Malware and cyber crime - Science and Technology Committee Contents

Written evidence submitted by Amit Bhagwat (Malware 12)

Conflict of Interest: The author perceives no Conflict of Interest.

Caution: In answering these questions, I have sometimes played the devil's advocate. The point is to alert people who are meant to protect society to the foreseeable dangers, and not to put ideas in criminals' minds. The reader should feel free to redact/summarise/consult the author.

Approach: I have endeavoured to cover the whole breadth of the Terms of Reference of the inquiry and have used analysis, judgement and role-playing, rather than simply depositing past facts.

1.  What proportion of cyber-crime is associated with malware?

1.1  I do not have accurate statistics. In the context of creating a severe panic situation—an emergency—almost entirely through user-unintended use of computing and electronic connectivity, my impression is that a very significant proportion of cyber-crime, certainly in terms of the number of units impacted if not necessarily the level of impact per unit, would be through malware.

1.2  Malware is, by its general nature, often like a WMD and therefore far more potent than one-on-one cyber-crime.

2.  Where does the malware come from? Who is creating it and why?

2.1  Of the malware (usually in the form of programming scripts, etc.) that I have analysed, all has so far given me the impression of coming from humans. We have not yet reached a stage where AI has broken into the human underworld. Among these human creators, not all are, or mean to be, criminals. For example, at a local public library, I came across a script file which replicated itself on USB drives, and then, through them, to other PCs (it took some patience on my part to prove to the stubborn library staff that their systems were infected, but that's another story). When I studied the script carefully, it appeared that it carried no "payload". So, as the medics would have put it, it was "infectious" yet "benign". Yet it had been developed, by a clever enough person, to a point where the same person, or another person with a small expenditure of time, could have turned that script "malignant". It is hard to be certain, without detailed analysis of the individual's mind and motives, whether the creator of that script was an established criminal, a rookie criminal, or a clever but not very mature individual without malice.

2.2  The same applies to how the script got where it did. The library computers were said to be protected by a "cold storage" environment, so any changes made in a user session would be undone. So was this environment weak, was incompetence on the part of an IT technician involved, or, worse, was a deliberate malicious "Harold Shipman-esque" act involved? It is worth investigating.

2.3  Another example I remember, of two of my colleagues who fit this description (clever and benign but not always mature or responsible), was where they sent an "upgrade patch" to teammates which asked the receiver to log in using their office domain credentials. It turned out that the element of trust/naivety was such that over two-thirds of the recipients complied. The writers of the program duly emailed the hacked credentials back to the providers, and the credentials were then (hopefully) changed by the providers, yet the behaviour of the program written was that of classic malware.

2.4  There are, of course, the hardened professional criminals, who would use it most. Certain things, such as the ability to plan, analyse and program, associated with high-IQ individuals, may be regarded as common features of malware creators/commissioners/tweakers/integrators, as is an abnormal or absent sense of right and wrong, or at least a sense of adventure temporarily blinding their probity. Occasionally, less able individuals will be willing and knowing "carriers" of malware, either out of malice or simply irresponsibility. Beyond that, we must use the Stanislavsky/Holmes method, as best we can. I have read some research into how well organised criminal organisations can be, often far more efficient, mature and agile than the average large company (one example is the Freakonomics books, compiled in a lucid popular style but by serious economists). An organised crime / terrorist organisation would rate malware highly, respectively as a high-value business line and as a kind of WMD, and duly "invest" in it. In fact, malware would feature heavily in many modern conflicts and in most asymmetric conflicts, whatever their severity and sensibility, and thus labelling. A clever enough criminal would also look to carefully identify and target likely victims: people who are desperate enough to stray into unknown territory. For example, less established/regulated pornography sites, which by their very nature will be transmitting large binary objects/media in the course of their business, can be effective carriers of malware, sometimes knowingly, willingly and as part of their business plan. A typical user of these sites could be desperate enough to go there against better judgement and, once there, may stay long enough for infection to occur. The other problem, of course, is that information available from third parties about how well-established and responsible a site is cannot always be relied upon.

2.5  Similarly, a government, especially a rogue administration not accountable to ordinary people, will almost certainly yearn for, and often possess, cyber-offence capability using malware.

3.  What level of resources are associated with combating malware?

In organisations, variable, typically 5-50% of the IT budget (though this is based on a small sample of organisations whose budget/IT budget figures I have had access to). For individuals/families this is typically the purchase of a standard anti-malware package costing under £50/y, or a default no-extra-cost package such as Microsoft Security Essentials. Sometimes, in the case of individuals, ignorance or low system performance can result in no protection, or in deliberately weakened protection (by changing settings to achieve better performance). If ISPs are making any efforts to combat malware, these are not evident. There are some volunteer/goodwill-generation efforts such as freeware tools, but these can be less reliable and usually lack a customer support feature. If the government is doing anything at all, that's news to me!

4.  What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?

Potentially very high cost. The anti-malware industry is where aircraft automation was before "fly by wire" technology matured to the extent that disallowing a pilot from doing silly things became a possible option (considered by Airbus since the A320, but generally not preferred by Boeing). Apart from the fact that anti-malware tools may lag a little in time behind the proliferating malware, much depends on how cautious/trusting/naïve the human user is. For example, how many human users will never ever use a program/device driver that is not digitally signed? Hardly any. How many well-intentioned programmers don't digitally sign their programs, sometimes because these are distributed freely and there is no money to pay the certification authority? Many. How many signed programs are not open source and so involve an element of trust? Many. How many end users actually compile an open source program, rather than using it pre-compiled by others? Few. How many end users of open source programs who use/compile the source code understand and scrutinise all of it? Hardly any. Can we absolutely trust a compiler program to compile source code without malice? No. How many compiler programs are hand-written by the end user of a program that is compiled by that compiler? Practically none. When we have so many potential risks, and so many things happen on trust rather than actual examination, effectiveness is compromised. Finally, unlike in the pilots analogy I used (pilots being mostly professionals), few users of cyberspace are ICT professionals with the relevant specialisation. So, at every stage, the industry's effectiveness is a bit compromised.

5.  Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?

Yes. They are similar. It may be argued that malware usually won't physically kill. It can, however, cause suffering comparable to major diseases. More importantly, it is usually infectious, and the infection is usually preventable.

6.  How effective is the Government in co-ordinating a response to cyber-crime that uses malware?

I haven't seen any evidence. Competence, to the simple extent of understanding and being conscientious about one's duty, of the individual public sector workers and public sector units I have worked with has shown a range of variation. The government's record in the management of major efforts has generally been disappointing. In one of my analyses related to enterprise architecture, I systematically compared the leadership and effectiveness of Pitt the Younger and his cabinet, some two centuries ago, with that of Mr Blair and his. It turns out that effectiveness has gone down significantly, with a greater prevalence of self-serving "purely political" decisions in the latter case than in the former. In this way, the effectiveness of efforts can be compromised, or at least political leadership can become inconsequential to it.

7 September 2011

© Parliamentary copyright 2012
Prepared 2 February 2012