The Science and Technology report, complete with formal minutes, oral evidence from academics and written evidence from interested parties such as the anti-virus industry, provides an overview of the world of cybercrime from a political viewpoint. A discussion of cybercrime statistics, for example, touches on the legal complexities involved in prosecuting cybercriminals: “A phishing attack would probably... be charged as fraud or money laundering, a Distributed Denial of Service attack (which also tends to involve offences under s 3 Computer Misuse Act...) would probably be charged as extortion... In every year since the Computer Misuse Act came into force, prosecutions have seldom exceeded 100 per year.” (In written evidence from Professor Peter Sommer.)
But while the overall document provides a detailed analysis of the current state of cybercrime, the report’s practical recommendations are somewhat limited: government must push ahead with the UK Cyber Security Strategy, must try harder to educate users with simple English, and, most particularly, invest in the Get Safe Online website. Indeed, it goes so far as to “recommend that the Government require that access to Get Safe Online advice is provided, by vendors, with every device capable of accessing the internet.”
Two areas of particular interest to the security industry are ‘safety standards’ and automated security assessments for software. “In the event that the industry cannot demonstrate an effective self-regulatory model, we recommend that the Government investigate the potential for imposing statutory safety standards,” states the report. And with reference to the ‘kitemarks’ proposed in the UK’s Cyber Security Strategy, “We judge that there will be a need for an automated way to assess the security of software.”
Commenting on the report on his own blog, Graham Cluley of Sophos is encouraged by the stress on better user education. He also has his own recommendation. “One thing which is clear from the report,” he writes, “is that we need an independent way of measuring the cyber threat that's out there. Much of the data used by the report is supplied by security vendors, who - one can argue - could have a vested interest in hyping up the internet threat. To avoid such accusations, proper systems must be put in place to make it easy for citizens to report internet crimes and malware attacks. This could start with better training of the police force as to how cybercrime works, to make many computer users more comfortable in reporting cybercrime to their local police.”