Sergey Nivens - Fotolia

Spy bill review fails to address all issues, says cyber expert

UK parliament’s Joint Committee review fails to address issues of collateral damage and business protection by spy agencies, says cyber security expert

Parliament’s Joint Committee report on the UK government’s draft Investigatory Powers Bill is good, but fails to address all the legislation’s shortcomings, according to a cyber expert.

In particular, the report says little about the collateral damage caused by bulk equipment interference, commonly known as hacking, said Erka Koivunen, cyber security adviser at F-Secure.

“We have seen in the Belgacom case that equipment interference activity on non-terrorist and non-combatant organisations can be used to create stepping stones to the intended targets, or as a way to hide the intelligence traces that would point the operation back to GCHQ,” he said.

GCHQ reportedly gained access far beyond Belgacom’s internal employee computers and was able to intercept encrypted and unencrypted streams of private communications, resulting in a $5m bill for Belgacom to clean up its systems and beef up its security.

Koivunen, who was called to give evidence to the Joint Committee, said the report also fails to address what GCHQ should do to protect UK businesses, their partners and their customers from known vulnerabilities that other threat actors might use.

“This must be spelt out clearly in the bill’s final text,” he said.

Koivunen added that F-Secure supports Mozilla and the open-source community in insisting that all vulnerabilities should be identified and fixed, regardless of who put them there.

The draft bill asks for too much trust, provides very little verification, and fails to address concerns about the potential for abuse and lack of oversight, he said.

Read more about the draft Investigatory Powers Bill

As indicated by the Joint Committee’s report, Koivunen said there is still much work to be done on the legislation if it is to become law.

“Sharper, clearer definitions are required in order to protect both the privacy of citizens and viability of the British tech industry,” he said.

“We applaud the Joint Committee for addressing these shortcomings – and encourage the government not to use the rush [due to the sunset clause in the Data Retention and Investigatory Powers Act (Dripa) 2014] to pass the law as an excuse to pass a flawed bill.”

Parliament’s Intelligence and Security Committee (ISC) made a similar recommendation, urging the government to take the time necessary to construct a comprehensive and clear legal framework for authorising the actions of the intelligence agencies.

The government hopes to have the new law in place by the time the Dripa legislation expires at the end of 2016, in line with the sunset clause agreed in return for quick parliamentary approval.

The Joint Committee report is the third parliamentary investigation into the draft Investigatory Powers Bill that legislators have to consider in drafting a final text for new UK surveillance legislation.

The report by parliament’s Science and Technology Committee said the draft bill is too vague and needs to be redrafted to avoid economic damage. The ISC report called for “substantive amendment” regarding privacy protections, equipment interference, bulk personal datasets and communications data.

Read more on Privacy and data protection