2 The Cyber Security Strategy
THE CURRENT STRATEGY
26. The threat to national security from cyber attacks
is real and growing. In October 2010, the National Security Strategy
identified the cyber threat to the UK, which includes cyber crime,
as a Tier One threat: that is, a threat of the highest priority
for UK national security, taking account of both the likelihood of
cyber attacks and the impact they could have. This is a higher
threat category than the threat of nuclear attack, but it has
received less attention and expenditure. This assessment placed
hostile attacks upon UK cyber space by other states and
large-scale cyber crime alongside such major threats as international
terrorism and international military crisis.[26]
27. Terrorists, rogue states and cyber criminals
are among those targeting computer systems in the UK. The Coalition
Government's approach to tackling e-crime has been focused on
the revised Cyber Security Strategy released in November 2011,
which set out how the UK will support economic prosperity, protect
national security and safeguard the public's way of life by "building
a more trusted and resilient digital environment".[27]
The Cyber Security Strategy is an integral part of the
National Cyber Security Programme (NCSP) launched in 2010.
28. The NCSP includes:
i. Creating a new cyber crime capability as part
of the National Crime Agency
ii. Mainstreaming cyber training throughout the
police
iii. Encouraging the use of 'cyber specials'
by police forces
iv. Promoting international cooperation and shared
understanding of cyber crime
v. Creating a single reporting system for individuals
and small businesses to report cyber crime
vi. Ensuring existing legislation is fit for
purpose and used to optimum effect
vii. Taking action to tackle hate crime on the
internet
viii. Reviewing existing legislation to ensure
it remains relevant and effective
ix. Encouraging the courts to use existing powers
to impose appropriate sanctions for online offences.
29. Dr Ian Brown, Associate Director of Oxford University's
Cyber Security Centre and Senior Research Fellow at the Oxford
Internet Institute, told us that winning the war on cyber crime
required a broad spectrum response from a number of areas of government.
He believed that the Government was working along "the right
lines in developing law enforcement". Other witnesses stressed
the importance of Government efforts to persuade other countries
to take similar action.[28]
30. However RSA, an American computer and network
security company, told us that its experience of dealing with
both the public and private sectors suggested that, whilst recent
policy initiatives such as last year's National Cyber Security
Strategy have advanced the Government's understanding of the cyber
threat and how best to respond to it, the private sector remained
ahead in terms of understanding its scale and maturity, and implementing
appropriate measures to deliver greater security.[29]
We note the increasing threat posed by state industrial
espionage, and by international e-crime committed for political purposes,
such as the purported attacks on the Guardian from Syria and
attacks from China on the US media. The Government must not underestimate
the danger such attacks pose to our infrastructure, and it must take firm
action with offending countries to have them cease their activities, using
international forums to raise these issues.
31. We recommend the establishment of a dedicated
espionage response team that British companies, media, and institutions
can immediately contact to report an attack and who can also provide
training in order to counter attacks.
Measuring e-crime
WHY DOES IT MATTER?
32. The Government has committed £650 million
to the NCSP to improve the nation's cyber capabilities in order
to help protect "the UK's national security, its citizens
and our growing economy in cyber space".[30]
As the Government strives to reduce overall expenditure, it is
of note that this significant resource is being directed against
online threats. Witnesses told us that this funding has gone primarily
to the intelligence agencies.
33. It is difficult for us to test, in a public forum, policy-makers'
and enforcement agencies' understanding of the level of threat
posed by cyber criminals, or of where those threats arise, without
compromising their effectiveness. Our witnesses
however suggested that, while the potential threat to national
security from cyber attack is reasonably well understood, there
is a very poor grasp of the persistently high threat of large
volume, low level crime online.
34. Whilst security services receive the lion's share
of NCSP funding, some witnesses have argued that the funding would
be better used "locking up more villains".[31]
Professor Ross Anderson told us that the NCSP's budget
should go to law enforcement and "less of it into the intelligence
sphere", as the threat is primarily from a small number of
prolific criminal gangs.[32]
He explained that the Government had made a "very welcome
increase of £640 million in the cyber security budget two
years ago, but 59% of it went to GCHQ and only a few million to
the police."[33]
CONCERN OVER UK GOVERNMENT MEASUREMENTS
35. The Government's accepted measure of the cost
of e-crime to the UK economy is the one produced by the Cabinet
Office in conjunction with Detica. A number of our witnesses
expressed scepticism regarding this cost estimate of £27bn.
Professor Ross Anderson told us that the Detica report had met
with 'widespread scorn'.[34]
Title: The Cost of Cyber Crime
Author: Detica / Cabinet Office
Date: 2011

Methodology:
- Developed a causal model relating cyber crime types to their impact on the economy.
- Assessed cost in terms of impact on citizens, business and government.
- No detailed workings or assumptions listed, only that cyber crime types were mapped to a 'number of broad categories of economic impact which are generally consistent with the types of parameters used in macro-economic models of the UK'.[35]
- Magnitude calculated using a three-point estimate (best, most likely and worst case scenarios).

Main conclusions and recommendations:
- Cost of cyber crime to the UK estimated to be £27bn: £3.1bn cost to citizens, £2.2bn cost to government, £21bn cost to business.
- Cost of cyber crime is 'significant and growing'.
- Business suffers the highest costs as a result of IP theft and industrial espionage.
- Cyber crime reporting is inhibited by fear of reputational damage, the lack of a clear reporting mechanism and the perception that nothing can be done even if crimes are reported.
- Government should start an online forum for UK business to give authoritative and interactive advice on best practice in protection from cyber crime. A central online reporting mechanism could also be located here.

Critical response:
- The report has been heavily criticised for not listing the assumptions or definitions used in the modelling more clearly. For example, how is the 'most-likely' scenario defined, and on what evidential basis has it been termed the 'most likely'?
- The methodology used appears to have given rise to some potentially anomalous findings. For example, the cost of IP theft to the not-for-profit sector is listed as £800m but as £400m for the Aerospace and Defence sector.
- Critics have pointed out that industrial espionage is not a criminal offence in the UK.[36]
- The report omitted malware and online child pornography from its estimate.[37]
- Some witnesses believe the report is indicative of a poor understanding of the scale of e-crime. They see policy as being driven by GCHQ and major cyber security suppliers to increase spend in this area.[38]
36. Professor Peter Sommer told us that the report on the cost
of cyber crime produced by Detica lacked credibility, as it excluded
"any reference to children, any reference to the effects
of malware, but included industrial espionage, which happens not
to be a crime in this country". He also questioned how such
precise industry-by-industry figures for the losses incurred as a
result of industrial espionage had been generated.[39]
37. Following the controversy prompted by the findings
in the Cabinet Office/Detica report, Sir Mark Welland, the Chief
Scientific Office at the Ministry of Defence, commissioned further
analysis to "unbundle things into direct and indirect costs".[40]
Professor Ross Anderson told us that this research resulted
in figures which found more credibility with independent experts
and within the security and IT communities.[41]
Nevertheless it appears that the Home Office at least still
relies on the Cabinet Office/Detica figures.
38. We understand that any measure of crime will
always be subject to challenge and e-crime even more so. However
we are puzzled that the Government continues to use highly controversial
figures, in which independent experts or indeed other government
departments such as the Ministry of Defence have little confidence,
as its basis for policy-making.
39. Improving the way in which e-crime is reported
and recorded is key to improving Parliament's and the public's
understanding of it. It is important that policy makers have an
up to date and accurate estimate of the threats from e-crime.
We therefore recommend that the Government publicly distances
itself from the £27bn estimate of the annual cost of e-crime
to the UK economy.
40. We recommend that the Government commission
a working group of experts, drawing on existing good practice
already developed by academia and industry, to produce annual
figures which show the incidence of e-crime and any observable
trends. This group should include representatives from the cyber
security industry and independent experts to ensure the figures
are robust.
Trends in e-crime
41. The UK's crime statistics demonstrate that the
incidence of e-crime is high and increasing. Surveys, such as
the British Crime Survey, demonstrate that individual cyber crime
victimization is significantly higher than for 'conventional'
crime forms. Victimization rates for online credit card fraud,
identity theft, responding to a phishing[42]
attempt, and experiencing unauthorized access to an email
account, vary between 1 and 17 per cent of the online population
for 21 countries across the world, compared with typical burglary,
robbery and car theft rates of under 5 per cent for these same
countries.[43] We note
that many victims of e-crime will not be aware that they are victims.
42. The British Retail Consortium (BRC) is the lead
trade association for the retail sector representing the whole
range of retailers, from small independent stores through to the
large multinational companies such as Tesco and Marks and Spencer.
The BRC's Retail Crime Survey for 2011-2012 found that the total
cost of e-crime to the retail sector was £205.4 million in
2011-12. The diagram below shows that this cost is made up from
direct losses, spending on security and lost revenue.
43. Evidence from RSA and Symantec also attests to
an increase in the threat from e-crime. RSA's Anti Fraud Command
Centre (AFCC) combines counter-intelligence, threat monitoring,
and threat analysis capabilities to neutralise attempts by cyber
criminals to steal money and information. In the first seven years
of its operation, the AFCC shut down more than 500,000 cyber attacks.
The first six months of 2012 saw an increase in attacks, with the
AFCC shutting down 150,000 attacks, at a rate of 1,000 attacks
per day. In June and July 2012 RSA dealt with 250,000 attacks,
on average about one per minute. Based on this experience RSA
has told us that "the cyber threat is increasingly significant
and it is now crucial for all sectors to recognise the dangers
involved and respond".[44]
44. Symantec reported similar experiences. It told
us it undertakes an annual global study of e-crime threats and
trends in e-crime. Based on the data used for its 2011 report
it told us that in 2011 Symantec blocked more than 5.5 billion
malicious attacks, an increase of more than 81% from the previous
year. Symantec's report identified the following trends:
- The number of unique malware identified by
Symantec increased by 41% on the previous year;
- The number of web attacks blocked per day increased
by 36% on the previous year;
- Increasingly high volumes of malware[45]
attacks, along with an increase in sophisticated
targeted attacks, where the user may not know they are being attacked
because the attacker is able to slip under the radar and
evade detection;
- A rise in advanced persistent threats and attacks
on the infrastructure of the internet itself;
- An increase in the number of data breaches
of individuals and business information with more than 232.4 million
identities worldwide exposed overall during 2011; and
- A reduction in the overall level of spam (a
popular vehicle for conducting cyber crime) from 85.5% of all
email in 2010 to 75.1% in 2011. Symantec says this reduction is
largely seen as being due to law enforcement action which shut
down Rustock, a massive worldwide botnet,[46]
responsible for sending out large amounts
of spam.
45. The latest Norton Cybercrime Report, published
in September 2012 with findings based on a survey of more than
13,000 adults across 24 countries, reported that there were an
estimated 556 million victims of cyber crime each year. This is
more than the entire population of the European Union. In the
UK, Norton estimated that more than 12.5 million people had fallen
victim to cybercrime within the past twelve months. The cost of
these cyber crimes to the UK was a massive £1.8 billion, with
an average cost of £144 per cybercrime victim; bearing in
mind how many people are not aware of the crimes, this is probably
an underestimate.[47]
[26] Cabinet Office, A Strong Britain in an Age of Uncertainty: The National Security Strategy, CM 7953, November 2010, p. 27
[27] Ev 61, para 16
[28] Q 224
[29] Ev 87, para 14
[30] Ev 61, para 16
[31] Q 121
[32] Q 121
[33] Q 121
[34] Ev 21
[35] Detica, The Cost of Cyber Crime to the UK, 2011, p. 5
[36] Ev 102 [Peter Sommer]
[37] Ibid.
[38] Ev 76 [Foundation for Information Policy Research]
[39] Ev 101
[40] Q 120
[41] Ross Anderson and Foundation for Information Policy Research, Measuring the Cost of Cybercrime
[42] See glossary
[43] UNODC Comprehensive Study on Cybercrime
[44] Ev 88, para 17
[45] Malware is malicious computer code that can be classified into four main threat types: viruses, backdoors, worms and Trojans.
[46] See glossary
[47] Norton Cybercrime Report, September 2012