Outlawing lax security

US lawmakers are currently proposing the idea of mandatory IT security audits to force companies to take security seriously but what's the support like for similar legislation in the UK?
Written by Graeme Wearden, Contributor

Legislation currently under scrutiny by the US House of Representatives could force publicly traded US corporations to certify that they have conducted an annual computer security audit. This assessment would have to be conducted by a third party, and those supporting the proposal say it would protect America's information networks.

Many technology companies are said to be lobbying heavily against the introduction of such a law, while others point out that to be truly effective such a proposal would have to also apply to private firms and government agencies.

But would the UK benefit from such a law and is there any noise being made about enforced security on this side of the Atlantic? The official line from the government is that effective corporate IT security is fundamentally the responsibility of the companies concerned. "We've got no plans to enforce mandatory IT audits. This isn't on the agenda at all at present," explains a Home Office spokesman. He added that the government is making an effort to ensure the security of companies that play a vital role in the running of the country, through the National Infrastructure Security Coordination Centre (NISCC).

The NISCC was set up around four years ago. Its role is to protect the companies and organisations that operate the UK's critical national infrastructure – such as energy, water and telecommunications networks, or government departments – from attacks on their computer networks.

The Home Office insists the risk of an electronic attack aimed at a company that is part of the critical infrastructure of the country is very small. The consequences of such an attack could be catastrophic, which is why the government chose to play a closer role in protecting these companies.

Risks and responsibilities
Leaving other firms to handle IT security themselves could be a big mistake if they can't cope with the responsibility, according to some experts. "Some companies are already aware of the risks and are taking action, especially in sectors such as banking, communications and the critical infrastructure. The problem is that they're generally the large companies," says Jeremy Beale, head of e-business at the Confederation of British Industry (CBI), who believes that the vast majority of medium and small businesses don't have the in-house technical expertise to make themselves secure and to engage with suppliers.

These minnows, if insecure, can be a major irritation to bigger fish in the business sea.

"These small firms will be part of a supply chain with larger companies, and the security and robustness of a supply chain is only as strong as its weakest link," Beale warns.

Voluntary standards
But despite this knock-on effect, the CBI says it doesn't support the introduction of compulsory IT audits as suitable standards aren't yet in place. A number of voluntary standards exist, including BS7799 and the tScheme e-commerce mark. There are also several existing bodies that aim to support IT security, such as the Security Alliance for Internet and New Technologies (SAINT) and the Central Sponsor for Information Assurance (CSIA) -- a unit of the Cabinet Office that promotes information assurance.



Beale says the current situation is "a bit diffuse", and he would like the government to provide incentives for the development of some clear, universal standards. Future legislation can never be ruled out, but there is a strong argument that it should very much be a last resort given the difficulties of drafting a workable law, he claims.

Liberal Democrat Richard Allan MP says that while company and government services should conduct IT security audits on a regular basis to ensure that they can detect and resolve any weaknesses in their systems, framing legislation in such a rapidly moving area would be difficult.

"There is a risk that an audit imposed by regulation would simply become a check box to tick rather than security being the concern of everyone in an organisation," warns Allan, one of Westminster's most technologically savvy MPs. He wants the issue of IT security to be addressed now rather than waiting for a specific new legal requirement to come into place.

"Rather than bringing in new legislation, it may be more effective to make all company directors aware of the many existing legal responsibilities that mean they must run secure systems. Laws on data protection, financial probity, trading standards, and consumer protection amongst others, as well as commercial requirements under financial and contract law all mean that businesses need to consider the security of their IT," Allan pointed out.

Dan Scobie, head of business solutions at ISP Star Internet, agrees that creating a new law for IT security would be tricky. "The danger is that we'd end up with another Data Protection Act scenario -- with complicated legislation that is very difficult to interpret." Another hurdle is that the whole process of introducing legislation would take far too long to be practicable, he adds.

"You've got to write the legislation, find Parliamentary time and push it through Parliament. Suddenly, you find you've done nothing for five years," he says.

The US approach
Similar arguments are currently being made in America, where it is thought unlikely that the "Corporate Information Security Accountability Act", prepared by Representative Adam Putnam, will become law. But unless the technology industry cleans up its act, some type of mandatory system may be inevitable.

The United States has a cybersecurity policy, called the National Strategy to Secure Cyberspace, but critics claim it lacks teeth. Five working groups are currently working on white papers, hoping to deliver recommendations that can be implemented quickly.



In the meantime, existing scrutiny procedures have a role to play, according to Brice Clark, worldwide director of strategy and business planning for HP's ProCurve networking business. He recently met a senior executive from a company that failed a general audit, because the auditors were able to get into the boardroom, plug a laptop into a wide-open Ethernet network and crash the company's IT system.

"The potential for abuse in this way is enormous, because so many companies do the same thing. Frankly, I'm amazed the problem isn't worse," Clark says. He, though, doesn't personally believe that legislation is the answer, favouring the education route.
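The boardroom story above is a classic case of an unauthenticated network port: anyone who can reach a wall jack is on the LAN. The preventive fix is port-level authentication (802.1X) or switch port security, but a cheap detective check is to compare what the switch actually sees against an asset register and flag anything unregistered. The following is an added example, not code from the article or from HP: it parses a constructed MAC-address table in the style of a typical switch's `show mac address-table` output (the format, the hypothetical asset register and the sample addresses are all assumptions) and reports devices that nobody has registered.

```python
"""Flag devices on a LAN segment that are not in an asset register.

Added example (not from the article). The MAC-table format below is modelled
on the 'show mac address-table' output of many switches; the asset register
and the sample addresses are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample: three registered hosts on the boardroom VLAN plus one
# device on port Gi1/0/5 that nobody registered (the auditor's laptop in
# the article's story).
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  10    0011.2233.4477    STATIC      Gi1/0/3
  10    00ab.cdef.0123    DYNAMIC     Gi1/0/5
"""

# Hypothetical asset register: MAC -> description. In practice this would
# come from a CMDB, DHCP reservations or an NAC system.
ASSET_REGISTER = {
    "00:11:22:33:44:55": "boardroom-pc-1",
    "00:11:22:33:44:66": "boardroom-pc-2",
    "00:11:22:33:44:77": "conference-phone",
}

# One data row: VLAN, dotted-hex MAC, entry type, port. Header and
# separator lines do not match and are skipped.
MAC_TABLE_LINE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+\S+\s+(?P<port>\S+)\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    vlan: int
    mac: str
    port: str


def normalise_mac(mac: str) -> str:
    """Accept 'aabb.ccdd.eeff', 'AA-BB-CC-DD-EE-FF' or 'aa:bb:...' and
    return the canonical lower-case colon form, so register and switch
    output can be compared regardless of vendor formatting."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> list[tuple[int, str, str]]:
    """Return (vlan, canonical mac, port) for every data row in the table."""
    rows = []
    for line in text.splitlines():
        m = MAC_TABLE_LINE.match(line)
        if m:
            rows.append((int(m["vlan"]), normalise_mac(m["mac"]), m["port"]))
    return rows


def unregistered_devices(mac_table_text: str, register: dict) -> list[Finding]:
    """Every MAC the switch has learned that is absent from the register."""
    known = {normalise_mac(k) for k in register}
    return [
        Finding(vlan, mac, port)
        for vlan, mac, port in parse_mac_table(mac_table_text)
        if mac not in known
    ]


if __name__ == "__main__":
    for f in unregistered_devices(SAMPLE_MAC_TABLE, ASSET_REGISTER):
        print(f"VLAN {f.vlan} port {f.port}: unregistered device {f.mac}")
```

Run against the constructed table, this reports the single unknown device on Gi1/0/5. Two caveats a practitioner should keep in mind: a MAC allowlist is trivially spoofed, so this is an after-the-fact detection, not a substitute for 802.1X or port security on the jack itself; and it only sees what the switch has learned, so it must be run per switch and per VLAN to cover every reachable port.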

The value of an audit
Other experts question whether getting an independent organisation to assess a firm's IT security would actually be that valuable. "Just because you get a third party to audit the security of your organisation does not necessarily mean that any off-the-shelf audit they conduct will be sufficient for your needs," says Graham Cluley, senior technology consultant at security firm Sophos.

An audit of a company's accounts seeks to confirm that they are a true and accurate representation of the company's financial state of affairs. It doesn't make any comments on whether this is a good or bad state of affairs to be in -- that responsibility lies with the shareholders. In the same way, an IT security audit that merely stated that a firm was running antivirus software without checking that the latest patches were installed would be of little value.

An annual IT security audit might also tempt companies to ignore such matters for the rest of the year. "It could lead to an attitude within enterprises that sees annual audits as discharging the responsibility for security or supplanting more stringent safeguards already in place in an enterprise, and so ending up making matters worse," claims Manek Dubash, director of analyst group Webster Buchanan Research. "As ever, governments need to think through fully the real world consequences before moving to legislate, and consider whether they've picked the right tool for the job," he adds.

With the Home Office insisting that mandatory security audits aren't under consideration in the UK, Britain's business community has an opportunity to up its game away from the glare of the spotlight. It's an opportunity it would do well to seize, as it might take just one devastating virus or hacker attack to push calls for new legislation. "If people can't work together and achieve some commonality, the danger is that government will decide to impose some level of audit," Beale predicts.

And once the internal details of your firm have been taken down, who knows where that evidence might end up. "One potential medium-term outcome of the US proposal is that a successor government might insist on the results of security audits being lodged with a governmental agency under the guise, for example, of aiding the so-called 'war against terrorism'," warns Dubash.

