E-crime - Home Affairs Committee

1  What is e-crime?

Defining e-crime

5. Like traditional crime, e-crime can take many shapes and can occur at almost any time or in any place. Criminals use a number of methods, depending on skill-sets and goals. A variety of terminology is used when referring to internet-related crimes. The terms 'e-crime' and 'cyber crime' are often used interchangeably but during this inquiry we have recognised that there are variations between organisations in the way these terms are defined. Defining e-crime has shaped the manner in which organisations such as the Police and Serious and Organised Crime Agency (SOCA) understand and respond to the evolving criminal threats presented in the digital age.

6. Cybercrime is defined by police as the use of any computer network for crime.[1] The Home Office and the SOCA-led Cyber Threat Reduction Board (TRB) use a three-fold categorisation, dividing e-crime into:

a)  'pure' online crimes, where a digital system is the target as well as the means of attack. These include attacks on computer systems to disrupt IT infrastructure, and stealing data over a network using malware (the purpose of the data theft is usually to enable further crime);

b)  'existing' crimes that have been transformed in scale or form by their use of the internet. The growth of the internet has allowed these crimes to be carried out on an industrial scale; and

c)  use of the internet to facilitate drug dealing, people smuggling and many other 'traditional' types of crime.

7. The TRB's broad definition recognises the transformational effect of the internet and computer systems in existing crimes. Other organisations include specific offences: the Council of Europe's Cybercrime Treaty uses the term cybercrime to refer to offences ranging from criminal activity against data to content and copyright infringement. The United Nations Manual on the Prevention and Control of Computer Related Crime includes fraud, forgery, and unauthorized access within its definition of cybercrime.[2]

8. The European Commission in 2007 proposed a threefold definition similar to TRB's, identifying cyber crime as:

  • Traditional forms of crime committed over electronic communication networks and information systems
  • The publication of illegal content over electronic media
  • Crimes unique to electronic networks.

The main offences covered by existing European and national legislation are:

  • privacy offences: illegal collection, storage, modification, disclosure or dissemination of personal data;
  • content-related offences: the dissemination of pornography, in particular child pornography, racist statements and information inciting violence;
  • economic crimes, unauthorised access and sabotage: offences relating to unauthorised access to systems (e.g. hacking, computer sabotage and distribution of viruses, computer espionage, computer forgery, and computer fraud);
  • intellectual property offences: violations of the legal protection of computer programs and databases, copyright and related rights.[3]

9. The Association of Chief Police Officers (ACPO) uses the following definition of e-crime in its 2009 E-crime Strategy:

    "the use of networked computers or internet technology to commit or facilitate the commission of crime".

10. This broad definition could cover crimes that are facilitated through using the internet as a means of communication. We are concerned that the TRB and the ACPO definitions could be problematic for law enforcement agencies as they risk referring to all crimes whose perpetrators use the internet to organise themselves as 'e-crime'. It is possible that this type of definition could therefore blur the distinction between crimes carried out using the internet and crimes carried out offline where the internet is used only as an accessory, e.g. a drug deal where the dealers communicate via email. Professor Peter Sommer, Visiting Professor at de Montfort University and a Visiting Reader at the Open University, explained that "when the term "computer crime" first came into popular usage in the early 1970s the proportion of the population that had access to computers was tiny" and consequently "it was possible to see computer/cyber/e-crime as distinct purely in terms of the demographics of potential offenders".[4] Modern definitions of cyber crime need to recognise that large numbers of crimes are likely to have a "computer" element simply because at least 77% of the population own a PC.[5]

11. We are further concerned that other aspects of e-crime may not be covered within the definitions of cyber crime used by law enforcement agencies. Professor Peter Sommer pointed out that ACPO's definition appeared to exclude "the use of computers to carry out frauds which don't involve networks, the acquisition of illegal material such as child or extreme pornography and the deployment of techniques to generate forged documents".[6]

12. During our inquiry it became clear that the definitions of what constituted e-crime or cyber crime needed frequent revision if organisations wish to attempt to define the rapidly evolving nature of the e-crime threat. However, e-crime is becoming increasingly hard to define as discrete from other crimes because so many criminals now use online devices and generate digital evidence. Crimes that have been transformed by the internet and those unique to electronic networks should continue to be defined and recorded as e-crime. This will enable the police to develop an appropriate level of sophisticated technical resource to respond to these crimes.

13. The ever-increasing incidence of the use of the internet in some form in traditional crimes indicates the futility of special categorisation for such offences. We recommend that more police officers are trained in digital crime detection and equipped with digital forensic skills. These should become standard skills for officers undertaking relevant investigations.

Recognising the threat of e-crime

14. Since the creation of the World Wide Web in 1991, the internet has become increasingly central to our economy and our society. Internet and other information systems have transformed our working environment, driving economic growth, connecting people and providing new ways to communicate and co-operate.

15. Cyberspace is the term used to describe the internet and other information systems that form an interactive domain made up of digital networks used to store, modify and communicate information. Digital networks underpin the supply of electricity and water to homes, help organise the delivery of food and other goods to shops, act as an essential tool for businesses across the UK and connect our TVs and games consoles to data.

16. We have seen worrying evidence that the growth of cyberspace has also opened up the UK to serious security threats. Constant contact with digital networks is a fact of modern life. The UK Cyber Security Strategy, published by the Cabinet Office in 2011, suggests that this development of technology "will be on the scale of the very biggest shifts in human history, such as the coming of the railways, or even learning to smelt metals."[7] The Strategy goes on to acknowledge that as a country "we have no choice but to find ways to confront and overcome these threats if the UK is to flourish in an increasingly competitive and globalised world".[8] EMC and RSA, one of the world's major IT infrastructure and service providers, told us that the cybercrime threat was sophisticated, complex, and rapidly evolving. They explained that there was "a thriving criminal ecosystem" that mirrored the legitimate IT market where criminals could "freely buy and sell malicious software and services". EMC and RSA estimated that this rapidly maturing online black market had led to a "tenfold reduction in the cost to access cyber crime tools and services and an increase in the volume and sophistication of attacks".[9]

17. The UK Cyber Security Strategy argues that "the digital architecture on which we now rely was built to be efficient and interoperable". It acknowledges that when internet usage first started to grow in the UK, security was less of a consideration. Yet a growing number of adversaries now use cyberspace to steal, compromise or destroy critical data. The scale of our dependence means that our prosperity, our key infrastructure, our places of work and our homes can all be affected. Art Coviello, Executive Chairman of RSA (the Security Division of EMC2), told us that people overlook the extent to which our increased dependency on digital services has extended opportunities for malicious activity:

    "We have now developed so many web applications, we have so many remote access devices, mobile devices, we have so many points of entry into our enterprise...we have expanded the attack surface and made it literally easier for the attackers to take advantage of us."[10]

18. We discussed the threat of e-crime to the UK with a number of our witnesses. Dr Ian Brown, Associate Director of Oxford University's Cyber Security Centre and Senior Research Fellow at the Oxford Internet Institute, told us that there was "quite a bit of evidence that organised criminal gangs have moved into cybercrime".[11] Commissioner Adrian Leppard, City of London Police, told us that the National Fraud Intelligence Bureau had identified around 1,300 organised crime groups who used fraud as their main means of gaining money. He estimated that a quarter of these groups were using the internet as their "main means" of committing fraud. Work undertaken by the National Fraud Intelligence Bureau had shown that "about 25 countries predominantly target the UK".[12]

19. David Livingstone, Associate Fellow, International Security Research Directorate, Chatham House, explained that the amount of valuable and attractive goods and items that could be found on UK-based IT systems was "probably a relatively rich hunting ground for organised criminal gangs".[13] We were told that the top five countries where organised criminal groups were using e-crime to attack the UK were "mainly eastern European, and Russia".[14] Mike Andrews, National E-Crime Co-ordination Manager for the National Trading Standards E-Crime Centre, told us that e-crime attacks were coming from many places including: other European member states; former members of the eastern bloc; and the far east. He cautioned that it was "very difficult to pinpoint specific locations because it truly is, to use a cliché, a global problem".[15] Art Coviello, Executive Chairman, RSA, cautioned that "one of the problems with any attack is attribution, being able to trace the attack back to its source". He told us that "to point the finger at a particular nation is clearly not the right thing to do" but reasoned "that given the level of sophistication that we see in attacks, it can only be sponsored by nation states".[16]

20. We asked our witnesses whether the "war" on e-crime was being fought and won. Commissioner Adrian Leppard, City of London Police, told us that "we are not winning. I do not think we are winning globally, and I think this nature of crime is rising exponentially".[17] Ilias Chantzos, Senior Director, Government Affairs for EMEA and APJ, Symantec reflected that "As the technologies change, the attack surface changes, the techniques that the attackers are going to use change. What is important is that we adjust ourselves and follow that moving target in order to achieve that objective. We will never have 100% security".[18] Art Coviello believed "we can win the war, but we are not winning it yet".[19]

21. David Livingstone, Associate Fellow at the International Security Research Directorate, Chatham House, told us that the "war on cyber crime" was very serious and "getting worse".[20] However, GCHQ's Countering the cyber threat to business, published earlier this year, reported that a staggering 80% of cyber attacks could be stopped through basic information risk management.[21] Iain Lobban, Director GCHQ, had previously outlined how cyber crime is not just a national security or defence issue but is something which goes to the heart of our economic well-being and national interest. He stated that "good Information Assurance practice will solve 80% of Government's Cyber Security vulnerabilities. By this we mean observing basic network security disciplines like keeping patches up to date. That, combined with the necessary attention to personnel security and the 'insider' threat, will offer substantial protection for each individual network".[22] However, David Livingstone was concerned that whilst such attacks could be prevented by "getting the basics right", the public were generally unaware of what "those basics might be".[23]

22. It is of great concern that the majority of cyber crime could be prevented by better awareness by the user. Whilst the sophisticated threats will remain, we must do more to protect our information online. The Government and the private sector both have a strong incentive to educate users and maintain awareness of cyber crime. We recommend that, through its various channels, all organisations, businesses and schools must provide users with appropriate information and risk management training.

23. We regard as very serious indeed the words of the most senior policeman in the country on online fraud, Commissioner Leppard of City of London Police who told the Committee that we are not winning the war on E-crime.

24. Commissioner Leppard told us that a quarter of the 800 specialist internet crime officers could be axed as spending is cut. We agree with him that this is a very worrying trend. At a time when fraud and e-crime is going up, the capability of the country to address it is going down.

25. Ministers have acknowledged the increasing threat of E-crime but it is clear that sufficient funding and resources have not been allocated to the law enforcement responsible for tackling it. Professor Ross Anderson told us that "we should be putting more of the cyber budget into policing and less of it into the intelligence sphere, into cyber war."[24] We also note as a principle, that if personal data is held in any database, no matter how secure, there is a risk of it being accessed inappropriately, either through human error or malice.[25] The only way to ensure data does not leak is not to collect it.

1   http://news.bbc.co.uk/hi/english/static/in_depth/uk/2001/life_of_crime/cybercrime.stm

2   United Nations, Manual on the Prevention and Control of Computer-Related Crime, 1994

3   http://europa.eu/legislation_summaries/justice_freedom_security/fight_against_organised_crime/l33193b_en.htm

4   Ev 101, para 13 (Prof Peter Sommer)

5   Ofcom, http://stakeholders.ofcom.org.uk/binaries/research/cmr/cmr11/UK_CMR_2011_FINAL.pdf

6   Ev 101, para 11 (Prof Peter Sommer)

7   Cabinet Office, The UK Cyber Security Strategy, Protecting and promoting the UK in a digital world, November 2011, Para 2.1-2.3

8   Cabinet Office, The UK Cyber Security Strategy, Protecting and promoting the UK in a digital world, November 2011, Para 2.1-2.3

9   Ev 86, Executive summary

10   Q 311

11   Q 226

12   Q 64

13   Q 225

14   Q 66

15   Q 135

16   Q 314

17   Q 62

18   Q 311

19   Q 311

20   Q 222

21   GCHQ, Countering the cyber threat to business, Spring 2013

22   Iain Lobban, Director GCHQ, International Institute for Strategic Studies, 12 October 2010, www.gchq.gov.uk/Press/Pages/IISS-CyberSpeech.aspx

23   Q 236

24   Q 121

25   Qq 131-132 [Professor Ross Anderson & Professor Peter Sommer]

© Parliamentary copyright 2013
Prepared 30 July 2013