Memorandum by the Confederation of British Industry (CBI)
1. The Internet has changed the way we communicate,
work and live. Terms such as "blog", "download"
and "Google" have become a normal part of our everyday
language at work as much as at home. However, unfortunately so
too have the terms phishing, spam, spyware, computer virus and
identity theft. Internet users are increasingly at risk from a
constantly evolving online threat environment. The ever-increasing
sophistication and ability of organised criminals, terrorist groups
and individual hackers to use the Internet as a tool for criminal
activity has meant an increasing importance being placed on the
need to protect personal information and business data when online.
2. The CBI welcomes the opportunity to provide
input to this important inquiry into personal Internet security.
It is important to recognise that the networked economy has grown
extensively over the last decade, and with it the interdependence
of the online community in the UK. However, all those using the
Internet, whether it is for business or personal use, leave themselves
and other online users open to online attack if they are operating
insecure Internet systems. Public concerns over Internet security
and a lack of confidence in using online services represent a key
risk to the UK maintaining and building on the economic growth
gained from e-business and e-commerce. Furthermore, the success
of the planned transformation of public services' delivery relies
on the trust and buy-in of the UK public to the use of the Internet
to engage with government.
3. The Internet is a vast network of computers
connected together through a series of servers located across
the globe. This means that, when considering the issue of Internet
security, the Committee cannot confine itself solely to considering
the threats and security dangers for private individuals without
also recognising how the behaviour of individuals can impact on
the Internet security of companies and government agencies.
What is the nature of the security threat?
4. Online interaction between individuals
and business has increased in recent years, becoming more extensive
and elaborate with firms using the Internet to deliver added-value
and innovative goods and services. However, just as Internet users
are becoming more sophisticated, so too are criminals. As users
and developers of Internet security tools become more aware of, and
savvy about, online dangers, criminals are modifying their attacks to
make them more targeted.
5. The changing nature of security threats
can be illustrated by the evolution of spam and phishing attacks.
In the past, spam emails were often simply an annoyance to users
and computer system administrators. However, spam now poses a
serious security risk as one of the most effective ways of spreading
malicious software (malware) and computer viruses. Just opening
an infected email, which a user may honestly believe is from a
trusted source, can lead to significant damage. Some spam emails
are sophisticated enough to be able to block anti-virus systems
and actively change to avoid detection by anti-spam technologies.
Targeted phishing attacks, involving highly detailed personal
information obtained through identity theft to customise emails
to make them seem more plausibly sent from bona-fide organisations
or individuals, are known as "spear" phishing.
6. As personal information becomes a valuable
asset to criminals, identity theft has become a major threat to
online users. The increasing online provision of goods and services
has led to consumers and firms creating numerous online identities
in accordance with the requirements of different online providers.
For example, individuals may have a different username and password
for online banking than they do for downloading music or booking
a holiday online. This situation increases the risk of identity
theft, as individuals are required to provide duplicate identifying
and authenticating data to multiple companies that are then open
to possible exposure and theft. Federated identity management
is emerging as a possible solution to this problem as it allows
individuals either a single sign-on or a system of multiple sign-ons
based on a single set of shared identity data. However, any federated
scheme must have appropriate security in place to protect the
identifying data that is accessed and shared between multiple
partners.
7. The increasing online provision of goods
and services has been greatly supported by the popularity of broadband
in the UK. According to the Office of Communications (Ofcom) there
are now 11.1 million broadband Internet users in the UK, compared
with 6.2 million in 2004.[1]
The take-up of broadband is welcomed by business. However, the
CBI remains concerned that broadband users may not be fully aware
of the increased risk of attack when moving from narrowband to
always-on Internet access (illustrated by the rise in "botnet"
attacks in the UK over the last few years) and the additional
security subsequently required.
8. Sent largely via spam emails, "botnets"
consist of programmes installed by hackers that enable them to
gain control of an online computer, turning the computer into
a "robot" or "bot". These "bots"
are then used as part of a wide network of computers to distribute
viruses and/or launch phishing or denial of service attacks. Botnets
thrive on computers that spend large amounts of time online, as
they form a more stable network of computers for distributing
viruses, spam and phishing attacks. In the UK the rise in broadband
"always on" Internet access is resulting in broadband
users spending on average 12.7 hours a week online, compared with
only 6.6 hours by traditional narrowband users.[2]
This means that broadband users who do not have adequate security
in place are at increased risk from a botnet attack. According
to research published by Symantec in March 2005, the UK already
has the largest population of botnets in the world, ahead of both
the US and China.[3]
With broadband the backbone of the UK's networked economy, raising
awareness of broadband security issues must be seen as a key priority
for government and business alike.
What is the scale of the problem?
9. It is difficult to assess the true scale
or impact of Internet security attacks on the UK, as victims are
often unaware both of security attacks and of how to report them.
Reluctance also sometimes exists amongst businesses to report
e-crimes because of concerns over adverse publicity and damage
to corporate reputation; another factor is a lack of
confidence in the capabilities of local police forces in responding
to and investigating incidents of e-crime. This may be to a certain
extent simply a matter of perception. For example, firms sometimes
fear that reporting e-crime to their local police will result
in the removal of their IT hardware for investigation, leading
to an inability to adequately continue conducting business. But
it can also reflect a relative lack of skilled personnel and resources
within local forces in dealing with online crime. The recent dissolving
of the National High-Tech Crime Unit was seen by many businesses
as a reduction in the Government's commitment to fighting computer
crime. Together, these factors perpetuate a reluctance amongst
businesses, particularly outside London, to report e-crime,
something that is helping criminals to elude prosecution.
Do the public understand the threat they face?
10. For many people caught up in the straightforward
demands of day-to-day life and the tasks of running a viable business,
Internet security can seem faraway, just too daunting or purely
a technical issue. This is, until disaster strikes.
11. Media coverage of incidents of computer
crime and identity theft has raised the profile of online security
in the business community. According to the DTI 2006 Information
Security Breaches Survey, nine out of 10 UK companies now have
a firewall in place, with 98% investing in anti-virus systems.
However, it is not clear whether businesses are simply going through
the motions (employing traditional security technologies,
such as firewalls) without assessing the risks they face
and identifying the key business assets that need protection.
Although the use of anti-virus software has risen, for instance,
only 53% of firms have implemented intrusion detection measures,
and the CBI is concerned that most companies are continuing to
rely simply on passwords for access to critical business data.
As a result, firms may be leaving themselves open to attack by
not having in place appropriate security measures that protect
not only themselves but online customers and supply chain partners.
12. Online security is not solely an issue
of installing appropriate technology. It is also about changing
attitudes and behaviour towards the Internet through education
and training. For business, educating employees on security issues
can help to secure companies' overall operations and also help
employees protect their Internet activities at home. This includes
ensuring that security remains up-to-date. Simply implementing
technology will not protect online users if the software is not
correctly updated; online attacks can evolve to a point where
they can evade and elude out-of-date security solutions.
13. However, for many businesses, and particularly
SMEs, providing staff training can be costly. The CBI believes
the Government should consider providing financial incentives,
such as tax breaks, to encourage and help SMEs provide online
security education and training for employees. Education and awareness
programmes, such as Get Safe Online, can also make an important contribution
to raising understanding of the necessity of implementing Internet
security measures. However, as indicated below, more is needed
to raise understanding of the collective responsibility online
users (from school children to silver surfers) have in protecting
their own and others' Internet security.
How much does information security depend on the software and hardware manufacturers?
14. As the target, and often victim, of
online attacks, companies understand all too well the importance
of having security in place to protect their customers as well
as themselves. In today's highly competitive market conditions,
having effective security has become a key differentiator in the
provision of online services, and in being seen as a trusted and
secure online provider, partner or brand. Market demand for secure
technology solutions is being met by the development of innovative
products and tools such as anti-spam filters, intrusion detection
software and encryption. Industry solutions, backed by easily
accessible, user-friendly and up-to-date advice and support on
key security issues and trends, provide users with the confidence
that their online activities are secure.
15. However, securing the Internet is not
something that can be tackled or solved solely by the software
or hardware community or in fact by the business community alone.
Businesses, individuals, government and law enforcement agencies
all share a collective responsibility for protecting themselves
online and addressing Internet security issues. In February 2006
the CBI launched a joint government-business guide, "Securing
Business Value Online", aimed at raising awareness amongst
SMEs of the importance of security in their online supply chains.
The guide was produced jointly by DTI and a leading group of CBI
members, including representatives from both the user and supplier
communities.
16. The following are examples of just some
of the activities currently underway in the UK and internationally
where UK business as a whole is working with government to raise
awareness and reduce Internet security threats:
CBI business guide "Securing Business Value Online: A guide for SMEs in supply chains";
UK Get Safe Online campaign;
Internet Watch Foundation (IWF);
Institute of Information Security Professionals;
Annual e-Crime Congress Event for business and government representatives;
Development of CERTs and WARPs in association with NISCC;
European Network and Internet Security Agency (ENISA);
UN Internet Governance Forum, addressing spam and Internet security at the Athens IGF in October;
OECD development of a common framework for implementing security and data privacy.
Is the regulatory framework for Internet services adequate?
17. The CBI believes many firms, particularly
those outside of London, are still not fully aware of their legal
and regulatory requirements when doing business online. As a result,
firms may be leaving themselves, and their customers or partners,
open to possible regulatory penalties and/or legal action. At
recent CBI regional workshops, a lack of regional support and
information for local firms on the legal and regulatory requirements
and security considerations for online business was identified
as a concern of many firms. The DTI's work on raising awareness
of the importance of information security issues is seen by the
CBI as an example of government good practice. Unfortunately,
this approach is not being consistently replicated by the Regional
Development Agencies (RDAs). The CBI believes the RDAs should
be playing a greater and more transparent role in helping businesses
understand Internet regulatory issues and in raising awareness
of the importance of Internet security. To that end, the CBI believes
the Government should investigate the effectiveness of the RDAs
in this area, and if necessary devote additional resources. It
is vital that regional companies, particularly SMEs, are given
consistent levels of support and advice across the country in
order to develop their online capabilities and to ensure that
the UK continues to grow as a leading market for e-commerce.
18. Internationally, there has been a steady
increase in recent years in European and international regulatory
and legislative requirements on companies operating online. For
many sectors, this can result in a somewhat confusing plethora
of requirements. This is a particular burden for companies that
share data and provide services to customers and partners across
legal jurisdictions. The CBI believes the Government has a responsibility
to continue to engage strongly internationally (for example, through
the EU and OECD) to ensure UK companies are not negatively affected
by changes to international e-commerce legislation, regulation
or standards. Financial cutbacks at the DTI do not help in this
regard.
Is the legislative framework and criminal law adequate to meet the challenge of cyber crime?
19. If the UK is to reach its full e-potential,
it is essential that legislation recognises the ways in which
computer networks are attacked and provides appropriate legal
powers to deter computer-related crime and to provide redress to the businesses it affects.
The long overdue updating of the Computer Misuse Act (CMA) under
the Police and Justice Bill has been welcomed by business, particularly
the increase in penalties and fines that will also allow offenders
to be extradited to the UK for prosecution. However, to ensure
the amended CMA becomes an effective deterrent against cyber criminals,
the CBI believes it is vital that the guidelines for courts
on how and when the Act should be applied are also reviewed.
Without this, it is unlikely that the legal penalties imposed
will be proportionate to the financial losses suffered by victims
of computer crime.
20. As explained above, computer viruses
and "botnet" attacks are increasingly being sent via
spam emails. The ability to investigate and penalise those responsible
for sending spam is therefore an important tool in the fight against
computer crime. However, at present the CBI believes the effectiveness
of the Information Commissioner's Office (ICO) in combating spam
is reduced by inadequate powers and limited scope for investigation.
The CBI has been calling for the Information Commissioner's powers
to be reviewed and amended to remove current limitations regarding
appeals on enforcement notices and on powers to investigate the
origins of spam.
21. Under the Privacy and Electronic Communications
(EC Directive) Regulations 2003, if an ICO enforcement notice
to cease sending alleged unsolicited direct marketing e-mails
(spam) is challenged by the accused, an appeal begins and the
notice is effectively suspended. In practical terms, this means
spam can continue until the appeal is heard, leaving those
accused able to carry on their activities, sometimes for up to
a year. While the
CBI recognises that an appeals process is needed, we believe the
ICO should have the power to act quickly and effectively to prevent
those accused from continuing to send what is clearly spam even
while an appeals process is underway. In addition, the CBI believes
that the ICO's information gathering powers should be extended
to enable the ICO to require third parties to provide information
to track down and identify companies that conceal their identities
when sending spam. Currently, the ICO is often prevented from
even beginning an investigation as it is unable to identify who
to investigate. By addressing these issues, the ICO will be made
more effective in implementing the powers given under UK Regulations
and help to remove the perception of the UK as an easy target
for spammers.
Is the Government equipped to fight Cyber Crime?
22. At a time when the Internet is being
heralded as a key platform for the UK's future economic growth
and transformation of public service delivery, the Government
has a responsibility to place Internet security high on the political
agenda. To date, this has been lacking. Of course, important issues
such as online child protection have been rightly given high level
political attention and support. However, the importance of Internet
security to ongoing e-commerce growth in the UK has not been given
the sustained, high level political visibility that is needed
to bring about change. As mentioned above, the demise of the National
High-Tech Crime Unit has been seen as a reduction in the Government's
commitment to fighting computer crime. It is understood that the
Serious and Organised Crime Unit (SOCA) will be continuing the
work of the NHTCU; however, concerns remain at the perceived reduction
in dedicated police resources to combat computer crime. Questions
remain as to whether the Government has equipped SOCA with adequate
resources and the dedicated focus necessary to ensure its work,
and the success of NHTCU, can continue.
23. One reason for the perceived lack of
Government commitment may be the fact that responsibilities for
Internet security within Government are somewhat dispersed between
a variety of departments and offices, with few overarching
powers of co-ordination, meaning that there is, in effect, no government
strategy for information security. The Home Office, the DTI, the
Cabinet Office's Central Sponsor for Information Assurance (CSIA),
and the ICO all have responsibilities for different aspects of
information security. While the CBI is not advocating the creation
of a single governmental body or agency for Internet security
issues, more forcefully co-ordinated co-operation and focus of
efforts amongst the departments and offices involved would help.
Even, for instance, a single reporting point and clearing house
for complaints about spam would be useful for businesses and individuals
not expert on what law had been broken (privacy, fraud, etc.)
by a particular email, and could help the various agencies
decide the best response to take towards the sending party involved.
24. If the Government's vision of the online
delivery of public services is to be successfully advanced, co-operation
and agreement between departments will be vital. Data sharing
between departments is at the very heart of the Transformation
Government agenda. Its success will require departments to work
closely to develop common policies and procedures that ensure the
security, confidentiality and integrity of individuals' data shared,
and stored, online.
20 October 2006
[1] Ofcom Communications Market Report 2006
[2] Ofcom Communications Market Report 2006
[3] Symantec Global Internet Threat Report, March 2005