[As ever, this is also on the BBC News website]
When the United Nations website was defaced by a group of activists who replaced a statement from the Secretary General with the slogan “Hey Ysrail and Usa dont kill children and other people Peace for ever No war” it was hard for the organisation to keep it secret.
The hack was clearly visible to everyone who visited the site, and although it was quickly removed the story rapidly spread and screenshots have been widely circulated.
It seems that the UN had not taken sufficient care over the way that the database which hosts their site checks the data it receives from the outside world, leaving it vulnerable to a specific type of attack called a ‘SQL injection’.
And the lack of an apostrophe in the word ‘dont’ wasn’t bad spelling, but a by-product of the method used.
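To make the point concrete, here is an added illustration (not code from the original post, and nothing to do with the UN's actual systems) using Python and an in-memory SQLite table whose name and columns are assumed: an update that splices user text straight into the SQL string fails the moment the text contains an apostrophe, while a parameterised update stores "don't" verbatim and cannot have its meaning changed by the input.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample schema: a "statements" table standing in for the
    # content a site serves (assumption; the real database is not shown).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE statements (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO statements (id, body) VALUES (1, 'Original statement')")
    return conn


def update_vulnerable(conn: sqlite3.Connection, statement_id: int, body: str) -> None:
    # Unchecked input is spliced into the SQL text. An apostrophe in `body`
    # closes the string literal early, so the database parses a different
    # (here malformed) statement instead of storing the text.
    sql = f"UPDATE statements SET body = '{body}' WHERE id = {statement_id}"
    conn.execute(sql)
    conn.commit()


def update_safe(conn: sqlite3.Connection, statement_id: int, body: str) -> None:
    # Parameter binding: the body travels as data, never as SQL, so quotes
    # are stored as-is and the query structure is fixed by the developer.
    conn.execute("UPDATE statements SET body = ? WHERE id = ?", (body, statement_id))
    conn.commit()


def read_body(conn: sqlite3.Connection, statement_id: int):
    row = conn.execute("SELECT body FROM statements WHERE id = ?", (statement_id,)).fetchone()
    return row[0] if row else None


def demo(body: str) -> dict:
    """Run the same input through both versions and report what each stored."""
    result = {}
    conn = make_db()
    try:
        update_vulnerable(conn, 1, body)
        result["vulnerable"] = read_body(conn, 1)
    except sqlite3.Error as exc:
        result["vulnerable"] = f"error: {exc}"
    conn = make_db()
    update_safe(conn, 1, body)
    result["safe"] = read_body(conn, 1)
    return result


if __name__ == "__main__":
    for text in ("dont kill", "don't kill"):
        print(repr(text), "->", demo(text))
```

The vulnerable path only "works" for text without apostrophes, which is the defensive lesson: if a quote character in ordinary input can break your query, the query is being assembled from untrusted text and needs parameter binding.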
If the UN can leave itself open to attack there must be many other sites equally vulnerable, and some of them might be holding data rather more valuable even than the speeches of a major politician.
But if my bank, internet service provider, favourite online bookstore or local authority had their servers hacked I might never find out.
The people doing it would be more interested in stealing financial records than putting up slogans on the home page, and the organisations involved have no legal duty to tell me that my personal data has been compromised.
If I lived in California it would be different. The state has had a law which requires companies doing business in the state to warn their customers about security breaches since 2004. Thirty other states including New York and Ohio have followed suit.
But over here we have no such protection, so when retailer TK Maxx discovered that credit and debit card details belonging to over 45 million customers around the world had been compromised they didn’t have to tell UK card holders.
The temptation to keep quiet must be immense, given the damage to reputation, share price and career progression that major security breaches can bring, but the results could be catastrophic for individuals who have their accounts compromised or credit ratings damaged.
Fortunately there is now a chance that the situation may change, if the House of Lords Select Committee on Science and Technology has its way.
They have spent the last year looking at internet security and how it affects us all and they published their final report, called Personal Internet Security, last week.
It calls for a data security breach notification law, arguing that it ‘would be among the most important advances that the United Kingdom could make in promoting personal Internet security’, and recommending that ‘the Government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency’.
It certainly doesn’t make sense to wait for the promised EU Directive on Data Protection which will include provisions for reporting data breaches, as this could take years to enact and will almost certainly be watered down by lobbyists for the financial services industry who would see such openness as a threat to their clients.
A new law on disclosure would go a long way to making us feel slightly more secure as we use the internet, since we could be confident that we were being told of security lapses.
Data theft is only one aspect of internet security, and there are many other areas covered by this extensive report, including banks’ liability for online fraud, the importance of pushing ISPs to do more to stop spam and a call for improved consumer education.
Good though the report is, not all of the proposals are completely thought through. The call ‘to criminalise the sale or purchase of the services of a botnet, regardless of the use to which it is put’ assumes that we can easily tell what constitutes a ‘collection of compromised computers (individually called robots or zombies) running malicious programs that allow them to be controlled remotely’, as the report glossary defines it.
Yet what happens when a file-sharing program includes botnet code and the click-through licence explicitly authorises its owner to use their computer as part of a network?
However, the report is generally both sensible and well considered, and we should be grateful to Alec Broers and the committee he chairs for pulling information together from so many sources. Broers, a former IBM researcher who used to be Vice-Chancellor of Cambridge University, is used to thinking carefully and analytically about problems, and it shows in the final report.
The committee has given us a body of evidence, a framework for thinking about the issues and a lot of suggestions to kick off the debate, so we just have to hope that the few MPs who really understand computers take up the baton and begin the process of turning the ideas into legislation.
For while it is usually far better to apply old laws to new technologies there are times and places when the law must shift to take account of the changed world, and when it comes to internet security we are clearly living in such a time.
UN Website defaced:
How it was done:
US data breach laws:
Science and Technology Select Committee:
Report:
If it becomes an offence to fail to disclose to your data subjects (customers) that your database has been hacked, won’t companies take steps to make sure that they don’t ever know that their database has been hacked? That’ll be cheaper and easier than actually stopping hackers!