Home Affairs Committee
Written evidence submitted by the Foundation for Information Policy Research [EC 06]
The Foundation for Information Policy Research (FIPR) is an independent body that studies the interaction between information technology and society. Its goal is to identify technical developments with significant social impact, commission and undertake research into public policy alternatives, and promote public understanding and dialogue between technologists and policy-makers in the UK and Europe.
Last year, the Cabinet Office put its imprimatur on a marketing brochure from Detica claiming that the UK was losing £27 billion a year to cyber-crime. This was greeted with widespread ridicule, whereupon Sir Mark Welland, then Chief Scientific Advisor at the Ministry of Defence, asked us whether we could come up with more defensible numbers. The result was “Measuring the Cost of Cybercrime”, a major study of what’s known and what’s not known about cyber-crime, in the UK and internationally. This was published in June at the Workshop on the Economics of Information Security, the leading peer-reviewed academic conference in the field. The authors included two members of FIPR’s advisory council (Ross Anderson and Richard Clayton) plus industry experts and academics from the UK, the USA, Germany and the Netherlands.
We urge the Committee to read our report, which we include here by reference. Its main points are summarised below.
1. The Committee first wants to know “what e-crime is understood to be and how this affects crime recording”. The EU issued a Communication in 2007 whose definition extended from traditional forms of crime such as fraud and forgery committed over electronic networks, to crimes unique to electronic networks such as denial-of-service attacks. Our report teased this out into three categories. The first, the traditional frauds now conducted electronically, includes tax fraud and welfare fraud as its biggest components by value. The actual crimes here are mostly unchanged from a generation ago, having to do with misrepresentation of circumstances rather than any technical wizardry. The second, which we called “transitional cybercrime”, consists of crimes such as card fraud which existed already but where the modus operandi has changed almost completely. The third, the “pure” cyber-crimes which did not exist before the Internet, range from stranded-traveller and fake escrow scams to extortion via fake antivirus software.
2. The UK government takes a different view. VAT fraud is not seen as cyber-crime despite the fact that all VAT returns are now filed electronically. Most seriously, it has been policy since 2005 to tell fraud victims to report the fraud to their banks first. This had the advantage, from the viewpoint of the Home Office, of making fraud almost disappear as a recorded offence. Yet according to the British Crime Survey UK households are more than twice as likely to be victims of fraud as of “traditional” acquisitive crimes such as burglary and car theft; and according to Eurostat’s 2010 survey, the UK ranks second behind Latvia for fraudulent payment card use and for losses caused by phishing/pharming.
3. The Committee’s second question is “the extent and nature of the threats on which e-crime policy is based and how well they are understood by policy makers”. In our experience, policymakers have a very poor understanding of cyber-crime; it is truly disturbing that the Cabinet Office was willing to co-brand the Detica brochure. Policy appears to be driven by scaremongering from GCHQ and the major suppliers who want the Government to spend ever more money on cyber-war preparations and on surveillance. As for the reality of the threats, we refer the Committee once more to our report.
4. The Committee’s third topic is “the effectiveness of current law enforcement and legislative capabilities, including local and regional capabilities and the potential impacts of proposed organisational change”. As our report makes clear, most of the global law-enforcement response to cybercrime is in the USA, and the rest of the world tends to free ride. The reasons are easy enough to understand and follow directly from cyber-crime’s global nature. Suppose a bad man in St Petersburg sends out a million phishing emails; as London is 1% of the Internet, the Commissioner of the Met will see 10,000 of them in his manor. He will be tempted to say “The FBI will have seen 200,000 of these; let them deal with it.” This classic public goods problem has made it very difficult to sustain cyber-crime enforcement activities in the UK (and in most other countries). Things are made more complex in Britain by the capture of some crime-fighting resources by particular interests; for example, the banks pay most of the budget of the Dedicated Cheque and Plastic Crime Unit, which is unsurprisingly perceived to be reluctant to investigate insider frauds seriously.
5. The Committee then asks “whether there are any gaps in the response to e-crime and, if so, how they should be addressed”. The top priority should be arresting cyber-criminals and putting them in jail. A lot of economic damage is done by a small number of gangs, yet many police forces throw up their hands and assume it’s all too difficult. Government has from time to time advocated that users take more care, or that people buy more anti-virus software. Yet these measures are ineffective, inefficient or both (see 7 below). A small additional effort in enforcement could yield much bigger returns. The Government should have given more of the cyber-security budget to the police, and less to GCHQ.
6. The Committee wants “options for addressing key emerging issues that will affect the public such as liability over personal computer security, personal data held by social networking sites and its vulnerability to criminal use”. When bad things happen to citizens online, the material harm that results usually amounts to disputed transactions on the citizen’s bank or credit-card account. The biggest failing in the UK, of those which could be tackled by legislative means, is in bank regulation: specifically poor consumer protection, the incompetence and indifference of the FSA, and the fact that the Financial Ombudsman Service is not up to dealing with the consequences of online and electronic fraud. The problem is not, as is sometimes said, a matter of the burden of proof. British banks found that they could get away with dumping much of the liability for fraud on the customer, by asserting in disputes that their system provided evidence that carried the day on the balance of probabilities. That assertion is routinely accepted by the Ombudsman, and cannot easily be challenged by the customer for want of access to the banks’ systems for expert examination. The few customers with the stomach and resources to make a fight of it in the courts have often found that the bank folds, in order to avoid a precedent, but this has not helped the others. The banks’ greed was exacerbated by ministers’ decision to have people report fraud to the banks rather than the police, in order to minimise the fraud statistics. What Parliament might usefully do here is to hold hearings into the failures of the FSA and the Ombudsman. This could document the problems: citizens have suffered, and the UK has failed to meet its international obligations, in that the Payment Services Directive has not been adequately implemented.
7. The Committee finally asks about “the effectiveness of current initiatives to promote awareness of using the internet safely and the implications of people’s online behaviours for related public policy”. A number of ministers have in the past claimed that Internet security could be promoted by raising public awareness. This view is also echoed by banks and software vendors—anyone who seeks to externalise liability for poorly designed systems. However the experience of system engineers is that poor design cannot be fixed by “blame and train”, as the strategy is known. This strategy does not even work in environments such as aviation, where the users (pilots) are subject to mandatory and regular retraining and recertification; it is accepted that when safety hazards arise from poor cockpit design, the vendors must change the design rather than blaming pilots for the resulting accidents. It is even less likely to work in the world of consumer electronics and online services, where vendors no longer ship manuals with their products; users are expected to learn to use them through exploration. And while knowledgeable users might mitigate risks, vendors and system operators usually push the wrong way. For example, a good rule for naïve Internet users would be “if you get to a website by clicking on a link, don’t even think of entering a bank password there. If you want to do bank transactions, always go to your bank using a browser bookmark or by typing in the URL directly.” Yet bank marketing departments deluge customers with marketing emails which entreat them to click on links. Against this marketing barrage, government PR can achieve nothing. Legislators should merely ensure that if banks’ poorly-designed systems and risk-encouraging marketing programmes lead to customers losing money to phishing attacks, then the customers must be made good.
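The rule in paragraph 7 can be made concrete with a small check over the links in a marketing email. This is an added illustration by the editor and is not part of the FIPR submission: the bank domain, the email body and every other hostname are constructed for the example, and the public-suffix table is a toy stand-in for the real Public Suffix List.

```python
"""Audit the links in an HTML email against a bank's own registrable domain.

Added example (not from the FIPR submission). It shows why "never enter a bank
password on a page you reached by clicking" is sound advice: even a genuine
marketing email routes customers through hosts that are indistinguishable,
from the user's point of view, from phishing destinations.
"""
import re
from urllib.parse import urlparse

# Assumed canonical domain of the bank (hypothetical name).
BANK_DOMAIN = "examplebank.co.uk"

# Toy stand-in for the Public Suffix List; real code would load the full list.
PUBLIC_SUFFIXES = {"uk", "co.uk", "org.uk", "com", "net", "org", "info"}

# Constructed sample marketing email; all hostnames are made up.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, see what is new this month:</p>
<a href="https://www.examplebank.co.uk/offers">Our offers</a>
<a href="https://track.mailer-example.com/c?id=123">Log in now</a>
<a href="https://www.examplebank.co.uk.secure-login-example.net/">www.examplebank.co.uk</a>
<a href="https://www.examplebank.co.uk@evil-example.net/login">Update your details</a>
<a href="http://www.examplebank.co.uk/">Visit us</a>
</body></html>"""

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host: str) -> str:
    """Return the registrable part ("eTLD+1") of a hostname.

    'www.examplebank.co.uk'           -> 'examplebank.co.uk'
    'examplebank.co.uk.evil.net'      -> 'evil.net'
    Longer suffixes are tried first, so 'co.uk' wins over 'uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host.lower()


def classify_link(url: str, bank_domain: str = BANK_DOMAIN) -> str:
    """Classify a link destination relative to the bank's own domain.

    Returns 'bank' for a plain HTTPS link whose registrable domain is the
    bank's; otherwise a short reason why credentials must not be typed there.
    """
    p = urlparse(url)
    if p.scheme.lower() != "https":
        return "not-https"
    if p.username is not None or p.password is not None:
        # https://www.examplebank.co.uk@evil-example.net/ really goes to evil-example.net
        return "userinfo-in-url"
    host = p.hostname or ""
    if registrable_domain(host) != bank_domain:
        # Covers tracking redirectors and subdomain look-alikes alike.
        return "off-domain:" + host
    return "bank"


def audit_email(html: str, bank_domain: str = BANK_DOMAIN):
    """Return (href, visible text, verdict) for every anchor in an HTML email."""
    results = []
    for href, text in HREF_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        results.append((href, text, classify_link(href, bank_domain)))
    return results


if __name__ == "__main__":
    for href, text, verdict in audit_email(SAMPLE_EMAIL):
        print(f"{verdict:55} {text!r:30} {href}")
```

Only the first link in the constructed email passes. The second is the ordinary case the paragraph complains about: a legitimate bank mailing that sends the customer through a third-party tracking host, which a user cannot tell apart from the look-alike subdomain, the userinfo trick or the plain-HTTP link that follow. The user-side rule (bookmark or typed URL) is therefore simpler than any check the user could be trained to perform on the link itself.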
Ross Anderson FRS FREng
Professor of Security Engineering, Cambridge University
Chair, Foundation for Information Policy Research