Home Office aims to create a co-ordinated UK computer crime
strategy.
The UK is awash with expertise on IT security, in businesses, among
IT suppliers, in central and local government, the police and the
security services.
So far there have only been sporadic attempts to bring this
expertise together in a co-ordinated way to tackle the threats
posed by viruses, hacking and other forms of computer crime.
This looks set to change with news that the Home Office is developing a
computer crime strategy for the UK that will attempt to co-ordinate
computer crime resources across a wide range of public and private
sector bodies.
The work is still in its early stages, but some of the ideas that
have been put forward to the Home Office are beginning to attract
interest. They include the creation of industry-based "IT special
constables" to assist the police, "cyberhood watch" schemes to
alert small businesses to imminent threats, and a review of
computer crime laws.
Development of the Home Office strategy will run in parallel with a
similar review by the government's Central Sponsor for Information
Assurance, part of the Cabinet Office. That review is likely to
focus on the need to improve the take-up of information security
standards such as BS7799 among local and central government
departments - a move that could also encourage adoption in the
private sector.
In some ways, the UK is playing catch-up with the US, which
published its own cybercrime strategy in February this year. The US
plan, drawn up in response to the 11 September terrorist attacks,
with the backing of the White House, recognises that with many
parts of the internet under private control, the government cannot
secure cyberspace on its own. But it can play a leading role in
educating businesses about risks and solutions, and encourage
research into better ways to protect computer systems.
The Home Office has asked IT industry parliamentary group Eurim to
help it identify the key priorities for a UK computer crime
strategy. The timetable is tight - Eurim aims to report back on the
key issues before Parliament's summer recess and to identify
possible solutions by September. This will give ministers time to
get the ball rolling by introducing some easy-to-implement reforms
before the end of the year.
Jeremy Beale, head of the e-business group at the Confederation of
British Industry, welcomed the move.
"We think computer crime is a major issue for businesses and for
the country. We have moved into an era where the critical national
infrastructure is increasingly vulnerable to terrorism," he said.
"A major effort is needed to build up expertise in industry and
government and to put computer crime on the national agenda."
The main proposals under discussion are:
IT special constables
IT special constables, based in industry and capable of gathering
evidence of computer crime to police standards, could take the
pressure off overstretched police forces. The idea is taken from
the US and Canada, where the armed forces and other government
agencies keep civilian experts on their payroll, ready to be called
on in times of crisis.
"When it came to the Love Bug computer virus, the FBI suddenly had
a 400-strong taskforce, which was almost entirely comprised of
people from IBM, Microsoft, Symantec etc, all of whom were special
reserves with the FBI. The full-time FBI officers did little more
than make the tea," said Philip Virgo, general secretary of
Eurim.
A similar principle could be introduced in the UK to take some of
the pressure off the National High-Tech Crime Unit and regional
computer crime units. Security experts in industry could be trained
to gather evidence of deliberate security breaches to the
rigorous standards of evidence used by the police to bring criminal
prosecutions in court.
Chris Sundt, a security consultant who is helping the Home Office
develop its security strategy with Eurim, believes that such a move
could bring significant benefits.
"One of the problems we have in industry is handing investigations
over to the police. If you call them too early, it creates problems
because there are not enough police resources. If you call them too
late, evidence may not be admissible in court. Special constables
could act as the police presence until the investigation is handed
over to the police proper," he said.
Critics say that while IT special constables are an interesting
idea that should be explored further, the underlying problem is
that there are not enough IT-literate policemen, and not enough
awareness of IT security issues.
Review of computer crime law
A review of the Computer Misuse Act, introduced in 1990, is likely
to form a central plank of the Home Office's strategy. The Act will
need to be updated to bring it into line with the European
Convention on Cybercrime and a proposed European framework on
attacks against information systems.
This could be an opportunity to deal with some of the perceived
inadequacies of the current Computer Misuse Act - an issue that has
formed the heart of Computer Weekly's Lock Down the Law
campaign.
There may also be moves to assess whether legislation could outlaw
the theft of electronic data, which is currently not a criminal
offence in UK law.
Small businesses
There is growing concern in government and business that smaller
companies and even home users are not getting the advice they need
on computer security. The issue is crucial, not only to protect
small companies, but also the larger companies they supply. Hackers
often use small, unprotected computer systems as a launching point
for attacks on larger systems, yet there is little co-ordinated
help for small firms.
Another problem is that there are few IT professionals with the
all-round skills, including security skills, that small businesses
need. One solution could be to develop a programme of training and
qualifications for a new type of IT generalist, who could assist
small businesses to secure and install their systems.
Education and training
The Home Office review is expected to look at ways to make better
use of the security training programmes that have been developed by
industry, law enforcement and academia. Forensic computing courses
developed by the police could provide private sector security
professionals with valuable training, particularly if the idea of
IT special constables is introduced. However, police regulations
currently restrict this.
Identity theft
Measures to tackle identity theft will be high on the Home Office's
agenda. The problem is reaching epidemic proportions and, if left
unchecked, is likely to damage the growth of e-commerce.
Increasingly, fraudsters in the UK are using stolen identities to
take out loans or make credit card purchases under other people's
names.
Police computer crime unit
The National High-Tech Crime Unit and the regional police computer
crime units are widely seen as lacking the manpower and the
resources to deal adequately with the current volumes of computer
crime. The Home Office computer crime strategy is likely to revisit
the funding question, and ask whether more officers should be
trained in forensic computer techniques.