The House of Lords Science and Technology Committee has delivered its verdict on personal internet security, calling for the government to set up a centralised e-crime unit and for ISPs and software vendors to take more responsibility for security breaches.

The report argues that individuals cannot be expected to take sole responsibility for their online security as the threats facing them are too complex. Besides, individuals often don't realise that they have become a victim of an attack.

"End users may not even have an incentive to improve security, if the only consequence of poor security is that they lose a little bandwidth to a botnet," said Lord Broers, chair of the committee.

ISPs and security software vendors currently put too much emphasis on individual responsibility for online security and need to take more action, according to the report.

"It is clear that if an ISP is aware that one of its systems is perpetrating spam email it should take steps to stop it," said Lord Broers.

ISP PlusNet said that while individuals couldn't be expected to know about every threat, there was a limit to what an ISP could do.

"Naturally consumers won't be up to speed on every single attack, in the same way that ISPs cannot be expected to scan every website or email," Neil Armstrong, product director at PlusNet, told Web User.

There were other voices of concern, including the Confederation of British Industry (CBI).

Jeremy Beale of the CBI said: "Whilst appealing on the surface, new rules such as increased liabilities on ISPs and software providers need to be treated with caution.

"Such catch-all legislation to address personal security is not guaranteed to work in the fast-evolving landscape of the Internet. It could also impose a disproportionate burden on businesses already struggling to develop effective security practices in the complex world of internet commerce," he continued.

These fears were echoed by security firm Symantec.

"We are concerned by the call to legislate specifically on liability in the IT industry. Such an approach does not take into account the complexity of the IT industry," Symantec's spokesperson said.

A human rights organisation warned that placing more responsibility on ISPs could have a negative effect on the individual.

"Any re-examination of ISP liability needs to be handled very carefully. ISPs are not best placed to police the network, and can be expected to react to this kind of pressure by knocking users off the network without appropriate levels of investigation," the Open Rights Group said in a statement.

The committee also proposed that the police should be the first port of call when reporting cybercrime, not banks as the government has previously recommended.

Lord Broers called for a "reversal of the fundamentally flawed decision taken earlier this year that online frauds should be reported in the first instance not to the police, but the banks.

This "undermines the reliability of crime reporting and statistics, and can only erode pulic trust," he added.

The recommendation to set up a central e-crime unit was welcomed by some in the industry.

"Symantec supports recommendations such as the creation of a police central e-crime unit and the introduction of appropriate data breach notification laws," a spokesperson for Symantec said in a statement.

The most important aspect of the report, though, was that any fight against cybercrime has to be unified. The committee called on the government to work with industry regulator Ofcom as well as ISPs and security and hardware vendors.

Cristina Hoole, spokesperson for PayPal, backed a unified approach to e-crime and stressed the importance of tackling the matter.

"Online companies have an obligation to consumers to help them stay safe online, so they do not become the unwitting victims of e-crime. However, a successful programme does not, and cannot stop there – Government, the police, financial services providers, internet providers, retailers, must all work together to fight the criminals," said Hoole.

The Internet Service Providers' Association (ISPA) agreed that the most effective way to fight cybercrime involved all interested parties pulling in the same direction.

"Personal Internet security must be a joint effort between the internet industry, the Government and its agencies and importantly end-users. A concerted effort to raise awareness of known risks and effectively enforce existing laws is also critical," said Jessica Hendrie-Liaño of ISPA.

www.parliament.uk

More news via RSS Post item to Del.icio.us Post item to Digg.com

Back to index