
Or a better approach: Beware the enemy within?
Published: 19 February 2002 07:30 GMT
Is there any point, asks Martin Brampton, in legislating for security attacks when a bit of housecleaning could prevent many breaches?
The internet age is apparently beset by dire security threats and the self-styled experts are bemoaning the state of legislation. We need new laws, they claim, to cope with the rising tide of hacks, viruses and computer frauds. They ignore the fact that passing laws does not, as Captain Picard might say, make it so.
When the Computer Misuse Act was brought forward, it was correctly pointed out that it is a remarkably Draconian piece of legislation. It prescribed possible prison sentences for all kinds of offences, including making corporate managers responsible for any illegal use of software. Did the Act somehow miss its target? Or is it still too soft?
The evidence brought in support of calls for changes in the law is that very few people are actually being prosecuted and even fewer are being severely punished for wrongdoing. But there are obviously a number of possible reasons for this situation.
There are very few cases of so-called computer misuse where there is hard evidence pinning the blame on an individual. This problem is partly technical and partly practical. From a technical point of view, systems simply are not constructed to provide a chain of evidence that can be traced back to a specific source.
Even when there is such a chain, the source is rarely identifiable as a person, for purely practical reasons. As long as extensive access to computer systems can be obtained using passwords that are easy to guess, blaming individuals for security breaches will be difficult. Where passwords are harder, how often can they be found on a sticky note under the keyboard?
And this brings us to an issue that people have a natural reluctance to confront. Those inside the organisation cause most of the serious problems that crop up with computer systems. Management is reluctant to make accusations without very solid foundations, for fear of alienating staff, most of whom are entirely innocent.
Availability of evidence is again a crucial issue. Organisations have a duty to develop guidelines for acceptable use of computer resources, and to communicate them to all staff. Many have done this, and indicated clearly the possible sanctions against breaches. Provided evidence is available, disciplinary action can be taken against offenders and this will no doubt hold up against challenges in employment tribunals.
Even in the case of serious crime, it is the internal threat that is the most significant. The first step taken in a criminal conspiracy is often to infiltrate the target organisation. The figure of the evil genius attacking computer systems from far away is largely a fiction.
Most often, the external threat is a nuisance, and sometimes a considerable expense. Before worrying about legislative change, though, we ought to check that sensible precautions have been taken to limit damage. Putting a website online using popular software that has numerous known security weaknesses is tantamount to leaving your house with the doors and windows open and the valuables on display. The police will be unenthusiastic about dealing with the ensuing theft and the insurance company may well refuse to pay.
It is natural for people to experiment and to break rules. We are curious and we often see difficulties as a challenge. No amount of legislation will change this, nor will it halt all crime. If we want computer systems and the internet to be secure places, we must build them so as to be so. There is no point throwing together a system devoid of protection and then expecting the law to somehow solve our problems.
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.