UK's softly-softly approach to cyber-law

Last updated 15:23 04/12/2012

Britain will try to get companies to beef up cyber security by encouraging investors and shareholders to hold them to account on the issue, but will reject US-style mandatory reporting of online attacks, government officials say.

Britain has made tackling the theft of intellectual property on the Internet and the protection of critical infrastructure from hostile cyber assault top national security issues, setting aside £650 million over four years to address the problems.

More than nine in 10 British companies have suffered a cyber breach in the past year and intellectual property is being stolen on an "industrial scale", government officials said in a briefing ahead of a government update on Monday on its year-old cyber security strategy.

But despite the fact that more and more trade secrets are being purloined via the Internet, officials said they favoured a softly-softly approach.

That would involve professional auditing and governance bodies and shareholders and analysts pressuring company directors to explain what they were doing to thwart cyber threats, they said.

"The government does want to see more disclosures. But we don't think the right way of approaching that is to pass laws to force people to do it in those areas where they are not already obliged," one official said on condition of anonymity because of the sensitivity of security issues.

"Rather than forcing companies to disclose it, we think it is best to encourage analysts, investors, shareholders, insurers, to ask for that information," he said.

'A PERVERSE INCENTIVE'

Unlike their US peers, British companies aren't required to report cyber attacks, an obligation that supporters of such legislation believe keeps directors on their toes and helps ensure cyber defences are up to scratch because of the fear of reputational damage.

However, Britain believes obligatory reporting risks having the opposite effect and becoming a "perverse incentive" that would prompt directors to actually turn a blind eye to online breaches in order to escape unwanted publicity.

Even when companies did reveal such attacks, company directors would be likely to say as little as possible about such incidents, the official said.

Mandatory reporting "would be positively harmful from the point of view of getting people to share information," he said.

In a related move, the government said on Monday it would extend a pilot scheme under which 160 firms in the defence, finance, pharmaceuticals, energy and telecommunications sectors shared information about cyber attacks confidentially.

Alan Calder, head of British cyber consultancy IT Governance, questioned the government's approach, saying the US model of mandatory reporting was a good discipline for directors.

"Being forced to disclose information would be a very good thing, it would put a lot of pressure on companies," he said.

- Reuters
