Written evidence submitted by Amit Bhagwat
(Malware 12)
Conflict of Interest: The author perceives no Conflict
of Interest.
Caution: In answering these questions, I have sometimes played the devil's advocate. The point is to alert people who are meant to protect society about the foreseeable dangers, and not to put ideas in criminals' minds. The reader should feel free to redact/summarise/consult the author.
Approach: I have endeavoured to cover the whole breadth
of the Terms of Reference of the enquiry and have used analysis,
judgement and role-playing, rather than simply depositing past
facts.
1. What proportion of cyber-crime is associated
with malware?
1.1 I do not have accurate statistics. In the context of creating a severe panic situation (an emergency) almost entirely through user-unintended use of computing and electronic connectivity, my impression is that a very significant portion of cyber-crime, certainly in terms of the number of units impacted if not necessarily the level of impact per unit, would be through malware.
1.2 Malware is, by its general nature, often
like WMD and therefore far more potent than one-on-one cyber-crime.
2. Where does the malware come from? Who is
creating it and why?
2.1 Of the malware (usually in the form of programming scripts, etc) that I have analysed, so far all has given me the impression of coming from humans. We have not yet reached a stage where AI has broken into the human underworld. Among these human creators, not all are, or mean to be, criminals. For example, at a local public library, I came across a script file which replicated itself on USB drives, and then, through them, to other PCs (it took some patience on my part to prove to the stubborn library staff that their systems were infected, but that's another story). When I studied the script carefully, it appeared that it carried no "payload". So, as the medics would have put it, it was "infectious" yet "benign". Yet it was developed to a point, and by a clever enough person, where the same person or another person with a small expenditure of time could have turned that script "malignant". It is hard to be certain, without detailed analysis of the individual's mind and motives, whether the creator of that script was an established criminal, a rookie criminal, or a clever but not very mature individual without malice.
2.2 The same applies to how the script got where it did. The library computers were said to be protected by a "cold storage" environment, so any changes made in a user session would be undone. So was this environment weak, or was incompetence on the part of an IT technician, or worse a deliberate malicious "Harold Shipman-esque" act, involved? It is worth investigating.
2.3 Another example I remember, of two of my colleagues who fit this description (clever and benign but not always mature or responsible), was where they sent an "upgrade patch" to teammates, which asked the receiver to log in using their office domain credentials. It turned out that the element of trust/naivety was such that over two-thirds of the recipients complied. The writers of the program duly emailed the hacked credentials back to the providers and the credentials were then (hopefully) changed by the providers, yet the behaviour of the program written was that of classic malware.
2.4 There are, of course, the hardened professional criminals, who would use it most. Certain things, such as the ability to plan, analyse and program, associated with high-IQ individuals, may be regarded as common features of malware creators/commissioners/tweakers/integrators, as is an abnormal or absent sense of right and wrong, or at least a sense of adventure temporarily blinding their probity. Occasionally,
less able individuals will be willing and knowing "carriers"
of malware, either out of malice or simply irresponsibility. Beyond
that, we must use the Stanislavsky/Holmes method, as best as we
can. I have read some research into how well organised crime organisations can be, where they are often far more efficient, mature and agile compared to the average large company (one example is the Freakonomics books, compiled in a lucid popular style but by serious economists).
An organised crime / terrorist organisation would rate malware
highly, respectively as a high value business line and as a kind
of WMD, and duly "invest" in it. In fact, malware would
feature heavily in many modern conflicts and in most asymmetric
conflicts, whatever their severity and sensibility, and thus labelling.
A clever enough criminal would also look to carefully identify
and target likely victims, people who are desperate enough to
stray into unknown territory. For example, less established/regulated
pornography sites, which by their very nature will be transmitting
large binary objects/media in the course of their business, can
be effective carriers, sometimes knowingly, willingly and as part
of their business plan, of malware. A typical user of these sites
could be desperate enough to go there against better judgement
and once there, may stay there for long enough for infection to
occur. The other problem, of course, is that information available from third parties, about how well-established and responsible a site is, cannot always be relied upon.
2.5 Similarly a government, especially a rogue
administration not accountable to ordinary people, will almost
certainly yearn, and often possess, cyber-offence capability using
malware.
3. What level of resources are associated
with combating malware?
In organisations, variable, typically 5-50% of IT budget (though this is based on a small sample of organisations whose budget/IT budget figures I have had access to). For individuals/families this is typically the purchase of a standard anti-malware package costing under £50/y, or a default no-extra-cost package such as Microsoft Security Essentials. Sometimes, in the case of individuals, ignorance or low system performance can result in no protection or deliberately weakened protection (by changing settings to achieve better performance). If ISPs are making any efforts to combat malware, these are not evident. There are some volunteer/goodwill-generation efforts such as freeware tools, but these can be less reliable and usually lack a customer support feature. If the government is doing anything at all, that's news to me!
4. What is the cost of malware to individuals
and how effective is the industry in providing protection to computer
users?
Potentially very high cost. The anti-malware industry
is where aircraft automation was before the "fly by wire"
technology matured to the extent where disallowing a pilot to
do silly things became a possible option (considered by Airbus
since A320, but generally not preferred by Boeing). Apart from
the fact that the anti-malware tools may lag a little in time
behind the proliferating malware, much depends on how cautious/trusting/naïve
the human user is. For example, how many human users will never
ever use a program/device driver not signed digitally? Hardly
any. How many well intentioned programmers don't digitally sign
their programs, sometimes because these are distributed freely
and there is no money to pay the certification authority? Many.
How many signed programs are not open source and so involve an
element of trust? Many. How many end users actually compile an
Open Source program, rather than using it pre-compiled by others?
Few. How many end users of Open Source programs who use/compile
the source code understand and scrutinise all of it? Hardly any.
Can we absolutely trust a compiler program to compile source code without malice? No. How many compiler programs are hand-written by the end user of a program that is compiled by a compiler program? Practically none. When we have so many potential risks and so many things happen on trust rather than actual examination, the effectiveness is compromised. Finally, unlike in the pilots analogy I used (pilots are mostly professionals), few users of cyberspace are ICT professionals with a relevant specialisation. So, at every stage, the industry's effectiveness is a bit compromised.
5. Should the Government have a responsibility
to deal with the spread of malware in a similar way to human disease?
Yes. They are similar. It may be argued that malware
usually won't physically kill. It can however cause suffering
comparable to major diseases. More importantly, it is usually
infectious and the infection is usually preventable.
6. How effective is the Government in co-ordinating
a response to cyber-crime that uses malware?
I haven't seen any evidence. Competence, to the simple
extent of understanding and being conscientious about one's duty,
of individual public sector workers and public sector units I
have worked with, has shown a range of variation. The government's
record in management of major efforts has generally been disappointing.
In one of my analyses related to enterprise architecture, I systematically compared the leadership and effectiveness of Pitt the Younger and his cabinet some two centuries ago with that of Mr Blair and his. It turns out that effectiveness has gone down significantly, with a greater prevalence of self-serving "purely political" decisions in the latter case than in the former. This way, the effectiveness of efforts can be compromised, or at least political leadership can become inconsequential to it.
7 September 2011