CYBER RESILIENCE HOW TO PROTECT SMALL FIRMS IN THE DIGITAL ECONOMY
FSB-Cyber-Resilience-report-2016
fsb.org.uk
The Government should review the relevant law and policy framework to examine whether:
• There are further enhancements that can be made to the law to better encourage co-operation
and collaboration between the private sector and law enforcement.
• There are ways of leveraging more private sector capacity to deal with cyber crime,
including more encouragement of private sector investigation and legal action against
cyber criminals.
Grabosky and Broadhurst have described how an effective anti-cyber crime strategy needs to
improve the coordination and collaboration (including joint operations) between law enforcement
and the private sector by enabling systematic exchanges between them. 133
There is potential to move beyond collaboration. Given that there are considerable expertise and resources
in the private sector, the Government should review relevant laws and other obstacles which currently
might be deterring private organisations from pursuing their own investigations and legal action (civil
and criminal) against cyber criminals. As well as removing any obstacles, the Government should look
at whether there might be scope for creating specific incentives to encourage those in the private
sector with the expertise and resources to undertake private investigations and take private
actions against cyber criminals. The objective should be to incentivise additional investigative and
enforcement capacity which would complement the efforts of the police and prosecutors.
Once the Investigatory Powers Bill has been passed by Parliament, the Government should
comprehensively review the current wider criminal and civil powers for dealing with cyber crimes
available to law enforcement and relevant regulators (such as Trading Standards).
While the UK is widely considered to have a good framework of criminal law in relation to cyber crime,
there may be room for some further enhancements. As Grabosky and Broadhurst have noted, to
effectively tackle cyber crime, it is vital that technology and criminal practices do not outpace the ability
of law enforcement to investigate, and Governments therefore need to be ready to enact substantive
and procedural laws which are adequate to cope with current and anticipated manifestations of cyber
crime. 134
While the review should be comprehensive and look to ensure that the barriers to dealing with cyber
crime in the UK are minimal, it should include a focus on four issues:
• Reviewing whether the UK is fully compliant with the requirements of the Council of Europe
(Budapest) Convention on cyber crime. 135 Corrective action should be taken where the UK is
found not to be fully compliant.
• Looking at whether there is any need to create new criminal offences, e.g. a specific offence of
ID theft, and whether there could be closer regulation of online information sources which make
personal information easily available for criminals to exploit. One avenue to explore
should be whether there is a need for the law to encourage social media sites to be more
effective at deleting old data or encouraging their users to make sure they delete old data. 136
• Whether strict liability offences could play more of a role in dealing with aspects of cybercriminality.
• The extent to which the tool-box available to law enforcement could be strengthened through
the availability of new or the extension of existing civil powers to use alongside the criminal law.
The Government needs to push aggressively for more intense international co-operation in
all the appropriate international forums, such as the International Telecommunications Union (ITU), the
OECD, the UN and the Commonwealth Telecommunications Organisation (CTO), i.e. those international
forums that have a truly global reach. Regional measures such as the Network and Information
Security Directive are unnecessary distractions and, at worst, counter-productive complications to the
real goal of international co-operation. 137
133 Grabosky P and Broadhurst R, The Future of Cyber crime in Asia, Cyber crime: The Challenge in Asia, 2005.
134 Grabosky P and Broadhurst R, The Future of Cyber crime in Asia, Cyber crime: The Challenge in Asia, 2005.
135 The Council of Europe’s Convention on Cybercrime aims to align the ‘…relevant criminal laws, police investigative procedures and mutual assistance arrangements of the signatory states’. Source: Wall, D E, ‘Cybercrime’, 2007.
136 Tweedie, N, Just how easy is it to hack into your life?, 2011. Available at: http://www.telegraph.co.uk/finance/newsbysector/mediatechnologyandtelecoms/digital-media/8597757/Just-how-easy-is-it-to-hack-into-your-life.html
137 FSB argued against the need for the Network and Information Security Directive before it was agreed by the EU institutions. It not only fails, because it is a