Take cyber crime seriously, government told

Microsoft UK's chief security advisor, Ed Gibson, has attacked the government over what he claims is a lack of effective reporting channels for internet-related crime.

Speaking at the launch of a CBI report into online security for small and medium-sized businesses, Gibson said that while creating documents was all well and good, very few companies had any real notion of who they should report an electronic attack to.

He said: "I bet if I asked anyone in this room, 'Who would you report an electronic crime to in the police?', no one would know. We are ignorant of the size of the problem. There is a real lack of meaningful statistics."

Rejecting the offer of a microphone and choosing instead to stride up and down between the panel of experts and the audience of IT and business professionals, Gibson claimed that the government was not doing enough to facilitate the timely reporting of cyber crime.

Gibson said the decision to roll the National Hi-Tech Crime Unit (NHTCU) into a new larger agency, The Serious Organised Crime Agency (Soca), in April 2006 would actually make it harder for businesses to work out to whom they should report an electronic crime. Gibson also attacked the amount of funding the NHTCU has received since its creation in 2001, claiming it has declined annually.

Surprising many audience members, Gibson added that the most effective way to improve online security was by individuals taking small steps such as locking down their desktop. Microsoft has been heavily criticised in the past for the poor levels of security in its products, particularly its Windows operating system.

Gibson aimed the majority of his comments at Alun Michael, minister for Industry and Regulation at the Department of Trade and Industry, who was present at the event to launch the CBI report.

Michael responded to Gibson's charge by claiming that he had recently reported a potential attack on his own computer to the helpdesk at the House of Commons, which passed his report directly to the police.

Another charge made by the Microsoft security chief, who joined Microsoft in July 2005 from the FBI, where he held senior positions as a special agent for 20 years, is that there needs to be stronger punishments in place for those who commit electronic crime.

Gibson claimed: "We can talk and talk about what is in the book [CBI report] but legislation alone will not do it. We can talk about the Computer Misuse Act till the cows come home but unless there are any meaningful punishments for computer crime then none of this makes sense."

Earlier this week, the government said it would update the Computer Misuse Act. This will include a maximum 10-year prison sentence for individuals who maliciously impair the operation of a computer, or hinder or prevent access to programs or data.

The CBI report, called Securing Business Value Online, is specifically aimed at small to medium-sized companies which Michael identified as "the weakest link in the chain" when it comes to electronic security. He said: "The old adage that the chain is only as strong as its weakest link, is relevant here."

Michael added that effective online security stemmed from taking the right approach to the problem rather than simply buying in a fix-all technology. He said: "The problem is at heart how companies are managed and not about waiting for some technological silver bullet."

Andrew Donoghue writes for ZDNet UK