UK Internet Providers Call for Government Support on Cyber-Security

The UK Internet Service Providers Association (ISPA) has today warned that the Government must avoid creating new regulations to tackle the challenges of cyber security. Instead ISPs say they should focus their efforts on supporting education, awareness and better training for law enforcement.

Security issues represent a constant headache for ISPs, as demonstrated by last year’s massive data breach of TalkTalk’s servers that exposed the personal details of some 156,959 customers to abuse (here). Today’s new report (PDF) further confirms that over 90% of providers are coming under some form of attack, but most are already upping their game.

Key Findings of the ISPAs Member Survey

1. Cyber-security is an increasing priority for 79% of ISPs surveyed, 77% said spending is increasing and MDs or C-Suite executives are accountable for cyber-attacks.
2. 92% are subject to cyber-attacks on a daily (31%), weekly (23%) or monthly (38%) basis.
3. ISPs provide a wide variety of tools and services to protect networks and tools to end users.
4. 85% of those surveyed said ISPs should have a proactive role to play in maintaining customer protection and mitigation.
5. ISPs take a proactive approach, with 84% of those surveyed having reported incidents and breaches and 92% provide advice and tools.
6. ISPs want Government to focus on awareness raising (64%) rather than creating new regulations (18%) to meet the challenges of cyber security.
7. Law enforcement should prioritise better training (83%) and coordination with industry (83%), as well as increase funding (58) and prosecutions (50%).
8. 91% are concerned about Government surveillance measures impacting on network security.
9. There is inconsistency with how law enforcement deals with ISP incident reporting.
10. While a large number of public bodies are in contact with ISPs, a third receive little or no contact.

The new report follows only a few months after a major cross-party inquiry into cyber security published its findings, which among other things proposed the introduction of jail terms for “data abusers” and fines for those who “fail to report, prepare for or learn from data breaches“.

However ISPs say that they already do a lot to tackle and defend against such attacks and that it’s the Government which needs to do more, albeit not through the introduction of new regulation. Instead the ISPA suggests that law enforcement “needs to improve how it handles cyber-crime with a wide gap in reports actually leading to successful investigations“.

As an example, of the 83% of ISPs who reported cyber-crime to the police, only 20% felt reports were consistently followed up and 30% said reports received no response at all. ISPs therefore suggest that the police need “more funding and better training“, as well as “better threat information sharing and a new education and public information campaign for end users“.

James Blessing, ISPA Chair, said:

“Cyber-security is critical, and this survey shows how it has become an even bigger issue for ISPs. The survey also reveals that industry believes Government and law enforcement need to raise their game in tackling cyber crime and need to have a clear plan on how they will be tackling offenders and raising awareness among users.

The survey further shows a real belief among ISPA members in a partnership approach with different stakeholders playing their part. This means government, law enforcement, internet companies, individual users, ISPs and businesses all working together to protect networks, follow good cyber hygiene, mitigate threats and bring offenders to justice.”

At the end of the day there’s no such thing as 100% security and no organisation, business or individual can ever truly claim to be completely safe; enterprising hackers will always find a way around even the best security, assuming there’s even a clear definition of “best“. Computers and networks have faced this challenge since the IT revolution first began.

Similarly not all businesses or organisations, especially smaller ones, will have the money or skills necessary to guarantee (if possible) that they have the best security and sometimes they might not even be able to detect the attack. Meanwhile that lack of knowledge could lead some to assume that they are safe, when in fact the opposite may be true.

Likewise many of the problems that ISPs face are also shared by their subscribers, but there are limits to what an ISP can realistically be expected to do in order to protect end-user connectivity (i.e. they can’t easily force you to keep your computer up-to-date with the latest firewall, OS patches and anti-virus etc.).

On the other hand the cross-party inquiry and today’s ISP report do agree on a number of key points, such as the need for better education, awareness and the need to re-examine the impact of new Internet surveillance laws (Investigatory Powers Bill).

ISPA Recommendations

In response to the survey and in consultation with wider industry, ISPA has made the following recommendations:

1. Government should focus be on education, awareness and work collaboration with industry rather than resorting to legislation.

2. Government must consider the damage surveillance legislation can have on network security, such as the intrusive hacking powers within the Investigatory Powers Bill.

3. Law enforcement should prioritise better training of officers and coordination of cyber security.

4. There needs to be more consistency when an ISP reports a case to law enforcement so that all reports are followed up and investigated to bring criminals to justice.

5. Authorities must do more to reach out to the full breadth of the ISP industry, engaging them in information sharing work and consultation.