The Government are strengthening and weakening cybersecurity
The UK Internet Service Providers Association (ISPA) have issued a report calling for the Government to offer industry more support on cybersecurity but less regulation.
Their latest Cyber Security Member Survey revealed that a majority of UK ISPs want the Government to assume a greater educative role.
They want Government to ramp up their efforts to raise public awareness of cybersecurity issues, and they want more to be done to train industry on how to deal with threats.
By contrast, the vast majority don't want increased regulation, with 91% being concerned that mass government surveillance negatively affects network security.
Given their concerns, they may be reassured by the recent news that the Government plans to open a National Cyber Security Centre (NCSC) in October.
This centre will act as a coordinator between industry and government, providing private and public sector organisations with vital info and support on digital security matters.
However, with the Investigatory Powers Bill at committee stage in the House of Lords, it appears as though the Government won't be listening to the 91% who want them to rectify the compromises they'll be introducing into the UK's internet networks.
What's more, in a country where many people still aren't aware of how best to protect themselves online, the Government's recently announced centre sadly won't be tasked with educating and helping the public to any significant degree.
On their own
Still, even without the public to worry about, the ISPA Member Survey found that many ISPs are dissatisfied with how the UK's institutions and infrastructure are unequipped to deal effectively with cybercrime.
Among its key findings, it revealed that 17% of ISPs have never come forward to the authorities to report a cyber attack.
Of those that have, it noted the more worrying fact that 30% said there was no interest or follow-up from the authorities. Just as bad, 50% said reports were only occasionally investigated.
This goes to show that, in many cases, companies are left on their own when they experience cybercrime.
Even worse, 92% of ISPs experience attacks regularly. Of this 92%, 31% experience breaches daily, 32% weekly, and 38% monthly. This has massive implications for the customers of these ISPs.
In response to such problems, the ISPA survey made five recommendations:
1. Government should focus on education and awareness and work collaboratively with industry rather than resorting to legislation
2. Government must be mindful of the damage surveillance legislation can have on network security, such as the intrusive hacking powers within the Investigatory Powers Bill
3. Law enforcement should prioritise better training of officers and coordination of cyber security
4. There needs to be more consistency when an ISP reports a case to law enforcement so that where practicable all reports are followed up and investigated so that criminals can be brought to justice
5. Authorities must do more to reach out to the full breadth of the ISP industry, engaging them in information sharing work and consultation
Protecting the Critical National Infrastructure
While these demands make it seem as though there's much to be done, the Government is already taking steps to satisfy them.
In November 2015, they announced plans to open a National Cyber Security Centre.
Propped up by £1.9 billion in funding, the Government intends it to become a pivotal centre for expertise and intelligence into cybersecurity.
On the one hand, its staff will research basic vulnerabilities in the cyber systems of the UK's "Critical National Infrastructure," which for now includes the energy, telecoms and financial sectors. They will then share this research with the organisations and businesses concerned, educating them on how best to protect themselves against likely attacks.
On the other, they'll also respond to network breaches as and when they occur. This would involve actively working with affected companies to minimise damage, as well as putting them in touch with firms specialised in cybersecurity.
In many ways, they'll be a single point of contact or "bridge" between industry and experts.
As part of this role, the NCSC will also be instrumental in enabling a more consistent approach from the police, instructing them on how best to respond to reports of attacks when they're made by ISPs and organisations.
This will go some way to ensuring the authorities are more responsive to those ISPs who report security breaches, as well as more able to provide them with help.
And, as a whole, the centre will go some way to providing just what the ISPA's Member Survey recommended.
They'll raise awareness of cybersecurity issues, they'll establish codes of best practice, and they'll make it easier for ISPs and other organisations to overcome their isolation and connect with those who can help them.
National security at the cost of network security?
That said, the NCSC will do nothing to address one of the major recommendations of the ISPA's report.
Namely, they won't put a stop to the mass surveillance being conducted by GCHQ on behalf of the Government. Neither will they stop the Investigatory Powers Bill from being passed, a bill which seeks to enshrine GCHQ's mass surveillance into law and require ISPs and telecoms providers to aid such surveillance.
Superficially, this bill is simply an attempt to defend national security in the face of a constant threat of terrorism.
Yet critics have argued that the bill's proposals would actually undermine the security of the networks GCHQ monitor.
One of these proposals would oblige ISPs to collect "internet collection records" on their customers, collecting data on the browsing history of people so that the security services could access this data if they believed it necessary.
There are worries that such records will be vulnerable to being breached, in much the same way that, for instance, the details of 400,000 TalkTalk customers were stolen after a cyberattack in October 2015.
Then there are the concerns regarding encryption. Once again, critics say that making ISPs and tech companies introduce 'backdoors' into encrypted communications will create opportunities for criminals to compromise the online security of the general public.
These fears are very pressing, and they're pressing precisely because they risk exposing thousands and millions of people to the possibility of having their personal details stolen and exploited by cyber criminals.
No public enquiry line
This threat is something that needs to be addressed separately by the Government, since as it stands, cybercrime already costs the UK £27 billion a year.
Not only that, but the focus of the NCSC will be very much fixed on industry and public bodies, with the general public seemingly being relegated to an afterthought.
For example, the centre's prospectus states that, while they'll provide "bespoke support to a small number of the most critical organisations in the UK," they "will not offer an enquiries line for the general public."
Added to this, they'll make general advice available to the public only when there is a "significant cyber incident affecting the UK."
While this may be justified insofar as the centre's resources are limited, it will nonetheless mean that the Government will waste a distinct opportunity to plug a large hole in the public's knowledge of cybersecurity.
That such a hole exists was shown, for example, by a survey conducted by Get Safe Online in 2014 as part of their Get Safe Online Week.
This survey revealed that 47% of victims of online crime didn't know where to report such crime. It also discovered that only 45% of these victims changed their passwords and online behavior after having fallen victim to cybercrime.
More worryingly, it also found that 54% of mobile phone users and 59% of laptop users don't have a password or PIN for their devices.
With such unawareness of the dangers of lax cybersecurity, it's little wonder that 5.8 million cybercrimes were committed in England and Wales in the year leading to March 2016.
And yet, rather than addressing this startling figure by doing more to educate the public, the NCSC will instead be focusing on organisations and businesses.
As such, they may very well prevent the kind of attack that resulted in TalkTalk losing 101,000 customers last year, yet they'll do very little to save individuals from the kind of day-to-day phishing frauds that rose by 20% last year.
Nevertheless, the public do have other options when it comes to informing themselves about the hazards of cybercrime.
As mentioned above, Get Safe Online are a non-profit organisation that offer guidance to people on how to protect themselves against "fraud, identity theft, viruses and many other problems encountered online."
They often run advertising campaigns that seek to increase awareness of important security issues, and they also offer more business-oriented advice to those who run their own company.
Since they're a joint public-private partnership between the Government and various "leading" businesses (e.g. Barclays, Kaspersky Lab, PayPal), they show that the Government are in fact taking the issue of personal online security very seriously, even if said issue will be largely neglected by the NCSC.
For those who've been the victim of cybercrime, there's also Action Fraud. This is the National Fraud and Cyber Crime Reporting Centre, and it's where any victim of an online crime should immediately go if the worst happens.
With Get Safe Online, it should provide all the information and help most people would need.
Of course, it's just a shame more people haven't heard of them, and it's a shame that the Government look set to pass a bill that may only put the public's personal details in jeopardy.