Home Affairs Committee

Written evidence submitted by Engineering the Future [EC 05]

This is an Engineering the Future response to the Home Affairs Select Committee call for evidence on E-Crime.

This response has been developed by:

BCS, The Chartered Institute for IT.

The Institution of Engineering and Technology.

The response is supported by:

The Engineering Council.

The Institution of Mechanical Engineers.

The Royal Academy of Engineering.

Please note that a glossary of terms that are used in this response is provided at the end of the submission.

1. What e-crime is understood to be and how this affects crime recording

“E-crime” (and its near-synonym “cyber-crime”) is an ambiguous term that is used to mean, variously, either crimes whose nature intrinsically requires the involvement of one or more computers (these offences fall within the remit of the Computer Misuse Act) or what might be termed “traditional” crimes, such as fraud or extortion, where the use of a computer is a subsidiary element. Crimes such as “phishing”, where an email is used to obtain private information for fraudulent purposes, possibly in concert with a fraudulent website, are recent variants on a technique known in the security community as “social engineering” and among journalists as “blagging”.

For this reason, any reported statistics that purport to state the extent of, growth in, or damage caused by cyber crime or e-crime, should be regarded with considerable caution unless they are accompanied by full definitions of these terms, a breakdown of the incidents that fall into each sub-category and full details of how any losses have been calculated. It would be absurd, for example, to count every illegally downloaded music track as a lost sale at the retail price, just as it would be absurd to assume that everyone who buys a fake Rolex watch at a car boot sale was, in fact, intending to buy the real thing.

It is noticeable that the highest estimates of the prevalence of cyber crime or cyber attacks come from organisations whose business depends on the sales of technical countermeasures or whose budgets could be seen to depend on the degree of alarm about cyber security within government. So far as we are aware, there are no independently verified statistics about the extent of any individual categories of cyber crime.

It is likely that a great deal of e-crime goes unreported and unrecorded. Most internet users will receive several phishing emails, malicious attachments or attempted money-laundering or advance-fee-fraud approaches each week. In practice, most of these will be deleted. While there is a facility for recipients to forward such email to phishing@cityoflondon.police.uk with all the headers intact, it is unclear whether they are recorded or are followed up.

While the police are the natural first line responders for any crime, few of the UK’s 52 geographical police forces have the expertise and the resources to deal with large scale e-crime, especially on a national or international scale. While there are specialist units, the UK does not have a single authority for the reporting and investigation of e-crime. The present system appears to lack the coordination and process to reassure the citizen and deal with an industrial scale threat. Victims and suspected victims of e-crime would benefit from a greater awareness, more transparency and a single point of contact when seeking advice and incident reporting.

2. The extent and nature of the threats on which e-crime policy is based and how well they are understood by policy makers

The Cabinet Office has stated that government and the citizen are affected by rising levels of e-crime, at an estimated cost of £2.2 billion and £3.1 billion respectively. However it acknowledges that business bears the lion’s share of the cost of e-crime, at a total estimated cost of £21 billion.[1] These figures should be treated with caution for the reasons given earlier. It is clear, however, that e-crime is a significant threat to UK citizens and businesses.

The rapid growth of eCommerce increases our dependency on the availability and integrity of the internet and our computer and communications infrastructure. While the extent of that dependency is easy to understand in terms of the potential impact of the denial or corruption of those services, it is more difficult to comprehend the true extent and nature of the threat. The source of the threat is extensive, ranging from the substantial resources of a nation state to the ingenuity of an inspired individual or the copycat behaviour of “script kiddies” (see the Glossary of Terms and Acronyms at the end of this submission). The nature of the threat varies with the business and the technology employed. However, in the modern industrial-size processing environments on which our economy depends, the integrity and availability of information will remain our principal vulnerability and the focus of any attack, while the vulnerabilities in systems controlling industrial plant and national infrastructure should not be overlooked.

Some threats have been researched, clearly defined and are understood by policy makers: for example online child exploitation, covered by the Child Exploitation and Online Protection Centre (CEOP), and online phishing, identity theft and crimes involving financial fraud, covered by the Serious Organised Crime Agency (SOCA). However other areas, such as online bullying, defamation and invasion of privacy, particularly where social media are employed, are not so well defined or understood by policy makers.

The UK is experiencing a period of rapid social, economic, technical and political change which has engendered a more challenging and permissive environment. New technology enables a raft of traditional non-violent crimes to be committed in new ways, across borders and at scale previously unimagined. Policy makers must remain vigilant and maintain a far greater awareness of the potential and the vulnerability of our information society to malicious attack.

3. The effectiveness of current law enforcement and legislative capabilities, including local and regional capabilities and the potential impacts of proposed organisational change

Law enforcement in the UK struggles to address the magnitude of the task of combating e-crime. While there are some notable successes in combating serious online crime, anti-terrorism and espionage, the vast bulk of e-crime inevitably goes undetected or unreported and therefore unresolved. Policing is nearly non-existent at the more mundane levels at which most citizens experience e-crime. This is very serious since it creates an impression that the police do not care about e-crime as it affects the ordinary citizen, particularly where the local response is close to non-existent or patchy at best. E-crime is now much more frequent than physical crime but is largely unrecorded and unresolved.

There is growing action to increase the percentage of police officers who have been trained to handle the burgeoning amount of digital evidence that is relevant to solving and successfully prosecuting all kinds of crime and this will increase the potential resources that could be used to address the more serious forms of e-crime. Resources will always be limited and the potential task faced by the police is huge. A single seizure following a referral by CEOP may contain hundreds of hard disks containing hundreds or thousands of gigabytes of data, dozens of mobile phones and other digital devices. These will need to be properly recorded, managed and controlled to preserve the evidence chain, and forensically examined as a matter of urgency as a child’s life may be at risk. Yet each phone examined and each email chain may lead to one or more addresses across the country that must be searched and where similar scale seizures may be required. Resources are soon stretched beyond breaking point.

Recent legislation has promised much but delivered little to aid the combating of e-crime. The Digital Economy Act 2012 has been widely perceived as supporting intellectual property interests and placing the onus of policing on the ISP, while potentially stifling creativity and offering little in the way of protection to the citizen with few barriers to those who wish to avoid the additional restrictions. In effect, the planned legislation has been designed to address the perceived terrorist and organised conventional crime threat, rather than addressing the wider e-crime threat which in an international context may not be within its powers. The election of Police and Crime Commissioners may affect the priority that local Chief Constables give to e-crime but will not increase the available resources. The Strategic Policing power that the Director General of the new National Crime Agency (NCA) will have is a further factor that will influence prioritisation by Chief Constables. The cyber resources of the NCA will be limited and will probably be directed against the highest priority targets.

While the devolved administrations of Scotland[2] and Wales[3] have introduced schemes to better coordinate the fight against e-crime, little progress has been made on a UK scale. Proposed organisational change appears to offer little in the short term to combat the rapid growth in e-crime and provide greater clarity and reassurance to the citizen.

4. Whether there are any gaps in the response to e-crime and, if so, how they should be addressed

The UK response to e-crime presently lacks the clarity and co-ordination seen elsewhere in the world.[4] There needs to be greater clarity about the types of e-crime, with a clear definition and understanding of what is criminal, what is civil and where responsibility lies between business and law enforcement. There needs to be a simple, well-coordinated process for reporting e-crime with clear lines of responsibility for recording, investigating and, where necessary, apprehending and prosecuting offenders. We need to move away from any presumption that the banks’ technology is secure and that customers who report fraudulent activity on their accounts are at fault or lying: there have been too many examples of weaknesses in banks’ security for it to be reasonable for the burden of proof to lie with the customer.

There are major problems in investigating crimes and pursuing criminals where the offence originates overseas. The UK does not have the same power to require foreign telecommunication service providers to provide communications and user data that can be required from UK-based companies. Attempts to negotiate bilateral agreements could easily founder because of understandable reluctance to open UK companies’ and citizens’ private data to scrutiny by agencies in countries that may have national interests that are not wholly aligned with the UK’s. Our growing dependency on technology and the magnitude of the threat demands a balance of legislative framework and administrative structures that protect the citizen while supporting e-business and innovation; promoting the UK as a safe well regulated environment in which business can thrive. To achieve this will require a more collaborative approach between the public and private sector in addressing the threat and the acquisition and development of new capabilities and skills by our regulators and law enforcement professionals.

5. Options for addressing key emerging issues that will affect the public such as liability over personal computer security, personal data held by social networking sites and its vulnerability to criminal use

The massive and growing volumes of personal data held by social networking sites already expose individual users to significant risk. This data can be employed for a wide range of criminal purposes including identity theft, extortion, stalking, and defamation. Our society has embraced a more open and transparent attitude to free expression and personal information. While embracing this culture, individuals need to be aware of the risks they expose themselves to and the level of personal accountability and liability they must accept. They also need to understand the precautions they need to take to minimise their personal exposure to malicious attack. At the same time, all large databases of personal information need to be designed and managed in a way appropriate to the risk to citizens if the data is misused. In general, this should mean that such databases conform to GCHQ guidance for databases handling secret data and, where they do not, the data controller should carry liability for any misuse of the data.

In attempting to address this issue any legislative framework must be perceived as fair, setting the right balance between protecting an individual’s right to privacy and protecting society from irresponsible behaviour. The frequently employed analogy is that of the Highway Code, where a set of laws and best practices have been applied for the common good to protect the users of our roads and the individual must operate within those rules or face legal or commercial penalties. Perhaps we need to capitalise on aspects of this analogy in mounting a national education campaign to improve awareness of our vulnerability to e-crime and correctly assign accountability for protecting our personal data.

Nevertheless, it is essential to recognise the software vulnerabilities that expose computer users to risk, through the propagation of viruses and worms. The capability of seemingly benign attachments, such as pdf files or jpeg pictures, to execute malicious code, or of website attacks such as SQL injection to succeed, all result from wholly avoidable mistakes by the developers of the faulty software. It is misguided and ineffective to try to change the natural way in which millions of computer users use their computers without creating sufficient incentive for software manufacturers to create products that do not expose their customers to such serious risks. We would like to see a timetable announced for introducing a Europe-wide measure of liability on manufacturers and importers of faulty software for the damage that these avoidable defects cause. This would build on the precedent set by the Consumer Protection Directive and similar UK legislation and should similarly allow a state-of-the-art defence.

6. The effectiveness of current initiatives to promote awareness of using the internet safely and the implications of people’s online behaviours for related public policy

Current national initiatives appear to have been largely ineffective. The “Get safe online”[5] joint initiative between the government, law enforcement and leading businesses provides free, independent, user-friendly advice to users that allows them to use the internet confidently, safely and securely. While an excellent concept which was well implemented, it has not been widely promoted and there is little evidence that it has achieved significant engagement with the citizen or commerce. In any case, the guidance cannot address the real sources of vulnerability, as explained above.

BCS has produced the “Personal Data Guardianship Code” and “Top Tips for Security” to better protect personal data and improve computer and internet security. Whilst these have been deployed by a growing number of public and private sector organisations, the impact on the bulk of online users has been minimal.

To enable any new initiatives to succeed requires a co-ordinated, comprehensive, continuing education and change programme aimed at changing people’s online behaviours by increasing awareness and creating a safety-conscious online society. As we said earlier, however, the main source of risk is not, as widely claimed, unsafe behaviour by computer users but, rather, the design flaws and programming errors that make normal, reasonable behaviour unsafe.

Glossary of Terms and Acronyms

pdf—Portable Document Format—A standard for storing documents electronically in a form that is readable on most computer platforms using freely available reader software. File names often end with a “pdf” file extension.

jpeg—Joint Photographic Expert Group—A file format commonly used to electronically store graphical/photographic images. File names often end with a “jpg” file extension.

SQL injection—SQL is the Structured Query Language, a common database language used to extract or display information held within a database. The “injection” element refers to a process whereby SQL commands can be inserted within user input strings, such as usernames, addresses or passwords, to exploit system weaknesses that in turn may allow access to the database or operating system in a way that effectively bypasses system security checks and safeguards.
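The following is an added illustration of the glossary entry and of the “wholly avoidable mistakes by the developers” point in section 5; it is not part of the original submission. It uses Python’s standard sqlite3 module with a constructed in-memory table, and contrasts a login query built by string formatting (where user input becomes part of the SQL text) with the same query using parameter placeholders (where the driver passes the input as data that is never parsed as SQL). The table contents and the crafted input are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table for the demonstration (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Defect: the query text is assembled from user input, so quotes and
    # keywords in the input are interpreted as SQL rather than as data.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return sorted(row[0] for row in conn.execute(query))


def login_parameterised(conn, username, password):
    # Fix: placeholders. The SQL text is fixed; the values are bound
    # separately by the driver and compared literally.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


# Constructed input string containing a quote and an always-true clause.
CRAFTED = "' OR '1'='1"


def demo():
    """Run both query styles against honest and crafted input."""
    conn = make_db()
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "correct-horse"),
        "honest_param": login_parameterised(conn, "alice", "correct-horse"),
        "wrong_password_param": login_parameterised(conn, "alice", "nope"),
        # The formatted query now reads ... username = '' OR '1'='1' ...
        # and matches every row, bypassing the password check entirely.
        "crafted_vulnerable": login_vulnerable(conn, CRAFTED, CRAFTED),
        # The bound query looks for a user literally named "' OR '1'='1".
        "crafted_param": login_parameterised(conn, CRAFTED, CRAFTED),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:22s} -> {result}")
```

Both functions behave identically on honest input; only the crafted input separates them, which is why this class of defect survives ordinary functional testing and why the submission treats it as a developer mistake rather than a user-behaviour problem. Code review or static analysis that flags any SQL text built with string formatting, and a policy of placeholders or prepared statements throughout, removes the defect at source.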

Script kiddies—Usually younger or immature users who can nonetheless be dangerous exploiters of security vulnerabilities in communications systems such as the Internet or the computer-based systems attached to it. A typical script kiddy uses existing and frequently well-known, easy-to-find techniques, programs or scripts to search for and exploit these vulnerabilities. Such attacks are often carried out at random, with little regard for, or perhaps even understanding of, the potentially harmful consequences of such actions.

August 2012

[1] www.cabinetoffice.gov.uk/resource-library/cost-of-cyber-crime

[2] www.ecrimescotland.org.uk

[3] www.ecrimewales.com

[4] www.coe.int/t/dghl/cooperation/economiccrime/cybercrime/documents/countryprofiles/default_en.asp

[5] www.getsafeonline.org/

Prepared 29th July 2013