Malware and cyber crime - Science and Technology Committee Contents

1 Introduction

The need to address malware and cyber crime

1.  The Government has defined malware as software written with malicious intent.[1] It follows that the components of a piece of malware may legitimately be used as ordinary software where there is no malicious intent: the definition turns on the purpose behind the software rather than on the techniques it uses.

2.  The BCS,[2] in their submission, outlined the variety of ways in which malware could have an impact on individual computer users.

  • The PC[3] becomes part of a botnet[4] (perhaps thousands or tens of thousands of individual computers), which is then used by criminals to send spam email to others or to launch a denial of service attack against an organisation. Botnets are increasingly rented out for criminal purposes. The owner of the PC may suffer only a loss of performance, or may find themselves accused of a criminal offence.
  • The malware may be used to extract useful information stored on the PC, which could include personal details, bank details and so on. For example, the Government said in December 2010 that it had been a victim of the Zeus malware, with an undisclosed loss of sensitive information. The loss of information can have serious consequences for the individual concerned: not only financial loss, but also damage to their relationships with others or the loss of irreplaceable records such as personal photographs.
  • The PC may be used to host illegal content, such as child pornography. The owner of the PC is then open to the accusation of knowingly hosting the illegal content.[5]

3.  BCS indicated that there were no authoritative statistics on how many PCs are infected in the UK: estimates vary between one and fifteen percent. In their opinion, 5% would be a conservative estimate.[6] Symantec told us that 38% of respondents to the latest Norton Cybercrime Report[7] had suffered a malware-related incident, over half of those within the 12 months preceding the survey. Malware was the most common form of cyber crime experienced, followed by online credit card fraud and social network profile hacking.[8]

4.  The McAfee Threats Report for the third quarter of 2011 showed that mobile phone malware had doubled since 2009 and that the majority of new malware on mobile platforms was targeted at Android phones. Malware for mobile phones, with just over 1,200 detected variants in total, remained a small element in overall malware statistics: McAfee detected over 4 million new malware variants for PCs in the third quarter of 2011 alone.[9]

5.  Newspapers find any cyber crime a fascinating topic, even though the crimes perpetrated are usually traditional ones such as fraud or theft, with the internet or email merely the instrument of the crime.[10] The main focus of media interest, however, is on large-scale attacks on companies or government agencies that would constitute threats to national security. A recent example was a report that a US water utility had been hacked and that the hackers had been able to damage its pumps.[11] These stories portray shadowy enemies striking from hidden locations to threaten civilisation, reminiscent of cold war propaganda. They are not always well-founded: for example, the FBI indicated that it could not confirm an intrusion into the water company's system and that it 'concluded that there was no malicious or unauthorised traffic from Russia or any foreign entities, as previously reported'.[12]

6.  Recent news stories cover a wide range of other cyber crime incidents. In August there were reports of companies being defrauded as international phone calls were re-routed through their company switchboards.[13] In September a Dutch firm, DigiNotar, was widely reported as filing for bankruptcy after being hacked.[14] In October the Guardian reported on a new Stuxnet[15] worm targeting companies in Europe.[16]

7.  However, the majority of 'e-crime' is less dramatic but more pervasive. Dr Richard Clayton told us that

… in the most general terms [...] the eco-system for mass-market criminality is based on spam sent by botnets, and those botnets are constructed by compromising end-user machines with malware.[17]

8.  BCS referred us to a survey by the Ponemon Institute showing that the cost of data breaches of UK organisations had increased for a third year running. They reported the average data breach to cost £71 per record accessed, with the highest overall cost reported being £6.2 million.[18] These costs included detection and escalation of the data breach, notification of those affected, the cost of responding to the breach and the cost of lost business.

9.  The Norton Cybercrime Report showed that, while almost three times as many of the adults surveyed had suffered cyber crime as had suffered offline crime over the preceding 12 months (44% online compared with 15% offline), only three in ten of them thought they were more at risk online than offline. Norton reported 1 million cyber crime victims a day across the 24 countries surveyed.[19] The Commtouch Internet Threats Trend Report 2011 also pointed out that malware attached to emails was a rising trend. Commtouch provides security vendors with proactive detection of email-borne viruses and analyses over 2 billion emails per day: it found that in March 2011 over 30% of the emails analysed carried attached malware.[20]

10.  The Government, in response, published its Cyber Security Strategy on 25 November 2011.[21] Francis Maude, the Minister for the Cabinet Office and Paymaster General, indicated how he expected the strategy to tackle cyber crime and promote a more informed citizenry:

This strategy also outlines our plans for a new cybercrime unit with the National Crime Agency, to be up and running by 2013. This unit will build on the groundbreaking work of the Metropolitan police's e-crime unit by expanding the deployment of "cyber-specials", giving police forces across the country the necessary skills and experience to handle cybercrimes. We will also ensure that the police use existing powers to ensure that cybercriminals are appropriately sanctioned as well as introducing a new single reporting system to report financially motivated cybercrime through the existing Action Fraud reporting centre.

Prevention and education are also crucial. Get Safe Online is a very good example of how Government, industry and law enforcement can work together to address this issue and improve the website by early 2012. In addition, we will work with ISPs to seek a new voluntary code of conduct to help people identify if their computers have been compromised and what they can do about it.[22]

Previous work

11.  On 2 March 2011, we published the report Scientific advice and evidence in emergencies, examining how scientific advice and evidence are used in national emergencies, when the Government and the scientific advisory system are put under great pressure to deal with atypical situations.[23] The threat of an online attack that might endanger national security was one scenario we considered. That inquiry focused, however, on national security rather than on the impact on individual citizens or on the structure of policing of cyber crime.

12.  The Government has also been active in looking at national security and the threat of cyberattack on the UK. It organised a conference bringing together organisations from all over the world to discuss the issues and how to improve resilience to cyberattacks.[24] The Government's Cyber Security Strategy (mentioned in paragraph 10 above) addresses these high-level problems but also sets out how individual computer users and small businesses might be protected from the impact of crime committed through malware.

Our inquiry

13.  We announced our inquiry on 19 July 2011 and issued a call for evidence based on the following terms of reference:

  • What proportion of cyber-crime is associated with malware?
  • Where does the malware come from? Who is creating it and why?
  • What level of resources are associated with combating malware?
  • What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?
  • Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?
  • How effective is the Government in co-ordinating a response to cyber-crime that uses malware?

14.  We received 22 submissions in response to our call. We would like to thank all those who submitted written memoranda.

15.  In November 2011 we held two evidence sessions during which we took oral evidence from three panels of witnesses, to whom we are grateful:

On 9 November 2011 we took evidence from: Dr Richard Clayton, Research Assistant, University of Cambridge; Professor Peter Sommer, Visiting Professor in the Department of Management, London School of Economics; and Dr Michael Westmacott, BCS, the Chartered Institute for IT, also representing the Royal Academy of Engineering and the Institution of Engineering and Technology.

On 14 November 2011 we took evidence from two panels. First: Gordon Morrison, Director of Defence and Security, Intellect; Janet Williams, Deputy Assistant Commissioner, and Charlie McMurdie, Detective Superintendent, Head of Police Central e-Crime Unit, Metropolitan Police; and Lesley Cowley, Chief Executive, Nominet. This was followed by James Brokenshire MP, Parliamentary Under-Secretary of State for Crime and Security, Home Office.

We would also like to thank Symantec and McAfee for providing an informal opportunity for us to get practical experience of malware and a clearer perspective on the extent of the associated problems.

16.  We begin our report with an overview of the impact of cyber crime on individuals and small businesses along with an examination of the role of the police in tackling cyber crime. We go on to examine the defences available to individuals and what should be done to ensure that the average UK citizen becomes more aware of cyber crime and is able to take necessary self-protection measures.

1   Ev 23, para 3

2   Formerly the British Computer Society, now BCS, the Chartered Institute for IT

3   PC: usually used to denote a personal computer running a Microsoft operating system

4   Botnet: a network of compromised PCs that may be used by the malware author for criminal purposes

5   Ev 36, para 4

6   Ev 36, para 4

7   Norton Cybercrime Report 2011

8   Ev w24, para 20

9   McAfee Labs, McAfee Threats Report: Third Quarter 2011, 2011

10   For example, "Fraudsters are costing shoppers £7bn, say MPs", The Daily Telegraph, 9 November 2011

11   "Hackers 'hit' US water treatment systems", BBC online, 21 November 2011

12   "FBI plays down claim that hackers damaged US water pump", BBC online, 23 November 2011

13   "Businesses hit by new cybercrime", BBC online, 15 August 2011

14   For example, "DigiNotar files for bankruptcy in wake of devastating hack", Wired

15   Stuxnet is a computer worm, discovered in June 2010, that initially spreads via Microsoft Windows and targets Siemens industrial software and equipment.

16   "New Stuxnet worm targets companies in Europe", The Guardian, 19 October 2011

17   Ev 31, para 18

18   Ev 36, para 4

19   Symantec, Norton Cybercrime Report 2011, September 2011

20   Commtouch, Internet Threats Trend Report, April 2011

21   Cabinet Office, Cyber Security Strategy, 25 November 2011

22   HC Deb, 25 November 2011, c38-9WS

23   Science and Technology Committee, Third Report of Session 2010-12, Scientific advice and evidence in emergencies, HC 498

24   London Conference on Cyberspace, QEII Centre, 1-2 November 2011


© Parliamentary copyright 2012
Prepared 2 February 2012