2 Cyber crime and Policing
Individual Exposure and Knowledge
17. When a computer is enabled to access the
internet, that machine becomes part of the network; but access
to the internet is not necessarily one-way: anyone with the right
skills may be able to access the machine and its contents, to
monitor anyone who uses that machine and possibly to co-opt the
machine into a network of similarly compromised machines that
facilitates further criminal activity. The Serious Organised Crime
Agency told us that a:
significant proportion of cyber-crime uses malware
to perform some part of the crime. Even spamming now involves
the use of malware, as the majority of spam messages are now delivered
using Botnets.[25]
18. Exposure to the possibility of crime is not
uncommon. What makes cyber crime different is that many people
have not developed an understanding of what constitutes risky
behaviour, how to minimise that risk and what to do if they become
a victim.
19. Crimes committed on the internet are often
the bread and butter crimes of everyday criminal activity: fraud
and theft. The driver for criminal activity on the internet, like
everyday street crime, is gaining money. The Cost of Cyber
crime report by the Cabinet Office outlines the costs to individual
computer users: "£1.7bn for identity theft, £1.4bn
for online scams and £30m for 'scareware'."[26]
20. There is a suggestion in Home Office statistics
that use of the internet increases exposure to credit card fraud:
A supplementary document to the British Crime Survey
was published by the Home Office in May 2010. It looked at data
from 2008-09 and found that 6.4% of credit card owners were aware
of fraudulent use of their card over the previous 12 months. Victimisation
rates were higher at 11.7% for incomes over £50,000/annum.
If the Internet had been used at all (irrespective of income)
the rate was 7.7% and if the Internet was used "every day"
then it was 8.9%. In contrast, the 2010/11 British Crime Survey
found that burglary affected just 2.6% of households and thefts
from cars affected 4.2% of households.[27]
21. We have been told several times, however,
that the data on cyber crime is not reliable or authoritative
as it is not systematically recorded. Dr Richard Clayton said
that "until we have reliable data we will not be able to
assess the size of the cyber crime problem nor whether we are
making any impact on it".[28]
The crimes that are recorded are usually where there has been
some monetary loss. Dr Clayton recommended the "recording
of all electronic crime incidents, not just those resulting in
monetary loss".[29]
SOCA appeared to agree, pointing to the US where there is "a
better understanding of the threat in the US due to mandatory
requirements to report data breaches in most US states. In the
UK there is no obligation to disclose, and estimates of the costs
of malware are difficult to assess".[30]
22. In the Cyber Security Strategy[31]
the Government announced that it would seek to enhance the ability
of the public to report cyber crime. The Government also mentioned
the possibility of developing a cyber hub with the aim of increasing
the sharing of information among businesses. However, the report
does not indicate whether this would involve reporting cyber crime
that targeted businesses.
23. We welcome the Government's
commitment in the Cyber Security Strategy to
enhance the ability of the public to report cyber crime. We recommend
that the Government consider how to encourage (or require) businesses
to report incidence of cyber crime. Additionally, we urge internet
security companies to work with Government to find a way to use
the development of a cyber hub to facilitate the detection of
malware.
24. One of the problems for internet users is
that much of the information about internet technology and security
issues is laden with jargon. It may be difficult to get people
to engage with information on security concerns when the language
used to describe the dangers acts as a barrier to that engagement.
As the Minister said:
in some ways we wrap a lot of this information up
in technology-speak, which sometimes makes it a little bit impenetrable
for the public and others to have a sense that it is directly
relevant to them. The communications strategy must have that idea
at its heart.[32]
[...]
it can at times sound as if you are talking through
a complicated plot from a science fiction novel, whereas in fact,
what we are talking about is real-life crime and real-life impact.[33]
25. Janet Williams, the Deputy Assistant Commissioner
of the Metropolitan Police told us
we all understand that we won't walk down a dark
alley in preference to a lit alley. That is instinctive, and we
almost need to get to that point with this, so that people understand
what the danger signs are, and at the moment most people don't.[34]
To those in the know, it may seem impossible to believe
that people are still taken in by the Nigerian 419 scams[35]
or related ones involving winning sums of money on international
lotteries.[36] It is
true that there are any number of websites such as scambusters.com
or snopes.com where it is possible to find the truth behind scams
on the internet. However, those new to the online environment
may not have sufficient knowledge and awareness and there is no
obvious central point for them to consult. Nevertheless, it is arguably
easier to teach the public about scams as these are often simply
the same types of confidence tricks that existed prior to the
internet but are now using new technology to reach a new audience
or to provide enough misdirection to evade the awareness people
may have about physical junk mail offerings.
26. Infection with malware, on the other hand,
takes cyber crime apparently to a different level, where
experts use their technical skills to, among other things, take
over computers worldwide to steal bank details and identity information.
Dr Richard Clayton did not believe it was possible to bring the
mass of the population up to the level of technical knowledge
required to defend themselves; instead we needed to "rely
on those who make the software to adapt it in such a way that
you no longer need to read the URL[37]
in order to be safe".[38]
27. If people are reluctant to go online because
of fears about safety then they may find themselves disadvantaged
in terms of retail opportunities and, more importantly, in terms
of access to government information, advice and other services.
28. Knowledge is the best defence
against fear and we recommend that government-provided information
focuses on how to be safe online rather than warns about the dangers
of cyber crime. We also recommend that the Government work with
the industry partners announced in the Cyber Security Strategy
to promote the equivalent of a 'Plain English' campaign to make
the technology easier to understand and use.
Smartphones
29. Viruses and other malware were not, until
recently, a problem for phone users. However, there has been a
significant rise in the number of people in the UK using smartphones
to access material not simply through the phone networks but also
through the internet via wi-fi connections.[39]
Research in Motion brought to our attention research by Gartner
that suggested that smartphones will outnumber PCs by 2013.[40]
PhonepayPlus highlighted to us that there was a growing threat
to consumers from potentially harmful applications for mobile
phones and a growing need to create awareness among consumers
and industry of new threats in the digital sphere.[41]
30. Our witnesses raised the point that there
is a significant generational difference in how people approach
online concerns.
The older generation, which may not have used computers
regularly, are now starting to use them and have a lack of technical
awareness but perhaps have a different view of security. The younger
generation is possibly quite the opposite, having far more experience
of technology but perhaps being less aware of the need to be secure.[42]
31. We recommend that the Government
take note of the importance of addressing different messages to
different generational groups of UK internet users.
32. We were told by Mr Emms and Professor Furnell,
in their joint submission from Kaspersky and the University of
Plymouth, that there is some concern that computer users do not
apply their awareness of the dangers of malware to mobile phones.
Ofcom now suggests that [while] approximately one
in three UK adults use a smartphone there is a distinct lack of
understanding around related security issues - a recent report
from Retrevo suggests that only a third of Android users are aware
that their devices could be susceptible to malware, while Lookout
reports an 85% increase in mobile malware detections on the Android
platform during the first six months of 2011, along with a five-fold
increase in the number of malware-infected apps.[43]
As increasing levels of online activity once confined
to desktop and laptop computers take place on smartphones, PhonepayPlus
consider that there is a role for regulation[44]
similar to that for premium services on mobile phones. However,
regulation of online activity would have to apply to both smartphones
and traditional internet platforms (desktop and laptop computers)
and Dr Clayton suggested that consumer expectations of the platforms
were different and that consumers would be less likely to accept
the level of control on their computers that telephone companies
exert over their mobile phones.[45]
33. PhonepayPlus, the UK regulator of premium
rate services, also told us that premium rate services in the
UK are worth "in excess of £800m annually" and
that the movement of the market can be so rapid that the consequences
of changes could be beyond most consumers' ability to grasp.[46]
They raised concern about whether the regulatory framework that
has worked to protect consumers in relation to premium rate services
was sufficient to regulate new online services that involve micropayments.[47]
A recent estimate puts the global growth in micropayments from
$320 billion to $680 billion by 2016.[48]
34. The Cyber Security Strategy[49]
mentioned smartphones only to point out the increasing targeting
of this platform by malware but said nothing about exploiting
synergies. We are impressed
by PhonepayPlus' expertise on the dangers of criminal exploitation
of smartphones. We recommend that PhonepayPlus has a dedicated
part of the enhanced Get Safe Online website and that they are
consulted closely in the development of regulatory policy to take
into account, for example, online services involving micropayments.
Policing the internet
35. The internet does not have the same level
of regulation as mobile phones. There is no overarching body that
provides consumers with a first place of contact to complain about
disreputable or criminal behaviour. It is not the responsibility
of an ISP to regulate behaviour online. It is not the job of Nominet
to decide what is or is not disreputable behaviour or to enforce
a code of conduct on those offering commercial services online.
It is not even the responsibility of Ofcom to decide who is a
fit and proper person to operate as an ISP. The default for an
individual who experiences cyber crime would appear to be to refer
it to the police or possibly simply attempt to minimise any financial
loss by contacting banks and online services, depending on the
exact nature of the crime. There is no single first point of advice
and help for the consumer.[50]
36. Cyber crime issues are handled by a number
of police agencies and units. Although the police themselves were
clear about the relevant lines of responsibility and authority
between units,[51] those
outside the police were confused, which suggests that work is
needed to make the policing responsibilities more transparent
to enable victims of crime to contact the right officers.[52]
37. We recommend that the police
have dedicated pages on Get Safe Online on which they might communicate
directly with the general public, to gather information and intelligence
about what is happening to individual computer users and to provide
consumers with an authoritative policing voice on current cyber
crime issues.
38. While the police now clearly take the problem
of cyber crime seriously, both they[53]
and the Minister[54]
agreed that the policing of cyber crime needed to become mainstream
to the point that local police officers are comfortable talking
about cyber security. We share the sentiments of Janet Williams
of the Association of Chief Police Officers (ACPO):
I don't think we are as good as we need to be in
policing, in terms of every single police officer in this country
being as equipped to give a member of the public a piece of advice
around cyber-security as they are, for example, for their windows
and their doors - their general house issues.[55]
39. More police officers need to have an understanding
of cyber crime, at least to the point of properly recording the
crime that takes place and signposting victims to relevant organisations
that can provide help and advice. The Government recently published
its shadow Strategic Policing Requirement,[56]
which focuses on policing capability to respond to a large-scale
cyber incident rather than the more workaday ability to respond
generally to cyber crime. We
recommend that the Government ensures that the Strategic Policing
Requirement addresses individual-level cyber crime, not least
because much of it appears to be directed by organised crime gangs.
Given competing local priorities for funding policing activities,
only establishment within the Requirement will ensure that police
forces invest the money necessary to guarantee that local officers
are able to respond to individual victims of cyber crime.
40. We remain concerned that there exists a clear
gap between aspiration and action on the ground. Janet Williams[57]
and the Minister[58]
indicated their intent to tackle cyber crime at all levels. At
the same time Charlie McMurdie, from the Metropolitan Police e-Crime
Unit, said: "We could arrest 200 people tomorrow, but they
may be low-level users of compromised data".[59]
There is obviously a tension between the need to make criminals
feel unsafe about being involved in cyber criminality and the
desire to use those criminals to track back to the 'root cause - the
two, three, four or half a dozen instances of top-end criminality'
who direct and control the foot-soldiers.[60]
However, if the police and Government want to ensure that "cyber
criminals should not feel safe"[61]
then they need to find a way to tackle even low-level users of
compromised data.
41. One practical operational problem in relation
to cyber crime is the global nature of the threat and the strictly
national base of policing around the world. Janet Williams emphasised
the impact that the police could make in partnership with the
IT industry to tackle global concerns rather than the effectiveness
of international policing agencies such as Europol and Interpol.
Now, we work hand in glove with industry, and we
are using its people and kit alongside our people and our kit,
which enables us to cross jurisdictions. We know that cyber-criminals
don't like this and that they are getting quite nervous about
that capability. I think that is a good thing; we need more of
that because it is obviously working.[62]
However, Charlie McMurdie assured us that when it
came to operational activity, police internationally are working
better together to tackle the issue of cyber crime:
we have just conducted a recent operation - website
suspension work, with rogue medical websites - with 80-odd
countries, which was co-ordinated by the Interpol control centre.
It provided capability for us and put all the various points of
contact in place. But far more work is with Europol, currently.
Interpol is just relocating as well, so it has been through quite
a move; it is looking at bigger growth, to put in more capability.[63]
We are convinced that the Government and police are
working closely together to address some of the international
problems of ensuring that policing across national boundaries
is more effective.
42. Janet Williams told us that the legislation
for prosecuting cyber crime was 'not fit for purpose'; but was
less clear as to where she believed the weaknesses lay.[64]
The Minister assured us that the legislative framework was constantly
under review to ensure it was fit for purpose.[65]
We are not persuaded that there is a pressing need for new legislation.
We agree with the Minister that any legislation that may be introduced
should be technology neutral to ensure that the fast pace of technological
change does not render legislation obsolete as soon as it gets
onto the statute books.
43. Both the Government and
the police appear to want the response to low-level cyber crime
to be a mainstream part of UK policing. Only when police officers
are comfortable operating in online contexts and using existing
legislation to tackle online theft and fraud will it be possible
properly to identify whether additional legislation is required.
However, we think it is important that those engaged in low-grade
cyber crime can be punished without recourse to courts and that
the Government should work hard with the industry to develop effective
online sanctions for cyber criminals as indicated in the Cyber
Security Strategy.
44. We welcome the commitment
in the Cyber Security Strategy to make it easier
and more intuitive for the public to report online crime. We urge
the Government to ensure that this reporting function is integrated
with the development of the Get Safe Online site as a one-stop
shop for online security information and issues.
Providing a service
45. One of the beneficial features of the internet
is that it drives greater sharing of information. We were disappointed,
therefore, to learn that ISPs might fail to share information
with their users. Dr Richard Clayton told us:
when a botnet is shut down it is now usual practice
to set up a 'sinkhole' that will log the identities of the compromised
machines which continue to try and make contact with the disabled
[command and control server].
The operators of the sinkhole are unable to communicate
with the owners of the compromised machines directly - they
can only identify the ISP that is providing Internet connectivity.
So it is up to the ISP to pass the bad news on to the relevant
customer, because only the ISP knows who was using the IP address
at the relevant time. In practice, very few ISPs relay information
and almost none go looking for further sources of this type of
data.[66]
This is in contrast to the situation in Australia:
It is estimated that over 90 percent of Australian
home internet users are customers of the 82 ISPs participating
in the [Australian Internet Security Initiative] (ACMA, 2011).
When these ISPs have been informed by the [Australian Communications
and Media Authority] that a customer's computer has been infected
with botware they can select from a range of responses as set
out in the voluntary icode. These options include:
(a) contacting the customer directly (by phone, email
or SMS or other means);
(b) regenerating the customer's account password
to prompt customers to call the helpdesk so they can be directed
to resources to assist;
(c) applying an 'abuse' plan where the customer's
Internet service is speed throttled;
(d) temporarily quarantining the customer's service,
for example by holding them within a 'walled garden' with links
to relevant resources that will assist them until they are able
to restore the security of their machine;
(e) in the case of spam sources, applying restrictions
to outbound email (simple mail transfer protocol - SMTP); and/or
(f) such other measures as determined by the ISP
consistent with their terms of service (Internet Industry Association,
2010).[67]
46. In the UK, there is no such driver for ISPs
to intervene on behalf of their users. Dr Clayton told us
that there are good and bad companies.
We can see how poor the data passing is by examining
the data collected by the Shadowserver Foundation, who operate
a sinkhole for Conficker - malware that infected 7 million
machines worldwide in November 2008 and which still poses a threat
to the infected machines. The Shadowserver data shows that infections
have dropped from 5.5 million in September 2010 to 3.5 million
now; the worst affected UK ISP has seen a reduction from 7000
to 5000 infected machines over the same period. The best ISPs
completely eradicated the problem, and ensured their customers
were safe, two years or more ago...[68]
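A worked illustration of the chain Dr Clayton describes above (sinkhole log, then attribution to an ISP by address prefix, then the ISP's own lookup of which customer held the address at that time) and of the per-ISP infected-host counts on which Shadowserver-style figures rest. This is an added example, not code from the report, from any witness or from the Shadowserver Foundation; the log lines, the prefix-to-ISP table and the lease records are all constructed, and longest-prefix matching plus a time-bounded lease lookup are assumptions about how the attribution is done.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sinkhole log: timestamp, source IP, bot family, C2 name the
# bot was trying to reach. One malformed line is included deliberately.
SINKHOLE_LOG = """\
2011-11-01T08:00:12Z 203.0.113.17 conficker c2.example.invalid
2011-11-01T08:00:40Z 203.0.113.17 conficker c2.example.invalid
2011-11-01T08:01:03Z 203.0.113.250 conficker c2.example.invalid
2011-11-01T08:02:15Z 198.51.100.9 conficker c2.example.invalid
2011-11-01T08:03:59Z 192.0.2.77 conficker c2.example.invalid
this line is malformed and must be skipped
"""

# Constructed view of which ISP announces which prefix: the only thing the
# sinkhole operator can learn about who owns the infected machine.
PREFIX_TO_ISP = {
    ip_network("203.0.113.0/24"): "ISP-A (constructed)",
    ip_network("198.51.100.0/24"): "ISP-B (constructed)",
}

def parse_sinkhole_log(text):
    """Return (timestamp, ip, family) tuples; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
            ip = ip_address(parts[1])
        except ValueError:
            continue
        events.append((ts.replace(tzinfo=timezone.utc), ip, parts[2]))
    return events

def isp_for(ip, table=PREFIX_TO_ISP):
    """Longest-prefix match; None if no ISP in the table announces the address."""
    matches = [net for net in table if ip in net]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None

def infected_hosts_per_isp(text, table=PREFIX_TO_ISP):
    """Distinct infected addresses per ISP: bots beacon repeatedly, so count IPs, not hits."""
    seen = {}
    for _ts, ip, _family in parse_sinkhole_log(text):
        seen.setdefault(isp_for(ip, table) or "unrouted", set()).add(ip)
    return {isp: len(ips) for isp, ips in seen.items()}

# ISP side, constructed: (lease start, lease end, address, customer id).
# A dynamic address changes hands, so the timestamp decides who is notified.
UTC = timezone.utc
LEASES = [
    (datetime(2011, 11, 1, 7, 30, tzinfo=UTC), datetime(2011, 11, 1, 9, 0, tzinfo=UTC),
     ip_address("203.0.113.17"), "cust-1001"),
    (datetime(2011, 11, 1, 9, 0, tzinfo=UTC), datetime(2011, 11, 1, 12, 0, tzinfo=UTC),
     ip_address("203.0.113.17"), "cust-2002"),
]

def customer_at(ip, when, leases=LEASES):
    """Which customer held this address at the sinkhole timestamp (half-open interval)."""
    for start, end, lease_ip, customer in leases:
        if lease_ip == ip and start <= when < end:
            return customer
    return None

def customers_to_notify(text, leases=LEASES):
    """One notification per customer, however many times the machine beaconed."""
    found = {customer_at(ip, ts, leases) for ts, ip, _f in parse_sinkhole_log(text)}
    found.discard(None)
    return sorted(found)
```

The sinkhole operator can run only the first half (ending at a per-ISP count); the lease lookup in the second half is the step that only the ISP can perform, which is why the data stops there unless the ISP passes it on.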
47. We recommend that the Government
work with ISPs to establish an online database where users can
determine whether their machine has been infected with botware
and gain information on how to clean the infection from their
machine. We think that this should also be integrated with the
Get Safe Online website.
25 Ev 38, para 5
26 "Cost of Cyber Crime", Detica, 2 February 2011, http://www.baesystemsdetica.com/uploads/resources/THE_COST_OF_CYBER_CRIME_SUMMARY_FINAL_14_February_2011.pdf
27 Ev 33, para 45 [Dr Richard Clayton]
28 Ev 30, para 10
29 Ev 30, para 10
30 Ev 40, para 14
31 Cabinet Office, Cyber Security Strategy, 25 November 2011
32 Q60
33 Q61
34 Q55
35 A scam where an email purports to be from officials from troubled nations seeking help to move large sums of money to the UK. Helpers are promised large rewards for their help but are instead tricked into providing upfront money or bank account details.
36 For examples see: "Advance fee fraud", Wikipedia, en.wikipedia.org/wiki/Advance-fee_fraud
37 URL is the internet address of a website such as www.parliament.uk - this may reveal a different destination to the one that the user thought they were going to by following a link in an email or website.
38 Q10 [Dr Clayton]
39 "A nation addicted to smartphones", Ofcom, August 2011, stakeholders.ofcom.org.uk/market-data-research/market-data/communications-market-reports/cmr11/
40 Ev w41, para 2
41 Ev w39, para 2
42 Q6 [Dr Westmacott]
43 Ev w9, para 24
44 Ev w40, para 13
45 Q25 [Richard Clayton]
46 Ev w41, para 21
47 Micropayments are online transactions that are of small denominations e.g. $2, £3.50, or €4, and can be used for digital content purchase such as games, music, movies, comics and electronic books. Micropayments can also be used to charge for digital services such as Facebook applications and access to website member areas.
48 The Advanced Payments Report 2011, Edgar, Dunn & Company, February 2011
49 Cabinet Office, Cyber Security Strategy, 25 November 2011
50 Q32
51 Q46 [Janet Williams]
52 For example, Ev 29, para 25 [Professor Sommer]
53 Q37 [Janet Williams]
54 Q84
55 Q31 [Janet Williams]
56 A statement of the collective capabilities that police forces across England and Wales will be expected to have in place in order to protect the public from cross-boundary threats such as terrorism, civil emergencies, public disorder and organised crime. The shadow requirement is advisory but a statutory requirement is expected in the Summer of 2012.
57 Q31
58 Q84
59 Q36 [Charlie McMurdie]
60 Q36 [Charlie McMurdie]
61 Q34 [Janet Williams]
62 Q34
63 Q48
64 Q53
65 Q85
66 Ev 32, paras 31 and 32
67 Ev w38, paras 15 & 16
68 Ev 32, para 33