Having slated several government misadventures in computing, I was pleasantly surprised by the masterful report on personal Internet security in 2007 from the House of Lords Science & Technology Committee, still available from here.
In the course of little more than a hundred pages, it succinctly summarises most of the key issues, and relates how the many key players – from operating system vendors, to ISPs, to enforcement agencies and watchdogs – have found excuses for doing as little as possible to address those issues.
My only slight disappointment is that it did not take a more robust view of the economic realities.
- THUS Group plc, owners of the original Demon ISP and more broadly purveyors of IP-based services to business, reported £18.9 million profit in the year ended in 2007, on revenues of £95 million; they are now part of the vast Vodafone group.
- Cisco Systems, Inc, who supply much of the hardware for the fabric of the Internet, reported around $2 billion net income (a euphemism for good old-fashioned profit) on sales revenues of nearly $35 billion for the same year; their last quarterly net income was $2.4 billion.
- Microsoft Corporation, whose operating systems and browsers were involved in the vast majority of security failures, reported over $14 billion net income on sales revenues of over $51 billion; their last quarterly gross margin was $14.6 billion.
- eBay Inc., whose business is wholly reliant on the Internet and includes PayPal, reported over $1 billion net income on net revenues of nearly $6 billion for 2006; their last quarterly revenues were $4.45 billion.
I need hardly mention Apple, whose cash mountain has grown to dwarf many national economies. Despite these prodigious profits, and the vast global industry that is generating them, expenditure on tackling Internet crime is risible.
After years of prevarication, the UK Police Central e-crime Unit was set up, and is now the National Cyber Crime Unit within the National Crime Agency (NCA). The entire NCA, which covers all major and organised crime including drugs, has an annual resource budget of just £408 million for 2015-16, of which probably less than 20% will be spent on ‘cyber crime’.
There is still no international agency that is getting a grip on gangs operating from less responsible jurisdictions, and the UK has yet to ratify the Council of Europe’s 2001 Convention on Cybercrime. No-one has the slightest idea of how much crime takes place over the Internet in the UK, and even finding the wherewithal to run an efficient Internet fraud reporting system seems beyond the budgetary or moral capacity of this country. The Internet remains as lawless as the Wild West, or as England was during the era of Viking invasions.
The reality is that most companies that reap richly from the Internet will only re-invest the absolute minimum that they feel obliged to, in order to defend security.
It is as if every car vendor has agreed that fitting locks and alarms to cars is unnecessarily burdensome, so they will just leave it to owners to buy their own padlocks. Thankfully market forces would put paid to that with physical security, but too few individual purchasers of computer products understand even the basics of computer security, and too many corporate purchasing decisions appear altogether irrational when viewed in the context of security.
The report’s recommendations look eminently joined up, but Government reaction, in Cm 7234 (October 2007), was dreadful. As the Committee wrote, UK Government “did not share our view that there was a public perception of the Internet as a lawless ‘wild west’ and many of our recommendations were rejected.”
The Committee considered the Government response was unsatisfactory, and conducted a short follow-up inquiry, resulting in a further report published on 8 July 2008. This is best summarised in their own words: “What progress there is, however, appears to be slow.” Since then there has been a deafening silence, from Parliament and Government.
Very large businesses will only invest where they see returns, and devote substantial resources to reducing their burden of taxation. Until security becomes a key selling point, or taxation imposes the cost of effective public security on their overheads, security will not enter the balance sheet or boardroom.
No-one wants to impede innovation or development, but so long as the industry has to be dragged along, always a year or two behind the criminals, we, the users, will continue to be insecure. Rather than mulling over ideas such as taxing email and trying to block porn sites, our legislators should be enacting measures to funnel some of those huge profits towards publicly-accountable organisations that will fight on our behalf to improve our Internet security.
Perhaps this shocking litany of lame excuses and perpetual procrastination is actually a reflection of a covert policy to take crime off the streets, and put it onto the Internet instead.
Updated from the original, which was first published in MacUser volume 23 issue 21, 2007. Once again it is disgraceful how little progress has been made in eight years.