I read Warwick Ashford’s article on the Drivers and Inhibitors of Cyber Security Evolution after attending a number of thought provoking meetings during the week of Infosec. The study he quotes should be juxtaposed with an excellent Washington Post “history” of how the Internet became so insecure and with Warwick’s more recent article on how co-operation is driving the fight against e-Crime. Comments by Adrian Leppard, also covered by Warwick, a couple of weeks ago help put these into current context.
The overall cost of computer-assisted fraud (about the same as the current UK fiscal deficit) is causing HM Treasury to take a cool look at the competition between those bidding for funding to address cyber-warfare, anti-terrorism, internet “safety” and e-crime. Meanwhile a number of cyber-risks have become almost uninsurable – but main boards have yet to appreciate the consequences of the deletion of “cyber” from their mainstream business continuity cover. Instead we have the growth of policies to cover the cost of implementing incident response plans which include action (cross-border as necessary) to identify who organised the attack (and who aided and abetted them) so as to mount “asset recovery” exercises (under a mix of criminal and civil law) in parallel with damage limitation exercises (including to protect customers whose data may have been compromised). Those incident response plans include retainers with cross-cutting teams drawn from the accounting, law, forensic, security and public affairs practices who are making recruitment firms rich as they compete for the expertise they will need. A deliberate “side-effect” of such policies is that those with them are less likely to be attacked because of the known threat of retaliation.
That which was forecast a decade ago (see the EURIM-IPPR studies into Partnership Policing for the Information Society) is therefore finally coming to pass, as the government, law enforcement and industry finally come to appreciate that they need to be at least as good at partnership as organised crime. They should, however, have the advantage that the lack of trust between criminals is even greater than that between the agencies of law enforcement and security and the various cultural and professional tribes of “industry”.
Time has moved on since the EURIM-IPPR study. Some of the findings need updating but some of the most important do not. Law enforcement has not, and never will have, the resources (quality and quantity) to do more than a fraction of what is necessary. The need is for much better frameworks for co-operation with those in industry who do have these.
In looking at forthcoming legislation to update current law on surveillance powers and access to communications data we should give priority to governance structures for voluntary co-operation, under evolving mixtures of civil and criminal law, including internationally. We might also take a good look at legislation and regulation which limits the civil liability of those who fail to take “reasonable” action to protect their customers from abuse. The background work for the DPA exercise on Age Verification indicates that what is “reasonable” depends on the perspective of the viewer and also changes over time. It is therefore important that debate is as public and open as practical. Those who say it is too complicated for voters to understand should be trusted as much (or as little) as those who say it is too secret to be openly discussed in public.