In July we learned that 10% of the UK population have been the victims of e-Crime – albeit nearly always reimbursed, having “only” suffered the hassle of a refused card and a couple of days' struggle to get the cash to survive until they received a new card. Earlier this week we learned that on-line fraud has risen 50% over the past year. Today we saw publicity for the Consumer Association's plans for a class action against those banks which do not reimburse those who have been victims of the type of fraud that commonly follows a data breach notification (e.g. the fraudster purports to be from the security or technical support team of the organisation that has reported the breach and collects the credentials needed to bypass the bank's security processes).
In parallel we learn that Yahoo discovered it had lost over 500,000 passwords and identities four years ago only when some of them were reported to be on open offer earlier this year. Meanwhile we have no idea as to the security, or otherwise, of all those apps tracking what you do over your mobile phone or social network accounts. It is, however, apparent that those promoting “big data” tracking services have been concealing how they really operate, as well as what they really measure, both from those whose advertising budgets they seek to influence and from those whose transactions and movements are tracked, analysed and sold to whoever will pay (or can break the security, if any, of the “big” marketing database). Meanwhile the changing scale and nature of some of the attacks being mounted against those who help law enforcement illustrates how the insecurity of the Internet of Things is already compounding the problems we face.
It is now also exactly three months since I blogged on the report of the Cybersecurity enquiry conducted by the Culture, Media and Sport Select Committee. DCMS has yet to respond, although a number of the recommendations are addressed to the new Information Commissioner: e.g. that she should link the scale of the fines she levies, whether under existing law or the new GDPR, to the lack of security (Para 18) and to the lack of processes to enable a consumer or small business to check that a phone call or e-mail really does come from the organisation claimed (Para 34).
It is perhaps ironic, given current arguments about Brexit, that the latter weakness stems from the lack of action to enforce the e-Commerce Directive requirement that those trading on-line should tell customers how to make physical contact in the event of a problem. The good news is that we are beginning to see legal action in the UK, as well as in France, to remove the “innocent carrier” defence from those who make it almost impossible to report traffic in breach of their terms and conditions and/or who deploy technologies in support of geoblocking and IPR licensing while refusing to do so for child protection or personal safety. The latter “problem” should lead to an interesting debate during the second reading of the Digital Economy Bill, when those who want effective age checking to be enforced, to protect children from exposure to pornography, reveal that the arguments over what is “practical” are arguments about business models, not technology processes.
Para 14 of the CMS report recommends that “All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine. This verification mechanism should be clearly signposted and readily accessible, as with existing customer contact and complaints mechanisms.” Under the GDPR “all relevant companies” means almost everyone with an on-line presence.
Paragraph 18 contains a polite bombshell for the Professional Bodies and Trade Associations who are collectively responsible for the insecurities that have made the Internet and many, perhaps most, on-line services so vulnerable. “We were also surprised that there is no requirement to make security a major consideration in the design of new IT systems and apps. We therefore recommend that security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary.”
Having been in the industry for over forty years I know why the situation is as it is: each generation ignores the lessons expensively learned by the previous one because …
The excuses vary but can be summarised as:
- Everything is moving so fast that we cannot afford the time to check and still be first to market.
- The users will find the problems and we will fix them when they do, if we are still with the company.
- Only old farts rabbit on about professionalism. We digerati have new go-faster technologies and acronyms, so what they say is not relevant.
- The trustees of professional bodies cannot afford to take on those willing to spend more on legal cover up than they did on quality control.
In short, the current situation is indefensible. Hence the importance of Paragraph 25 of the CMS report: the advice to victims to “lawyer up” and the recommendation that the Law Society provide guidance to its high street members to make it easier for victims to obtain redress under civil law.
That is, however, the negative side of the recommendations. I hope that, whatever the Government response to the Select Committee report (likely to be issued in October, in parallel with its new cyber security strategy), we will see industry (both suppliers and customers) come together to help rebuild trust in the on-line world before it crumbles further.
I know that two parallel, but interlinked, exercises are being considered.
One is a SASIG event to describe the benefits large on-line users are already getting from following the recommendations in the Select Committee report. This should give the Information Commissioner a supply of case study carrots to accompany any sticks she may threaten to wield (Para 34 of the report). The other is a Digital Policy Alliance event to bring together the relevant professional bodies and trade associations to look at alternative ways of identifying, maintaining, promoting and enforcing good practice (Para 30 and Para 38 of the report). These might include regular updates to Cyber Essentials (now more than a little dated) and linking incident management and cyber-indemnity insurance to auditable (and audited) evidence of competence and behaviour, not just theoretical certifications and processes.
I look forward to seeing both being progressed after the Party Conference Season in co-operation with the Information Commissioner, Government and Industry – including to make the Brexited UK a safer place to go on-line, and a more profitable location in which to base an on-line business, than either continental Europe or the United States.