Technology advances may lead to laws on minimum security levels

The government needs to start planning now for developments in computer technology that will pose new threats to the UK's critical national infrastructure and render existing security systems obsolete, the former head of the government's joint intelligence committee said last week.

Pauline Neville-Jones, who chaired the joint intelligence committee under John Major, told a Parliamentary IT committee that the government may need to introduce new laws to protect key computer systems, as the development of intelligent, mobile computers raises new security concerns.

"We are about to enter a world of pervasive computing where a far greater proportion of the community has access to electronic communications," she said. "Computers are becoming increasingly intelligent and capable of modifying their own functions."

The result will be a new generation of mobile computers capable of communicating with each other and logging on to networks to exchange information without the user necessarily being aware of their activities.

Existing generations of firewalls and intrusion detection systems may not provide sufficient protection and could place critical computer systems at risk, Neville-Jones said.

"The more programmable devices you have in the future, the more you have the ability to attack the infrastructure through some form of cyberattack."

Small mobile devices could be pre-programmed to carry out a massive denial of service attack, for example, and tracking misuse will become increasingly difficult as devices network themselves together.

The government and the private sector need to start thinking about the legal and practical implications of the technology now, said Neville-Jones, who is currently chairwoman of defence specialist Qinetiq and the Information Assurance Advisory Council.

"There are real legal problems that will arise with the competitive environment we are going into. As these systems are becoming much more capable, people are going to question whether we attach responsibility to the user or to the system, because of its autonomous behaviour."

The nature of ownership of data is likely to change as devices move information around networks autonomously. It will become less clear who is responsible for data, who will own links between networks and who will be responsible if data is corrupted.

The government may need to update the law before these technologies come into use to maintain adequate security without losing the benefits and the freedom of new technologies. "The day may come when we have to legislate for a minimum amount of security," she said.