Cool response to Love Bug raises spook role questions

The UK Government, unlike its US counterpart, was tight-lipped in the aftermath of the Love Bug. But what sort of government action on security can we expect? asks Peter Sommer, academic and government e-commerce adviser

During the recent spate of "loveable" Visual Basic/Outlook viruses, US officials - from the FBI and the US National Infrastructure Protection Center (NIPC) - were all over the media offering advice and comment.

But here in the UK, the public response to the virus from the NIPC's near-equivalent - the National Infrastructure Security Co-ordination Centre (NISCC) - was almost non-existent.

So what do we, and what should we, expect the UK Government to do about computer security? The Department of Trade & Industry has sponsored an Information Security Management standard, BS7799. We also have the ITSEC/Common Criteria scheme for security products, and sponsored research in emerging fields such as intrusion detection.

But beyond these, what role should government play to secure the IT infrastructure?

NISCC is a development and formalisation of arrangements that have existed for some time. Traditionally, departments of the Security Service and the GCHQ Communications and Electronic Security Group have provided advice and consultancy to government ministries, their agencies and a handful of companies holding key defence contracts. Data on computer security breaches and bulletins warning about them are issued under the Unified Incident Reporting and Alert Scheme.

However, important parts of the national infrastructure are increasingly being outsourced, and the telecommunications companies and utilities are now in private ownership. For the spooks, successive waves of privatisation, together with the current spate of private/public financing schemes, have resulted in a change from the culture of anonymity. Already, many senior private-sector information security professionals know NISCC staffers.

Although the work of the new "virtual agency" includes the usual headline-grabbing cybersleuth activities, much effort also goes into risk analysis, prevention and contingency planning. But NISCC still only deals with national infrastructure - the politics surrounding the setting-up of a national cyberpolice force are still unresolved. The function of this cyberpolice force, the Government Technical Assistance Centre, is to support warrants issued under the Regulation of Investigatory Powers (RIP) Bill.

UK personnel are also prominent in the G8 round of cybercrime conferences, beneath the surface of which there may already be serious difficulties. The US wants an international cybercrime unit. But European officials are concerned that it would be US-dominated, while business is worried about the costs of providing interception facilities.

The Crime in Cyberspace convention, drafted by the Council of Europe last April, at least begins to look at nitty-gritty issues such as training, acquisition and preservation of evidence, and mutual legal assistance treaties.

Meanwhile, the UK Government focuses on making quiet, private contacts. Its key word is "co-regulation". The US approach is different but, for all those dynamic TV appearances, the official warnings about the Love Bug came too late.

Nevertheless, we shouldn't be too glib about the UK's attitude. We can legitimately ask, "Are all the relevant issues, such as the balance between official powers, the cost to industry and safeguards for privacy, under proper review? And who, in Parliament and beyond, can assess whether NISCC and others are actually doing a good job?"

Peter Sommer is a research fellow at the London School of Economics, and special adviser to the Commons Trade & Industry Select Committee for its inquiries into e-commerce.
