Malware and cyber crime - Science and Technology Committee

2 Cyber crime and Policing

Individual Exposure and Knowledge

17.  When a computer is enabled to access the internet, that machine becomes part of the network; but access to the internet is not necessarily one-way: anyone with the right skills may be able to access the machine and its contents, to monitor anyone who uses that machine and possibly to co-opt the machine into a network of similarly compromised machines that facilitates further criminal activity. The Serious Organised Crime Agency told us that a:

significant proportion of cyber-crime uses malware to perform some part of the crime. Even spamming now involves the use of malware, as the majority of spam messages are now delivered using Botnets.[25]

18.  Exposure to the possibility of crime is not uncommon. What makes cyber crime different is that many people have not developed an understanding of what constitutes risky behaviour, how to minimise that risk and what to do if they become a victim.

19.  Crimes committed on the internet are often the bread and butter crimes of everyday criminal activity: fraud and theft. The driver for criminal activity on the internet, like everyday street crime, is gaining money. The Cost of Cyber crime report by the Cabinet Office outlines the costs to individual computer users: "£1.7bn for identity theft, £1.4bn for online scams and £30m for 'scareware'."[26]

20.  There is a suggestion in Home Office statistics that use of the internet increases exposure to credit card fraud:

A supplementary document to the British Crime Survey was published by the Home Office in May 2010. It looked at data from 2008-09 and found that 6.4% of credit card owners were aware of fraudulent use of their card over the previous 12 months. Victimisation rates were higher at 11.7% for incomes over £50,000/annum. If the Internet had been used at all (irrespective of income) the rate was 7.7% and if the Internet was used "every day" then it was 8.9%. In contrast, the 2010/11 British Crime Survey found that burglary affected just 2.6% of households and thefts from cars affected 4.2% of households.[27]

21.  We have been told several times, however, that the data on cyber crime is not reliable or authoritative as it is not systematically recorded. Dr Richard Clayton said that "until we have reliable data we will not be able to assess the size of the cyber crime problem nor whether we are making any impact on it".[28] The crimes that are recorded are usually where there has been some monetary loss. Dr Clayton recommended the "recording of all electronic crime incidents, not just those resulting in monetary loss".[29] SOCA appeared to agree, pointing to the US where there is "a better understanding of the threat in the US due to mandatory requirements to report data breaches in most US states. In the UK there is no obligation to disclose, and estimates of the costs of malware are difficult to assess".[30]

22.  In the Cyber Security Strategy[31] the Government announced that it would seek to enhance the ability of the public to report cyber crime. The Government also mentioned the possibility of developing a cyber hub with the aim of increasing the sharing of information among businesses. However, the report does not indicate whether this would involve reporting cyber crime that targeted businesses.

23.  We welcome the Government's commitment in the Cyber Security Strategy to enhance the ability of the public to report cyber crime. We recommend that the Government consider how to encourage (or require) businesses to report incidence of cyber crime. Additionally, we urge internet security companies to work with Government to find a way to use the development of a cyber hub to facilitate the detection of malware.

24.  One of the problems for internet users is that much of the information about internet technology and security issues is laden with jargon. It may be difficult to get people to engage with information on security concerns when the language used to describe the dangers acts as a barrier to that engagement. As the Minister said:

in some ways we wrap a lot of this information up in technology-speak, which sometimes makes it a little bit impenetrable for the public and others to have a sense that it is directly relevant to them. The communications strategy must have that idea at its heart.[32]


it can at times sound as if you are talking through a complicated plot from a science fiction novel, whereas in fact, what we are talking about is real-life crime and real-life impact.[33]

25.  Janet Williams, the Deputy Assistant Commissioner of the Metropolitan Police, told us:

we all understand that we won't walk down a dark alley in preference to a lit alley. That is instinctive, and we almost need to get to that point with this, so that people understand what the danger signs are, and at the moment most people don't.[34]

To those in the know, it may seem impossible to believe that people are still taken in by the Nigerian 419 scams[35] or related ones involving winning sums of money on international lotteries.[36] It is true that there are any number of websites such as or where it is possible to find the truth behind scams on the internet. However, those new to the online environment may not have sufficient knowledge and awareness and there is no obvious central point for them to consult. However, it is arguably easier to teach the public about scams as these are often simply the same types of confidence tricks that existed prior to the internet but are now using new technology to reach a new audience or to provide enough misdirection to evade the awareness people may have about physical junk mail offerings.

26.  Infection with malware, on the other hand, takes cyber crime apparently to a different level—where experts use their technical skills to, among other things, take over computers worldwide to steal bank details and identity information. Dr Richard Clayton did not believe it was possible to bring the mass of the population up to the level of technical knowledge required to defend themselves; instead we needed to "rely on those who make the software to adapt it in such a way that you no longer need to read the URL[37] in order to be safe".[38]

27.  If people are reluctant to go online because of fears about safety then they may find themselves disadvantaged in terms of retail opportunities and, more importantly, in terms of access to government information, advice and other services.

28.  Knowledge is the best defence against fear and we recommend that government-provided information focuses on how to be safe online rather than warns about the dangers of cyber crime. We also recommend that the Government work with the industry partners announced in the Cyber Security Strategy to promote the equivalent of a 'Plain English' campaign to make the technology easier to understand and use.


29.  Viruses and other malware were not, until recently, a problem for phone users. However, there has been a significant rise in the number of people in the UK using smartphones to access material not simply through the phone networks but also through the internet via wi-fi connections.[39] Research in Motion brought to our attention research by Gartner that suggested that smartphones will outnumber PCs by 2013.[40] PhonepayPlus highlighted to us that there was a growing threat to consumers from potentially harmful applications for mobile phones and a growing need to create awareness among consumers and industry of new threats in the digital sphere.[41]

30.  Our witnesses raised the point that there is a significant generational difference in how people approach online concerns.

The older generation, which may not have used computers regularly, are now starting to use them and have a lack of technical awareness but perhaps have a different view of security. The younger generation is possibly quite the opposite, having far more experience of technology but perhaps being less aware of the need to be secure.[42]

31.  We recommend that the Government take note of the importance of addressing different messages to different generational groups of UK internet users.

32.  We were told by Mr Emms and Professor Furnell, in their joint submission from Kaspersky and the University of Plymouth, that there is some concern that computer users do not apply their awareness of the dangers of malware to mobile phones.

Ofcom now suggests that [while] approximately one in three UK adults use a smartphone there is a distinct lack of understanding around related security issues—a recent report from Retrevo suggests that only a third of Android users are aware that their devices could be susceptible to malware, while Lookout reports an 85% increase in mobile malware detections on the Android platform during the first six months of 2011, along with a five-fold increase in the number of malware-infected apps.[43]

As increasing levels of online activity once confined to desktop and laptop computers take place on smartphones, PhonepayPlus consider that there is a role for regulation[44] similar to that for premium services on mobile phones. However, regulation of online activity would have to apply to both smartphones and traditional internet platforms (desktop and laptop computers) and Dr Clayton suggested that consumer expectations of the platforms were different and that consumers would be less likely to accept the level of control on their computers that telephone companies exert over their mobile phones.[45]

33.  PhonepayPlus, the UK regulator of premium rate services, also told us that premium rate services in the UK are worth "in excess of £800m annually" and that the movement of the market can be so rapid that the consequences of changes could be beyond most consumers' ability to grasp.[46] They raised concern about whether the regulatory framework that has worked to protect consumers in relation to premium rate services was sufficient to regulate new online services that involve micropayments.[47] A recent estimate puts the global growth in micropayments from $320 billion to $680 billion by 2016.[48]

34.  The Cyber Security Strategy[49] mentioned smartphones only to point out the increasing targeting of this platform by malware but said nothing about exploiting synergies. We are impressed by PhonepayPlus' expertise on the dangers of criminal exploitation of smartphones. We recommend that PhonepayPlus has a dedicated part of the enhanced Get Safe Online website and that they are consulted closely in the development of regulatory policy to take into account, for example, online services involving micropayments.

Policing the internet

35.  The internet does not have the same level of regulation as mobile phones. There is no overarching body that provides consumers with a first place of contact to complain about disreputable or criminal behaviour. It is not the responsibility of an ISP to regulate behaviour online. It is not the job of Nominet to decide what is or is not disreputable behaviour or to enforce a code of conduct on those offering commercial services online. It is not even the responsibility of Ofcom to decide who is a fit and proper person to operate as an ISP. The default for an individual who experiences cyber crime would appear to be to refer it to the police or possibly simply attempt to minimise any financial loss by contacting banks and online services, depending on the exact nature of the crime. There is no single first point of advice and help for the consumer.[50]

36.  Cyber crime issues are handled by a number of police agencies and units. Although the police themselves were clear about the relevant lines of responsibility and authority between units,[51] those outside the police were confused, which suggests that work is needed to make the policing responsibilities more transparent to enable victims of crime to contact the right officers.[52]

37.  We recommend that the police have dedicated pages on Get Safe Online on which they might communicate directly with the general public, to gather information and intelligence about what is happening to individual computer users and to provide consumers with an authoritative policing voice on current cyber crime issues.

38.  While the police now clearly take the problem of cyber crime seriously, both they[53] and the Minister[54] agreed that the policing of cyber crime needed to become mainstream to the point that local police officers are comfortable talking about cyber security. We share the sentiments of Janet Williams of the Association of Chief Police Officers (ACPO):

I don't think we are as good as we need to be in policing, in terms of every single police officer in this country being as equipped to give a member of the public a piece of advice around cyber-security as they are, for example, for their windows and their doors—their general house issues.[55]

39.  More police officers need to have an understanding of cyber crime, at least to the point of properly recording the crime that takes place and signposting victims to relevant organisations that can provide help and advice. The Government recently published its shadow Strategic Policing Requirement,[56] which focuses on policing capability to respond to a large-scale cyber incident rather than the more workaday ability to respond generally to cyber crime. We recommend that the Government ensures that the Strategic Policing Requirement addresses individual-level cyber crime, not least because much of it appears to be directed by organised crime gangs. Given competing local priorities for funding policing activities, only establishment within the Requirement will ensure that police forces invest the money necessary to guarantee that local officers are able to respond to individual victims of cyber crime.

40.  We remain concerned that there exists a clear gap between aspiration and action on the ground. Janet Williams[57] and the Minister[58] indicated their intent to tackle cyber crime at all levels. At the same time Charlie McMurdie, from the Metropolitan Police e-Crime Unit, said: "We could arrest 200 people tomorrow, but they may be low-level users of compromised data".[59] There is obviously a tension between the need to make criminals feel unsafe about being involved in cyber criminality and the desire to use those criminals to track back to the 'root cause—the two, three, four or half a dozen instances of top-end criminality' who direct and control the foot-soldiers.[60] However, if the police and Government want to ensure that "cyber criminals should not feel safe"[61] then they need to find a way to tackle even low-level users of compromised data.

41.  One practical operational problem in relation to cyber crime is the global nature of the threat and the strictly national base of policing around the world. Janet Williams emphasised the impact that the police could make in partnership with the IT industry to tackle global concerns rather than the effectiveness of international policing agencies such as Europol and Interpol.

Now, we work hand in glove with industry, and we are using its people and kit alongside our people and our kit, which enables us to cross jurisdictions. We know that cyber-criminals don't like this and that they are getting quite nervous about that capability. I think that is a good thing; we need more of that because it is obviously working.[62]

However, Charlie McMurdie assured us that when it came to operational activity, police internationally are working better together to tackle the issue of cyber crime:

we have just conducted a recent operation—website suspension work, with rogue medical websites—with 80-odd countries, which was co-ordinated by the Interpol control centre. It provided capability for us and put all the various points of contact in place. But far more work is with Europol, currently. Interpol is just relocating as well, so it has been through quite a move; it is looking at bigger growth, to put in more capability.[63]

We are convinced that the Government and police are working closely together to address some of the international problems of ensuring that policing across national boundaries is more effective.

42.  Janet Williams told us that the legislation for prosecuting cyber crime was 'not fit for purpose'; but was less clear as to where she believed the weaknesses lay.[64] The Minister assured us that the legislative framework was constantly under review to ensure it was fit for purpose.[65] We are not persuaded that there is a pressing need for new legislation. We agree with the Minister that any legislation that may be introduced should be technology neutral to ensure that the fast pace of technological change does not render legislation obsolete as soon as it gets onto the statute books.

43.  Both the Government and the police appear to want the response to low-level cyber crime to be a mainstream part of UK policing. Only when police officers are comfortable operating in online contexts and using existing legislation to tackle online theft and fraud will it be possible properly to identify whether additional legislation is required. However, we think it is important that those engaged in low-grade cyber crime can be punished without recourse to courts and that the Government should work hard with the industry to develop effective online sanctions for cyber criminals as indicated in the Cyber Security Strategy.

44.  We welcome the commitment in the Cyber Security Strategy to make it easier and more intuitive for the public to report online crime. We urge the Government to ensure that this reporting function is integrated with the development of the Get Safe Online site as a one-stop shop for online security information and issues.

Providing a service

45.  One of the beneficial features of the internet is that it drives greater sharing of information. We were disappointed, therefore, to learn that ISPs might fail to share information with their users. Dr Richard Clayton told us:

when a botnet is shut down it is now usual practice to set up a 'sinkhole' that will log the identities of the compromised machines which continue to try and make contact with the disabled [command and control server].

The operators of the sinkhole are unable to communicate with the owners of the compromised machines directly—they can only identify the ISP that is providing Internet connectivity. So it is up to the ISP to pass the bad news on to the relevant customer, because only the ISP knows who was using the IP address at the relevant time. In practice, very few ISPs relay information and almost none go looking for further sources of this type of data.[66]

This is in contrast to the situation in Australia:

It is estimated that over 90 percent of Australian home internet users are customers of the 82 ISPs participating in the [Australian Internet Security Initiative] (ACMA, 2011). When these ISPs have been informed by the [Australian Communications and Media Authority] that a customer's computer has been infected with botware they can select from a range of responses as set out in the voluntary icode. These options include:

(a) contacting the customer directly (by phone, email or SMS or other means);

(b) regenerating the customer's account password to prompt customers to call the helpdesk so they can be directed to resources to assist;

(c) applying an 'abuse' plan where the customer's Internet service is speed throttled;

(d) temporarily quarantining the customer's service, for example by holding them within a 'walled garden' with links to relevant resources that will assist them until they are able to restore the security of their machine;

(e) in the case of spam sources, applying restrictions to outbound email (simple mail transfer protocol - SMTP); and/or

(f) such other measures as determined by the ISP consistent with their terms of service (Internet Industry Association, 2010).[67]

46.  In the UK, there is no such driver for ISPs to intervene on behalf of their users. Dr Clayton told us that there are good and bad companies.

We can see how poor the data passing is by examining the data collected by the Shadowserver Foundation, who operate a sinkhole for Conficker—malware that infected 7 million machines worldwide in November 2008 and which still poses a threat to the infected machines. The Shadowserver data shows that infections have dropped from 5.5 million in September 2010 to 3.5 million now; the worst affected UK ISP has seen a reduction from 7000 to 5000 infected machines over the same period. The best ISPs completely eradicated the problem, and ensured their customers were safe, two years or more ago...[68]

47.  We recommend that the Government work with ISPs to establish an online database where users can determine whether their machine has been infected with botware and gain information on how to clean the infection from their machine. We think that this should also be integrated with the Get Safe Online website.
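
The correlation step described in paragraph 45, where only the ISP can tie an IP address logged by a sinkhole to the customer who held it at the relevant time, can be illustrated as follows. This is an added example, not part of the Committee's report or the written evidence; the log format, lease records, addresses and account identifiers are all constructed, and a hit that falls outside every lease is reported as unattributed rather than guessed at.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sinkhole feed: "<UTC timestamp> <source IP>" per line.
# Addresses are from the RFC 5737 documentation range.
SINKHOLE_LOG = """\
2011-10-03T08:15:02Z 192.0.2.10
2011-10-03T09:40:11Z 192.0.2.10
2011-10-03T14:05:47Z 192.0.2.10
2011-10-03T14:06:03Z 192.0.2.77
2011-10-04T01:12:30Z 192.0.2.10
not-a-valid-line
"""

# Constructed ISP lease records: (ip, account, lease start, lease end).
# 192.0.2.10 moves from one account to another at 12:00 on 3 October.
LEASES = [
    ("192.0.2.10", "ACC-1001", "2011-10-03T00:00:00Z", "2011-10-03T12:00:00Z"),
    ("192.0.2.10", "ACC-2002", "2011-10-03T12:00:00Z", "2011-10-04T00:00:00Z"),
    ("192.0.2.77", "ACC-3003", "2011-10-03T06:00:00Z", "2011-10-03T18:00:00Z"),
]


def parse_ts(text):
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' timestamp as timezone-aware UTC."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_sinkhole(log):
    """Return (hits, rejected): hits are (timestamp, ip) pairs, rejected are raw lines."""
    hits, rejected = [], []
    for line in log.splitlines():
        parts = line.split()
        try:
            if len(parts) != 2:
                raise ValueError("expected two fields")
            hits.append((parse_ts(parts[0]), str(ipaddress.ip_address(parts[1]))))
        except ValueError:
            rejected.append(line)
    return hits, rejected


def attribute(hits, leases):
    """Map each hit to the account holding that IP at that moment."""
    index = defaultdict(list)
    for ip, account, start, end in leases:
        index[ip].append((parse_ts(start), parse_ts(end), account))
    per_account, unattributed = defaultdict(list), []
    for ts, ip in hits:
        # Half-open interval [start, end): a hit at the instant of
        # reassignment belongs to the new holder, never to both.
        owner = next((a for s, e, a in index[ip] if s <= ts < e), None)
        if owner is None:
            unattributed.append((ts, ip))
        else:
            per_account[owner].append(ts)
    return dict(per_account), unattributed


def notification_list(per_account):
    """One row per customer to notify: (account, hit count, first seen, last seen)."""
    return sorted((a, len(t), min(t), max(t)) for a, t in per_account.items())


if __name__ == "__main__":
    hits, rejected = parse_sinkhole(SINKHOLE_LOG)
    per_account, unattributed = attribute(hits, LEASES)
    for row in notification_list(per_account):
        print(row)
    print("unattributed:", unattributed, "rejected:", rejected)
```

In the sample data the same address appears under two different accounts on the same day, which is why the sinkhole operator's timestamp has to accompany the IP address when it is passed to the ISP.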

25   Ev 38, para 5

26   "Cost of Cyber Crime", Detica, 2 February 2011

27   Ev 33, para 45 [Dr Richard Clayton]

28   Ev 30, para 10

29   Ev 30, para 10

30   Ev 40, para 14

31   Cabinet Office, Cyber Security Strategy, 25 November 2011

32   Q60

33   Q61

34   Q55

35   A scam where an email purports to be from officials from troubled nations seeking help to move large sums of money to the UK. Helpers are promised large rewards for their help but are instead tricked into providing upfront money or bank account details.

36   For examples see: "Advance fee fraud", Wikipedia,

37   URL is the internet address of a website such as - this may reveal a different destination to the one that the user thought they were going to by following a link in an email or website.

38   Q10 [Dr Clayton]

39   "A nation addicted to smartphones", Ofcom, August 2011,

40   Ev w41, para 2

41   Ev w39, para 2

42   Q6 [Dr Westmacott]

43   Ev w9, para 24

44   Ev w40, para 13

45   Q25 [Richard Clayton]

46   Ev w41, para 21

47   Micropayments are online transactions that are of small denominations e.g. $2, £3.50, or €4, and can be used for digital content purchase such as games, music, movies, comics and electronic books. Micropayments can also be used to charge for digital services such as Facebook applications and access to website member areas.

48   The Advanced Payments Report 2011, Edgar, Dunn & Company, February 2011

49   Cabinet Office, Cyber Security Strategy, 25 November 2011

50   Q32

51   Q46 [Janet Williams]

52   For example, Ev 29, para 25 [Professor Sommer]

53   Q37 [Janet Williams]

54   Q84

55   Q31 [Janet Williams]

56   A statement of the collective capabilities that police forces across England and Wales will be expected to have in place in order to protect the public from cross-boundary threats such as terrorism, civil emergencies, public disorder and organised crime. The shadow requirement is advisory but a statutory requirement is expected in the Summer of 2012.

57   Q31

58   Q84

59   Q36 [Charlie McMurdie]

60   Q36 [Charlie McMurdie]

61   Q34 [Janet Williams]

62   Q34

63   Q48

64   Q53

65   Q85

66   Ev 32, paras 31 and 32

67   Ev w38, paras 15 & 16

68   Ev 32, para 33


© Parliamentary copyright 2012
Prepared 2 February 2012