E-crime - Home Affairs Committee


2  The Cyber Security Strategy

THE CURRENT STRATEGY

26. The threat to national security from cyber attacks is real and growing. In October 2010, the National Security Strategy identified the cyber threat to the UK, which includes cyber crime, as a Tier One threat: that is to say, a threat of the highest priority for UK national security, taking account of both the likelihood of cyber attacks and the impact they could have. This is a higher threat category than the threat of nuclear attack, but it has received less attention and expenditure. The assessment placed hostile attacks upon UK cyber space by other states, and large scale cyber crime, alongside such major threats as international terrorism and international military crisis.[26]

27. Terrorists, rogue states and cyber criminals are among those targeting computer systems in the UK. The Coalition Government's approach to tackling e-crime has been focused on the revised Cyber Security Strategy released in November 2011, which set out how the UK will support economic prosperity, protect national security and safeguard the public's way of life by "building a more trusted and resilient digital environment".[27] The Cyber Security Strategy is an integral part of the National Cyber Security Programme (NCSP) launched in 2010.

28. The NCSP includes:

i.  Creating a new cyber crime capability as part of the National Crime Agency

ii.  Mainstreaming cyber training throughout the police

iii.  Encouraging the use of 'cyber specials' by police forces

iv.  Promoting international cooperation and shared understanding of cyber crime

v.  Creating a single reporting system for individuals and small businesses to report cyber crime

vi.  Ensuring existing legislation is fit for purpose and used to optimum effect

vii.  Taking action to tackle hate crime on the internet

viii.  Reviewing existing legislation to ensure it remains relevant and effective

ix.  Encouraging the courts to use existing powers to impose appropriate sanctions for online offences.

29. Dr Ian Brown, Associate Director of Oxford University's Cyber Security Centre and Senior Research Fellow at the Oxford Internet Institute, told us that winning the war on cyber crime required a broad spectrum response from a number of areas of government. He believed that the Government was working along "the right lines in developing law enforcement". Other witnesses stressed the importance of Government efforts to persuade other countries to take similar action.[28]

30. However, RSA, an American computer and network security company, told us that its experience of dealing with both the public and private sectors suggested that, whilst recent policy initiatives such as last year's National Cyber Security Strategy have advanced the Government's understanding of the cyber threat and how best to respond to it, the private sector remained ahead in understanding the scale and maturity of that threat and in implementing appropriate measures to deliver greater security.[29] We note the increasing threat posed by state industrial espionage, and by international e-crime committed for political purposes, such as the purported attacks on the Guardian from Syria and attacks from China on the US media. The Government must not underestimate the danger such attacks pose to our infrastructure, and must take firm action to press offending countries to cease their activities, using international forums to raise these issues.

31. We recommend the establishment of a dedicated espionage response team that British companies, media, and institutions can immediately contact to report an attack and who can also provide training in order to counter attacks.

Measuring e-crime

WHY DOES IT MATTER?

32. The Government has committed £650 million to the NCSP to improve the nation's cyber capabilities in order to help protect "the UK's national security, its citizens and our growing economy in cyber space".[30] As the Government strives to reduce overall expenditure, it is of note that this significant resource is being directed against online threats. Witnesses told us that this funding has gone primarily to the intelligence agencies.

33. It is difficult for us to test, in a public forum and without compromising their effectiveness, policy-makers' and enforcement agencies' understanding of the level of threat posed by cyber criminals or of where those threats arise. Our witnesses however suggested that, while the potential threat to national security from cyber attack is reasonably well understood, there is a very poor grasp of the persistently high threat of large volume, low level crime online.

34. Whilst the security services receive the lion's share of NCSP funding, some witnesses have argued that the funding would be better used "locking up more villains".[31] Professor Ross Anderson told us that the NCSP's budget should go to law enforcement and "less of it into the intelligence sphere", as the threat is primarily from a small number of prolific criminal gangs.[32] He explained that the Government had made a "very welcome increase of £640 million in the cyber security budget two years ago, but 59% of it went to GCHQ and only a few million to the police."[33]

CONCERN OVER UK GOVERNMENT MEASUREMENTS

35. The Government's accepted measure of the cost of e-crime to the UK economy is the one produced by the Cabinet Office in conjunction with Detica. A number of our witnesses expressed scepticism regarding this cost estimate of £27bn. Professor Ross Anderson told us that the Detica report had met with 'widespread scorn'.[34]
Title: The Cost of Cyber Crime

Author: Detica / Cabinet Office

Date: 2011

Methodology:

-  Developed a causal model relating cyber crime types to their impact on the economy

-  Assessed cost in terms of impact on citizens, business and government

-  No detailed workings or assumptions listed, only that cyber crime types were mapped to a 'number of broad categories of economic impact which are generally consistent with the types of parameters used in macro-economic models of the UK'[35]

-  Magnitude calculated using a three-point estimate (best, most likely and worst case scenarios)

Main conclusions and recommendations:

-  Cost of cyber crime to the UK estimated to be £27bn: £3.1bn to citizens, £2.2bn to government and £21bn to business

-  Cost of cyber crime is 'significant and growing'

-  Business suffers the highest costs as a result of IP theft and industrial espionage

-  Cyber crime reporting is inhibited by fear of reputational damage, the lack of a clear reporting mechanism and the perception that nothing can be done even if crimes are reported

-  Government should start an online forum for UK business to give authoritative and interactive advice on best practice in protection from cyber crime. A central online reporting mechanism could also be located here.

Critical response:

-  The report has been heavily criticised for not listing the assumptions or definitions used in the modelling more clearly. For example, how is the 'most likely' scenario defined, and on what evidential basis has it been termed the 'most likely'?

-  The methodology used appears to have given rise to some potentially anomalous findings. For example, the cost of IP theft to the not-for-profit sector is listed as £800m but as only £400m to the Aerospace and Defence sector.

-  Critics have pointed out that industrial espionage is not a criminal offence in the UK.[36]

-  The report omits malware and online child pornography from its estimate.[37]

-  Some witnesses believe the report is indicative of a poor understanding of the scale of e-crime. They see policy as being driven by GCHQ and major cyber security suppliers to increase spend in this area.[38]

36. Professor Peter Sommer told us that the report on the cost of cyber crime produced by Detica lacked credibility, as it excluded "any reference to children, any reference to the effects of malware, but included industrial espionage, which happens not to be a crime in this country". He was also concerned about how precise industry-by-industry figures for the losses incurred as a result of industrial espionage had been generated.[39]

37. Following the controversy prompted by the findings in the Cabinet Office/Detica report, Sir Mark Welland, the Chief Scientific Adviser at the Ministry of Defence, commissioned further analysis to "unbundle things into direct and indirect costs".[40] Professor Ross Anderson told us that this research resulted in figures which commanded more credibility among independent experts and within the security and IT communities.[41] Nevertheless it appears that the Home Office at least still relies on the Cabinet Office/Detica figures.

38. We understand that any measure of crime will always be subject to challenge and e-crime even more so. However we are puzzled that the Government continues to use highly controversial figures, in which independent experts or indeed other government departments such as the Ministry of Defence have little confidence, as its basis for policy-making.

39. Improving the way in which e-crime is reported and recorded is key to improving Parliament's and the public's understanding of it. It is important that policy makers have an up to date and accurate estimate of the threats from e-crime. We therefore recommend that the Government publicly distances itself from the £27bn estimate of the annual cost of e-crime to the UK economy.

40. We recommend that the Government commission a working group of experts, drawing on existing good practice already developed by academia and industry, to produce annual figures which show the incidence of e-crime and any observable trends. This group should include representatives from the cyber security industry and independent experts to ensure the figures are robust.

Trends in e-crime

41. The UK's crime statistics demonstrate that the incidence of e-crime is high and increasing. Surveys, such as the British Crime Survey, demonstrate that individual cyber crime victimization is significantly higher than for 'conventional' crime forms. Victimization rates for online credit card fraud, identity theft, responding to a phishing[42] attempt, and experiencing unauthorized access to an email account, vary between 1 and 17 per cent of the online population for 21 countries across the world, compared with typical burglary, robbery and car theft rates of under 5 per cent for these same countries.[43] We note that many victims of e-crime will not be aware that they are victims.

42. The British Retail Consortium (BRC) is the lead trade association for the retail sector, representing the whole range of retailers from small independent stores through to large multinational companies such as Tesco and Marks and Spencer. The BRC's Retail Crime Survey for 2011-12 found that the total cost of e-crime to the retail sector was £205.4 million in 2011-12. The diagram below shows that this cost is made up of direct losses, spending on security and lost revenue.

43. Evidence from RSA and Symantec also attests to an increase in the threat from e-crime. RSA's Anti-Fraud Command Centre (AFCC) combines counter-intelligence, threat monitoring and threat analysis capabilities to neutralise attempts by cyber criminals to steal money and information. In the first seven years of its operation, the AFCC shut down more than 500,000 cyber attacks. The first six months of 2012 saw an increase in attacks, with the AFCC shutting down 150,000 attacks, at a rate of around 1,000 attacks per day. In June and July 2012 RSA dealt with 250,000 attacks, on average about one per minute. Based on this experience RSA told us that "the cyber threat is increasingly significant and it is now crucial for all sectors to recognise the dangers involved and respond".[44]

44. Symantec reported similar experiences. It told us that it undertakes an annual global study of e-crime threats and trends. Based on the data used for its 2011 report, it told us that in 2011 Symantec blocked more than 5.5 billion malicious attacks, an increase of more than 81% on the previous year. Symantec's report identified the following trends:

-  The number of unique malware variants identified by Symantec increased by 41% on the previous year;

-  The number of web attacks blocked per day increased by 36% on the previous year;

-  Increasingly high volumes of malware[45] attacks, along with an increase in sophisticated targeted attacks, where the user may not know they are being attacked because the attacker is able to slip under the radar and evade detection;

-  A rise in advanced persistent threats and attacks on the infrastructure of the internet itself;

-  An increase in the number of data breaches exposing individuals' and business information, with more than 232.4 million identities worldwide exposed during 2011; and

-  A reduction in the overall level of spam (a popular vehicle for conducting cyber crime) from 85.5% of all email in 2010 to 75.1% in 2011. Symantec says this reduction is largely seen as being due to law enforcement action which shut down Rustock, a massive worldwide botnet,[46] responsible for sending out large amounts of spam.

45. The latest Norton Cybercrime Report, published in September 2012 with findings based on a survey of more than 13,000 adults across 24 countries, reported that there were an estimated 556 million victims of cyber crime each year. This is more than the entire population of the European Union. In the UK, Norton estimated that more than 12.5 million people had fallen victim to cybercrime within the past twelve months. The cost of these cyber crimes to the UK was a massive £1.8 billion, an average cost of £144 per cybercrime victim; bearing in mind how many people are not aware of the crimes committed against them, this is probably an underestimate.[47]


26   Cabinet Office, A Strong Britain in an Age of Uncertainty: The National Security Strategy, Cm 7953, November 2010, p. 27

27   Ev 61, para 16

28   Q 224

29   Ev 87, para 14

30   Ev 61, para 16

31   Q 121

32   Q 121

33   Q 121

34   Ev 21

35   Detica, The Cost of Cyber Crime to the UK, 2011, p. 5

36   Ev 102 [Peter Sommer]

37   Ibid.

38   Ev 76 [Foundation for Information Policy Research]

39   Ev 101

40   Q 120

41   Ross Anderson and Foundation for Information Policy Research, Measuring the Cost of Cybercrime

42   See glossary

43   UNODC Comprehensive Study on Cybercrime

44   Ev 88, para 17

45   Malware is malicious computer code that can be classified into four main threat types: viruses, backdoors, worms and Trojans.

46   See glossary

47   Norton Cybercrime Report, September 2012


© Parliamentary copyright 2013
Prepared 30 July 2013