Malware and cyber crime - Science and Technology Committee Contents

Written evidence submitted by Professor Peter Sommer (Malware 01)

1.  I am a Visiting Professor at the London School of Economics and a Visiting Reader at the Open University. I have acted as an expert witness in many trials involving complex computer evidence; some of these have included the deployment of malware.

2.  The Committee will recall that I provided written and oral evidence for its earlier inquiry into Scientific Advice in Emergencies (HC498).

3.  As an academic I have had a very long-standing interest in the issues of the statistics of computer-related or "cyber" incidents as these are often used as the basis of formulating security policies. In March 2009 I carried out a literature review, including statistics, of Internet crime for the National Audit Office as a contribution to a value-for-money review of Government initiatives in reducing the impact of such crimes.

4.  I believe I may be able to assist the Committee by drawing to its attention the problems associated with defining "cyber-crime", producing statistics of its incidence and providing measures of harm or damage.

5.  Declaration. I have no commercial links to any organisations offering products and services dealing with malware.


6.  There is no generally-agreed definition of cyber-crime and this lack directly impacts assessments of extent. We can illustrate the diversity of definitions. The Council of Europe CyberCrime Convention,[3] also known as the Treaty of Budapest, covers in Articles 2-6 as "substantive offences": "illegal access", "illegal interception", "data interference", "system interference", and "misuse of devices". It adds as "computer-related offences", articles 7 and 8, "computer-related forgery" and "computer-related fraud". It further adds, in articles 9 and 10, "offences related to child pornography" and "offences related to infringements of copyright and related rights". It will be seen that articles 4 and 5, respectively "data interference" and "system interference", include "malware". Articles 4 and 5 more-or-less correspond to s 3 of the UK Computer Misuse Act, 1990: "Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc."

7.  If we now turn to a report produced in February 2011 by the BAE subsidiary Detica in partnership with the Cabinet Office's Office of Cybersecurity and Information Assurance (OCSIA), The Cost of Cyber Crime,[4] this covers: "identity theft and online scams affecting UK citizens; IP theft, industrial espionage and extortion targeted at UK businesses; and fiscal fraud committed against the Government." "Industrial espionage" is not a criminal offence in the UK[5] and the report excludes any direct reference to malware or to child pornography.

8.  The Committee will need to be alert to "research" the main aim of which is to sell products and services rather than inform about risk. The Committee should also watch carefully for the use of language that scares rather than informs. At the moment a number of malware vendors are referring to something called "Advanced Persistent Threats" or APTs. At any point in the last 40 years of computer security there have been threats which for their time were "advanced" and which were deployed with "persistence". Whilst some malware can be readily and usefully identified by way of their methods of exploitation or distribution - for example "buffer overflow", "cross-site scripting", "back-door", "boot-sector", "USB autostart", "browser hijack", "covert registry modification", "email address book hijack" etc - "APT" appears to have no useful meaning.


9.  Most official forms of crime recording in the UK are on the basis of specific offences prosecuted. But in relation to "cyber crime" there are particular difficulties as a result of policies of the Crown Prosecution Service. It sees the 1990 Computer Misuse Act as designed to fill in gaps in other forms of legislation[6] and in framing charges will concentrate on what it sees as the substantive offence rather than a modus operandi. Thus, if someone infiltrates a program to monitor the keystrokes on a computer and then subsequently uses the passwords thereby obtained to access a computer from which to carry out a fraudulent transaction, the offence will probably be recorded as a breach of the Fraud Act 2006, despite the fact that both s 3 and s 1 Computer Misuse Act offences took place. The keystroke monitor would be classified as "malware". A phishing attack would probably also be charged as fraud or money laundering; a Distributed Denial of Service attack (which also tends to involve offences under s 3 Computer Misuse Act when computers are remotely taken over by malware "back doors") would probably be charged as extortion, as this is the most common way in which criminals can make money. Since the Computer Misuse Act came into force, prosecutions have seldom exceeded 100 per year.

10.  As with many other studies of the extent of crime there are significant methodological difficulties - how far does one include crimes which are suspected but never come to court - what should be the standard of proof for inclusion? Is this "proof" the act of reporting to the police or replying to a question in a survey? What fudge factors should one apply for situations where individuals think they have been subjected to criminal actions but have not - or where they have actually been victimised but have an inadequate realisation? What further fudge factors do you allow for unreported crimes? In relation to activities which cause distress, do you only include situations where a crime has been committed?

11.  In terms of the incidence of malware, the problems of collecting data are somewhat easier. A number of anti-malware vendors offer out-sourced services. The customer agrees to route all his email and web traffic via the vendor, who then detects and removes the malware. Alternatively, the customer installs on his own premises a "black box" controlled by the vendor which has the same effect. In both instances the anti-malware vendor is in a position to collect statistics about the variety and frequency of deployment of malware. Examples of such statistics come from Symantec,[7] McAfee,[8] Sophos[9] and Websense.[10]

12.  However these statistics are not reliable as to harm and impact. They refer to situations where malware has been detected and, for the most part, thwarted. They do provide a powerful argument for deploying anti-malware products.


13.  The cost of any incident can be divided into direct and consequential. Direct: "My building and contents have been destroyed and I need money to replace them". Consequential: "While waiting for the replacements I was unable to generate turnover and profit". In the vast majority of malware-triggered incidents there is no physical damage, so that all the losses are consequential. As such the extent of loss in any one incident is substantially a function not of the malware itself but of the use to which the affected computer is being put and the speed with which the victim can recover. That in turn reflects the existence and efficacy of a contingency plan. Contrast the positions of a PC used domestically for entertainment hit by the same malware as a PC sitting on the desk of a City financial trader dealing in multi-million dollar contracts.

14.  A further issue is what to include in remedial costs - what allowance do we make for imprudent victims who have not taken elementary precautions to protect themselves - or who through clumsiness actually make the situation worse?

15.  For this reason all estimates of the costs of cybercrime and malware are wildly speculative.

16.  Some analysts seek to include "lost business opportunities" as opposed to a loss of revenue. The latter can be established by extrapolating from the past business records of a victim and is insurable; the former is simply an optimistic guess and is not insurable. Returning briefly to the BAE/Detica Report mentioned above:[11] At page 3-6 "Costs of different types of cyber crime to the UK economy" identifies "IP Theft" at over £9.2 million and "Industrial Espionage" at £7.6 billion. At page 5 there is a table purporting to break down "industrial espionage" losses by industry. It is difficult to see by what plausible methodology these figures were obtained. As we have seen, the Report does not cover malware at all.

17.  Statistics and cost impacts are a valuable aid to policy making but reliance on invented figures can only result in bad decisions.

18.  Looking specifically at malware, provided that potential victims subscribe to high quality anti-malware products which pick up the overwhelming majority of threats, the main impact is the cost of the subscription to the service. For domestic users free anti-malware products are available, eg Grisoft AVG,[12] which incur no cost at all. This would leave the impact of so-called zero-day malware, that is malware which has not to that point come to the attention of the anti-malware vendors and is not detected by their products. As we have seen above, loss is then a function of where and how a specific computer is being used and associated contingency / data recovery plans.


Q1.  What proportion of cyber-crime is associated with malware?

19.  Please see my paragraphs 6-12 above.

Q2.  Where does the malware come from? Who is creating it and why?

20.  This is not directly within my expertise. However it appears that there are several different motives. A distinction needs to be made between malware which is released generally and malware which is specifically aimed and where it is part of a targeted act to cause harm, or create opportunities for fraud, espionage or extortion. In the former, the aim seems to be to prove the "success" of the exploit by the number of infections and is essentially a technical challenge; it is a variant of recreational hacking. We can divide targeted exercises into ones aimed at specific individual persons or companies for immediate effect in terms of causing harm; and "harvesting" activities where the targets are initially indiscriminate but the aim is to acquire username/passwords and other credentials which can later be used to carry out a fraud or similar.

21.  Much malware is possible because of the increasing complexity of modern operating systems and applications and their release by software houses without proper testing. Companies like Microsoft desire the additional revenue that the frequent release of new software versions brings and then offer to remedy discovered faults, post purchase, by the provision of frequent "patches". But what other product in history issues rectifications once a week for its entire life-cycle, as is the case with its main operating systems? The product faults are discovered by the computer security research community and these are then turned, often by others, into the exploits that become malware. Government could use its power when buying operating systems and application programs and complain about the high level of exploitable bugs.

Q3.  What level of resources are associated with combating malware?

22.  The main resource is that of the anti-malware companies who discover new instances and then include detective and remedial measures in their products. All businesses need to have a contingency/recovery plan to cover a variety of scenarios, including malware infection. Such plans are a combination of data back-up and management action plans. See also my remarks at paragraph 25 below about policing.

Q4.  What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?

23.  See my remarks at paragraphs 13-18 above.

Q5.  Should the Government have a responsibility to deal with the spread of malware in a similar way to human disease?

24.  This appears to be a misleading analogy as there is no equivalent for malware of the doctors, nurses and hospitals which make up the NHS, nor any need for them. The main remedies are anti-malware products and contingency/back-up plans. There is an argument for a modest publicly funded Computer Health Information Service which includes advice on malware and contingency planning. This role is fulfilled by GetSafeOnline though there are questions about its level of funding. But much of the effort could surely be left to the private sector anti-malware vendors, whose interest in this instance in selling good products aligns with the national interest in protecting the public and business.

Q6.  How effective is the Government in co-ordinating a response to cyber-crime that uses malware?

25.  For malware that is released but not targeted the main aim of Government policy should be advisory - see my remarks above. For malware used as part of a targeted criminal process the additional remedy is effective policing. The same police resource could also be used to identify those very few UK-based instances where non-targeted malware is authored or deliberately released from the UK, for example Christopher Pile, sentenced in 1995 at Exeter Crown Court. The Committee will be aware of the current confusions and uncertainties surrounding the policing of e-crime in the UK. The main unit is the Police Central E-Crime Unit based at the Met. The new National Crime Agency will incorporate many of the features of SOCA, the Serious Organised Crime Agency, which has an e-crime unit. The investigation of frauds, the commission of which may involve malware, is the remit of the City of London Police. If malware, in the form of backdoors and keystroke loggers, is used in espionage attempts this would presumably be a role for the Agencies. The Centre for the Protection of the National Infrastructure (CPNI) has a role in advising government departments and businesses with key government contracts of threats and measures in general including, presumably, malware. It would be helpful if the Committee is able to highlight duplications and uncertainties of scope of remit between these various entities.

I would be happy to expand on any of these issues.

5 September 2011

3 It dates from 2001, came into force in 2004 and was ratified by the UK in 2011.


6 Statements frequently made by CPS officials in public and private.


© Parliamentary copyright 2012
Prepared 2 February 2012