UK House of Lords internet security report challenges government position
The Lords recommend that banks, rather than customers, should bear the burden of transaction fraud. This is only one of the points where they challenge, to the core, the conventional wisdom on ways to secure the internet for public use, identifying current failings by both government and commerce, including poor intelligence gathering and sharing, over-reliance on end users to secure themselves, inadequate attention to authentication for internet banking, and insufficient liability of ISPs for the content they carry. However, when addressing possibly the thorniest issue currently under scrutiny - the legality of hacker tools - the Lords seem less assured.
The culmination of over a year of research and discussion by the House of Lords Science and Technology Committee, the 121-page report "Personal Internet Security", published today, runs to seven sections covering protocols, technologies, appliances and applications, and internet use by business and individuals. It is in several places critical of current government approaches to internet security, for example stating in the conclusions to chapter 2 that "The Government ... have a responsibility to show leadership in pulling together the data [on the internet security risk] that are available, interpreting them for the public ... Instead of doing this, the Government have not even agreed definitions of key concepts such as “e-crime”." In chapter 3 a conclusion is that "The current assumption that end-users should be responsible for security is inefficient and unrealistic. We therefore urge the Government and Ofcom to engage with the network operators and Internet Service Providers to develop higher and more uniform standards of security within the industry", simultaneously recommending restriction of the "mere conduit" defence currently available to ISPs where their infrastructure is identified as carrying malicious traffic. A further bold recommendation is the imposition, on a Europe-wide basis, of product and appliance vendor liability where negligence is demonstrable, EULA terms notwithstanding.
Probably the most dramatic recommendation is that "the Government introduce amendments to the criminal law, explicitly to criminalise the sale or purchase of the services of a botnet, regardless of the use to which it is put." However, elsewhere in the report it is commented that "Legitimate security researchers are at risk of being criminalised as a result of the recent amendments to the Computer Misuse Act 1990", by which is almost certainly meant the currently suspended "supply" clause in Part 5 of the Police and Justice Act, the equivalent of which has already been passed into law in Germany and is likely to be adopted eventually throughout the EU. This single most difficult and critical issue - the balance between protection against malicious use of technologies and the legitimate use of similar technologies to assist in the identification of system vulnerabilities - is disappointingly the one where this otherwise constructive and challenging report is ambivalent. As the emphasis is on the recommendation rather than the comment, we can probably expect the draconian position to dominate the decision making, to the detriment of security researchers and defenders alike.
- Personal Internet Security, House of Lords Science and Technology Committee report