had failed to react appropriately.
"Throughout our inquiry we tried to think outside the box, to look ahead 10 years at what the internet might be like, taking into account the emerging risks and challenges today," Lord Erroll stated. "That's why our recommendations concentrated on incentives; we must ensure that everyone is motivated to improve security. Unfortunately, the government dismissed every recommendation out of hand, and their approach seems to solely consist of putting their head in the sand."
The government's reply to the committee's wide-ranging report on personal internet security, published on 10 August, was presented to Parliament on 24 October.
The Lords report had warned of the danger that public confidence in the internet would be lost, due to "perception that the internet is a lawless 'Wild West'." However, in its reply, the government rejected "the suggestion that the public has lost confidence in the internet and that lawlessness is rife", saying there was "an acceptable level of comfort with the technology".
Part of the government's reply addressed the recommendation that there should be a data-breach notification law to provide businesses with incentives to take better care of customer data. The government rejected this, saying that there was no clear evidence that a law that forced companies to admit when they had been the victims of cybercrime would be effective.
"We are... clearly not so convinced as the committee that [a data-breach notification law] would immediately lead to an improvement in performance by business in regard to protecting personal information, and we do not see that it would have any significant impact on other elements of personal internet safety," said the government response.
Lord Erroll told ZDNet.co.uk that the government had "missed the point" of having a data-breach notification law. He said that not only would this give businesses an incentive to better safeguard customer data, but it would also provide law enforcement with accurate figures to judge the scale of the problem and react accordingly.
"One challenge to internet security is that there are no real figures on the scale of the problem, and such a law would provide those figures. Primarily, the law would tighten up company procedures, but no-one really knows the scale of the problem," Erroll said.
The government did say that it would consider finding "more formal ways" of reporting security breaches to the Information Commissioner's Office (ICO), but only "when problems arise".
Lord Erroll said this did not go far enough, as, by the time problems have arisen, is too late — especially given that the information commissioner has to be invited into an organisation that has suffered a security breach. The committee had wanted extra powers for the information commissioner to be able to audit systems before problems arose.
"The information commissioner can only act after a breach or serious concern has been raised," said Lord Erroll. "If you've got to wait until the horse bolts before you put a lock on the stable door, it's too late. We'd like the information commissioner to be able to examine the stable doors."
The information commissioner is charged with upholding the Data Protection Act. Lord Erroll said the committee thinks the government is reluctant to grant the information commissioner more powers to proactively audit systems because the government itself would then be subject to more ICO scrutiny.
"The powers would apply to government as well as the private sector. We think that's why [the government] is resisting it," said Lord Erroll.
The government also rejected calls for software and hardware vendors to be liable for the security of their products, and for banks to guarantee e-fraud refunds.