[ISN] Lords: Government doesn't get internet threat

From: InfoSec News (alerts@private)
Date: Thu Nov 01 2007 - 01:02:33 PST


http://news.zdnet.co.uk/security/0,1000000189,39290465,00.htm

By Tom Espiner  
ZDNet.co.uk
31 Oct 2007 

The government has been accused of putting its 'head in the sand', after 
rejecting many recommendations from the House of Lords aimed at 
protecting consumers online

The UK government has failed to understand the threat to the continued 
growth of the internet posed by cybercrime, according to the influential 
House of Lords Science and Technology Committee.

Lord Erroll, a member of the committee, hit out at the government's 
reaction to the committee's report into personal internet security, 
saying that the government had failed to react appropriately.

"Throughout our inquiry we tried to think outside the box, to look ahead 
10 years at what the internet might be like, taking into account the 
emerging risks and challenges today," Lord Erroll stated. "That's why 
our recommendations concentrated on incentives; we must ensure that 
everyone is motivated to improve security. Unfortunately, the government 
dismissed every recommendation out of hand, and their approach seems to 
solely consist of putting their head in the sand."

The government's reply to the committee's wide-ranging report on 
personal internet security, published on 10 August, was presented to 
Parliament on 24 October.

The Lords report had warned of the danger that public confidence in the 
internet would be lost, due to "perception that the internet is a 
lawless 'Wild West'." However, in its reply, the government rejected 
"the suggestion that the public has lost confidence in the internet and 
that lawlessness is rife", saying there was "an acceptable level of 
comfort with the technology".

Part of the government's reply addressed the recommendation that there 
should be a data-breach notification law to provide businesses with 
incentives to take better care of customer data. The government rejected 
this, saying that there was no clear evidence that a law that forced 
companies to admit when they had been the victims of cybercrime would be 
effective.

"We are... clearly not so convinced as the committee that [a data-breach 
notification law] would immediately lead to an improvement in 
performance by business in regard to protecting personal information, 
and we do not see that it would have any significant impact on other 
elements of personal internet safety," said the government response.

Lord Erroll told ZDNet.co.uk that the government had "missed the point" 
of having a data-breach notification law. He said that not only would 
this give businesses an incentive to better safeguard customer data, but 
it would also provide law enforcement with accurate figures to judge the 
scale of the problem and react accordingly.

"One challenge to internet security is that there are no real figures on 
the scale of the problem, and such a law would provide those figures. 
Primarily, the law would tighten up company procedures, but no-one 
really knows the scale of the problem," Erroll said.

The government did say that it would consider finding "more formal ways" 
of reporting security breaches to the Information Commissioner's Office 
(ICO), but only "when problems arise".

Lord Erroll said this did not go far enough, as, by the time problems 
have arisen, is too late — especially given that the information 
commissioner has to be invited into an organisation that has suffered a 
security breach. The committee had wanted extra powers for the 
information commissioner to be able to audit systems before problems 
arose.

"The information commissioner can only act after a breach or serious 
concern has been raised," said Lord Erroll. "If you've got to wait until 
the horse bolts before you put a lock on the stable door, it's too late. 
We'd like the information commissioner to be able to examine the stable 
doors."

The information commissioner is charged with upholding the Data 
Protection Act. Lord Erroll said the committee thinks the government is 
reluctant to grant the information commissioner more powers to 
proactively audit systems because the government itself would then be 
subject to more ICO scrutiny.

"The powers would apply to government as well as the private sector. We 
think that's why [the government] is resisting it," said Lord Erroll.

The government also rejected calls for software and hardware vendors to 
be liable for the security of their products, and for banks to guarantee 
e-fraud refunds.



__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com



This archive was generated by hypermail 2.1.3 : Thu Nov 01 2007 - 01:16:58 PST