1 What is e-crime?
Defining e-crime
5. Like traditional crime, e-crime can take many
shapes and can occur at almost any time or in any place. Criminals
use a number of methods, depending on skill-sets and goals. There
is a variety of different terminology used when referring to internet-related
crimes. The terms 'e-crime' and 'cyber crime' are often used interchangeably
but during this inquiry we have recognised that there are variations
between organisations in the way these terms are defined. Defining
e-crime has shaped the manner in which organisations such as the
Police and Serious and Organised Crime Agency (SOCA) understand
and respond to the evolving criminal threats presented in the
digital age.
6. Cybercrime is defined by police as the use of
any computer network for crime.[1]
The Home Office and the SOCA-led Cyber Threat Reduction
Board (TRB) use a three-fold categorisation, dividing e-crime
into:
a) 'pure' online crimes, where a digital system
is the target as well as the means of attack. These include attacks
on computer systems to disrupt IT infrastructure, and stealing
data over a network using malware (the purpose of the data theft
is usually to enable further crime);
b) 'existing' crimes that have been transformed
in scale or form by their use of the internet. The growth of the
internet has allowed these crimes to be carried out on an industrial
scale; and
c) use of the internet to facilitate drug dealing,
people smuggling and many other 'traditional' types of crime.
7. The TRB's broad definition recognises the transformational
effect of the internet and computer systems in existing crimes.
Other organisations include specific offences: the Council of
Europe's Cybercrime Treaty uses the term cybercrime to refer to
offences ranging from criminal activity against data to content
and copyright infringement. The United Nations Manual on the Prevention
and Control of Computer Related Crime includes fraud, forgery,
and unauthorized access within its definition of cybercrime.[2]
8. The European Commission in 2007 proposed a threefold
definition similar to TRB's, identifying cyber crime as:
- Traditional forms of crime
committed over electronic communication networks and information
systems
- The publication of illegal content over electronic
media
- Crimes unique to electronic networks.
The main offences covered by existing European and
national legislation are:
- privacy offences: illegal collection,
storage, modification, disclosure or dissemination of personal
data;
- content-related offences: the dissemination of
pornography, in particular child pornography, racist statements
and information inciting violence;
- economic crimes, unauthorised access and sabotage:
offences relating to unauthorised access to systems (e.g. hacking,
computer sabotage and distribution of viruses, computer espionage,
computer forgery, and computer fraud);
- intellectual property offences: violations of
the legal protection of computer programs and databases, copyright
and related rights.[3]
9. The Association of Chief Police Officers (ACPO)
uses the following definition of e-crime in its 2009 E-crime Strategy:
"the use of networked computers or internet
technology to commit or facilitate the commission of crime".
10. This broad definition could cover crimes that
are facilitated through using the internet as a means of communication.
We are concerned that the TRB and the ACPO definitions could
be problematic for law enforcement agencies as they risk referring
to all crimes whose perpetrators use the internet to organise
themselves as 'e-crime'. It is possible that this type of definition
could therefore blur the distinction between crimes carried
out using the internet and crimes carried out offline where the
internet is used only as an accessory e.g. a drug deal where the
dealers communicate via email. Professor Peter Sommer, Visiting
Professor at de Montfort University and a Visiting Reader at the
Open University explained that "when the term "computer
crime" first came into popular usage in the early 1970s the
proportion of the population that had access to computers was
tiny" and consequently "it was possible to see computer/cyber/e-crime
as distinct purely in terms of the demographics of potential offenders".
[4] Modern
definitions of cyber crime need to recognise that large numbers
of crimes are likely to have a "computer" element simply
because at least 77% of the population own a PC.[5]
11. We are further concerned that other aspects
of e-crime may not be covered within the definitions of cyber
crime used by law enforcement agencies. Professor Peter Sommer
pointed out that ACPO's definition appeared to exclude "the
use of computers to carry out frauds which don't involve networks,
the acquisition of illegal material such as child or extreme pornography
and the deployment of techniques to generate forged documents".[6]
12. During our inquiry it became clear that the definitions
of what constituted e-crime or cyber crime needed frequent revision
if organisations wish to attempt to define the rapidly evolving
nature of the e-crime threat. However, e-crime is becoming increasingly
hard to define as discrete from other crimes because so many criminals
now use online devices and generate digital evidence. Crimes
that have been transformed by the internet and those unique to
electronic networks should continue to be defined and recorded
as e-crime. This will enable the police to develop an appropriate
level of sophisticated technical resource to respond to these
crimes.
13. The ever-increasing incidence of the use
of the internet in some form in traditional crimes indicates the
futility of special categorisation for such offences. We recommend
that more police officers are trained in digital crime detection
and equipped with digital forensic skills. These should become
standard skills for officers undertaking relevant investigations.
Recognising the threat of e-crime
14. Since the creation of the World Wide Web in 1991,
the internet has become increasingly central to our economy and
our society. Internet and other information systems have transformed
our working environment, driving economic growth, connecting people
and providing new ways to communicate and co-operate.
15. Cyberspace is the term used to describe the internet
and other information systems that form an interactive domain
made up of digital networks used to store, modify and communicate
information. Digital networks underpin the supply of electricity
and water to homes, help organise the delivery of food and other
goods to shops, act as an essential tool for businesses across
the UK and connect our TVs and games consoles to data.
16. We have seen worrying evidence that the growth
of cyberspace has also opened up the UK to serious security threats.
Constant contact with digital networks is a fact of modern life.
The UK Cyber Security Strategy, published by the Cabinet Office
in 2011, suggests that this development of technology "will
be on the scale of the very biggest shifts in human history, such
as the coming of the railways, or even learning to smelt metals."
[7] The
Strategy goes on to acknowledge that as a country "- we have
no choice but to find ways to confront and overcome these threats
if the UK is to flourish in an increasingly competitive and globalised
world".[8] EMC and
RSA, one of the world's major IT infrastructure and service providers,
told us that the cybercrime threat was sophisticated, complex,
and rapidly evolving. They explained that there was "a thriving
criminal ecosystem" that mirrored the legitimate IT market
where criminals could "freely buy and sell malicious software
and services". EMC and RSA estimated that this rapidly maturing
online black market had led to a "tenfold reduction in the
cost to access cyber crime tools and services and an increase
in the volume and sophistication of attacks".[9]
17. The UK Cyber Security Strategy
argues that "the digital architecture on which we now rely
was built to be efficient and interoperable". It acknowledges
that when internet usage first started to grow in the UK, security
was less of a consideration. Yet a growing number of adversaries
now use cyberspace to steal, compromise or destroy critical data.
The scale of our dependence means that our prosperity, our key
infrastructure, our places of work and our homes can all be affected.
Art Coviello, Executive Chairman of RSA (the Security Division
of EMC²), told us that people overlook
the extent to which our increased dependency on digital services
has extended opportunities for malicious activity:
"We have now developed so many web applications,
we have so many remote access devices, mobile devices, we have
so many points of entry into our enterprise...we have expanded
the attack surface and made it literally easier for the attackers
to take advantage of us."[10]
18. We discussed the threat of e-crime to the UK
with a number of our witnesses. Dr Ian Brown, Associate Director
of Oxford University's Cyber Security Centre and Senior Research
Fellow at the Oxford Internet Institute, told us that there was
"quite a bit of evidence that organised criminal gangs have
moved into cybercrime".[11]
Commissioner Adrian Leppard, City of London Police, told
us that the National Fraud Intelligence Bureau had identified
around 1,300 organised crime groups who used fraud as their main
means of gaining money. He estimated that a quarter of these groups
were using the internet as their "main means" of committing
fraud. Work undertaken by the National Fraud Intelligence Bureau
had shown that "about 25 countries predominantly target the
UK".[12]
19. David Livingstone, Associate Fellow, International
Security Research Directorate, Chatham House, explained that
the amount of valuable and attractive goods and items that could
be found on UK-based IT systems was "probably a relatively
rich hunting ground for organised criminal gangs".[13]
We were told that the top five countries where organised
criminal groups were using e-crime to attack the UK were "mainly
eastern European, and Russia".[14]
Mike Andrews, National E-Crime Co-ordination Manager for
the National Trading Standards E-Crime Centre, told us that e-crime
attacks were coming from many places including: other European
member states; former members of the eastern bloc; and the far
east. He cautioned that it was "very difficult to pinpoint
specific locations because it truly is, to use a cliché,
a global problem".[15]
Art Coviello, Executive Chairman, RSA, cautioned that "one
of the problems with any attack is attribution, being able to
trace the attack back to its source". He told us that "to
point the finger at a particular nation is clearly not the right
thing to do" but reasoned "that given the level of sophistication
that we see in attacks, it can only be sponsored by nation states".[16]
20. We asked our witnesses whether the "war"
on e-crime was being fought and won. Commissioner Adrian Leppard,
City of London Police, told us that "we are not winning.
I do not think we are winning globally, and I think this nature
of crime is rising exponentially".[17]
Ilias Chantzos, Senior Director, Government Affairs for EMEA and
APJ, Symantec reflected that "As the technologies change,
the attack surface changes, the techniques that the attackers
are going to use change. What is important is that we adjust ourselves
and follow that moving target in order to achieve that objective.
We will never have 100% security".[18]
Art Coviello believed "we can win the war, but we are
not winning it yet".[19]
21. David Livingstone, Associate Fellow at the International
Security Research Directorate, Chatham House, told us that the
"war on cyber crime" was very serious and "getting
worse".[20] However,
GCHQ's Countering the cyber threat to business, published earlier this year, reported that a staggering
80% of cyber attacks could be stopped through basic information
risk management.[21]
Iain Lobban, Director GCHQ, had previously outlined how cyber
crime is not just a national security or defence issue but is
something which goes to the heart of our economic well-being and
national interest. He stated that "good Information Assurance
practice will solve 80% of Government's Cyber Security vulnerabilities.
By this we mean observing basic network security disciplines like
keeping patches up to date. That, combined with the necessary
attention to personnel security and the 'insider' threat, will
offer substantial protection for each individual network".[22]
However, David Livingstone was concerned that whilst such
attacks could be prevented by "getting the basics right"
the public were generally unaware of what "those basics might
be".[23]
22. It is of great concern that the majority of
cyber crime could be prevented by better awareness by the user.
Whilst the sophisticated threats will remain, we must do more
to protect our information online. The Government and the private
sector both have a strong incentive to educate users and maintain
awareness of cyber crime. We recommend that, through its various
channels, all organisations, businesses and schools must provide
users with appropriate information and risk management training.
23. We regard as very serious indeed the words
of the most senior policeman in the country on online fraud, Commissioner
Leppard of City of London Police who told the Committee that we
are not winning the war on E-crime.
24. Commissioner Leppard told us that a quarter of the
800 specialist internet crime officers could be axed as spending
is cut. We agree with him that this is a very worrying trend.
At a time when fraud and e-crime are going up, the capability of
the country to address it is going down.
25. Ministers have acknowledged the increasing
threat of E-crime but it is clear that sufficient funding and
resources have not been allocated to the law enforcement responsible
for tackling it. Professor Ross Anderson told us that "we
should be putting more of the cyber budget into policing and less
of it into the intelligence sphere, into cyber war."[24]
We also note as a principle, that if personal data is held in
any database, no matter how secure, there is a risk of it being
accessed inappropriately, either through human error or malice.[25]
The only way to ensure data does not leak is not to collect it.
1 http://news.bbc.co.uk/hi/english/static/in_depth/uk/2001/life_of_crime/cybercrime.stm
2 United Nations, Manual on the Prevention and Control of Computer-Related Crime, 1994
3 http://europa.eu/legislation_summaries/justice_freedom_security/fight_against_organised_crime/l33193b_en.htm
4 Ev 101, para 13 (Prof Peter Sommer)
5 Ofcom, http://stakeholders.ofcom.org.uk/binaries/research/cmr/cmr11/UK_CMR_2011_FINAL.pdf
6 Ev 101, para 11 (Prof Peter Sommer)
7 Cabinet Office, The UK Cyber Security Strategy, Protecting and promoting the UK in a digital world, November 2011, Para 2.1-2.3
8 Cabinet Office, The UK Cyber Security Strategy, Protecting and promoting the UK in a digital world, November 2011, Para 2.1-2.3
9 Ev 86, Executive summary
10 Q 311
11 Q 226
12 Q 64
13 Q 225
14 Q 66
15 Q 135
16 Q 314
17 Q 62
18 Q 311
19 Q 311
20 Q 222
21 GCHQ, Countering the cyber threat to business, Spring 2013
22 Iain Lobban, Director GCHQ, International Institute for Strategic Studies, 12 October 2010, www.gchq.gov.uk/Press/Pages/IISS-CyberSpeech.aspx
23 Q 236
24 Q 121
25 Qq 131-132 [Professor Ross Anderson & Professor Peter Sommer]