Whitehall acts to marshal UK's security expertise in fight against cybercrime

Home Office aims to create a co-ordinated UK computer crime strategy.

The UK is awash with expertise on IT security, in businesses, among IT suppliers, in central and local government, the police and the security services.

So far there have only been sporadic attempts to bring this expertise together in a co-ordinated way to tackle the threats posed by viruses, hacking and other forms of computer crime.

This looks set to change with news that the Home Office is developing a computer crime strategy for the UK that will attempt to co-ordinate computer crime resources across a wide range of public and private sector bodies.

The work is still in its early stages, but some of the ideas that have been put forward to the Home Office are beginning to attract interest. They include the creation of industry-based "IT special constables" to assist the police, "cyberhood watch" schemes to alert small businesses to imminent threats, and a review of computer crime laws.

Development of the Home Office strategy will run in parallel with a similar review by the government's Central Sponsor for Information Assurance, part of the Cabinet Office. That review is likely to focus on the need to improve the take-up of information security standards such as BS7799 among local and central government departments - a move that could also encourage adoption in the private sector.

In some ways, the UK is playing catch-up with the US, which published its own cybercrime strategy in February this year. The US plan, drawn up in response to the 11 September terrorist attacks, with the backing of the White House, recognises that with many parts of the internet under private control, the government cannot secure cyberspace on its own. But it can play a leading role in educating businesses about risks and solutions, and encourage research into better ways to protect computer systems.

The Home Office has asked IT industry parliamentary group Eurim to help it identify the key priorities for a UK computer crime strategy. The timetable is tight - Eurim aims to report back on the key issues before Parliament's summer recess and to identify possible solutions by September. This will give ministers time to get the ball rolling by introducing some easy-to-implement reforms before the end of the year.

Jeremy Beale, head of the e-business group at the Confederation of British Industry, welcomed the move.

"We think computer crime is a major issue for businesses and for the country. We have moved into an era where the critical national infrastructure is increasingly vulnerable to terrorism," he said. "A major effort is needed to build up expertise in industry and government and to put computer crime on the national agenda."

The main proposals under discussion are:

IT special constables

IT special constables, based in industry and capable of gathering evidence of computer crime to police standards, could take the pressure off overstretched police forces. The idea is taken from the US and Canada, where the armed forces and other government agencies keep civilian experts on their payroll, ready to be called on in times of crisis.

"When it came to the Love Bug computer virus, the FBI suddenly had a 400-strong taskforce, which was almost entirely comprised of people from IBM, Microsoft, Symantec etc, all of whom were special reserves with the FBI. The full-time FBI officers did little more than make the tea," said Philip Virgo, general secretary of Eurim.

A similar principle could be introduced in the UK to take some of the pressure off the National High-Tech Crime Unit and regional computer crime units. Security experts in industry could be trained how to gather evidence of deliberate security breaches to the rigorous standards of evidence used by the police to bring criminal prosecutions in court.

Chris Sundt, a security consultant who is helping the Home Office develop its security strategy with Eurim, believes that such a move could bring significant benefits.

"One of the problems we have in industry is handing investigations over to the police. If you call them too early, it creates problems because there are not enough police resources. If you call them too late, evidence may not be admissible in court. Special constables could act as the police presence until the investigation is handed over to the police proper," he said.

Critics say that while IT special constables are an interesting idea that should be explored further, the underlying problem is that there are not enough IT-literate policemen, and not enough awareness of IT security issues.

Review of computer crime law

Likely to form a central plank of the Home Office's strategy, the Computer Misuse Act, introduced in 1990, will need to be updated to bring it into line with the European Convention on Cybercrime and a proposed European framework on attacks against information systems. This could be an opportunity to deal with some of the perceived inadequacies of the current Computer Misuse Act - an issue that has formed the heart of Computer Weekly's Lock Down the Law campaign.

There may also be moves to assess whether legislation could outlaw the theft of electronic data, which is currently not a criminal offence in UK law.

Small businesses

There is growing concern in government and business that smaller companies and even home users are not getting the advice they need on computer security. The issue is crucial, not only to protect small companies, but also the larger companies they supply. Hackers often use small, unprotected computer systems as a launching point for attacks on larger systems, yet there is little co-ordinated help for small firms.

Another problem is that there are few IT professionals with the all-round skills, including security skills, that small businesses need. One solution could be to develop a programme of training and qualifications for a new type of IT generalist, who could assist small businesses to secure and install their systems.

Education and training

The Home Office review is expected to look at ways to make better use of the security training programmes that have been developed by industry, law enforcement and academia. Forensic computing courses developed by the police could provide private sector security professionals with valuable training, particularly if the idea of IT special constables is introduced. However, police regulations currently restrict this.

Identity theft

Measures to tackle identity theft will be high on the Home Office's agenda. The problem is reaching epidemic proportions and, if left unchecked, is likely to damage the growth of e-commerce. Increasingly, fraudsters in the UK are using stolen identities to take out loans or make credit card purchases under other people's names.

Police computer crime unit

The National High-Tech Crime Unit and the regional police computer crime units are widely seen as lacking the manpower and the resources to deal adequately with the current volumes of computer crime. The Home Office computer crime strategy is likely to revisit the funding question, and ask whether more officers should be trained in forensic computer techniques.