Malware and cyber crime - Science and Technology Committee Contents

Written evidence submitted by Finmeccanica Cyber Solutions (Malware 06)

The Committee seeks submissions on the following matters:

What proportion of cyber-crime is associated with malware?

1.  The experience of Finmeccanica Cyber Solutions' CERT team is that malware plays a crucial role in the types of attack associated with cyber-crime. Aside from the very basic "phishing" attacks that tend to be based more on social-engineering techniques malware is now generally introduced into the majority of technical attacks occurring via email and web.

Where does the malware come from? Who is creating it and why?

2.  Fundamentally malware is developed in response to vulnerabilities in operating-systems or in software. The vulnerabilities that malware exploits naturally arise as part of the common software engineering processes that have been used over the past thirty years. Vulnerabilities that affect very popular operating systems (such as one of the Microsoft Windows variants) and popular pieces of software (such as one of the common web browsers) quickly become publicised, often with exploit code being released into the public domain.

3.  Where this is done as part of the "white hat" philosophy, the vendor of the operating-system or software is first informed so that the so-called "fix" or "patch" is released before the news becomes public. However many individuals do not keep up-to-date with operating-system and software patches and remain vulnerable. This makes it easy for technically savvy criminals to attempt to inject malware through a variety of known vulnerabilities.

4.  These individuals (sometimes so-called "black hats") rather than inform the software vendors, keep the vulnerabilities to themselves or publicise it within an underground.

5.  Recent years have seen a criminal "IT service industry" visibly emerge. A number of groups produce "malware packs", which can be purchased (via suitably anonymous means) by organised crime or even state sponsored organisations to launch wide-scale and targeted attacks via email and the web. Such packs often include a subscription that entitles the purchaser to regular updates ensuring that the latest vulnerabilities in operating-systems are covered.

6.  Certain classes of malware, generally those that practice denial-of-service attacks, focus on weaknesses of the design of the internet itself and are difficult to mitigate. For example, huge "bot nets" can disrupt ecommerce sites by bombarding them with traffic from a diverse range of IP addresses. It is currently very difficult to defend against such attacks.

What level of resources are associated with combating malware?

7.  Finmeccanica Cyber Solutions is aware of one global FTSE-100 corporation that has spent between one and five million pounds to specifically address malware through technical controls. We understand that spending in the financial sector, particularly the retail banks, is similar.

8.  The countermeasures and safeguards against malware are technical (anti-malware software and so on) and procedural (user awareness, staff awareness).

What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?

9.  Finmeccanica Cyber Solutions works on many customer sites and notes that basic controls against malware and virus infection are now almost universally implemented. The effectiveness of such measures depends not only on their extensively and individual effectiveness but also the procedures surrounding them.

10.  Security controls are often said to be in competition with usability in that they can make the users' business internet business activities more difficult. This seems to be borne out by Finmeccanica Cyber Solutions' observation that when users are left responsible for updating their operating-system patches and software they often neglect to perform this activity regularly, even when the process only involves a few mouse clicks.

11.  As the technical details of malware are beyond the full understanding of the layman some "internet security" companies scaremonger, scam, and even introduce their own malware in the guise of anti-malware.

12.  The potential cost of malware to individuals, in an age of internet banking, internet shopping and social networking is spreads across financial loss, identity theft, loss of earnings and damage to reputation.

13.  Malware targeted at specific companies and organisations is likely to be focussing on making a financial gain. Obviously any successful attack against a consumer organisation that is publicised will affect customers' views of the organisation.

Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?

14.  As the internet continues to pervade individual and work life it compliments or supplants pre-internet facilities that many may consider the government should protect. For example, the postal system for carrying letters, television and radio broadcasts, access to news and so on. The internet can replace the need for physical access to work, physical access to couriers, replace the need for paper-copies of documents. The government's has the related responsibility to protect therefore probably extends to education, clarity of law and law enforcement.

15.  In all these senses the Finmeccanica Cyber Solutions view is that the government should continue to legislate to protect and maintain the essential infrastructure of businesses and public life including when these cross-over to the internet. This should then include measures to control cyber-crime and planning for emergencies.

16.  Government does have a duty to protect its own networks and the data it holds on behalf of UK subjects. Although it is making strides to do this, it is facing the growing issue that its cyber footprint, and the value of the data and funds it holds in cyber space, are beyond the capacity of its own organisation to protect. Government needs to reach out to trusted parties to expand this capability.

How effective is the Government in co-ordinating a response to cyber-crime that uses malware?

17.  Finmeccanica has over many years built close relationships with the law enforcement communities in both the UK and Italy and our response to this question is informed by these relationships. We believe that the UK government's response to cyber-crime generally is amongst the best in the world, especially since responsibility for tackling the cyber threat across the crime and terrorism fields were brought together at the ministerial level.

18.  However, there are still many different bodies involved depending on the nature of the crime being committed. For example, child exploitation crimes are dealt with by CEOP, fraud by the SFO, theft by PCeU and counter-terrorism operations by SOCA. Such a division of responsibilities was entirely appropriate in the pre-internet and pre-malware days. In the current climate, where new forms of malware and new ways of exploiting their potential are emerging at an exponentially growing rate, we believe it would be appropriate to examine the potential for either centralisation or resource sharing across the different groups involved in policing cyber space.

19.  We recognise that the knowledge and skills required to investigate and prosecute child abuse are necessarily different from those for financial crime. However we believe that the similarities in the use of malware and other forms of cyber attack by different categories of crime warrant the synergies and subsequent cost savings which could accrue from centralising the capabilities required to identify that a cyber crime has been committed and provide the digital forensic evidence to support subsequent investigation and prosecution by specialist units.


Finmeccanica Cyber Solutions is part of Finmeccanica in the UK and offers information assurance and cyber security services for organisations across public and private sector.

6 September 2011

previous page contents next page

© Parliamentary copyright 2012
Prepared 2 February 2012