Malware and cyber crime - Science and Technology Committee Contents

Written evidence submitted by the Home Office (Malware 00)

Prepared by the Home Office in consultation with other Government departments.


1.  This paper sets out the Government evidence to the Science and Technology Committee inquiry into malicious software (malware) and cyber crime. It has been prepared by the Home Office in consultation with officials from other Government departments including the Office of Cyber Security and Information Assurance at the Cabinet Office, the Cyber Security Operations Centre and the Department for Business, Innovation and Skills.

2.  The paper outlines what the Government believes to be the situation regarding malware and cyber crime and makes references to current and future actions which are tackling these issues. Separate evidence will be submitted by the Serious and Organised Crime Agency (SOCA) and by the Metropolitan Police Service's Police Central e-Crime Unit. The papers from these organisations will provide more information on current operational activity to tackle cyber crime.

3.  We define the term "malware" to denote software designed with malicious intent containing features or capabilities that can potentially cause harm directly or indirectly to the user and/or the user's computer system.

4.  Malware allows criminals to compromise and control computers. This is achieved through a variety of means, including spam e-mails that encourage a user to click on a link that downloads the malware, or through placing malicious code in an otherwise legitimate website that will cause the user's computer to be infected when the website is viewed.

5.  Malware is used for a variety of criminal purposes, in particular data theft. This might include credit card or bank account details, or industrial or government information, to be sold on for profit. Often the criminal and the purchaser of the information will be in different countries, with the victim in a third country.

6.  We assess that the threat from malware is growing, with a huge rise in the amount of it being created and used - in 2010 more than 286 million unique malware variants were identified.[1] Some of these are relatively simple but many are highly sophisticated.

7.  Of the various types of malware, Trojans have become the most prevalent - making up nearly 70% of attacks according to some anti-virus companies - as they are the most flexible in allowing the instigators of an attack access to the target computer. They can be seen as an enabler for all the other types of malware.

What proportion of cyber-crime is associated with malware? 

8.  Cyber crime falls into a number of categories, within the general principle that what is illegal offline is illegal online. Some crimes can only be carried out using the internet, including attacks on computer systems to disrupt IT infrastructure, and the stealing of data over a network using malware, often to enable further crime.

9.  Other crimes have been transformed in scale or form by their use of the internet; for example credit card fraud can now take place on an industrial scale. Although crimes such as fraud and theft have always existed, the growth of the internet has opened up a new market, allowed for a degree of anonymity and has created new opportunities for organised criminal groups to finance their activities.

10.  A third type of crime, which uses the internet but is not dependent on it, is that which is facilitated by the internet. Networks are used for communication, organisation, or to try to evade law enforcement, in the same way as older technologies such as telephones. The internet may be used to organise more effectively a range of "traditional" crime types such as drug dealing, people smuggling, and child exploitation and to conceal them more easily from law enforcement agencies. Mobile internet technology was used by rioters to co-ordinate looting and disorder in August of this year.

11.  Determining the proportion of cyber crime which involves malware would therefore depend on which level of cyber crime was under consideration. Moreover, there is no easy measure of the levels of the different types of cyber crime or of how they operate. It is also difficult to gather and assess information on cyber crime as it occurs.

12.  Work is being carried out to address this issue; for example, Action Fraud, which works closely with the National Fraud Intelligence Bureau, is to be expanded to become the single reporting point for financially-motivated cyber crime.

13.  However, the threat posed by cyber crime is believed to be significant. The Cost Of Cyber Crime,[2] published by Detica and the Office of Cyber Security and Information Assurance in February 2011, estimates the cost to the UK of cyber crime to be up to £27 billion per year, or around 2% of GDP. Industrialisation of cyber crime to enable high volume activity, such as mass data theft, is largely reliant on malware.

14.  It is therefore not possible to determine what percentage of cyber crime is facilitated by malware, but there is no doubt that it is a significant factor. As mentioned in the introduction, production of malware is increasing exponentially and it has transformed the ability of criminals to steal data over networks.

Where does the malware come from? Who is creating it and why?

15.  The major threat from cyber crime comes from increasingly technically-proficient individuals and organised crime groups. These groups, and the infrastructure used in the attack, are often outside the jurisdiction of the UK. The criminals may be in one country and their means of cyber attack in a second and their victims in a range of other countries, making evidence gathering and identification of the criminals difficult. They may not fit the traditional profile of organised crime groups, and may be more of an affiliation of individuals who never meet except online.

16.  Most organised criminal activity is aimed, either directly or indirectly, at making money. Organised crime groups and individuals use cyber technology to support traditional criminal activities or to develop new criminal schemes that exploit emerging vulnerabilities in rapidly evolving cyber technologies and online systems. By focusing their activity on areas which afford the broadest opportunities, criminals increase their potential monetary returns. Criminal finances and profits are central to organised crime and they constantly seek the opportunity to increase their returns whilst reducing their risk exposure.

17.  Although most criminal activity is financially motivated, a spate of recent attacks on company websites has been orchestrated by activists protesting against those associated with ideals they disapprove of. This has highlighted the disruption that organised groups can cause, in order to further their aims, through the use of malware and techniques initially developed for other criminal purposes. This type of activity could be used against any public or private sector organisation with a presence online and against which a group may hold a grievance.

18.  While the creator of malicious software may not be the end-user criminal, the goals noted above create a market place for malware. As such most of the malware writers will expect to profit from their works and have an increasingly sophisticated business model, including maintenance and support for their software, hiring their expertise out directly and upgrading their products in light of changes in the market, to support this. Malicious software and access to other tools, such as pre-existing botnets, is freely available for purchase at a variety of "underground" internet fora. This "underground" infrastructure also requires protection, leading to secondary layers of required technical expertise. The profit motive is less prevalent amongst the activist community where more ideological goals may drive the malware writers.

19.  Many IT security companies report the source of malware as the location where it is hosted as it is often difficult to identify the origin of the software itself. This reporting of attack location rather than the source of the malware can badly skew statistics on where malware creators are based, however, the IT Security company BitDefender suggests in its H1 2011 report ( that China (31%), Russia (22%) and Brazil (8%) are the largest producers of malware.

What level of resources are associated with combating malware?

20.  In October 2010 the National Security Strategy identified the cyber threat to the UK, which includes cyber crime, as a Tier 1 threat, on the same level as terrorism. £650 million of new money has been allocated to a National Cyber Security Programme which will bolster our cyber capabilities in order to help protect the UK's national security, its citizens and our growing economy in cyber space. At least £63 million of this money will go towards enabling the UK to transform our response to cyber crime, of which countering malware is an important element. This money is additional to the resources already allocated to the police and other agencies to tackle crime, including cyber crime.

21.  The NCSP will also bolster cyber capabilities within the intelligence community. GCHQ, as home of the National Technical Authority for Information Assurance, CESG, is of particular relevance here. CESG's role is to provide consultancy and technical support to government and others, in order that they are able to understand the risks they face and can therefore protect vital information services and data. Improving protection of data through reducing vulnerabilities via which malware can gain a foothold is key to reducing the effectiveness and impact of the malware, and can be much less costly than taking a reactive stance whereby malware is only identified after it has had a detrimental impact.

22.  The Police Central e-Crime Unit (PCeU) and the Serious Organised Crime Agency (SOCA) include the combating of malware as part of their current work on tackling cyber crime. Further information will be provided in their own evidence to this enquiry.

23.  Work has begun to create a dedicated cyber crime unit as part of the National Crime Agency, building on the work already done by SOCA and PCeU. There will continue to be close working between the two units to develop the national response to cyber crime in advance of the creation of the NCA. This will be a specialist unit and will support the work of all of the commands within the National Crime Agency.

24.  The unit will be the national centre of excellence for law enforcement, and will provide resources, intelligence and guidance on best practice to forces. To support the mainstreaming of knowledge of cyber crime, the learning developed by the unit will be fed into police training programmes to provide understanding of online crime issues across the police service.

25.  In February 2011, the Prime Minister brought together 13 CEOs from a broad spectrum of large companies to discuss private sector resilience to cyber threats, including online crime. The meeting was designed to inform them of our new approach to tackling this issue and the renewed emphasis on improving the UK's cyber security capability, including better protection for business from all types of online threats and the need for the private sector to work in partnership with government to achieve this aim. At that meeting it was agreed that a joint capability, in the form of a "hub", would be co-designed by a cross sector working party.

26.  Since then, the working group has been meeting regularly to turn the "Hub" into reality. The group will report back to the Prime Minister in the autumn and an announcement will be made on the manifestation of the Hub, calling on all organisations to take an active role in protecting our collective interests in cyberspace.

What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?

27.  Cyber crime causes harm to individuals and the private sector in a range of ways. It results in direct and indirect financial losses amounting to billions of pounds, adverse credit ratings and protracted disputes over suspect payments, and causes damage to reputations. Further harm can be caused by online extortion, bullying, harassment and hate crimes.

28.  The Detica/ OCSIA Cost of Cyber Crime Report estimated that the cost to citizens of all types of cyber crime taken together (not just that involving malware) was £3.1 billion per annum. The loss to industry, including from intellectual property theft and espionage, was estimated at £21 billion.

29.  We are aware of some excellent initiatives that have been taken by internet service providers to combat the spread of malware. These include initiatives such as anti-virus alerts when visiting websites and warning customers whose PCs are part of a botnet.

30.  The banking sector has also invested heavily in ID assurance products for online banking customers, as well as providing free software for internet users which monitors transactions and alerts when malware is detected on a system.

31.  Such innovation is welcome and shows what can be done when the private sector tackles security issues in partnership with consumers. However, we believe that more could be done.

32.  The government plans to discuss with the largest internet service providers a possible partnership between industry, government and law enforcement to establish how malware and botnet activity on the networks could be identified and addressed.

33.   We also want to make sure that the public and businesses understand the risks of being on line and know how to take the appropriate action to protect themselves. Get Safe Online ( is a joint initiative between the Government, law enforcement, business and the public sector, which has been created to provide computer users and small businesses with free, independent and user-friendly advice to help them to use the internet confidently and securely.

Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?

34.  The Government is committed to tackling the security challenges we face in cyberspace, which include the pervasive distribution of criminal malware. However, taking action to prevent cyber crime cannot be the responsibility of the Government alone. The private sector and the public have important roles to play alongside law enforcement organisations, technical experts within government departments and the intelligence and security community.

35.  Keeping security software and operating systems up to date and running anti-virus programmes are two key methods to reduce the risk of computer systems being compromised by malware. A major contribution to reducing the vulnerability of systems to cyber crime can come through industry's ability to deliver consistent, good quality information assurance products and services.

36.  This can range from a member of the public choosing an appropriate security package to install on their home computer, to a large organisation designing its online services securely. We want the public and businesses to be able to identify easily products with good security. We will work with the private sector and others to identify how standards for measuring the effectiveness of products or services could be developed.

37.  Much has been done to raise awareness of online threats, including through the website Get Safe Online. We will build on that initiative and others by developing a single Government portal for the provision of advice on internet safety to the public and businesses. We will ensure that the information gathered by law enforcement and the private sector which might help internet users is shared. We will drive this by making sure that every Government website, as well as DirectGov, contains a link to this safety information.

38.  In this respect, the approach we are taking to combating malware is similar to how the Government approaches the control of human disease, being a multi-stakeholder approach which looks at the problem holistically, resulting in a number of policy options to tackle the creation and distribution of malware in parallel to mitigating the damage caused and bolstering defences. In addition, in some circumstances infected systems may also be quarantined.

How effective is the Government in co-ordinating a response to cyber-crime that uses malware?

39.  By building upon existing capacity within the intelligence and security agencies and law enforcement units the Government is investing in better protection against malware and increased disruption of criminal networks. Further information about ongoing activity to combat malware and cyber crime will be provided by SOCA and PCeU in their evidence to this enquiry.

40.  The Government has been proactive in identifying cyber crime and the proliferation of malware as a key international security issue. As such this issue will form a core element of discussions at the London Conference on Cyber Space in November, hosted by the Foreign Secretary, which will bring together representatives of over 60 nations and international organisations.

41.  The Government has also been instrumental in working more closely with the primary victims of malware and online crime, the private sector. Millions of UK citizens rely on secure online systems for their livelihoods as well as underpinning their enjoyment of the online world. We increasingly shop, communicate, transact and interact socially online. Confidence in the security of the internet is therefore critical to consumer confidence.

42.  With this in mind the Government's collaboration with the private sector has progressed to form a lasting partnership to improve our collective response to cyber attacks on both public and private sector systems. This work will continue with the intention of creating a mechanism to share actionable intelligence on cyber threats, including malware, between Government and the various at-risk areas of the private sector.

43.  The Government has recognised that we need to do more to respond effectively to cyber crime. We will shortly publish our cyber crime strategy setting out how we will achieve a transformation in our approach, supporting activity across all sectors - the public, business, Government and law enforcement - to deliver an integrated response.

44.  We will reduce the vulnerability of the UK through better system design, crime prevention and public awareness; reduce the threat to the UK through disruption and prosecution of online criminals; and reduce the impact on the UK through the development of partnerships with the public, business and international partners.

7 September 2011

1   Symantec Internet Security Threat Report 2010 Back

2 Back

previous page contents next page

© Parliamentary copyright 2012
Prepared 2 February 2012