1 Introduction
The need to address malware and cyber crime
1. The Government has defined malware as software
written with malicious intent.[1]
It follows that the components of a piece of malware may legitimately be
used in software so long as there is no malicious intent.
2. The BCS,[2]
in their submission, outlined the variety of ways in which malware
could have an impact on individual computer users.
- The PC[3]
becomes part of a botnet[4]
(perhaps thousands or tens of thousands of individual computers),
which is then used by criminals to distribute spam email to others,
or to launch a denial of service attack against an organisation.
Botnets are increasingly rented out for criminal purposes. The
owner of the PC may only suffer a loss in performance of their
PC, or they may be accused of committing a criminal offence.
- The malware may be used to extract useful information
that may be stored on the PC, which could include personal details,
bank details etc. For example, the Government said in December
2010 that it had been a victim of the Zeus malware, with undisclosed
loss of sensitive information. The loss of information can have
serious consequences for the individual concerned: not only financial
loss, but also damage to their relationships with others or
the loss of irreplaceable records such as personal photographs.
- The PC may be used to host illegal content, such
as child pornography. The owner of the PC is then open to the
accusation of knowingly hosting the illegal content.[5]
3. BCS indicated that there were no authoritative
statistics on how many PCs are infected in the UK: estimates vary
between one and fifteen percent. In their opinion, 5% would be
a conservative estimate.[6]
Symantec told us that 38% of respondents to the latest Norton
Cybercrime Report[7] had
suffered a malware-related incident, over half of those within
the 12 months preceding the survey. Malware was the most common
form of cyber crime experienced, followed by online credit card
fraud and social network profile hacking.[8]
4. The McAfee Threat Report for the third quarter
of 2011 showed that mobile phone malware had doubled since 2009
and that the majority of new malware on mobile platforms had been
targeted at Android phones. Malware for mobile phones, with total
detected variants numbering just over 1,200, remained a small element
in overall malware statistics, as over 4 million new malware variants
for PCs were detected by McAfee in the third quarter of 2011 alone.[9]
5. Newspapers find any cyber crime a fascinating
topic, despite the fact that the crimes perpetrated are usually
traditional ones such as fraud or theft, with the internet or
email being merely the instrument of the crime.[10]
The main focus of media interest, however, is on the large scale
attacks on companies or government agencies which would constitute
threats to national security. A recent example was a report that
a US water utility had been a victim of hacking and the hackers
had been able to damage the pumps in that utility.[11]
These stories portray a scenario of shadowy enemies striking from
hidden locations to threaten civilisation, reminiscent of cold
war propaganda. They are not always well founded: for example,
the FBI indicated that it could not confirm an intrusion into
the water company's system and that it had 'concluded that there was
no malicious or unauthorised traffic from Russia or any foreign
entities, as previously reported'.[12]
6. Recent news stories cover a wide range of
other cyber crime incidents. In August there were reports of companies
being defrauded as international phone calls were re-routed through
their company switchboards.[13]
In September a Dutch firm, DigiNotar, was widely reported as filing
for bankruptcy after being hacked.[14]
In October the Guardian reported on a new Stuxnet[15]
worm targeting companies in Europe.[16]
7. However, the majority of 'e-crime' is less
dramatic but more pervasive. Dr Richard Clayton told us that
in the most general terms [...] the eco-system
for mass-market criminality is based on spam sent by botnets,
and those botnets are constructed by compromising end-user machines
with malware.[17]
8. BCS referred us to a survey by the Ponemon
Institute showing that the cost of data breaches of UK organisations
had increased for a third year running. They reported the average
data breach to cost £71 per record accessed, with the highest
overall cost reported being £6.2 million.[18]
These costs included detection and escalation of the data breach,
notification of those affected, the cost of responding to the
breach and the cost of lost business.
9. The Norton Cybercrime Report showed
that while three times more adults surveyed suffered cyber crime
than offline crime over the past 12 months (44% online compared
with 15% offline) only three in ten of them thought they were
more at risk online than offline. Norton reported 1 million cyber
crime victims a day over the 24 countries surveyed.[19]
The Commtouch Internet Trends Threat Report 2011 also pointed
out that malware attached to emails was a rising trend. Commtouch
provides security vendors with proactive email-borne virus detection
that analyses over 2 billion emails per day: it found that in
March 2011 over 30% of emails analysed had attached malware.[20]
10. The Government, in response, published its
Cyber Security Strategy on 25 November 2011.[21]
Francis Maude, the Minister for the Cabinet Office and Paymaster
General, indicated how he expected the strategy to tackle cyber
crime and promote a more informed citizenry:
This strategy also outlines our plans for a new cybercrime
unit with the National Crime Agency, to be up and running by 2013.
This unit will build on the groundbreaking work of the Metropolitan
police's e-crime unit by expanding the deployment of "cyber-specials",
giving police forces across the country the necessary skills and
experience to handle cybercrimes. We will also ensure that the
police use existing powers to ensure that cybercriminals are appropriately
sanctioned as well as introducing a new single reporting system
to report financially motivated cybercrime through the existing
Action Fraud reporting centre.
[...]
Prevention and education are also crucial. Get Safe
Online is a very good example of how Government, industry and
law enforcement can work together to address this issue and improve
the website by early 2012. In addition, we will work with ISPs
to seek a new voluntary code of conduct to help people identify
if their computers have been compromised and what they can do
about it.[22]
Previous work
11. On 2 March 2011, we published the report,
Scientific advice and evidence in emergencies, to examine
how scientific advice and evidence is used in national emergencies,
when the Government and scientific advisory system are put under
great pressure to deal with atypical situations.[23]
The threat of an online attack where national security might be
threatened was one scenario which we considered. That inquiry
focused, however, on national security rather than on the impact on
individual citizens or on the structure of policing of cyber crime.
12. The Government has also been active in looking
at national security and the threat of cyberattack on the UK.
The Government organised a conference bringing organisations from
all over the world to discuss the issues and how to improve resilience
to cyberattacks.[24]
The Government's Cyber Security Strategy (mentioned in
paragraph 10 above) addresses these high-level problems and
also sets out how individual computer users and small businesses
might be protected from the impact of crime committed through
malware.
Our inquiry
13. We announced our inquiry on 19 July 2011
and issued a call for evidence based on the following terms of
reference:
- What proportion of cyber-crime
is associated with malware?
- Where does the malware come from? Who is creating
it and why?
- What level of resources are associated with combating
malware?
- What is the cost of malware to individuals and
how effective is the industry in providing protection to computer
users?
- Should the Government have a responsibility to
deal with the spread of malware in a similar way to human disease?
- How effective is the Government in co-ordinating
a response to cyber-crime that uses malware?
14. We received 22 submissions in response to
our call. We would like to thank all those who submitted written
memoranda.
15. In November 2011 we held two evidence sessions
during which we took oral evidence from three panels of witnesses,
to whom we are grateful:
On 9 November 2011 we took evidence from: Dr Richard
Clayton, Research Assistant, University of Cambridge; Professor
Peter Sommer, Visiting Professor in the Department of Management,
London School of Economics; and Dr Michael Westmacott, BCS, the
Chartered Institute for IT, also representing the Royal Academy
of Engineering and the Institution of Engineering and Technology.
On 14 November 2011 we took evidence from two panels.
First: Gordon Morrison, Director of Defence and Security, Intellect,
Janet Williams, Deputy Assistant Commissioner, Charlie McMurdie,
Detective Superintendent, Head of Police Central e-Crime Unit,
Metropolitan Police, and Lesley Cowley, Chief Executive, Nominet;
followed by James Brokenshire MP, Parliamentary Under-Secretary
of State for Crime and Security, Home Office.
We would also like to thank Symantec and McAfee for
providing an informal opportunity for us to get practical experience
of malware and a clearer perspective on the extent of the associated
problems.
16. We begin our report with an overview of the
impact of cyber crime on individuals and small businesses along
with an examination of the role of the police in tackling cyber
crime. We go on to examine the defences available to individuals
and what should be done to ensure that the average UK citizen
becomes more aware of cyber crime and is able to take necessary
self-protection measures.
1 Ev 23, para 3
2 Formerly the British Computer Society, now BCS, the Chartered Institute for IT
3 PC: usually used to denote a personal computer running a Microsoft operating system
4 Botnet: a network of compromised PCs that may be used by the malware author for criminal purposes
5 Ev 36, para 4
6 Ev 36, para 4
7 Norton Cybercrime Report 2011, http://uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
8 Ev w24, para 20
9 McAfee Labs, McAfee Threats Report: Third Quarter 2011, 2011, www.mcafee.com/us/resources/reports/rp-quarterly-threat-q3-2011.pdf
10 For example, "Fraudsters are costing shoppers £7bn, say MPs", The Daily Telegraph, 9 November 2011
11 "Hackers 'hit' US water treatment systems", BBC online, 21 November 2011, www.bbc.co.uk/news/technology-15817335
12 "FBI plays down claim that hackers damaged US water pump", BBC online, 23 November 2011, www.bbc.co.uk/news/technology-15854327
13 "Businesses hit by new cybercrime", BBC online, 15 August 2011, www.bbc.co.uk/news/uk-england-14533738
14 For example, "DigiNotar files for bankruptcy in wake of devastating hack", Wired, www.wired.com/threatlevel/2011/09/diginotar-bankruptcy/
15 Stuxnet is a computer worm, discovered in June 2010, that initially spreads via Microsoft Windows and targets Siemens industrial software and equipment.
16 "New Stuxnet worm targets companies in Europe", Guardian, 19 October 2011
17 Ev 31, para 18
18 Ev 36, para 4
19 Symantec, Norton Cybercrime Report 2011, September 2011, uk.norton.com/content/en/uk/home_homeoffice/html/cybercrimereport/
20 Commtouch, Internet Threats Trend Report, April 2011
21 Cabinet Office, Cyber Security Strategy, 25 November 2011
22 HC Deb, 25 November 2011, c38-9WS
23 Science and Technology Committee, Third Report of Session 2010-12, Scientific advice and evidence in emergencies, HC 498
24 London Conference on Cyberspace, QEII Centre, 1-2 November 2011