BLP’s Cybercrime team provide their views on The House of Commons Home Affairs Committee Report on E-Crime.
The Report, published in July 2013, covers a broad range of issues relating to cyber-crime. Over the course of seven months, the Committee questioned a range of witnesses. The Committee arrived at thirty-five recommendations. For convenience, we have grouped the main ones together and offer our thoughts based upon what clients and contacts are telling us and our experience in this area.
Funding: Criticism is levelled at a lack of funding for law enforcement. Whilst funding is very important, it is what you do with the money that counts. In this respect, initiatives like the impending establishment within the National Crime Agency of the new National Cyber Crime Unit are welcomed by the Committee.
Agencies: Less welcome is the recommendation for yet another agency, an espionage response team, to be set up. This seems to us to be counter-productive, particularly as the Committee recognises that it is unhelpful to have too many bodies working in this area, for example, to have other law enforcement agencies operating outside the National Crime Agency.
Reporting: Along similar lines, we were concerned by the suggestion that banks must be required to report all e-crime to law enforcement agencies. Mandatory reporting requirements are controversial. They currently form part of the EU Commission’s Cyber Strategy and Draft Directive and have been criticised by the UK government, which favours voluntary information sharing; that approach seems to work quite well in industry sectors that have adopted it. Whilst zero tolerance might be applauded, does it make economic sense? Both industry and law enforcement could spend a lot of time and money on this that could be better spent elsewhere. Financial loss, damage to reputation and risk of regulatory intervention are probably sufficient sticks to encourage appropriate behaviour by companies.
Criminal Sanctions: The Committee expresses concerns that criminals are treated too leniently when caught and so recommends a review of sentencing guidelines. Again, this is something that echoes the EU Parliament’s approach in legislating for minimum sentences across the EU for e-crime in a recently issued Directive. One additional thought here is to consider criminalising the receipt of information stolen via e-crime. At present, it is left to companies and individuals to pursue civil remedies against the recipients of stolen information. If the information is made “toxic” then it might discourage some of the theft in the first place.
Market Forces: The Committee refers to evidence from witnesses who suggested new forms of liability for manufacturers of software that is insufficiently secure. The Committee does not take up that suggestion, which would be a difficult measure to subject to a legal test in any event. Instead, we think that this is something that will be more market driven, with end-users putting security further towards the top of their purchasing requirements. Evidence given to the Committee by Google supports this: for example, Google has developed technology that scans Gmail accounts for hijacking activity.