Written evidence submitted by McAfee (Malware 08)
EXECUTIVE SUMMARY
1. McAfee welcomes this opportunity to respond
to the Science and Technology Committee's inquiry into malware
and cyber-crime. As the world's largest dedicated security technology
company, McAfee is at the forefront in the fight against malware
and cyber-crime. UK Government networks alone receive around 20,000
malicious emails every month, with over 1,000 of those deliberately
targeting them.[21]
2. We welcomed the elevation of the cyber-crime
threat to "tier 1" status in last year's National Security
Strategy (NSS) and the Strategic Defence and Security Review (SDSR).
The Cabinet Office report "The Cost of Cyber Crime"
reveals that government and citizens are affected by rising levels
of cyber-crime (an estimated £2.2 billion and £3.1
billion cost respectively), while the cost to business is around
£21 billion. Government commitments of resources to combat
the cyber threat, such as the additional £650 million announced
in the SDSR, are encouraging signs to address this problem.
3. As a leading authority on cyber-security,
McAfee believes that it is more important than ever before for
the Ministry of Defence (MoD) and Government to undertake in-depth,
regular reviews of the evolution of the threats against national
and global infrastructure. The best in class tools we have developed
and have at our disposal and the unrivalled experience we have
in this specialised area, we believe, can enable the government
to do this in the cyber-security space.
4. By undertaking regular risk assessments of
the cyber threat the Government can have a more adaptive strategy
to prepare against the dangers of cyber-crime, malware and other
threats. However, in what are difficult financial times it is
important for the Government to work in tandem with the private
sector, and draw on the wide range of technical expertise and
experience that they have to offer. McAfee, for example, undertakes
regular studies of the ever-changing cyber threats, such as our
recent Night Dragon, Shady RAT and Operation Aurora reports.
5. This is a problem that can affect all parts
of government, and so the response must be equally wide-reaching.
Rather than simply continuing to use suppliers to fix and patch
systems that fail or come under attack, a systems integrator for
the whole of government could be adopted; the issue is just as
important to the Department for Work and Pensions for example,
as it is to the MoD. This would provide a more cost-effective
solution that is proactive, rather than reactive to this ever
growing threat.
ABOUT MCAFEE
6. McAfee is the world's largest dedicated security
technology company. We are committed to tackling the world's toughest
security challenges and delivering proactive and proven solutions
and services that help secure systems and networks around the
world. Our technologies allow users to safely connect to the internet,
browse and shop the web more securely.
7. Backed by an award-winning global research
team, a number of whom are based in Aylesbury, McAfee creates
innovative products that empower home users, the private sector
and the public sector and allow them to continuously monitor and
improve their security.
Question 1. "What proportion of cyber-crime
is associated with Malware?"
8. The NSS rightly elevated the risk of a cyber-attack
to "tier 1" threat as the number of cyber-crimes is
growing all the time, and malware represents an increasingly large
proportion of those crimes. There is no way of knowing precisely
what proportion of cyber-crime is associated with malware, due
to the ever evolving and expanding nature of the threat. However,
through the many research projects and studies McAfee has undertaken
in this area, we can be confident that the proportion is significant
and requires attention.
9. McAfee's Threat Report for the second quarter
of this year shows that although numerically not the busiest period
in history (just behind last year's pace), when combined with
the first quarter it was the busiest ever first half-year in this
area of cyber-crime, with an increase of 22% over 2010 and over
six million unique malware samples being detected.[22]
The "malware zoo" McAfee has constructed of those strands
of malware that have been identified has now reached over 75 million
inhabitants.
10. McAfee has highlighted three substantial
malware attacks targeting all varieties of global organisations
and corporations over the last five years; Operation Aurora, Operation
Night Dragon and Operation Shady RAT.
11. Operation Aurora targeted Google and twenty
other organisations. It was a coordinated attack which included
a piece of computer code that exploited a Microsoft Internet Explorer
vulnerability to gain access to computer systems. This exploit
then extended to download and activate malware within the systems.
The attack, which was initiated surreptitiously when targeted
users accessed a malicious web page (likely because they believed
it to be reputable), ultimately connected those computer systems
to a remote server. That connection was used to steal company
intellectual property and, according to Google, additionally gain
access to user accounts.
12. Operation Night Dragon was similar to Aurora
in that it sought to infiltrate and attack global companies. Targets
for this attack included global oil, energy and petrochemical
companies. These attacks involved social engineering, spear-phishing
attacks, exploitation of Microsoft Windows vulnerabilities, Microsoft
Active Directory compromises and the use of remote administration
tools with the aim of targeting and harvesting sensitive competitive
proprietary operations and project-financing information with
regard to oil and gas field bids and operations.
13. Unlike both Night Dragon and Aurora, which
provided details of new threats, McAfee's publication Operation
Shady RAT (an acronym for Remote Access Tool) detailed a comprehensive
analysis of victim profiles from a five year target operation
by one specific actor. For the most part, victims had already
remedied the intrusion. However, the publication of McAfee's document
highlighted the on-going cyber-crime threat emerging from malware.
It noted that one cyber actor had been able to compromise 72 different
parties covering a spectrum ranging from the US Federal Government
through to defence contractors, accountancy firms and non-profit
organisations.
Question 2. "Where does the malware come
from? Who is creating it and why?"
14. Both targets and attackers can be individuals,
suspected states or private organisations. Malware attacks tend
to occur in waves and the motivation for such attacks tends largely
to be financial or for reasons of espionage. Once the returns
from a piece of malware start to diminish (mainly due to the security
response from an anti-virus provider or changes in the environment,
eg a monthly roll-out of update patches for anti-virus software),
a new attack supersedes it, as we saw with Shady RAT.
15. Furthermore, before the attacker notices
an actual reduction in return on investment in a particular attack,
there is no need for an alternative one. This may be, incidentally,
the most likely reason that so many new attacks are launched,
because of the now higher investment in higher quality and more
frequent security updates, necessitating more attacks.
16. Our Threats Report for the second quarter
of 2011 gives a detailed view of the types of threat we're currently
facing. For example, this quarter saw an increase in for-profit
mobile malware, including simple SMS-sending Trojans and complex
Trojans that use exploits to compromise smartphones.[23]
This shows the ever evolving nature of the malware threat. McAfee
now collects on average almost two million new malware samples
every month. This is certainly not a welcome development, but
it is consistent and predictable considering how our business
and private lives are now tethered to technology.
17. McAfee recently demonstrated how easy it
is for one individual to create and use a piece of malware at
parliamentary workshops for MPs. At the workshop, Members were
able to build and launch their own piece of malware in a controlled
environment. This gave them hands on experience of the level of
simplicity, both in terms of acquiring and using malware for criminal
activities.
18. The workshops were part of McAfee's initiative
to educate politicians and decision makers on the threat posed
by malware and cyber-crime so that their knowledge and experience
extends beyond simply reading about it in news reports, Government
papers and analytical reports.
Question 3. "What levels of resources
are associated with combatting malware?"
19. In the private sector and among members of
the public, the level of resources committed to combatting malware
depends on the level of awareness of the threat posed by it.
20. The Government currently commits large amounts
of resources to combatting malware, such as the additional £650
million announced in the SDSR. However, this is still a relatively
small amount compared to other areas of defence spending (for
example, the Type 45 destroyer and the cancelled Nimrod MRA4 aircraft
cost £6.4 billion and £3.6 billion respectively), despite
the high threat level of cyber-attack.
21. McAfee commits large amounts of time and
resources to developing methods for combatting malware, as well
as studying its behaviour, creation and motivation. This work
is done both in isolation and through partnerships with other
companies, as well as through involvement in organisations and
initiatives such as Intellect, Cyber Champions and ICSPA.
22. Such initiatives and organisations offer
excellent opportunities for companies and the Government to come
together to share knowledge and experience, which can be used
to devise better methods of defence, or ways to improve efficiency
and lower costs within the sector. In this regard, McAfee fully
supports the comments of former Security Minister Baroness Pauline
Neville-Jones that the government was determined to work with
industry to tackle cyber-crime.
23. The Security Innovation Alliance (SIA) programme,
for example, is a technology partnering programme run by McAfee
to accelerate the development of interoperable security products,
and simplify integration of these products within complex
customer environments. The reason the SIA was established by McAfee
was because we recognised that there has been very limited interoperability
between different suppliers, and the programme now has in excess
of 150 partners. If suppliers themselves were more interoperable,
this would enable Government to deliver it on their services,
thereby lowering cost. Indeed, the need for greater interoperability
was outlined as a necessary requirement in the recent SDSR.
Question 4. "What is the cost of malware
to individuals and how effective is the industry in providing
protection to computer users?"
24. The cost to individuals from malware attacks
and cyber-crime is growing and at the same time the attacks themselves
are becoming more sophisticated and targeted. In order to maximise
their financial gains, it is no longer sufficient for hackers
to launch mass attacks and then sit and wait for victims to be
lured in. Instead, criminals are now conducting increasingly detailed
studies of their targets via the many sources available via the
internet (such as information posted on social and business networking
sites). With this information, specific attacks can be crafted
which are more likely to succeed.
25. Criminals will also test their exploits against
the security defences available in an effort to avoid detection
and will tailor the payload to get around those defences - hence
the large number of malware variants being seen today. The combination
of the use of targeted information gathering, stealthy attacks
and the use of multiple vectors of attack, such as combining online
research with phishing emails and web-based malware, is a destructive
one that requires a new mind-set - and technologies - to defeat.
26. A recent Government study put the cost of
cyber-crimes to individuals at around £3.1 billion (£1.7
billion pa for identity theft, £1.4 billion pa for online
scams, and £30 million pa for "scareware" and fake
anti-virus software).[24]
The prevalence of these types of cyber-crime means that their
aggregated effect is detrimental to the UK economy, in addition
to indirect macro-economic effects that could occur, such as a
possible loss of confidence in online services (eg internet banking).
27. Industry itself is extremely effective at
combatting and providing protection from malware; McAfee
alone provides solutions for cloud, network and endpoint security,
as well as its quarterly threat reports and Global Threat Intelligence
(GTI) briefings. However, private security companies cannot force
individuals and companies to protect themselves.
28. It is for this reason that it is so vital
that the Government works with the private sector IT security
providers to ensure that everyone is protected. Another aspect
to this solution, however, is that there are so many systems and
methods for protecting against cyber-attacks that it can be tempting
to just procure as problems arise. This is often more expensive
and slower to react, however. That is why a broader overarching
approach with clear central government accountability and ownership
to coordinate with private sector partners is needed; such an
approach would be considerably more efficient by removing potential
duplication at government level in addressing the cyber threat.
Question 5. "Should the Government have
a responsibility to deal with the spread of malware in a similar
way to human disease?"
29. Government does indeed have a responsibility
to deal with the spread of malware, and in a way malware infections
have many similarities with real-life diseases. Take for example,
the scenario of injecting a virus into a guinea pig and monitoring
the animal's health. In the short term the virus is likely to
replicate a few times, which causes the immune system to react
and produce antibodies. These find and kill the viral copies so
that the guinea pig is healthy again.
30. However, there is an immune system reaction
to the virus - a short learning process that occurs before a reliable
response is deployed. In their reactive mode security products
operate similarly; they produce a response to the new attack and
deploy it. They can observe a piece of malware just once or twice
and protect many millions of users after that point.
31. It is because of this ease with which malware
can spread, coupled to more services used by the public being
handled online, that Government has a responsibility to ensure
that adequate defences are in place.
32. It can do this in two ways. Firstly, through
its own spending and initiatives, such as the Home Office's Cyber
Crime Strategy, or the £650 million announced in the SDSR
to deal with the threat of cyber-attack. McAfee welcomes initiatives
such as these, and encourages the Government to do more in this
regard, and is always willing to offer its own support and expertise.
33. The second method would be to incentivise
the private companies that own and operate the critical infrastructure
of the UK, such as key utilities, to improve their security postures
and ensure that they are adequately protected from cyber-crime.
McAfee feels that this is a logical step to take as the cyber
threat has evolved, spread and become more dangerous. This could
be done through the introduction of the right mix of incentives
(eg grants, research and development scholarships and best practice
awards) and regulation to encourage private critical infrastructure
industries to make the investments and implement the practices
necessary to improve their security postures.
34. Of course it is difficult for Government
to get a grasp of such a large area of expertise, and particularly
in these difficult economic times this is where it should seek
the assistance of private IT security companies like McAfee to
cooperate in terms of sharing knowledge and experience.
35. The Government must also do more to educate
individual citizens of the dangers of cyber-crime, and the protection
available. This could be done cheaply alongside existing online
services, and again private sector IT security companies are well
placed to share knowledge and experience on the various types
and levels of protection available to the public.
36. The first duty of Government is that of protection,
but ensuring that public services, citizens and companies are
aware of the dangers and well-defended against malware, cyber-crime
and other cyber-attacks also has economic benefits, as mentioned
in the answer to question 4.
Question 6. "How effective is the Government
in co-ordinating a response to cyber-crime that uses malware?"
37. McAfee welcomed the Government's allocation
of £650 million towards fighting cyber-crime in last year's
SDSR, as well as the various initiatives that the Government is
currently undertaking, such as the Cyber Crime Strategy, the National
Cyber Security Strategy, and the creation of the Defence Cyber
Operations Group.
38. However, such strategies and initiatives
will only be successful if there is effective and joined up leadership,
as well as real partnership with those private sector IT security
companies whose expertise can greatly contribute and complement.
39. There is currently no government contingency
plan in place to deal with cyber-attack, with action tending to
be reactive, rather than proactive. This is perhaps understandable
during this difficult economic period, however, while initial
spending may be required to bring cyber defences and contingency
plans up to task, once in place they will be far more cost effective
than simply reacting and repairing the damage after every attack,
and attacks are becoming more common by the day.
40. As mentioned above, many commercial security
products themselves are hugely adaptive, able to observe a piece
of malware just a few times and then protect many millions of
users after that point. It is for this reason that the Government
is able to consolidate its approach to cyber defence, as described
above. The Host Base Security System (HBSS) is one example of
a singular, comprehensive approach to cyber-security.
41. HBSS is a programme McAfee is working on
in the US with the Department of Defence (DoD) and is the largest
IT security deployment within the Department. It provides multi-layered
threat protection for more than 5 million DoD and intelligence
agency host platforms such as servers, desktops, and laptops in
accordance with the Enterprise-wide Information Assurance and
computer Network Defense Solutions Steering Group.
42. The HBSS system would also be applicable
to the aims of the UK MoD as it offers cross-platform protection
from one supplier, removing unnecessary duplication and complexity
within the procurement. McAfee has been actively offering its
knowledge and experience of the HBSS programme to the MoD and
Government to ensure that they are better informed when it comes
to making their own procurement decisions. (Annex 1 offers more
information on the HBSS programme).
43. While the Government has taken steps to engage
with industry, this engagement should now be enhanced to allow for collaborative
risk assessments and increased information sharing. Regular risk
assessments, such as McAfee's quarterly Threat Reports and GTI
briefings should also be undertaken by the Government, drawing
from the existing private sector knowledge that exists in this
area, to ensure that the Government's plans to deal with the cyber
threat are as adaptive as the threat itself. The Government needs
to select effective and willing private partners with which to
achieve this, and companies like McAfee are well placed to step
into the breach.
Annex 1
MCAFEE PARTNERS WITH US DEPARTMENT OF DEFENSE
TO DELIVER ON KEY IT SECURITY REQUIREMENTS
McAfee launched an open architecture technology programme,
largely in response to the needs of one of its largest customers,
the U.S. Department of Defense (DOD).
McAfee technology underlies the largest IT security
deployment within the DOD, the Host Base Security System (HBSS),
which provides multilayered threat protection for between five
to seven million host platforms worldwide. HBSS was launched after
the DOD decided that host computer defence was critical to the
protection of the Global Information Grid, and the system is mandated
for installation on all unclassified and classified systems in
the department.
McAfee Host Intrusion Prevention solutions
are the underlying technology of HBSS, providing monitoring, detection,
and counters to known cyber-threats to the DOD's enterprise architecture
and delivering integrated security capabilities such as anti-virus,
anti-spyware, whitelisting, host intrusion prevention, remediation,
and security policy auditing.
Recently, McAfee partnered with Northrop Grumman
to deploy HBSS for the Secret Internet Protocol Router Network
(SIPRNet) within the US Air Force. SIPRNet is the communications
backbone of the DOD that facilitates the exchange of classified
tactical and operational information at the secret classification
level for both the Air Force and other branches of the US Armed
Services. McAfee has also partnered with Northrop Grumman in
the UK to deliver the company's cyber-test range, which was opened
by Defence Minister Gerald Howarth in October 2010.
In deploying HBSS, the DOD wanted an open framework
that would enable the department to plug in any number of solutions
from different vendors. Largely in response to this need, McAfee
initiated a technology partnering programme called the McAfee
Security Innovation Alliance. The purpose of the McAfee Security
Innovation Alliance programme is to accelerate the development
of interoperable security products and simplify the integration
of those products within complex customer environments.
McAfee security risk management solutions are at
the heart of the McAfee Security Innovation Alliance programme,
allowing organisations of all sizes to benefit from the most innovative
security technologies. They now can simply snap into the McAfee
management platform, McAfee ePolicy Orchestrator® (McAfee
ePO) software. Today, more than 100 technology partners
across Europe, North America, the Middle East, and Australia have
joined the alliance.
We believe that the McAfee Security Innovation Alliance
programme provides an important value proposition for government
and commercial customers who do not want to be locked into a single
vendor.
7 September 2011
[21] GCHQ Director Iain Lobban, 13 October 2010
[22] McAfee Threats Report: Second Quarter 2011, pg. 9
[23] McAfee Threats Report: Second Quarter 2011, pg. 1
[24] Cabinet Office report; "The Cost of Cyber Crime", pg. 18