A group of leading experts has warned that the UK must do more to confront the issue of cybercrime if it is to protect the UK’s critical national infrastructure against online attack.
The warning that the UK is slipping dangerously far behind the criminals comes ahead of an expected announcement by the Home Office of measures to deal with rampant cyber crime.
The comments from the former heads of the UK’s cyber crime units, a former Government security adviser and one of the computer security industry’s top technology gurus all stress the need to track down and punish cyber criminals as an essential first step in dealing with cyber security issues.
The responses also broadly point out that the problems the UK faces have not been dealt with for a decade.
The call to deal with cyber crime itself is at odds with many of the statements made up till now by both the Government and the Serious and Organised Crime Agency, which have indicated that the protection of the UK’s critical national infrastructure will be the key component of the £650m.
“From what I understand the money is going to bolster the CNI but I have heard it frequently referred to as money that will be used to fight cybercrime and that has to happen. I think it is crucial that we have a law enforcement response and that that is at force level because we have to demonstrate that we can do something about these issues to the SMEs and the people on the street,” said Phil Swinburne, the former head of the Metropolitan Police’s High Tech Crime Unit.
The group of experts, writing on the security website Future Intelligence, has called on the Government to protect small businesses and home computers as a priority to cut off the flow of funds to the computer criminals used by cyber attackers.
It was not always so. Back in 2000, when the Labour administration launched the National High Tech Crime Unit, it was met with open arms by the business community.
When it was disbanded on April Fool’s Day 2006 and its duties transferred to the Serious and Organised Crime Agency, the business community felt let down because it felt that the protection from cybercrime it had enjoyed was withdrawn (as reported in the Guardian – Shambles over cybercrime).
That view was reinforced on April Fool’s Day 2007, when it was announced that people who had suffered a loss from online cyber crime should go to the banks rather than report their loss to the police.
It was a decision that prompted a police cyber crime specialist to describe the situation as stepping backwards 10 years: “we are in a situation now where the middle and lower end crime is not being dealt with.”
That this is currently the case is evidenced by the fact that the £3.5m budget for the Met Police’s e-crime unit, the only dedicated unit in the UK at the moment, was cut by 30% earlier in the year.
SOCA, which itself is about to be absorbed into the National Crime Agency, had a remit to hunt down organised criminals, but many felt that this overlapped into a hunt for links between terrorist funding and organised crime aimed at finding Al Qaeda leaders as a priority and as a result cyber criminals were receiving immunity.
An immunity that has allowed the situation to escalate and get out of control.
Ironically, much of the danger to the CNI and to UK plc actually comes from the poorly protected computers of the SMEs and the people on the street, who act as funding mechanisms for the cyber crime interests, as conduits for computer viruses and as the muscle power for the botnets that have been used to bring down nation states such as Georgia and Estonia, mentioned by Nick Harvey, the Minister for the Armed Forces, last week.
As the Microsoft Security Intelligence report pointed out last month, “globally the number of machines that were part of a botnet have more than doubled to 6.5m in just three months.”
The reason for the growth is simple: poor protection.
Most home users and SMEs do not consider computer security a problem because of the failure of the Government to convince them that it is.
Small businesses think computer crime affects big business and other people because of a lack of evidence of victims.
A point stressed by Peter Wood, a member of the technology trade association ISACA’s Security Advisory Group and a penetration testing expert who works with many businesses.
“Most SME business owners say: ‘How common is this sort of attack? How many businesses has this happened to? Why would anyone attack me or my business? I really don’t think it’s worth the time, effort or money’.
“Most businesses wouldn’t recognise that they’d been attacked; and even if they did, would not discuss it for fear of reputational loss. This means that most SMEs have no idea of the real risks.”
In a report last September by the computer security company Panda, 52% of SMEs admitted to having been infected, often by USB stick; of those, 17% used free software, 13% had no protection and 7% said it was unimportant.
Another survey released this week by GFI found that 40% of SMEs only paid a software licence for a year before letting it go out of date and that 48.9% only used the most basic versions or freeware.
A point perhaps explained by a Trend computer security survey in July for the Federation of Small Businesses, which found that most felt that IT was their main cost, with 58% of those surveyed in Hertfordshire, Cambridgeshire and Bedfordshire stating that an attack would have little impact on their business. Some 55% of those surveyed said that they had not suffered an attack.
Small wonder that gangs like the Albert Gonzalez-led Shadowcrew managed to obtain 170m credit card details. Its attacks included TJ Maxx, Dave and Buster’s, Heartland Payment and a host of others, and accounted for untold millions of pounds.
In one raid by US federal officers on Gonzalez’s parents’ house, $1.1m was found in a plastic drum in the garden.
Gonzalez is now serving a 20 year prison sentence.
A similar fate faces 60 members of the Zeus botnet gang. In early October, U.S. authorities indicted over 60 people for wire fraud carried out using a version of the Zeus Trojan virus. The gang managed to seize at least $3 million in the United States and over £10 million in Britain.
Security services believe the virus originated in Russia. The hackers mounted a wide-ranging attack, infecting computers with the Zeus Trojan in outwardly inconspicuous e-mail attachments and fake LinkedIn invitations. Once in, the virus would steal the home user’s bank details and transmit them to the hackers.
According to two UK telecoms providers, the attack on small businesses is constant.
“Online fraud is enormous and we’re under attack all of the time,” said the CEO of a leading VoIP company. “We’re under attack all day and every day and if they get through there’s nothing we can do about it. The police don’t care because it’s now the responsibility of the banks and we don’t report it to the banks anymore because they don’t do anything about it. The Americans are the worst for fraud so we just don’t take any business from them anymore.”
Comments backed up by Trefor Davies, head of technology for the ISP Timico.
“We see people trying to break into our clients’ systems all of the time, we see servers being corrupted, VoIP fraud, software exchanges being hacked.
“The criminals will hijack telephony systems or cause the phones to dial premium rate lines and run up huge bills.”
Computer crime activity also obscures the picture, creating a hash of white noise that defenders have to sift through to identify specific potential threats from other states and economic espionage.
Yet while the National Security Strategy acknowledges that a state sponsored cyber attack could be a very real threat to the UK’s security, our capacity to deal with this, according to Commodore Patrick Tyrrell, a former intelligence officer who first warned the UK Government of the economic and infrastructural threat from cyber attack in 1996, is still limited.
“We are facing the same issues that we did 15 years ago, very little has changed in that. The whole issue with cyber attack is that everything is inter-related. What point the ID card scheme for foreign nationals if you can steal an identity online?
“Criminal activity goes hand in hand with this because it is where the money is and that criminal money is used to build a cyber attack capability that can be used for deniable and out-sourced work by a foreign power,” said Tyrrell, who called for an increase in awareness and understanding.
“I think that there is a real danger that much of this money could be wasted because people are unsure of what the problem actually is. We need to be better at understanding where the attacks are coming from – they can be easily ‘cloaked’ – and we need to develop software agents that can react fast to an attack and discover its root and I am not hiding the fact that that will be a complex task,” said Tyrrell, who also identified institutional inertia as a problem.
“When I first presented my paper in 1996 one senior civil servant told me that it would never happen. If you want to get people involved at a high level you need to conduct an exercise that hacks into their systems to bring it home to them.”
Ironically, while the Government has announced it wants to encourage a new entrepreneurial high-tech business culture based on SMEs, it has not said how it will protect that new intellectual property at a time when it is warning that other nations are stealing it.
Tackling grassroots cybercrime is not sexy.
When the National High Tech Crime Unit was launched on April Fool’s Day 2000, Jack Straw, the then Home Secretary, happily fielded ‘big Government’ questions about how the new unit would take on the organised cyber gangs.
When asked what the person on the street should do if they were a victim of cybercrime, Straw went silent. Fifteen minutes later, after a hurried conversation, he asked to be able to answer the question again and stated that there would be units set up in local forces, and people would be able to report any cyber crime to those.
A situation that prompted Swinburne to mischievously suggest that the UK’s 43 police forces should pool their cyber crime resources.
“The Government should lean on the chief constables and make them co-operate with each other in this sphere so they can co-ordinate their response.”
Oddly, while CNI, not crime, is the focus, according to the National Security Strategy, attacks by terrorists should not be discounted.
A likelihood that has been dismissed by Steve Cummings, the former director of the Centre for the Protection of Critical National Infrastructure, who at a meeting in London two weeks ago said, “I don’t think we have seen any instances of cyber-terrorism yet, I would debate that it is not happening.”
According to Professor Rohan Gunaratna of the International Centre for Political Violence and Terrorism Research, it is far more likely that terrorists would outsource any requirements to ideologically motivated members of the organised crime gangs that fund themselves from attacks on SMEs and home computers.
“Outsourcing is the single most important trend we are witnessing among organized criminals. In the future, we are likely to witness the phenomenon of outsourcing in both terrorism and organized crime.
“In the cyber crime domain, the criminals have a greater capacity and a capability than terrorists. With the terrorist – criminal nexus growing, governments need to develop a common strategy to fight both terrorism and crime.”
Dealing with that, according to Len Hynds, a former Chief Constable and the former head of the NHTCU, involves going back to basics.
“The NHTCU was world acclaimed and simultaneously raised the technology investigative capability across the 43 forces of England and Wales for £25m.
“For less than 4% of today’s £650m, the UK stood at the cutting edge of technology related investigation and intelligence management.”
For Hynds, look after cybercrime and the cyber attacks look after themselves.
“This new money should focus with equal priority on industry relationships, international collaboration, investigation assets, intelligence analysis that uses academia as a partner to develop tools and the pooling of technologies in genuine partnerships to reinforce infrastructure.”
In other words go after the criminals and protect the infrastructure.
For Professor Barrett there are even simpler measures: “Education of system managers, communication between different potential targets, a programme of penetration studies done to known standards, improved security on all systems including home computers that might be enrolled into a botnet army, improved real-time monitoring. These are all things that were proposed and pushed ten years ago, so perhaps the best thing would be to stop the talking and start doing it.”