Written evidence submitted by the IET, the Royal Academy of Engineering and BCS, The Chartered Institute for IT (Malware 11)
Please find attached a response to the House of Commons
Science and Technology Select Committee inquiry on Malware and
Cyber Crime. This response represents the views of BCS, The Chartered
Institute for IT, the Institution of Engineering and Technology
(IET) and the Royal Academy of Engineering.
We note that the Government Cyber Crime Strategy
will be published later this month. We would be willing to comment
on this strategy once published, as a supplement to the response
1. What proportion of cyber-crime is associated with malware?
We believe that a definitive answer cannot be given. Much of the cyber-crime problem goes unreported and unrecorded, and authoritative data has yet to be collected and collated from the responsible bodies, such as the Serious Organised Crime Agency (SOCA) and the Police Central e-Crime Unit (PCeU). We are cautious about recommending "industry" figures, as in many cases they are debatable and in some instances self-serving.
Even with a precise definition of cyber crime or of malware, security researchers can do little more than guess at statistics by extrapolating from small samples. In May 2010 it was generally accepted in the anti-malware research community that there were around 43 million known malicious programs (as evidenced by several presentations at the Computer Antivirus Research Organization (CARO) workshop in Helsinki). ESET (an antivirus company) reports seeing as many as 200,000 unique malware samples per day. Precision is impossible, however, because estimates vary widely from vendor to vendor, and because counts of "unique samples" are inflated by automated repacking of the same underlying malware into many distinct files.
It is generally argued that malware is used, directly or indirectly, in a significant proportion of cyber crime. A very high proportion of cyber crime has some connection with malware, most of it fuelled by botnets (spam, phishing, malware distribution, Distributed Denial of Service (DDoS), fake antivirus (AV), CAPTCHA breaking, click fraud and so on). Malware takes many forms and ranges in complexity from a simple open proxy or advertisement delivery platform to something as advanced as a self-propagating malware delivery system. Malware has grown in complexity, sophistication and volume, which makes it harder to quantify.
The banks and law enforcement agencies are best placed to give a more definitive answer on what proportion of cyber crime is associated with malware. Bank customers are asked to report instances of cyber crime to their bank rather than directly to the police; however, the banks are said to have an incentive to treat many reports as the fault of their customer rather than as crime. Police figures are therefore likely to be lower than the
We would like to point out that a substantial increase in cyber crime is likely as more financial transactions are carried out on mobile phones, which are far less well defended than PCs and in most cases carry no anti-malware protection at all.
2. Where does the malware come from? Who is
creating it and why?
A malware user usually intends to compromise, and potentially control, as many systems as possible. Malware is usually created by capable individuals seeking financial advantage, fame or power: the power gained from control, or the fame gained from being an international cyber criminal. A significant proportion of malware is said to arrive by e-mail, mainly through
The usual sources include organised crime, hackers,
and activists; reasons include status, disruption, dissidents,
military, business espionage, theft, financial gain and global
There are six notable groups associated with the
use of malware:
(i) Script kiddies: these use exploit code developed by others and pretend to be hackers. They are usually only able to attack very weakly secured systems.
(ii) Criminals: these work individually or within increasingly professional organisations and are responsible for credit card fraud and other theft. In economically challenged countries with high unemployment, graduates are tending to join these groups. In Russia, various groups use a notorious Internet Service Provider (ISP) that has been reported to host websites for illegal businesses, and they employ professional teams to pursue their criminal objectives.
(iii) Hacker groups: these groups usually work anonymously and develop hacking tools. They may compromise computers for no criminal purpose, often just to demonstrate their presence. Hacking can also be a route to employment, with companies often hiring hackers to test their security.
(iv) Insiders: although commonly said to represent only 20% of the threat, they are said to cause 80% of the damage, and are considered the most dangerous group. They are very difficult to identify because they operate inside the organisation as authorised users. Their motives may be criminal or personal.
(v) Political/religious/commercial groups: these groups are not usually interested in financial gain. Governments can deploy considerable resources and technical expertise to develop malware for political ends: the Stuxnet worm, for instance, which attacked Iran's uranium enrichment facilities, is widely believed to have been developed by a foreign government. Malware is also said to be used by commercial companies intent on stealing intellectual property from their competitors.
(vi) Advanced Persistent Threat (APT)/nation state: this term has been used for some time in government and military domains to describe targeted cyber attacks carried out by highly organised state-sponsored groups with deep technical skills and computing resources.
Regional variations have been observed in the use
of malware. African malware use tends to involve non-technical
fraud. Russia and Latin/South America tend to be associated with
malware relating to banking/financial fraud and phishing. Russia
and Eastern Europe have highly organised gangs devoted to a whole
economic framework related to cyber crime, from money laundering
to credit card credentials to malware distribution.
3. What level of resources is associated with combating malware?
We believe that considerable resources are needed to combat malware. Malware prevention is a significant expense and drain on resources: ensuring that all anti-virus (AV) signatures are up to date is often a full-time job for an individual or a team, depending on the size of the organisation being served. It is reported that United States federal agencies spend about $100 million a year on combating cyber crime through the Federal Bureau of Investigation (FBI), the Secret Service, the National Cyber-Forensics & Training Alliance (NCFTA) and the Department of Homeland Security (DHS). Large web services firms such as Google and Microsoft are thought to spend in the order of $100 million a year each on cyber crime prevention, with smaller firms such as PayPal and Yahoo spending tens of millions.
We believe that it is impossible to provide a complete defence against malware. Patching provides an effective defence only against known vulnerabilities for which the vendor has supplied a security fix. AV software is only partially effective, and only on the data channels it is monitoring. There is no signature- or patch-based defence against malware exploiting vulnerabilities known only to the attacker (or malware writer); generic measures such as least privilege and application whitelisting limit the damage such malware can do but cannot prevent the exploit itself. This means that even with vast resources an organisation cannot guarantee 100% effectiveness in the detection and elimination of malware.
We have identified five distinct resource types:
(i) Development resources are used to design and implement security in a system as it is being built.
On 15 January 2002 Bill Gates, the chairman of Microsoft, informed all employees that security was now a top priority, changing the company's strategy. It took Microsoft until 25 August 2004, when it released Service Pack 2 for Windows XP, to substantially harden its PC operating system. The first Microsoft PC operating system built with security in mind from the outset did not appear until 30 January 2007, when Windows Vista was released, some five years after the strategy changed. Windows 7, released on 22 October 2009, made significant further improvements in the security of the product over previous versions; there are, however, still vulnerabilities in Windows 7.
Microsoft is the exception. Most software vendors tend not to build security into their products, as they see the cost as an overhead with no commercial advantage. Adobe, for example, found its products targeted in 2010-11, particularly Adobe Reader and Flash, and was forced to release out-of-cycle security updates to address vulnerabilities that were being actively exploited.
(ii) Research resources are those required to find and identify a vulnerability in a system, whether or not it is being actively exploited at present.
Responsible researchers who identify a vulnerability in a system inform the vendor and allow it time to fix the vulnerability. Malware writers do not inform the vendor of the vulnerabilities they exploit. Malware exploiting an unknown vulnerability has to be reverse-engineered, which is a highly skilled job and resource
To fully analyse a specific
piece of malware may take weeks or months depending on its level
of sophistication. For example, the Stuxnet worm is still being
analysed six months after the original detection.
(iii) Vendor resources (which also apply
to systems developed internally) are those resources required
to develop and test a security patch to help with the detection
Vendors who become aware of security vulnerabilities in their products have to develop a security patch that will prevent malware exploiting that particular vulnerability, while ensuring that the patch does not break any existing functionality of the system. The vendor may have to divert resources away from developing new products to developing and testing the patch.
(iv) Individual resources are those employed by an individual to maintain their own system in a good state to defend against malware.
The measures that individuals have to apply require some technical knowledge. Security patches have to be deployed in a timely manner, and many people simply do not understand the importance of doing so. AV software has to be installed and allowed to update with the latest signatures. We would welcome any initiatives that help to educate users about the dangers of opening suspicious e-mails, for instance the risks of opening attachments without scanning them first, or of trusting a file's apparent type from its name alone.
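As an added illustration of the last point (this example is not part of the submission), the following Python script shows the kind of check a mail gateway or endpoint agent can make before a user opens an attachment: it classifies the file by its leading bytes rather than by its name, and flags executables disguised as documents, risky extensions, double extensions and the right-to-left-override trick. The file names, byte strings and extension lists are constructed for the example and are not drawn from any product.

```python
# Added example, not part of the submission: attachment triage of the kind a
# mail gateway or endpoint agent applies before a user opens a file. The file
# names and byte strings used below are constructed for illustration.
from typing import Dict, List, Set, Tuple

# Leading bytes ("magic numbers") of common attachment formats.
MAGIC: Dict[bytes, str] = {
    b"MZ": "pe-executable",                              # Windows EXE/DLL/SCR
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip-container",                      # .zip, .docx, .xlsx, .jar
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-office",  # legacy .doc/.xls/.ppt
}

# Extensions each sniffed type may legitimately carry.
EXT_FOR_TYPE: Dict[str, Set[str]] = {
    "pe-executable": {"exe", "dll", "scr", "com"},
    "pdf": {"pdf"},
    "zip-container": {"zip", "docx", "xlsx", "pptx", "jar"},
    "ole2-office": {"doc", "xls", "ppt"},
}

# Extensions that should not arrive unsolicited by e-mail at all.
RISKY_EXT: Set[str] = {"exe", "scr", "pif", "com", "bat", "cmd", "js",
                       "vbs", "hta", "lnk", "jar"}

# Document-like inner extensions used in double-extension lures (invoice.pdf.exe).
DECOY_EXT: Set[str] = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}

RTLO = "\u202e"  # Unicode right-to-left override, used to hide the real extension


def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> List[str]:
    """Return the reasons to block an attachment; an empty list means no finding."""
    reasons: List[str] = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)

    if kind == "pe-executable":
        reasons.append("executable content (MZ header)")
    if ext in RISKY_EXT:
        reasons.append(f"risky extension .{ext}")
    if len(parts) > 2 and parts[-2] in DECOY_EXT:
        reasons.append("double extension")
    if kind != "unknown" and ext not in EXT_FOR_TYPE[kind]:
        reasons.append(f"content is {kind} but extension is .{ext}")
    if RTLO in filename:
        reasons.append("right-to-left override in file name")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a genuine PDF, then four common disguises.
    samples: List[Tuple[str, bytes]] = [
        ("invoice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("statement.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("report" + RTLO + "fdp.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("photo.jpg", b"PK\x03\x04\x14\x00\x06\x00"),
    ]
    for name, blob in samples:
        verdict = triage(name, blob)
        print(f"{name!r}: {'BLOCK ' + '; '.join(verdict) if verdict else 'allow'}")
```

This is a cheap first filter, not a substitute for scanning: a genuine Office document carrying a malicious macro, or a well-formed PDF with an exploit inside, passes every check above, which is exactly why the submission's advice to scan attachments before opening them still stands.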
(v) Organisation resources are the resources
of organisations (government department/agency, commercial organisation,
or charitable organisations) used to maintain their systems in
a good state in order to effectively defend against malware attacks.
The costs are significant, as security patches must be tested before they are deployed. If testing is inadequate, the system may no longer work after the patch has been deployed; if testing takes too long, the system may be infected with malware before the patch is deployed. Effective testing requires test scripts that allow automated testing to be performed. While the test system need not be identical to the live system, it must be a realistic representation of it for the tests to be valid. This requires significant outlay to develop the test scripts and to have the test infrastructure in place.
While a large organisation can afford to invest in the systems, scripts and staff needed to carry out testing and analyse the results, this is not realistic for individuals, who must rely on the testing performed by the vendor. Individuals generally lack the expertise to monitor for suspicious activity, although this would improve with the educational initiatives mentioned under (iv) above.
4. What is the cost of malware to individuals and how effective is the industry in providing protection to computer users?
There are no authoritative statistics. The proportion
of infected PCs is variously estimated to be in the 1-15% range;
5% might be a conservative estimate. It has been reported that
hostile cyber attacks on companies accounted for nearly one third
of all UK data breaches in 2010 - up from around 22% the year
before, with incidents becoming increasingly expensive.
A survey by the Ponemon Institute found that the
cost of a data breach rose in 2010 for the third year running.
The average data breach incident cost UK organisations £1.9
million or £71 per record, an increase of 13% on 2009, and
18% on 2008. The incident size ranged from 6,900 to 72,000 records,
with the cost of each breach varying from £36,000 to £6.2
million. The most expensive incident increased by £2.3 million
compared to 2009.
Impact on individuals
The impact on an individual of a successful malware infection varies, but can be very significant. Examples include:
(i) The PC becomes part of a botnet (perhaps thousands or tens of thousands of individual computers), which is then used by criminals to distribute spam e-mail or to launch a denial of service attack against an organisation. Botnets are increasingly rented out for criminal purposes. The owner of the PC may suffer only a loss of performance, or may find themselves accused of committing a criminal offence.
(ii) The malware may be used to extract useful information stored on the PC, which could include personal details, bank details and so on. For example, the Government disclosed in December 2010 that it had been a victim of the Zeus malware, with undisclosed loss of sensitive information. Loss of information can have serious consequences for the individual concerned: not only financial loss, but damage to their relationships with others or the loss of irreplaceable records such as
(iii) The PC may be used to host illegal content, for example child pornography. The owner of the PC is then open to being accused of knowingly hosting the illegal content.
The cost of malware infection is very high. Partial solutions exist, but they tend to be sold as part of a product portfolio, which can be expensive. The cost to individual PC users is reported to be in the tens of pounds (or dollars or euros) per year in AV expenditure alone. Furthermore, it is claimed that up to two million people, or 4% of the English population, become victims of fraud each year. Cleaning up infected corporate networks may cost tens of millions of pounds and take a team of people several
By and large, industry is not effective in defending against malware attacks. Many vendors still do not take security seriously. What we are seeing is an arms race, with the malware writers always one step ahead of the defenders. To quote from a Virus Bulletin article (1 February 2011):
"In the mid 90s we were in a position where
we could accurately count the number of viruses that had been
seen. This was possible for several reasons:
(i) The number of new viruses was small enough
for each sample to be identified and analysed in detail.
(ii) It was easy to determine which part was
virus and which part was the infected application.
(iii) The size and complexity of the malware
was quite limited."
In 2011 the situation is completely different: there is a huge variety of malware on the internet, with new variants of a given family appearing daily, and malware threats have increased in complexity.
AV vendors vary in their effectiveness at detecting known malware. Some large vendors effectively stopped developing their products some five years ago and may be only around 50% effective at detecting known malware.
5. Should the Government have a responsibility
to deal with the spread of malware in a similar way to human disease?
Creating, supplying and deploying malware are offences under the Computer Misuse Act 1990 (unauthorised access and modification under sections 1 to 3, and making or supplying articles for use in such offences under section 3A), so malware use is criminal activity and needs to be viewed in the same way as any other criminal offence. Human disease, in contrast, is natural and may be unavoidable. This is not the case for malware, and as such the Government needs to be instrumental in tracing those responsible and prosecuting them accordingly. The biological analogies (virus, worm) should not be stretched to imply that similar control mechanisms would be effective in the cyber domain.
The Cabinet Office report "The Cost of Cyber Crime" (see http://www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime) reveals that, whilst government and the citizen are affected by rising levels of cyber crime, at an estimated £2.2 billion and £3.1 billion a year respectively, business bears the lion's share of the cost. The report puts the total cost at an estimated £27 billion a year, of which £21 billion, over three-quarters of the economic impact of cyber crime in the UK, is felt by business. In all probability, and in line with worst-case scenarios, the real impact of cyber crime is likely to be much greater.
We therefore believe that the Government should help
tackle the spread of malware, to reduce the impact on the UK economy.
We also believe that the Government needs to provide
incentives to businesses to protect individuals against such losses.
At present, it is not considered a commercial imperative among
The Government should consider the following when
developing a cyber crime strategy:
(i) Education: the website http://www.getsafeonline.org/ provides good advice on security. We would encourage the Government to increase the level of advice it provides to the public about security, so that people do not remain ignorant of information security issues. Users need to be educated in information security so that they can protect themselves effectively. The best security systems can be defeated by a user who wilfully or ignorantly overrides them (for example when targeted by phishing and spear-phishing attacks, which dupe people into entering personal data into fake websites). We would again argue that more resources should be devoted to explaining the basic security facts and their importance to individuals and industry. Basic lessons in the safe use of computers should be provided regularly to schoolchildren throughout their schooling, starting in primary school, in view of the reducing age at which children become active and vulnerable users of computers and mobile
(ii) Government contracts: it is important that the UK Government leads by example. The Government could consider deploying products whose vendor has actively designed security into the product. As the Microsoft case shows, this is not a simple tick-in-the-box exercise but requires considerable effort to achieve properly. Security has to be designed into a product from the start; it cannot be bolted on later.
The Government is a large
buyer of ICT systems. Consequently, it can have an impact on the
marketplace. The Government could have significant influence if
a list of more secure products was published. This could result
in increased security provision by individuals and organisations,
who look to the Government to provide advice.
Furthermore, the Government needs to ensure that its contracts require its own systems to be maintained in a secure state. Contracts need to specify which systems are to be patched (all of them, in our view) and the frequency of patch deployment.
(iii) Legislation: criminals operate in many different jurisdictions, making it difficult to prosecute
There are very few convictions under current legislation. Developing malware and installing malware on computers are offences which should be punished with penalties proportionate to the losses caused.
Legislation would also need to make it clear that researchers and vulnerability and penetration testers who have a contract in place to perform such testing are not committing an offence.
(iv) International relationships: the UK Government needs to encourage other countries to establish appropriate legislation that enables the successful prosecution of criminals who commit cyber crime. Sanctions also need to be imposed on countries that harbour cyber criminals.
There needs to be cooperation between countries on cyber crime. While there is cooperation on some serious crimes, such as child pornography, there is not the same level of cooperation for less serious offences. The cost to the UK economy is estimated by the Cabinet Office at £27 billion a year, £21 billion of it falling on business (see above), with the majority of criminals based outside the UK. The UK cannot solve this problem on its own; it needs the cooperation of other countries to eliminate the threat.
6. How effective is the Government in co-ordinating
a response to cyber-crime that uses malware?
We are unclear on the detail of the Government's strategy toward cyber crime associated with malware. We do, however, strongly believe that it is the responsibility of the Government to try to prevent cyber crime.
We would like to see renewed focus by the Government
in preventing exploitation of its core departments by its competitors
overseas and lead by example. We would also argue that the police
need to be better resourced to combat cyber crime, and to ensure
that all criminal malware use is prosecuted. This will need to
be done in conjunction with any educational initiatives that ensure
individuals and organisations are aware of malware threats and
the importance of security provision.
7 September 2011