Conservative Party Report on Cybercrime

March 12, 2008

Speaking at the 2008 e-crime Congress, David Davis described cybercrime as a ‘serious threat to individuals, business and government’ and accused Labour of having ignored the issue.

The report outlines a number of proposals to tackle cybercrime, including:

– creating a new Police National Cybercrime Unit

– establishing a cybercrime team within the Crown Prosecution Service

– appointing a single minister responsible for cybercrime

– reforming the mere conduit defence for ISPs, which it describes as unsustainable in its present form.

The full report can be downloaded from here. It provides something of a primer for those looking to brush up on the range of possible computer-related threats and enough scare stories to make Ricky Hatton quiver. The proposals themselves are more prosaic and thus more interesting. They are set out below.

Improving Enforcement

We would create a new Police National Cybercrime Unit (NCU). Law enforcement against cybercrime needs to be strengthened. This requires specialist support and co-ordination. The NCU would be responsible for analysing trend and threat information received, supporting hi-tech crime investigations carried out by individual police forces and promoting higher levels of understanding and recognition of cybercrime implications in all police activities. We would ensure that the new cybercrime unit is fully equipped to combat cybercrime in conjunction with the e-crime unit of the Serious Organised Crime Agency (SOCA).

We would establish a cybercrime team within the Crown Prosecution Service. This team, drawing on existing specialists within the CPS, would work closely with officers from the new police National Cybercrime Unit to further enhance capabilities and improve potential outcomes from prosecutions. We would also examine sentencing guidelines on cybercrime to ensure that the courts have proper regard to the fact that in a significant proportion of on-line crimes small individual offences occur on a serial, almost production line, basis and in sentencing the courts should take account of the whole picture and the intrusive nature of the crime committed.

Improving Reporting

We would establish a Fraud and Cybercrime Complaint Centre – a single reporting centre for cybercrime along the lines of the US Internet Crime Complaint Centre (IC3). The reporting of cybercrime and cybersecurity incidents needs to be made much more straight-forward and accessible. In order to fight cybercrime we need to obtain a much clearer understanding of the scale, nature and extent of the threat and ensure that victims of cybercrime know how to report a crime or malicious on-line incident. We would establish an on-line complaint centre to enable users to provide real time complaints of spam, fraud, malicious software or website incidents. This would form part of a combined Fraud and Cybercrime Complaint Centre.

We will improve the way in which the Police record cybercrime and reverse changes that prevent the public reporting on-line financial fraud to the police.

Promoting Greater Prevention

We would significantly upgrade the Government’s on-line safety and advice website. This on-line ‘portal’ would offer the public the most up to date information on cyber security and help them protect themselves on-line. The website would be linked to the Fraud and Cybercrime Complaint Centre to enable people to report cybercrime on-line and to ensure that emerging threats are communicated quickly. We would develop this facility in conjunction with private sector partners to draw together best practice advice from industry on cybersafety as well as examining more effective ways in which to make consumers aware of the information that is available.

Education and awareness of the potential risks in the on-line environment need to be enhanced. We would promote cybersafety and cybersecurity as a core part of all ICT training in schools and colleges.

We would work with industry to promote common standards and preventative software tools. This would be enhanced by the adoption of a BSI-approved Kite Mark recognising certain standards in internet security and on-line safety. For example legitimate emails from large organisations could be recognised through electronic signatures embedded in the emails enabling more effective screening of fraudulent phishing emails by internet service providers preventing them from hitting consumer in-boxes. We would put in place mechanisms to maintain the viability and suitability of standards to take account of the changing nature of new and emerging cybercrime threats.

Providing leadership and promoting co-operation

We would designate a single minister for cybercrime. Leadership within government and the emphasis placed on cybercrime needs to be strengthened to ensure that it is given the focus and priority it requires. That is why a Home Office minister reporting to the Home Secretary would be given responsibility for co-ordinating policy on cybersecurity, cybercrime prevention and international co-operation.

We would create a new framework to promote closer co-operation between government and business with the shared aim of reducing the risk of cybercrime. We would create a Cybercrime Compact overseen by the Cybersecurity Minister bringing together government, the financial sector, hardware and software manufacturers and other business groups to promote closer working on initiatives to improve cybersecurity. In particular this forum would seek to develop common standards and more effective joint working between government and industry.

Promoting international partnerships

We would ratify the Cybercrime Convention and strengthen international partnerships with law enforcement agencies around the globe. Because international co-operation and common standards between countries are such an essential part in bearing down on cybercrime wherever it may be originating from, we would also promote improved international co-operation and standards through the Internet Governance Forum and the G8.

Strengthening Cyberlaw

We would review existing legislation to ensure that it provides effective sanctions and offences against developing cybercrimes. In particular, we would legislate to put beyond doubt that the hiring of botnets for the purposes of conducting or facilitating cyber attacks on others is a criminal offence.

In conjunction with the Financial Services Authority we would impose an obligation on financial service companies to report all malicious security incidents affecting their computer systems. We will require all companies and businesses holding personal data on individuals who suspect that their systems have been hacked into and that personal information could have been compromised to report such incidents to the Information Commissioner and the Fraud and Cybercrime Complaint Centre and to make notification to their customers when required by the Commissioner.

We would create an offence of reckless handling of personal data by government, making it an offence for a Crown Servant or a government contractor to lose personal data from their control.

Combating Cyberabuse

The public need to be confident that appropriate measures are being taken regarding the posting of images which incite abuse, violence and race hate crime. However, virtually nothing is being done by the Government to address this serious issue. In order to promote strong social cohesion and to ensure greater public protection, it is essential that firm action is taken by internet service providers, the police and other law enforcement agencies to prevent attacks inspired or encouraged by such reprehensible activity.

A Conservative Government would conduct an urgent review of the existing criminal sanctions regulating the broadcast or publication of material which is intended to promote violence or hate crimes to ensure that the law is being enforced robustly and effectively.

We would reform the ‘mere conduit’ defence for Internet Service Providers under the E-Commerce Directive as it is unsustainable in its current form.

We recognise that there is a balance to be struck between the need for freedom of expression whilst protecting the public from harm. But there is a clear shared social responsibility on the operators of file sharing websites and internet service providers to ensure that grossly offensive images are not made available for download. This responsibility extends not only to file sharing but to taking action against fraudulent websites and email accounts being used to perpetrate cyber-attacks on others.

We will assess what penalties (whether criminal or civil) should apply to internet service providers which fail within a specified time to act on requests to take down images or comply with requirements to remove bogus or inappropriate websites or to act on spam or other malicious email notified to them as originating from their services.

We will consult on these proposals with both industry and users.

In addition to these specific measures we will examine the current data protection framework and arrangements to ensure that personal data and information is properly protected and secured. We will also undertake further detailed analysis on the protection of critical infrastructure from cyber attack and measures required to enhance national cyber security.