Select Committee on Science and Technology Written Evidence


Memorandum by Michael Forster (Network Security Architect)

DEFINING THE PROBLEM

What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

    —  Individuals suffering financial fraud (eg phishing, pharming, insecure internet connections, viruses, spyware, insecure email correspondence, insecure web site usage).

    —  Identity theft with consequential loss (eg insecure public databases with more and more detailed information all in one place).

    —  Being framed for another's crimes (eg through stolen credit card usage, or abuse of open wireless networks attributable to individuals).

    —  Some innocents being unfairly arrested on inappropriate evidence (eg some of the victims of Operation Ore).

    —  Individuals unknowingly breaking the law, or their family breaking the law—both criminal and civil (eg children on music download sites).

    —  Loss of personal work (eg viruses destroying creative work).

    —  Loss of reputation (eg people displaying their ignorance by suffering the above).

    —  Loss of privacy (eg on hacked machines).

    —  Distress caused to innocent parties (eg children suffering from inappropriate emails, instant messenger abuse, child exploitation).

    —  IT specialists suffering attention of organized crime and the threat of violence (eg bank security staff held to ransom).

    —  The loss of availability of IT functionality (eg DOS attacks on DNS infrastructure).

What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

  The cases that reach the newspapers and courts are likely to be a small percentage of all incidents.

How well do users understand the nature of the threat?

  Most users see a computer as "white goods"; in many ways a computer is more like a car, with similar potential for catastrophe. The misrepresentation of threat levels by press horror stories is also unhelpful, as it can conceal the real facts and issues.

TACKLING THE PROBLEM

What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs?

  New PCs being pre-installed with freeware security software with no ongoing subscription requirements eg: Zonealarm firewall (free for personal use) and AVG (free personal edition).

  New IT equipment should be distributed with a default of security on instead of off (eg wireless routers with changed admin passwords).

What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  Generally poor, and somewhere between overconfident and/or paranoid—given the lack of detailed understanding by consumers.

  Maybe school initiatives on computer security education issues could help.

What factors may prevent private individuals from following appropriate security practices?

  Ignorance of both the risks they are taking and appropriate countermeasures.

  The costs of subscribing to the security software as supplied to them by the computer retailers.

  The pervasiveness of the computer "white goods" mentality.

What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  Generally, more so than ever before by the most successful companies. Clearly Microsoft now see good security as a business enabler rather than a pure cost. There are plenty of companies about, however, that still need to learn this lesson.

Who should be responsible for ensuring effective protection from current and emerging threats?

  Clearly, some of the responsibilities lie with:

    —  Individuals—people can't drive a car without learning to drive and learning the law.

    —  The IT industry—"manufacturers shouldn't sell cars which are lacking legally required safety equipment and should strive to go beyond minimums." In similar terms, ISPs publish "terms of use", which say things like "you will not spread unsolicited email" (or viruses), and "you will not scan other people's systems for open ports", but in practice they do not enforce their terms of use unless someone (usually a victim) complains. If the ISPs actively policed their terms and conditions, so that they warned customers as soon as they had detected non-compliance with their policies, then it would help innocent customers whose machines were being used by malicious third parties, and also warn off any "wannabe" hackers at the first opportunity. In practice ISPs focus on profit and numbers of customers, instead of monitoring their consumers' compliance more ethically. ISPs could also do more to offer "secure services" which filter out aggressive incoming network traffic.

    —  Business—companies should provide users with as safe an environment as possible to use their equipment to do business with them, and accept some of the fraud risks.

    —  Government—Police should deter and/or catch dangerous drivers, and the Government is responsible for the "highway code", driver licensing, and safety education.

What is the standing of UK research in this area?

  The UK security industry is world leading, but this has not been translated into a clear reduction in the risks for UK computer users.

GOVERNANCE AND REGULATION

How effective are initiatives on IT governance in reducing security threats?

  Some initiatives, eg the NISCC initiatives for corporates, are very helpful. Similar information for the public is less accessible.

How far do improvements in governance and regulation depend on international co-operation?

  Significantly: there is no point in local laws in different countries being so mutually exclusive that some companies can no longer legally do business with them.

Is the regulatory framework for Internet services adequate?

  ISPs should have more accountability for notifying their users who are (possibly unknowingly) breaking the law.

What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

  If there is no public perception of a requirement, and no commercial pressure to provide, then there will not be improvement. If the public want secure systems, and business sees profit in secure systems, (which has started in some areas), improvement can gather momentum.

CRIME PREVENTION

How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

  While SOCA appears to have enough resource to deal with high profile priority issues, it is questionable if this is enough to support local police forces on less high-profile cases. The lack of qualified forensic experts to support the courts (and reveal innocence where appropriate) is also a potential source of serious miscarriages of justice.

Is the legislative framework in UK criminal law adequate to meet the challenge of cyber-crime?

  Potentially it can be adequate, but only if it can react quickly enough to the ongoing rapid changes in potential threats.

How effectively does the UK participate in international actions on cyber-crime?

  Clearly more effectively than we have in the past. Operation Ore found many guilty parties, but destroyed the lives of too many innocents.



© Parliamentary copyright 2007