ISPs Warn “unnecessary complexity” Hampers Internet Security Push

Internet Service Providers (ISP) have warned that the Government’s push to improve cyber security and thus turn the UK into the “safest place to be online” could be at risk, unless they tackle the “convoluted regulatory system” and avoid creating “unnecessary complexity” (e.g. duplication of reporting and responsibilities).

Hacking and major data breaches seem to have become increasingly common news over the past few years. In that sense it’s no surprise to find that 88% of the ISPs that responded to the UK Internet Service Providers Association’s (ISPA) new survey say they are regularly subject to cyber-attacks, with 44% experiencing daily attacks.

Nearly all of the above attacks (69%) are directed at the customers of those networks (e.g. residential and business broadband users) rather than the ISP itself, although providers can often be targeted too, much as the infamous 2015 personal data breach at TalkTalk confirmed (here).

Indeed anybody with even basic experience in internet security or networking – both individuals and businesses alike – will know that such attacks, many of which can be automated (botnets, viruses, DDoS etc.), are a regular occurrence.

In reality it’s been this way since the earliest days of the online world but perhaps the biggest difference now is that many more people use the internet (more targets for criminals) and businesses have become better at reporting security breaches, often under threat of hefty fines if they don’t.

10 Key Findings from the Survey

* An overwhelming majority (94%) of ISPs surveyed indicated that they expect to increase their investment in cyber security over the next three years.

* Cyber security remains an important priority for ISPs, with 61% of respondents stating that cyber security is a high or very high priority in their company’s day-to-day operations.

* 88% of respondents are regularly subject to cyber attacks, with 44% experiencing daily attacks.

* ISP’s customers are largely the ultimate target of cyber attacks, with 69% of cyber attacks targeted at respondents’ customers as opposed to their own networks.

* Confusion about data breach thresholds and reporting systems persists, with responses suggesting that some ISPs may be unsure about what constitutes a reportable breach.

* The majority (86%) of respondents are implementing or planning to implement Active Cyber Defence measures, as recommended by the National Cyber Security Centre (NCSC).

* All respondents believe that ISPs should play a proactive role in cyber security, with 78% stating that they already offer dedicated cyber security services to their customers.

* ISPs are divided on the importance of sharing their experiences of dealing with cyber attacks with industry colleagues: with 50% of respondents not doing so as a matter of routine. This contrasts with the finding that 40% of respondents think that the handling of cyber crime could be improved if there was better collaboration and coordination within the internet industry.

* 62% of respondents suggested that the handling of cyber crime could be improved if law enforcement agencies took a more coordinated approach to the problem.

* ISPs want the Government to focus on setting out a clearer strategy and standards for cyber security, raising awareness of good practice, particularly amongst SMEs, and providing financial assistance or subsidies to businesses wishing to enhance their cyber security.

Sadly defending against such threats is an endless challenge, which is one of the reasons why it’s so important to keep your software and hardware up-to-date with the latest patches / security fixes. Equally ISPs say that the Government could be doing more to help the situation by making some productive changes.

Andrew Glover, ISPA Chair, said:

“Despite increased awareness about the importance of cyber security, Government and law enforcement must turn their words into actions. In order to ensure the UK has an effective cyber security regime, the Government should streamline the number of organisations involved in the cyber security landscape to minimise confusion. This needs to be underpinned by clear minimum standards on cyber security, set by Government, and improved online cybercrime reporting processes.

The survey indicates that ISPs are working hard to provide a first line of defence for consumers, investing significantly in order a wide range of cyber security services to their customers. This work must be supported by increased awareness of good practice amongst users and improved training for law enforcement officers to ensure that they are properly equipped to tackle cyber crime.”

In response to the survey and in consultation with wider industry, the ISPA has made the following five recommendations.

Cyber Security Recommendations

1. Government should set out clear and practical minimum cyber security standards for industry, which are regularly updated to take account of evolving threats.

2. Government should focus on raising awareness of best practice in cyber security, using targeted subsidies, such as vouchers to help subsidise services, to help raise standards.

3. Government should streamline the number of organisations involved in the cyber security landscape to minimise confusion and duplication, including on areas like breach reporting.

4. Law enforcement agencies should take a more coordinated approach and boost training to improve consistency in cyber crime enforcement outcomes.

5. There needs to be a significant improvement in online cyber crime reporting processes to help and facilitate the sharing of information between interested parties.

The Government’s new White Paper on Internet Safety is due to be be published this winter.

UPDATE 17th October 2018

Meanwhile the Index on Censorship has warned that the government’s heavy pursuit of tougher internet regulation may come at the cost of freedom of expression.

The Index Calls for..

* No new restrictions on types of content. Existing legislation restricting freedom of expression already covers a wide range of harmful speech and we are unconvinced of any need for further forms of expression to be prohibited. Existing legislation should, instead, be appropriately adapted to take into account online forms of expression, rather than to prohibit further forms of speech.

* Any regulation of social media or other online companies to be evidence-based, appropriate, proportionate and in full conformity with international human rights law and standards. In particular, we caution against any regulation which incentives the removal of content with strict time limits or the threat of sanctions, due to risks of excessive caution and the removal of lawful and legitimate content.

* Social media companies to be encouraged to develop fair, simple and transparent oversight mechanisms under which requests for the removal of content, whether by users or governments, can be challenged by those affected. These mechanisms should include transparent dialogue with users, including notifying users why a decision has been made.

* Recognition of the limits to any use of algorithms or automated decision-making related to reviewing content, and the need for human involvement and responsibility in content review processes.

* Civil society organisations, and other relevant stakeholders, to be fully consulted and involved during the White Paper’s development.