Select Committee on Science and Technology Minutes of Evidence

Memorandum by the Confederation of British Industry (CBI)

  1.  The Internet has changed the way we communicate, work and live. Terms such as "blog", "download" and "Google" have become a normal part of our everyday language at work as much as at home. Unfortunately, so too have the terms phishing, spam, spyware, computer virus and identity theft. Internet users are increasingly at risk from a constantly evolving online threat environment. The ever-increasing sophistication and ability of organised criminals, terrorist groups and individual hackers to use the Internet as a tool for criminal activity has placed growing importance on protecting personal information and business data online.

  2.  The CBI welcomes the opportunity to provide input to this important inquiry into personal Internet security. It is important to recognise that the networked economy has grown extensively over the last decade, and with it the interdependence of the online community in the UK. All those using the Internet, whether for business or personal use, leave themselves and other online users open to attack if they are operating insecure Internet systems. Public concern over Internet security and lack of confidence in using online services represent a key risk to the UK maintaining and building on the economic growth gained from e-business and e-commerce. Furthermore, the success of the planned transformation of public service delivery relies on the trust and buy-in of the UK public in using the Internet to engage with government.

  3.  The Internet is a vast, global network of interconnected computers and networks. This means that, when considering the issue of Internet security, the Committee cannot confine itself solely to the threats and security dangers facing private individuals without also recognising how the behaviour of individuals can affect the Internet security of companies and government agencies.

What is the nature of the security threat?

  4.  Online interaction between individuals and business has increased in recent years, becoming more extensive and elaborate as firms use the Internet to deliver added-value and innovative goods and services. However, just as Internet users are becoming more sophisticated, so too are criminals. As users and developers of Internet security tools become more aware of online dangers, criminals are modifying their attacks to make them more targeted.

  5.  The changing nature of security threats can be illustrated by the evolution of spam and phishing attacks. In the past, spam emails were often simply an annoyance to users and system administrators. Spam now poses a serious security risk as one of the most effective ways of spreading malicious software (malware) and computer viruses. Opening an infected attachment or link in an email that the user honestly believes is from a trusted source can lead to significant damage. Some of the malware delivered by spam is sophisticated enough to disable anti-virus software, and spam messages are actively varied to avoid detection by anti-spam technologies. Targeted phishing attacks, known as "spear" phishing, use detailed personal information (often obtained through earlier identity theft) to customise emails so that they appear more plausibly to come from bona fide organisations or individuals.

  6.  As personal information becomes a valuable asset to criminals, identity theft has become a major threat to online users. The increasing online provision of goods and services has led consumers and firms to create numerous online identities to meet the requirements of different online providers. For example, an individual may have a different username and password for online banking than for downloading music or booking a holiday online. This situation increases the risk of identity theft, as individuals are required to provide duplicate identifying and authenticating data to multiple companies, and that data is then open to exposure and theft at each of them. Federated identity management is emerging as a possible solution to this problem, as it allows individuals either a single sign-on or a system of multiple sign-ons based on a single set of shared identity data. However, federation also concentrates risk: a compromised federated credential can give access to every service that trusts it, so any federated scheme must have appropriate security in place to protect both the credential and the identifying data that is accessed and shared between multiple partners.

  7.  The increasing online provision of goods and services has been greatly supported by the popularity of broadband in the UK. According to the Office of Communications (Ofcom) there are now 11.1 million broadband Internet users in the UK, compared with 6.2 million in 2004.[1] The take-up of broadband is welcomed by business. However, the CBI remains concerned that broadband users may not be fully aware of the increased risk of attack when moving from dial-up narrowband to always-on Internet access (illustrated by the rise in "botnet" attacks in the UK over the last few years), or of the additional security consequently required.

  8.  A "botnet" is a network of computers that have been infected, largely via spam emails, with software that lets a hacker control them remotely; each such computer is turned into a "robot" or "bot". These "bots" are then used collectively to distribute viruses and spam and to launch phishing or denial of service attacks. Botnets thrive on computers that spend large amounts of time online, as these form a more stable network for distributing viruses, spam and phishing attacks. In the UK the rise in "always on" broadband Internet access means broadband users spend on average 12.7 hours a week online, compared with only 6.6 hours for traditional narrowband users.[2] Broadband users who do not have adequate security in place are therefore at increased risk of being recruited into a botnet. According to research published by Symantec in March 2005, the UK already has the largest population of bot-infected computers in the world, ahead of both the US and China.[3] With broadband the backbone of the UK's networked economy, raising awareness of broadband security issues must be seen as a key priority for government and business alike.

What is the scale of the problem?

  9.  It is difficult to assess the true scale or impact of Internet security attacks on the UK, as victims are often unaware both that an attack has occurred and of how to report it. Businesses are also sometimes reluctant to report e-crimes because of concerns over adverse publicity and damage to corporate reputation; a further factor is a lack of confidence in the capabilities of local police forces in responding to and investigating incidents of e-crime. This may to a certain extent be simply a matter of perception. For example, firms sometimes fear that reporting e-crime to their local police will result in the removal of their IT hardware for investigation, leaving them unable to continue conducting business. But it can also reflect a relative lack of skilled personnel and resources within local forces for dealing with online crime. The recent dissolution of the National High-Tech Crime Unit (NHTCU) was seen by many businesses as a reduction in the Government's commitment to fighting computer crime. Together, these factors perpetuate a reluctance amongst businesses, particularly outside London, to report e-crime, which helps criminals to elude prosecution.

Do the public understand the threat they face?

  10.  For many people caught up in the straightforward demands of day-to-day life and the tasks of running a viable business, Internet security can seem far away, too daunting or a purely technical issue. That is, until disaster strikes.

  11.  Media coverage of incidents of computer crime and identity theft has raised the profile of online security in the business community. According to the DTI 2006 Information Security Breaches Survey, nine out of 10 UK companies now have a firewall in place and 98% have invested in anti-virus systems. However, it is not clear whether businesses are simply going through the motions, employing traditional security technologies such as firewalls without assessing the risks they face and identifying the key business assets that need protection. Although the use of anti-virus software has risen, for instance, only 53% of firms have implemented intrusion detection measures, and the CBI is concerned that most companies continue to rely simply on passwords for access to critical business data. As a result, firms may be leaving themselves open to attack by not having in place appropriate security measures that protect not only themselves but also online customers and supply chain partners.

  12.  Online security is not solely an issue of installing appropriate technology. It is also about changing attitudes and behaviour towards the Internet through education and training. For business, educating employees on security issues can help to secure companies' overall operations and also help employees protect their Internet activities at home. This includes ensuring that security remains up to date. Simply implementing technology will not protect online users if the software is not kept updated: online attacks evolve to the point where they evade out-of-date security solutions.

  13.  However, for many businesses, and particularly SMEs, providing staff training can be costly. The CBI believes the Government should consider providing financial incentives, such as tax breaks, to encourage and help SMEs provide online security education and training for employees. Education and awareness programmes, such as Get Safe Online, can also make an important contribution to raising understanding of the necessity of implementing Internet security measures. However, as indicated below, more is needed to raise understanding of the collective responsibility online users (from school children to silver surfers) have in protecting their own and others' Internet security.

How much does information security depend on the software and hardware manufacturers?

  14.  As the target, and often victim, of online attacks, companies understand all too well the importance of having security in place to protect their customers as well as themselves. In today's highly competitive market conditions, having effective security has become a key differentiator in the provision of online services, and in being seen as a trusted and secure online provider, partner or brand. Market demand for secure technology solutions is being met by the development of innovative products and tools such as anti-spam filters, intrusion detection software and encryption. Industry solutions, backed by easily accessible, user-friendly and up-to-date advice and support on key security issues and trends, give users confidence that their online activities are secure.

  15.  However, securing the Internet is not something that can be tackled or solved solely by the software or hardware community, or indeed by the business community alone. Businesses, individuals, government and law enforcement agencies all share a collective responsibility for protecting themselves online and addressing Internet security issues. In February 2006 the CBI launched a joint government-business guide, "Securing Business Value Online", aimed at raising awareness amongst SMEs of the importance of security in their online supply chains. The guide was produced jointly by the DTI and a leading group of CBI members, including representatives from both the user and supplier communities.

  16.  The following are examples of just some of the activities currently underway in the UK and internationally where UK business as a whole is working with government to raise awareness and reduce Internet security threats:

    —  CBI business guide "Securing Business Value Online: A guide for SMEs in supply chains";

    —  UK Get Safe Online campaign;

    —  Internet Watch Foundation (IWF);

    —  Institute of Information Security Professionals;

    —  Annual e-Crime Congress Event for business and government representatives;

    —  Development of CERTs and WARPs in association with NISCC;

    —  European Network and Internet Security Agency (ENISA);

    —  UN Internet Governance Forum—addressing spam and Internet security at Athens IGF in October;

    —  OECD development of a common framework for implementing security and data privacy.

Is the regulatory framework for Internet services adequate?

  17.  The CBI believes many firms, particularly those outside London, are still not fully aware of their legal and regulatory requirements when doing business online. As a result, firms may be leaving themselves, and their customers or partners, open to possible regulatory penalties and/or legal action. At recent CBI regional workshops, many firms identified as a concern the lack of regional support and information for local firms on the legal and regulatory requirements and security considerations for online business. The DTI's work on raising awareness of the importance of information security issues is seen by the CBI as an example of government good practice. Unfortunately, this approach is not being consistently replicated by the Regional Development Agencies (RDAs). The CBI believes the RDAs should be playing a greater and more transparent role in helping businesses understand Internet regulatory issues and in raising awareness of the importance of Internet security. To that end, the CBI believes the Government should investigate the effectiveness of the RDAs in this area and, if necessary, devote additional resources. It is vital that regional companies, particularly SMEs, are given consistent levels of support and advice across the country in order to develop their online capabilities and to ensure that the UK continues to grow as a leading market for e-commerce.

  18.  Internationally, there has been a steady increase in recent years in European and international regulatory and legislative requirements on companies operating online. For many sectors, this can result in a somewhat confusing plethora of requirements. This is a particular burden for companies that share data and provide services to customers and partners across legal jurisdictions. The CBI believes the Government has a responsibility to continue to engage strongly internationally (for example, through the EU and OECD) to ensure UK companies are not negatively affected by changes to international e-commerce legislation, regulation or standards. Financial cutbacks at the DTI do not help in this regard.

Is the legislative framework and criminal law adequate to meet the challenge of cyber crime?

  19.  If the UK is to reach its full e-potential, it is essential that legislation recognises the ways in which computer networks are attacked and provides appropriate legal powers to deter computer-related crime and to give businesses redress for it. The long overdue updating of the Computer Misuse Act (CMA) under the Police and Justice Bill has been welcomed by business, particularly the increase in penalties and fines, which will also allow offenders to be extradited to the UK for prosecution. However, to ensure the amended CMA becomes an effective deterrent against cyber criminals, the CBI believes it is also vital that the guidelines for courts on how and when the Act should be applied are reviewed. Without this, it is unlikely that the legal penalties imposed will be proportionate to the financial losses suffered by victims of computer crime.

  20.  As explained above, computer viruses and "botnet" attacks are increasingly being sent via spam emails. The ability to investigate and penalise those responsible for sending spam is therefore an important tool in the fight against computer crime. However, at present the CBI believes the effectiveness of the Information Commissioner's Office (ICO) in combating spam is reduced by inadequate powers and limited scope for investigation. The CBI has been calling for the Information Commissioner's powers to be reviewed and amended to remove current limitations regarding appeals on enforcement notices and on powers to investigate the origins of spam.

  21.  Under the Privacy and Electronic Communications (EC Directive) Regulations 2003, if an ICO enforcement notice to cease sending alleged unsolicited direct marketing e-mails (spam) is challenged by the accused, an appeal begins and the notice is effectively suspended. In practical terms, this means the spam can continue until the appeal is heard, sometimes for up to a year. While the CBI recognises that an appeals process is needed, we believe the ICO should have the power to act quickly and effectively to prevent those accused from continuing to send what is clearly spam even while an appeal is underway. In addition, the CBI believes that the ICO's information-gathering powers should be extended to enable it to require third parties to provide information to track down and identify companies that conceal their identities when sending spam. Currently, the ICO is often prevented from even beginning an investigation because it is unable to identify whom to investigate. By addressing these issues, the ICO will be made more effective in exercising the powers given to it under UK Regulations, and the perception of the UK as an easy target for spammers will be reduced.

Is the Government equipped to fight Cyber Crime?

  22.  At a time when the Internet is being heralded as a key platform for the UK's future economic growth and the transformation of public service delivery, the Government has a responsibility to place Internet security high on the political agenda. To date, this has been lacking. Of course, important issues such as online child protection have rightly been given high-level political attention and support. However, the importance of Internet security to continued e-commerce growth in the UK has not been given the sustained, high-level political visibility needed to bring about change. As mentioned above, the demise of the National High-Tech Crime Unit has been seen as a reduction in the Government's commitment to fighting computer crime. It is understood that the Serious Organised Crime Agency (SOCA) will continue the work of the NHTCU; however, concerns remain at the perceived reduction in dedicated police resources to combat computer crime. Questions remain as to whether the Government has equipped SOCA with adequate resources and the dedicated focus necessary to ensure that its work, and the success of the NHTCU, can continue.

  23.  One reason for the perceived lack of Government commitment may be that responsibilities for Internet security within Government are dispersed between a variety of departments and offices, with few overarching powers of co-ordination, meaning that there is, in effect, no government strategy for information security. The Home Office, the DTI, the Cabinet Office's Central Sponsor for Information Assurance (CSIA) and the ICO all have responsibilities for different aspects of information security. While the CBI is not advocating the creation of a single governmental body or agency for Internet security issues, more forcefully co-ordinated co-operation and focus of effort amongst the departments and offices involved would help. Even a single reporting point and clearing house for complaints about spam, for instance, would be useful for businesses and individuals who are not expert in which law (privacy, fraud, etc.) a particular email has broken, and could help the various agencies decide the best response to take towards the sender involved.

  24.  If the Government's vision of the online delivery of public services is to be successfully advanced, co-operation and agreement between departments will be vital. Data sharing between departments is at the very heart of the Transformational Government agenda. Its success will require departments to work closely together to develop common policies and procedures that ensure the security, confidentiality and integrity of individuals' data shared, and stored, online.

20 October 2006

1   Ofcom Communications Market Report 2006

2   Ofcom Communications Market Report 2006

3   Symantec Internet Security Threat Report, March 2005


© Parliamentary copyright 2007