Written evidence submitted by Professor
Peter Sommer (Malware 01)
1. I am a Visiting Professor at the London School
of Economics and a Visiting Reader at the Open University. I have
acted as an expert witness in many trials involving complex computer
evidence; some of these have included the deployment of malware.
2. The Committee will recall that I provided
written and oral evidence for its earlier inquiry into Scientific
Advice in Emergencies (HC498).
3. As an academic I have had a very long-standing
interest in the issues of the statistics of computer-related or
"cyber" incidents as these are often used as the basis
of formulating security policies. In March 2009 I carried out
a literature review, including statistics, of Internet crime for
the National Audit Office as a contribution to a value-for-money
review of Government initiatives in reducing the impact of such
4. I believe I may be able to assist the Committee
by drawing to its attention the problems associated with defining
"cyber-crime", producing statistics of its incidence
and providing measures of harm or damage.
5. Declaration. I have no commercial
links to any organisations offering products and services dealing
6. There is no generally-agreed definition of
cyber-crime and this lack directly impacts assessments of extent.
We can illustrate the diversity of definitions. The Council
of Europe CyberCrime Convention,
also known as the Treaty of Budapest, covers in Articles 2-6 as
"substantive offences": "illegal access",
"illegal interception", "data interference",
"system interference", and "misuse of devices".
It adds as "computer-related offences", articles 7
and 8, "computer-related forgery" and "computer-related
fraud". It further adds, articles 9 and 10: "offences
related to child pornography" and "offences related
to infringements of copyright and related rights". It will
be seen that articles 4 and 5, respectively, "data interference"
and "system interference" include "malware".
Articles 4 and 5 more-or-less correspond to s 3 of the UK Computer
Misuse Act, 1990: "Unauthorised acts with intent to impair,
or with recklessness as to impairing, operation of computer, etc."
7. We now turn to a report produced in February 2011 by the BAE subsidiary
Detica in partnership with the Cabinet Office's Office of Cybersecurity
and Information Assurance (OCSIA), The Cost of Cyber Crime.
This covers: "identity theft and online scams affecting UK
citizens; IP theft, industrial espionage and extortion targeted
at UK businesses; and fiscal fraud committed against the Government."
"Industrial espionage" is not a criminal offence
in the UK
and the report excludes any direct reference to malware or to
8. The Committee will need to be alert to "research" the main
aim of which is to sell product and services rather than inform
about risk. The Committee should also watch carefully for the
use of language that scares rather that informs. At the moment
a number of malware vendors are referring to something called
"Advanced Persistent Threats" or APTs. At any point
in the last 40 years of computer security there have been threats
which for their time were "advanced" and which were
deployed with "persistence". Whilst some malware can
be readily and usefully identified by way of their methods of
exploitation or distribution - for example "buffer overflow",
"cross-site scripting", "back-door", "boot-sector",
"USB autostart", "browser hijack", "covert
registry modification", "email address book hijack"
etc, "APT" appears to have no useful meaning.
9. The official forms of crime recording in the UK are on the basis of
specific offences prosecuted. But in relation to "cyber
crime" there are particular difficulties as a result of policies
of the Crown Prosecution Service. It sees the 1990 Computer Misuse
Act as designed to fill in gaps in other forms of legislation
and in framing charges will concentrate on what it sees as the
substantive offence rather than a modus operandi. Thus,
if someone infiltrates a program to monitor the keystrokes on
a computer and then subsequently uses the passwords thereby obtained
to access a computer from which to carry out a fraudulent transaction,
the offence will probably be recorded as a breach of the Fraud
Act 2006, despite the fact that both s 3 and s 1 Computer Misuse
Act offences took place. The keystroke monitor would be classified
as "malware". A phishing attack would probably also
be charged as fraud or money laundering, a Distributed Denial
of Service attack (which also tends to involve offences under
s 3 Computer Misuse Act when computers are remotely taken over
by malware "back doors") would probably be charged as
extortion as this is the most common way in which criminals can
make money. Since the Computer Misuse Act came
into force, prosecutions have seldom exceeded 100 per year.
10. As with many other studies of the extent of crime there are significant
methodological difficulties - how far does one include crimes
which are suspected but never come to court - what should be the
standard of proof for inclusion? Is this "proof" the
act of reporting to the police or replying to a question in a
survey? What fudge factors should one apply for situations where
individuals think they
have been subjected to criminal actions but have not - or where
they have actually been victimised but have an inadequate realisation?
What further fudge factors do you allow for unreported crimes?
In relation to activities which cause distress, do you only include
situations where a crime has been committed?
11. In terms of the incidence of malware, the problems of collecting
data are somewhat easier. A number of anti-malware vendors offer
out-sourced services. The customer agrees to route all his email
and web traffic via the vendor who then detects and removes the
malware. In an alternative, the customer installs on his own
premises a "black box" controlled by the vendor which
has the same effect. In both instances the anti-malware vendor
is in a position to collect statistics about the variety and frequency
of deployment of malware. Examples of such statistics come from
12. However these statistics are not reliable
as to harm and impact. They refer to situations where malware
has been detected and, for the most part, thwarted. They do provide
a powerful argument for deploying anti-malware products.
13. The cost of any incident can be divided into
direct and consequential. Direct: "My building and contents
have been destroyed and I need money to replace them". Consequential:
"While waiting for the replacements I was unable to generate
turnover and profit". In the vast majority of malware-triggered
incidents there is no physical damage, so that all the losses
are consequential. As such the extent of loss in any one incident
is substantially a function not of the malware itself but of the
use to which the affected computer is being put and the speed
with which the victim can recover. That in turn reflects the
existence and efficacy of a contingency plan. Contrast the positions
of a PC used domestically for entertainment hit by the same malware
as a PC sitting on the desk of a City financial trader dealing
in multi-million dollar contracts.
14. A further issue is what to include in remedial
costs - what allowance do we make for imprudent victims who
have not taken elementary precautions to protect themselves -
or who through clumsiness actually make the situation worse?
15. For this reason all estimates of the costs
of cybercrime and malware are wildly speculative.
16. Some analysts seek to include "lost
business opportunities" as opposed to a loss of revenue.
The latter can be established by extrapolating from the past
business records of a victim and is insurable; the former is simply
an optimistic guess and is not insurable. Returning briefly
to the BAE/Detica Report mentioned above:
At page 3-6 "Costs of different types of cyber crime to the
UK economy" identifies "IP Theft" at over £9.2
million and "Industrial Espionage" at £7.6 billion.
At page 5 there is a table purporting to break down "industrial
espionage" losses by industry. It is difficult to see by
what plausible methodology these figures were obtained. As we
have seen, the Report does not cover malware at all.
17. Statistics and cost impacts are a valuable
aid to policy making but reliance on invented figures can only
result in bad decisions.
18. Looking specifically at malware, provided
that potential victims subscribe to a high-quality anti-malware
product which picks up the overwhelming majority of threats, the
main impact is the cost of the subscription to the service. For
domestic users free anti-malware products are available, e.g. Grisoft,
which incur no cost at all. This would leave the impact of so-called
zero-day malware, that is malware which has not to that point
come to the attention of the anti-malware vendors and is not detected
by their products. As we have seen above, loss is then a function
of where and how a specific computer is being used and associated
contingency / data recovery plans.
Q1. What proportion of cyber-crime is associated
19. Please see my paragraphs 6-12 above.
Q2. Where does the malware come from? Who
is creating it and why?
20. This is not directly within my expertise.
However it appears that there are several different motives.
A distinction needs to be made between malware which is released
generally and malware which is specifically aimed and where it
is part of a targeted act to cause harm, or create opportunities
for fraud, espionage or extortion. In the former, the aim seems
to be to prove the "success" of the exploit by the number
of infections and is essentially a technical challenge; it is
a variant of recreational hacking. We can divide targeted exercises
into ones aimed at specific individual persons or companies for
immediate effect in terms of causing harm; and "harvesting"
activities where the targets are initially indiscriminate but
the aim is to acquire username/passwords and other credentials
which can later be used to carry out a fraud or similar.
21. Much malware is possible because of the increasing
complexity of modern operating systems and applications and their
release by software houses without proper testing. Companies
like Microsoft desire the additional revenue that the frequent
release of new software versions bring and then offer to remedy
discovered faults, post purchase, by the provision of frequent
"patches". But what other product in history issues
rectifications once a week for its entire life-cycle as is the
case with its main operating systems? The product faults are
discovered by the computer security research community and these
are then turned, often by others, into the exploits that become
malware. Government could use its power when buying operating
systems and application programs and complain about the high level
of exploitable bugs.
Q3. What level of resources are associated
with combating malware?
22. The main resource is that of the anti-malware
companies who discover new instances and then include detective
and remedial measures in their products. All businesses need to
have a contingency/recovery plan to cover a variety of scenarios,
including malware infection. Such plans are a combination of
data back-up and management action plans. See also my remarks
at paragraph 25 below about policing.
Q4. What is the cost of malware to individuals
and how effective is the industry in providing protection to computer
23. See my remarks at paragraphs 13-18 above.
Q5. Should the Government have a responsibility
to deal with the spread of malware in a similar way to human disease?
24. This appears to be a misleading analogy as
there is no equivalent for malware for the doctors, nurses and
hospitals which make up the NHS nor any need for them. The main
remedies are anti-malware products and contingency/back-up plans.
There is an argument for a modest publicly funded Computer Health
Information Service which includes advice on malware and contingency
planning. This role is fulfilled by GetSafeOnline though there
are questions about its level of funding. But much of the effort
could surely be left to the private sector anti-malware vendors,
whose interest in this instance in selling good products aligns
with the national interest in protecting the public and business.
Q6. How effective is the Government in co-ordinating
a response to cyber-crime that uses malware?
25. For malware that is released but not targeted
the main aim of Government policy should be advisory - see my
remarks above. For malware used as part of a targeted criminal
process the additional remedy is effective policing. The same
police resource could also be used to identify those very few
UK-based instances where non-targeted malware is authored or deliberately
released from the UK, for example Christopher Pile, sentenced
in 1995 at Exeter Crown Court. The Committee will be aware of
the current confusions and uncertainties surrounding the policing
of e-crime in the UK. The main unit is the Police Central E-Crime
Unit based at the Met. The new National Crime Agency will incorporate
many of the features of SOCA, the Serious Organised Crime Agency,
which has an e-crime unit. The investigation of frauds, the commission
of which may involve malware, is the remit of the City of London
Police. If malware, in the form of backdoors and keystroke loggers,
is used in espionage attempts this would presumably be a role
for the Agencies. The Centre for the Protection of the National
Infrastructure (CPNI) has a role in advising government departments
and businesses with key government contracts of threats and measures
in general including, presumably, malware. It would be helpful
if the Committee is able to highlight duplications and uncertainties
of scope of remit between these various entities.
I would be happy to expand on any of these issues.
5 September 2011
It dates from 2001 and came into force in 2004 and was ratified
by the UK in 2011.
Statements frequently made by CPS officials in public and private.