Malware and cyber crime - Science and Technology Committee

Written evidence submitted by McAfee (Malware 08)


1.  McAfee welcomes this opportunity to respond to the Science and Technology Committee's inquiry into malware and cyber-crime. As the world's largest dedicated security technology company, McAfee is at the forefront in the fight against malware and cyber-crime. UK Government networks alone receive around 20,000 malicious emails every month, with over 1,000 of those deliberately targeting them.[21]

2.  We welcomed the elevation of the cyber-crime threat to "tier 1" status in last year's National Security Strategy (NSS) and the Strategic Defence and Security Review (SDSR). The Cabinet Office report "The Cost of Cyber Crime" reveals that government and citizens are affected by rising levels of cyber-crime, (an estimated £2.2 billion and £3.1 billion cost respectively), while the cost to business is around £21 billion. Government commitments of resources to combat the cyber threat, such as the additional £650 million announced in the SDSR, are encouraging signs to address this problem.

3.  As a leading authority on cyber-security, McAfee believes that it is more important than ever before for the Ministry of Defence (MoD) and Government to undertake in-depth, regular reviews of the evolution of the threats against national and global infrastructure. The best in class tools we have developed and have at our disposal and the unrivalled experience we have in this specialised area, we believe, can enable the government to do this in the cyber-security space.

4.  By undertaking regular risk assessments of the cyber threat the Government can have a more adaptive strategy to prepare against the dangers of cyber-crime, malware and other threats. However, in what are difficult financial times it is important for the Government to work in tandem with the private sector, and draw on the wide range of technical expertise and experience that they have to offer. McAfee, for example, undertakes regular studies of the ever-changing cyber threats, such as our recent Night Dragon, Shady RAT and Operation Aurora reports.

5.  This is a problem that can affect all parts of government, and so the response must be equally wide-reaching. Rather than simply continuing to use suppliers to fix and patch systems that fail or come under attack, a systems integrator for the whole of government could be adopted; the issue is just as important to the Department for Work and Pensions for example, as it is to the MoD. This would provide a more cost-effective solution that is proactive, rather than reactive to this ever growing threat.


6.  McAfee is the world's largest dedicated security technology company. We are committed to tackling the world's toughest security challenges and delivering proactive and proven solutions and services that help secure systems and networks around the world. Our technologies allow users to safely connect to the internet, browse and shop the web more securely.

7.  Backed by an award-winning global research team, a number of whom are based in Aylesbury, McAfee creates innovative products that empower home users, the private sector and the public sector and allow them to continuously monitor and improve their security.

Question 1.  "What proportion of cyber-crime is associated with Malware?"

8.  The NSS rightly elevated the risk of a cyber-attack to "tier 1" threat as the number of cyber-crimes is growing all the time, and malware represents an increasingly large proportion of those crimes. There is no way of knowing precisely what proportion of cyber-crime is associated with malware, due to the ever evolving and expanding nature of the threat. However, through the many research projects and studies McAfee has undertaken in the area, we can be confident that the proportion is significant and requires attention.

9.  McAfee's Threat Report for the second quarter of this year shows that although numerically not the busiest period in history (just behind last year's pace), when combined with the first quarter it was the busiest ever first half-year in this area of cyber-crime, with an increase of 22% over 2010 and over six million unique malware samples being detected.[22] The "malware zoo" McAfee has constructed of those strands of malware that have been identified has now reached over 75 million inhabitants.

10.  McAfee has highlighted three substantial malware attacks targeting all varieties of global organisations and corporations over the last five years; Operation Aurora, Operation Night Dragon and Operation Shady RAT.

11.  Operation Aurora targeted Google and twenty other organisations. It was a coordinated attack which included a piece of computer code that exploited a Microsoft Internet Explorer vulnerability to gain access to computer systems. This exploit then extended to download and activate malware within the systems. The attack, which was initiated surreptitiously when targeted users accessed a malicious web page (likely because they believed it to be reputable), ultimately connected those computer systems to a remote server. That connection was used to steal company intellectual property and, according to Google, additionally gain access to user accounts.

12.  Operation Night Dragon was similar to Aurora in that it sought to infiltrate and attack global companies. Targets for this attack included global oil, energy and petrochemical companies. These attacks involved social engineering, spear-phishing attacks, exploitation of Microsoft Windows vulnerabilities, Microsoft Active Directory compromises and the use of remote administration tools with the aim of targeting and harvesting sensitive competitive proprietary operations and project-financing information with regard to oil and gas field bids and operations.

13.  Unlike both Night Dragon and Aurora, which provided details of new threats, McAfee's publication Operation Shady RAT (an acronym for Remote Access Tool) detailed a comprehensive analysis of victim profiles from a five year target operation by one specific actor. For the most part, victims had already remedied the intrusion. However, the publication of McAfee's document highlighted the on-going cyber-crime threat emerging from malware. It noted that one cyber actor had been able to compromise 72 different parties covering a spectrum ranging from the US Federal Government through to defence contractors, accountancy firms and non-profit organisations.

Question 2.  "Where does the malware come from? Who is creating it and why?"

14.  Both targets and attackers can be individuals, suspected states or private organisations. Malware attacks tend to occur in waves and the motivation for such attacks tends largely to be financial or for reasons of espionage. Once the returns from a piece of malware start to diminish (mainly due to the security response from an anti-virus provider or changes in the environment, eg a monthly roll-out of update patches for anti-virus software), a new attack supersedes it, as we saw with Shady RAT.

15.  Furthermore, before the attacker notices an actual reduction in return on investment in a particular attack, there is no need for an alternative one. This may be, incidentally, the most likely reason that so many new attacks are launched, because of the now higher investment in higher quality and more frequent security updates, necessitating more attacks.

16.  Our Threats Report for the second quarter of 2011 gives a detailed view of the types of threat we're currently facing. For example, this quarter saw an increase in for-profit mobile malware, including simple SMS-sending Trojans and complex Trojans that use exploits to compromise smartphones.[23] This shows the ever evolving nature of the malware threat. McAfee now collects on average almost two million new malware samples every month. This is certainly not a welcome development, but it is consistent and predictable considering how our business and private lives are now tethered to technology.

17.  McAfee recently demonstrated how easy it is for one individual to create and use a piece of malware at parliamentary workshops for MPs. At the workshop, Members were able to build and launch their own piece of malware in a controlled environment. This gave them hands-on experience of the level of simplicity, both in terms of acquiring and using malware for criminal activities.

18.  The workshops were part of McAfee's initiative to educate politicians and decision makers on the threat posed by malware and cyber-crime so that their knowledge and experience extends beyond simply reading about it in news reports, Government papers and analytical reports.

Question 3.  "What levels of resources are associated with combatting malware?"

19.  In the private sector and among members of the public, the level of resources committed to combatting malware depends on the level of awareness of the threat posed by it.

20.  The Government currently commits large amounts of resources to combatting malware, such as the additional £650 million announced in the SDSR. However, this is still a relatively small amount compared to other areas of defence spending (for example, the Type 45 destroyer and the cancelled Nimrod MRA4 aircraft cost £6.4 billion and £3.6 billion respectively), despite the high threat level of cyber-attack.

21.  McAfee commits large amounts of time and resources to developing methods for combatting malware, as well as studying its behaviour, creation and motivation. This work is done both in isolation and through partnerships with other companies, as well as through involvement in organisations and initiatives such as Intellect, Cyber Champions and ICSPA.

22.  Such initiatives and organisations offer excellent opportunities for companies and the Government to come together to share knowledge and experience, which can be used to devise better methods of defence, or ways to improve efficiency and lower costs within the sector. In this regard, McAfee fully supports the comments of former Security Minister Baroness Pauline Neville-Jones that the government was determined to work with industry to tackle cyber-crime.

23.  The Security Innovation Alliance (SIA) programme, for example, is a technology partnering programme run by McAfee to accelerate the development of interoperable security products, and simplify integration of these products within complex customer environments. The reason the SIA was established by McAfee was because we recognised that there has been very limited interoperability between different suppliers, and the programme now has in excess of 150 partners. If suppliers themselves were more interoperable, this would enable Government to deliver it on their services, thereby lowering cost. Indeed, the need for greater interoperability was outlined as a necessary requirement in the recent SDSR.

Question 4.  "What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?"

24.  The cost to individuals from malware attacks and cyber-crime is growing and at the same time the attacks themselves are becoming more sophisticated and targeted. In order to maximise their financial gains, it is no longer sufficient for hackers to launch mass attacks and then sit and wait for victims to be lured in. Instead, criminals are now conducting increasingly detailed studies of their targets via the many sources available via the internet (such as information posted on social and business networking sites). With this information, specific attacks can be crafted which are more likely to succeed.

25.  Criminals will also test their exploits against the security defences available in an effort to avoid detection and will tailor the payload to get around those defences—hence the large number of malware variants being seen today. The combination of the use of targeted information gathering, stealthy attacks and the use of multiple vectors of attack, such as combining online research with phishing emails and web-based malware, is a destructive one that requires a new mind-set - and technologies - to defeat.

26.  A recent Government study put the cost of cyber-crimes to individuals at around £3.1 billion (£1.7 billion pa for identity theft, £1.4 billion pa for online scams, and £30 million pa for "scareware" and fake anti-virus software).[24] The prevalence of these types of cyber-crime means that their aggregated effect is detrimental to the UK economy, in addition to indirect macro-economic effects that could occur, such as a possible loss of confidence in online services (eg internet banking).

27.  Industry itself is extremely effective at combatting and providing protection from malware; McAfee alone provides solutions for cloud, network and endpoint security, as well as its quarterly threat reports and Global Threat Intelligence (GTI) briefings. However, private security companies cannot force individuals and companies to protect themselves.

28.  It is for this reason that it is so vital that the Government works with the private sector IT security providers to ensure that everyone is protected. Another aspect to this solution, however, is that there are so many systems and methods for protecting against cyber-attacks that it can be tempting to just procure as problems arise. This is often more expensive and slower to react, however. That is why a broader overarching approach with clear central government accountability and ownership to coordinate with private sector partners is needed; such an approach would be considerably more efficient by removing potential duplication at government level in addressing the cyber threat.

Question 5.  "Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?"

29.  Government does indeed have a responsibility to deal with the spread of malware, and in a way malware infections have many similarities with real-life diseases. Take for example, the scenario of injecting a virus into a guinea pig and monitoring the animal's health. In the short term the virus is likely to replicate a few times, which causes the immune system to react and produce antibodies. These find and kill the viral copies so that the guinea pig is healthy again.

30.  However, there is an immune system reaction to the virus - a short learning process that occurs before a reliable response is deployed. In their reactive mode security products operate similarly; they produce a response to the new attack and deploy it. They can observe a piece of malware just once or twice and protect many millions of users after that point.

31.  It is because of this ease with which malware can spread, coupled to more services used by the public being handled online, that Government has a responsibility to ensure that adequate defences are in place.

32.  It can do this in two ways. Firstly, through its own spending and initiatives, such as the Home Office's Cyber Crime Strategy, or the £650 million announced in the SDSR to deal with the threat of cyber-attack. McAfee welcomes initiatives such as these, and encourages the Government to do more in this regard, and is always willing to offer its own support and expertise.

33.  The second method would be to incentivise the private companies that own and operate the critical infrastructure of the UK, such as key utilities, to improve their security postures and ensure that they are adequately protected from cyber-crime. McAfee feels that this is a logical step to take as the cyber threat has evolved, spread and become more dangerous. This could be done through the introduction of the right mix of incentives (eg grants, research and development scholarships and best practice awards) and regulation to encourage private critical infrastructure industries to make the investments and implement the practices necessary to improve their security postures.

34.  Of course it is difficult for Government to get a grasp of such a large area of expertise, and particularly in these difficult economic times this is where it should seek the assistance of private IT security companies like McAfee to cooperate in terms of sharing knowledge and experience.

35.  The Government must also do more to educate individual citizens of the dangers of cyber-crime, and the protection available. This could be done cheaply alongside existing online services, and again private sector IT security companies are well placed to share knowledge and experience on the various types and levels of protection available to the public.

36.  The first duty of Government is that of protection, but ensuring that public services, citizens and companies are aware of the dangers and well-defended against malware, cyber-crime and other cyber-attacks also has economic benefits, as mentioned in the answer to question 4.

Question 6.  "How effective is the Government in co-ordinating a response to cyber-crime that uses malware?"

37.  McAfee welcomed the Government's allocation of £650 million towards fighting cyber-crime in last year's SDSR, as well as the various initiatives that the Government is currently undertaking, such as the Cyber Crime Strategy, the National Cyber Security Strategy, and the creation of the Defence Cyber Operations Group.

38.  However, such strategies and initiatives will only be successful if there is effective and joined up leadership, as well as real partnership with those private sector IT security companies whose expertise can greatly contribute and complement.

39.  There is currently no government contingency plan in place to deal with cyber-attack, with action tending to be reactive, rather than proactive. This is perhaps understandable during this difficult economic period. However, while initial spending may be required to bring cyber defences and contingency plans up to task, once in place they will be far more cost effective than simply reacting and repairing the damage after every attack, and such attacks are becoming more common by the day.

40.  As mentioned above, many commercial security products themselves are hugely adaptive, able to observe a piece of malware just a few times and then protect many millions of users after that point. It is for this reason that the Government is able to consolidate its approach to cyber defence, as described above. The Host Base Security System (HBSS) is one example of a singular, comprehensive approach to cyber-security.

41.  HBSS is a programme McAfee is working on in the US with the Department of Defence (DoD) and is the largest IT security deployment within the Department. It provides multi-layered threat protection for more than 5 million DoD and intelligence agency host platforms such as servers, desktops, and laptops in accordance with the Enterprise-wide Information Assurance and computer Network Defense Solutions Steering Group.

42.  The HBSS system would also be applicable to the aims of the UK MoD as it offers cross-platform protection from one supplier, removing unnecessary duplication and complexity within the procurement. McAfee has been actively offering its knowledge and experience of the HBSS programme to the MoD and Government to ensure that they are better informed when it comes to making their own procurement decisions. (Annex 1 offers more information on the HBSS programme).

43.  While the Government has taken steps to engage with industry, it should now be enhanced to allow for collaborative risk assessments and increased information sharing. Regular risk assessments, such as McAfee's quarterly Threat Reports and GTI briefings should also be undertaken by the Government, drawing from the existing private sector knowledge that exists in this area, to ensure that the Government's plans to deal with the cyber threat are as adaptive as the threat itself. The Government needs to select effective and willing private partners with which to achieve this, and companies like McAfee are well placed to step into the breach.

Annex 1


McAfee launched an open architecture technology programme, largely in response to the needs of one of its largest customers, the U.S. Department of Defense (DOD).

McAfee technology underlies the largest IT security deployment within the DOD, the Host Base Security System (HBSS), which provides multilayered threat protection for between five and seven million host platforms worldwide. HBSS was launched after the DOD decided that host computer defence was critical to the protection of the Global Information Grid, and the system is mandated for installation on all unclassified and classified systems in the department.

McAfee Host Intrusion Prevention solutions are the underlying technology of HBSS, providing monitoring, detection, and counters to known cyber-threats to the DOD's enterprise architecture and delivering integrated security capabilities such as anti-virus, anti-spyware, whitelisting, host intrusion prevention, remediation, and security policy auditing.

Recently, McAfee partnered with Northrop Grumman to deploy HBSS for the Secret Internet Protocol Router Network (SIPRNet) within the US Air Force. SIPRNet is the communications backbone of the DOD that facilitates the exchange of classified tactical and operational information at the secret classification level for both the Air Force and other branches of the US Armed Services. McAfee has also partnered with Northrop Grumman in the UK to deliver the company's cyber-test range, which was opened by Defence Minister Gerald Howarth in October 2010.

In deploying HBSS, the DOD wanted an open framework that would enable the department to plug in any number of solutions from different vendors. Largely in response to this need, McAfee initiated a technology partnering programme called the McAfee Security Innovation Alliance. The purpose of the McAfee Security Innovation Alliance programme is to accelerate the development of interoperable security products and simplify the integration of those products within complex customer environments.

McAfee security risk management solutions are at the heart of the McAfee Security Innovation Alliance programme, allowing organisations of all sizes to benefit from the most innovative security technologies. They now can simply snap into the McAfee management platform, McAfee ePolicy Orchestrator® (McAfee ePO™) software. Today, more than 100 technology partners across Europe, North America, the Middle East, and Australia have joined the alliance.

We believe that the McAfee Security Innovation Alliance programme provides an important value proposition for government and commercial customers who do not want to be locked into a single vendor.

7 September 2011

21   GCHQ Director Iain Lobban, 13 October 2010

22   McAfee Threats Report: Second Quarter 2011, pg. 9

23   McAfee Threats Report: Second Quarter 2011, pg. 1

24   Cabinet Office report; "The Cost of Cyber Crime", pg. 18


© Parliamentary copyright 2012
Prepared 2 February 2012