Written evidence submitted by the Home Office (Malware 00)
Prepared by the Home Office in consultation with other Government departments.
INTRODUCTION
1. This paper sets out the
Government evidence to the Science and Technology Committee inquiry
into malicious software (malware) and cyber crime. It has been
prepared by the Home Office in consultation with officials from
other Government departments including the Office of Cyber Security
and Information Assurance at the Cabinet Office, the Cyber Security
Operations Centre and the Department for Business, Innovation
and Skills.
2. The paper outlines what
the Government believes to be the situation regarding malware
and cyber crime and makes references to current and future actions
which are tackling these issues. Separate evidence will be submitted
by the Serious and Organised Crime Agency (SOCA) and by the Metropolitan
Police Service's Police Central e-Crime Unit. The papers from
these organisations will provide more information on current operational
activity to tackle cyber crime.
3. We define the term "malware"
to denote software designed with malicious intent containing features
or capabilities that can potentially cause harm directly or indirectly
to the user and/or the user's computer system.
4. Malware allows criminals
to compromise and control computers. This is achieved through
a variety of means, including spam e-mails that encourage a user
to click on a link that downloads the malware, or through placing
malicious code in an otherwise legitimate website that will cause
the user's computer to be infected when the website is viewed.
5. Malware is used for a
variety of criminal purposes, in particular data theft. This might
include credit card or bank account details, or industrial or
government information, to be sold on for profit. Often the criminal
and the purchaser of the information will be in different countries,
with the victim in a third country.
6. We assess that the threat
from malware is growing, with a huge rise in the amount of it
being created and used - in 2010 more than 286 million unique
malware variants were identified.[1]
Some of these are relatively simple but many are highly sophisticated.
7. Of the various types of
malware, Trojans have become the most prevalent - making up nearly
70% of attacks according to some anti-virus companies - as they
are the most flexible in allowing the instigators of an attack
access to the target computer. They can be seen as an enabler
for all the other types of malware.
What proportion of cyber-crime is associated with malware?
8. Cyber crime falls into
a number of categories, within the general principle that what
is illegal offline is illegal online. Some crimes can only be
carried out using the internet, including attacks on computer
systems to disrupt IT infrastructure, and the stealing of data
over a network using malware, often to enable further crime.
9. Other crimes have been
transformed in scale or form by their use of the internet; for
example credit card fraud can now take place on an industrial
scale. Although crimes such as fraud and theft have always existed,
the growth of the internet has opened up a new market, allowed
for a degree of anonymity and has created new opportunities for
organised criminal groups to finance their activities.
10. A third type of crime,
which uses the internet but is not dependent on it, is that which
is facilitated by the internet. Networks are used for communication,
organisation, or to try to evade law enforcement, in the same
way as older technologies such as telephones. The internet may
be used to organise more effectively a range of "traditional"
crime types such as drug dealing, people smuggling, and child
exploitation and to conceal them more easily from law enforcement
agencies. Mobile internet technology was used by rioters to co-ordinate
looting and disorder in August of this year.
11. Determining the proportion of cyber crime
which involves malware would therefore depend on which level of
cyber crime was under consideration. Moreover, there is no easy
measure of the levels of the different types of cyber crime or
of how they operate. It is also difficult to gather and assess
information on cyber crime as it occurs.
12. Work is being carried
out to address this issue; for example, Action Fraud, which works
closely with the National Fraud Intelligence Bureau, is to be
expanded to become the single reporting point for financially-motivated
cyber crime.
13. However, the threat posed
by cyber crime is believed to be significant. The Cost Of
Cyber Crime,[2]
published by Detica and the Office of Cyber Security and Information
Assurance in February 2011, estimates the cost to the UK of cyber
crime to be up to £27 billion per year, or around 2% of GDP.
Industrialisation of cyber crime to enable high volume activity,
such as mass data theft, is largely reliant on malware.
14. It is therefore not possible
to determine what percentage of cyber crime is facilitated by
malware, but there is no doubt that it is a significant factor.
As mentioned in the introduction, production of malware is increasing
exponentially and it has transformed the ability of criminals
to steal data over networks.
Where does the malware come from? Who is creating it and why?
15. The major threat from
cyber crime comes from increasingly technically-proficient individuals
and organised crime groups. These groups, and the infrastructure
used in the attack, are often outside the jurisdiction of the
UK. The criminals may be in one country and their means of cyber
attack in a second and their victims in a range of other countries,
making evidence gathering and identification of the criminals
difficult. They may not fit the traditional profile of organised
crime groups, and may be more of an affiliation of individuals
who never meet except online.
16. Most organised criminal
activity is aimed, either directly or indirectly, at making money.
Organised crime groups and individuals use cyber technology to
support traditional criminal activities or to develop new criminal
schemes that exploit emerging vulnerabilities in rapidly evolving
cyber technologies and online systems. By focusing their activity
on areas which afford the broadest opportunities, criminals increase
their potential monetary returns. Criminal finances and profits
are central to organised crime and they constantly seek the opportunity
to increase their returns whilst reducing their risk exposure.
17. Although most criminal
activity is financially motivated, a spate of recent attacks on
company websites has been orchestrated by activists protesting
against those associated with ideals they disapprove of. This
has highlighted the disruption that organised groups can cause,
in order to further their aims, through the use of malware and
techniques initially developed for other criminal purposes. This
type of activity could be used against any public or private sector
organisation with a presence online and against which a group
may hold a grievance.
18. While the creator of
malicious software may not be the end-user criminal, the goals
noted above create a market place for malware. As such most of
the malware writers will expect to profit from their works and
have an increasingly sophisticated business model, including maintenance
and support for their software, hiring their expertise out directly
and upgrading their products in light of changes in the market,
to support this. Malicious software and access to other tools,
such as pre-existing botnets, is freely available for purchase
at a variety of "underground" internet fora. This "underground"
infrastructure also requires protection, leading to secondary
layers of required technical expertise. The profit motive is less
prevalent amongst the activist community where more ideological
goals may drive the malware writers.
19. Many IT security companies
report the source of malware as the location where it is hosted
as it is often difficult to identify the origin of the software
itself. This reporting of attack location rather than the source
of the malware can badly skew statistics on where malware creators
are based. However, the IT security company BitDefender suggests
in its H1 2011 report (http://www.bitdefender.com/files/Main/file/H1_2011_E-Threats_Landscape_Report.pdf)
that China (31%), Russia (22%) and Brazil (8%) are the largest
producers of malware.
What level of resources are associated with combating malware?
20. In October 2010 the National Security Strategy
identified the cyber threat to the UK, which includes cyber crime,
as a Tier 1 threat, on the same level as terrorism. £650
million of new money has been allocated to a National Cyber Security
Programme which will bolster our cyber capabilities in order to
help protect the UK's national security, its citizens and our
growing economy in cyber space. At least £63 million of this
money will go towards enabling the UK to transform our response
to cyber crime, of which countering malware is an important element.
This money is additional to the resources already allocated to
the police and other agencies to tackle crime, including cyber
crime.
21. The NCSP will also bolster cyber capabilities
within the intelligence community. GCHQ, as home of the National
Technical Authority for Information Assurance, CESG, is of particular
relevance here. CESG's role is to provide consultancy and technical
support to government and others, in order that they are able
to understand the risks they face and can therefore protect vital
information services and data. Improving protection of data through
reducing vulnerabilities via which malware can gain a foothold
is key to reducing the effectiveness and impact of the malware,
and can be much less costly than taking a reactive stance whereby
malware is only identified after it has had a detrimental impact.
22. The Police Central e-Crime Unit (PCeU) and
the Serious Organised Crime Agency (SOCA) include the combating
of malware as part of their current work on tackling cyber crime.
Further information will be provided in their own evidence to
this enquiry.
23. Work has begun to create a dedicated cyber
crime unit as part of the National Crime Agency, building on the
work already done by SOCA and PCeU. There will continue to be
close working between the two units to develop the national response
to cyber crime in advance of the creation of the NCA. This will
be a specialist unit and will support the work of all of the commands
within the National Crime Agency.
24. The unit will be the national centre of excellence
for law enforcement, and will provide resources, intelligence
and guidance on best practice to forces. To support the mainstreaming
of knowledge of cyber crime, the learning developed by the unit
will be fed into police training programmes to provide understanding
of online crime issues across the police service.
25. In February 2011, the Prime Minister brought
together 13 CEOs from a broad spectrum of large companies to discuss
private sector resilience to cyber threats, including online crime.
The meeting was designed to inform them of our new approach to
tackling this issue and the renewed emphasis on improving the
UK's cyber security capability, including better protection for
business from all types of online threats and the need for the
private sector to work in partnership with government to achieve
this aim. At that meeting it was agreed that a joint capability,
in the form of a "hub", would be co-designed by a cross
sector working party.
26. Since then, the working group has been meeting
regularly to turn the "Hub" into reality. The group
will report back to the Prime Minister in the autumn and an announcement
will be made on the manifestation of the Hub, calling on all organisations
to take an active role in protecting our collective interests
in cyberspace.
What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?
27. Cyber crime causes harm
to individuals and the private sector in a range of ways. It results
in direct and indirect financial losses amounting to billions
of pounds, adverse credit ratings and protracted disputes over
suspect payments, and causes damage to reputations. Further harm
can be caused by online extortion, bullying, harassment and hate
crimes.
28. The Detica/OCSIA Cost
of Cyber Crime Report estimated that the cost to citizens
of all types of cyber crime taken together (not just that involving
malware) was £3.1 billion per annum. The loss to industry,
including from intellectual property theft and espionage, was
estimated at £21 billion.
29. We are aware of some
excellent initiatives that have been taken by internet
service providers to combat the spread of malware. These include
initiatives such as anti-virus alerts when visiting websites and
warning customers whose PCs are part of a botnet.
30. The banking sector has also invested heavily
in ID assurance products for online banking customers, as well
as providing free software for internet users which monitors transactions
and alerts when malware is detected on a system.
31. Such innovation is welcome and shows what
can be done when the private sector tackles security issues in
partnership with consumers. However, we believe that more could
be done.
32. The government plans
to discuss with the largest internet service providers a possible partnership
between industry, government and law enforcement to establish
how malware and botnet activity on the networks could be identified
and addressed.
33. We also want to make
sure that the public and businesses understand the risks of being
online and know how to take the appropriate action to protect
themselves. Get Safe Online (www.getsafeonline.org) is a joint
initiative between the Government, law enforcement, business and
the public sector, which has been created to provide computer
users and small businesses with free, independent and user-friendly
advice to help them to use the internet confidently and securely.
Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?
34. The Government is committed to tackling the
security challenges we face in cyberspace, which include the pervasive
distribution of criminal malware. However, taking action to prevent
cyber crime cannot be the responsibility of the Government alone.
The private sector and the public have important roles to play
alongside law enforcement organisations, technical experts within
government departments and the intelligence and security community.
35. Keeping security software and operating systems
up to date and running anti-virus programmes are two key methods
to reduce the risk of computer systems being compromised by malware.
A major contribution to reducing the vulnerability of systems
to cyber crime can come through industry's ability to deliver
consistent, good quality information assurance products and services.
36. This can range from a member of the public
choosing an appropriate security package to install on their home
computer, to a large organisation designing its online services
securely. We want the public and businesses to be able to identify
easily products with good security. We will work with the private
sector and others to identify how standards for measuring the
effectiveness of products or services could be developed.
37. Much has been done to raise awareness of
online threats, including through the website Get Safe Online.
We will build on that initiative and others by developing a single
Government portal for the provision of advice on internet safety
to the public and businesses. We will ensure that the information
gathered by law enforcement and the private sector which might
help internet users is shared. We will drive this by making sure
that every Government website, as well as DirectGov, contains
a link to this safety information.
38. In this respect, the approach we are taking
to combating malware is similar to how the Government approaches
the control of human disease, being a multi-stakeholder approach
which looks at the problem holistically, resulting in a number
of policy options to tackle the creation and distribution of malware
in parallel to mitigating the damage caused and bolstering defences.
In addition, in some circumstances infected systems may also be
quarantined.
How effective is the Government in co-ordinating a response to cyber-crime that uses malware?
39. By building upon existing capacity within
the intelligence and security agencies and law enforcement units
the Government is investing in better protection against malware
and increased disruption of criminal networks. Further information
about ongoing activity to combat malware and cyber crime will
be provided by SOCA and PCeU in their evidence to this enquiry.
40. The Government has been proactive in identifying
cyber crime and the proliferation of malware as a key international
security issue. As such this issue will form a core element of
discussions at the London Conference on Cyber Space in November,
hosted by the Foreign Secretary, which will bring together representatives
of over 60 nations and international organisations.
41. The Government has also been instrumental
in working more closely with the primary victims of malware and
online crime, the private sector. Millions of UK citizens rely
on secure online systems for their livelihoods as well as underpinning
their enjoyment of the online world. We increasingly shop, communicate,
transact and interact socially online. Confidence in the security
of the internet is therefore critical to consumer confidence.
42. With this in mind the Government's collaboration
with the private sector has progressed to form a lasting partnership
to improve our collective response to cyber attacks on both public
and private sector systems. This work will continue with the
intention of creating a mechanism to share actionable intelligence
on cyber threats, including malware, between Government and the
various at-risk areas of the private sector.
43. The Government has recognised that we need
to do more to respond effectively to cyber crime. We will shortly
publish our cyber crime strategy setting out how we will achieve
a transformation in our approach, supporting activity across all
sectors - the public, business, Government and law enforcement
- to deliver an integrated response.
44. We will reduce the vulnerability of the UK
through better system design, crime prevention and public awareness;
reduce the threat to the UK through disruption and prosecution
of online criminals; and reduce the impact on the UK through the
development of partnerships with the public, business and international
partners.
7 September 2011
1 Symantec Internet Security Threat Report 2010
2 http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime