Home Affairs Committee
Written evidence submitted by EMC and RSA [EC 08]
Introduction
1. EMC welcomes the opportunity to contribute to the Home Affairs Select Committee’s important and timely enquiry into e-crime. This response begins with an executive summary followed by a short introduction to EMC, its global reach, and its expertise and capabilities in cyber security, before addressing the committee’s specific questions.
Executive Summary
EMC is one of the world’s major IT infrastructure and services providers and has a significant presence in the cyber security market through its RSA division.
The cyber-crime threat is sophisticated, complex, and rapidly evolving. There is a thriving criminal ecosystem that mirrors the legitimate IT market where criminals can freely buy and sell malicious software and services. This rapidly maturing online black market has led to a tenfold reduction in the cost to access cyber crime tools and services and an increase in the volume and sophistication of attacks seen.
If the UK online environment is to remain safe for citizens, as well as the public and private sectors, there must be continued and increasing efforts to raise awareness of the extent and rapidly evolving nature of the e-crime threat, both in terms of the actors involved and the new threat vectors they are developing. Intelligence must also be shared and best practice spread in a two-way process involving both the public and private sector.
In this era of tight budgets and rapidly evolving threats, new regulations stipulating particular technologies or practices to address cyber threats are not necessarily required, or indeed appropriate. Instead a dynamic, outcome based and technology neutral approach should be encouraged, requiring sectors to collaborate and individual organisations to conduct risk assessments and put appropriate controls in place that are commensurate with the identified risk. In this way organisations will be able to develop and maintain more flexible security programmes, processes, and technologies that can evolve ahead of—or at least alongside—the threat landscape.
About EMC and its Security Division RSA
2. EMC was founded in 1979 and is today one of the world’s major IT companies. It has annual turnover of around $20 billion and employs over 54,000 people worldwide, including around 1,650 in the UK.
3. EMC is a global leader in enabling organisations in both the private and public sectors to transform their operations and deliver IT as a service. Fundamental to this transformation is cloud computing. Through innovative products and services, EMC accelerates the journey to cloud computing, helping organisations store, manage, protect and analyse one of their most valuable assets—information—in a more agile, trusted and cost-efficient way.
4. This journey to cloud computing supports improved information security because organisations are able to replace the disparate and piecemeal legacy IT systems that are so common today with centralised monitoring, management, compliance, and security solutions. In addition, security is being built into the information infrastructure that makes up the foundation for cloud computing including virtualisation and data storage platforms.
5. Another key priority for EMC is “big data” analytics, which refers to the ability to analyse and gain real-time insights from vast data sets of unprecedented scale and variety of format, gathered from many sources. EMC’s big data division Greenplum provides this capability to leading organisations including T-Mobile and Skype, enabling them to gain real-time insights into their business and provide a better service to their customers. EMC is increasingly applying its expertise in big data to information security, giving organisations real-time access to the whole body of information relevant to detecting security problems.
6. EMC’s security division, RSA, provides security, compliance and risk management solutions for organisations worldwide. RSA helps the world’s leading organisations succeed by solving their most complex and sensitive security challenges so they can safely benefit from the tremendous cost and productivity gains of digital technology and the internet.
7. RSA has been driving innovation in the information security industry for over 25 years. Today, RSA protects the identities of over 250 million people around the world, including, in the UK, the online banking customers of nine of the country’s top 10 retail banks, more than 800 public sector organisations, and 30 defence and aerospace companies. RSA’s technology can be found in BlackBerry devices and PlayStation games consoles, and RSA checks more than five billion URLs per day for malicious activity.
Response to Specific Questions
What e-crime is understood to be, and how this affects crime recording
8. To successfully defend against cyber security threats it is important to understand the actors involved better. The attackers can be categorised into three major classes of cyber adversaries: criminals, non-state actors, and nation states. Each has distinct motives and modus operandi but may, at times, collaborate if their goals align. For the purposes of the committee’s enquiry, this response focusses on the criminal element.
9. Whether loosely affiliated or tightly organised, cyber criminals are out to steal personal information for financial gain. This information can range from an individual’s credit card details and web or corporate logins, to an organisation’s highly confidential plans or data. Indeed the value of personal data to a cyber criminal is much higher than a credit card or bank account number alone. For example, the average selling price of a US credit card on the criminal black market is around $1.50. But when that card is sold with a full identity profile, the value can be up to ten times greater.
10. It is typical to see cyber criminals auctioning “on-demand” access to large numbers of infected computers under their control, and knowledge of “zero-day” exploits for previously unknown software vulnerabilities, on the black market to the highest bidder for use in automated cyber-attacks. Indeed criminal groups are able to purchase all manner of malicious software and services online, including “do-it-yourself” kits to create networks of compromised computers (“botnets”) that can then be used for the mass distribution of “malware” (malicious software), and “bulletproof hosting” environments, whose operators ignore abuse complaints and takedown requests, from which to undertake their activities. Today’s malware is incredibly sophisticated—capable of sitting undetected on a user’s machine and stealing personal and financial data, taking over accounts, and sending spam emails to proliferate and infect other users.
11. Unfortunately, as the criminal ecosystem matures, the cost of entry for cyber criminals to access these capabilities continues to fall. Research published by RSA in June 2012 found that the rapidly maturing online black market, which mimics functions seen in the legitimate IT supply chain including manufacturing, purchasing, outsourcing, partnerships, development, sales, distribution, performance optimisation, and customer support, has led to a tenfold reduction in the prices being charged for malicious software and services.1 In 2011, RSA found that roughly one in every 300 emails in circulation contained some element of “phishing”, whereby cyber criminals attempt to acquire sensitive information by posing as a legitimate entity, with 50% of these attacks focussed on financial institutions.2
12. Although the tools available to cyber criminals are becoming increasingly sophisticated, the preferred method by which they exploit these capabilities centres on people. Security professionals have long understood that IT users will click on links they should not and unwittingly install malware hidden behind simple ruses. Security professionals have traditionally deployed multiple layered controls, such as anti-virus software on the endpoint and firewalls and intrusion detection systems at the perimeter, to help deal with this threat. These controls may work well against generic attacks, but not against the most sophisticated malware or zero-day exploits. For example, the Zeus Trojan, the malware most widely used by criminals to target financial institutions, is detected less than 40% of the time by anti-virus software.
13. Similarly, attackers are increasingly gathering intelligence on their targets, sometimes months in advance of an attack, using social media and other means to understand which individuals possess the assets they want, and crucially how to tailor, or “socially engineer”, their attacks to increase their likelihood of success. Indeed cyber attackers prefer using social engineering in this way because in so doing they are able to evade traditional perimeter controls more easily.
The extent and nature of the threats on which e-crime policy is based and how well they are understood by policy makers
The effectiveness of current law enforcement and legislative capabilities, including local and regional capabilities and the potential impacts of proposed organisational change
14. The tripartite distinction in the cyber threat outlined above appears to be well understood by policy makers and is reflected in the UK National Cyber Security Strategy published in November 2011. However RSA’s experience of dealing with both the public and private sectors suggests that, while recent policy initiatives such as last year’s National Cyber Security Strategy have advanced government’s understanding of the cyber threat and how best to respond to it, the private sector remains ahead in understanding the threat’s scale and maturity, and in implementing appropriate measures to deliver advanced security.
15. Research published by RSA’s Anti Fraud Command Centre (AFCC) in July 2012 found that the global volume of phishing attacks seen in the first half of 2012 had increased by 19% compared with the second half of 2011, costing organisations an estimated $687 million in total losses. The UK was among the top 10 countries experiencing phishing attacks over this period.3
16. The AFCC, based in Herzliya, Israel, is one of the most advanced facilities in the world dedicated to fighting international cyber-crime. Established in 2005, the AFCC combines counter-intelligence, threat monitoring, and threat analysis capabilities to neutralise attempts by cyber criminals to steal money and information. Nearly 150 analysts work around the clock, 365 days a year, at the AFCC, protecting nearly 15,000 private and public sector customers in over 180 countries from cyber security threats, and are able to shut down attacks in an industry-record time of five hours.
17. In the first seven years of its operation, AFCC shut down more than 500,000 cyber attacks. But in the first six months of 2012, AFCC shut down an additional 150,000 attacks, at a rate of 1,000 attacks per day. Clearly, the cyber threat is increasing significantly and it is now crucial for all sectors to recognise the dangers involved and respond.
18. If the UK online environment is to remain safe for citizens as well as the public and private sectors, there must be continued and increasing efforts to raise awareness of the extent and rapidly evolving nature of the e-crime threat, both in terms of the actors involved and the new threat vectors they are developing, among senior and mid-level policy makers. Intelligence must also be shared and best practice spread in a two-way process involving both the public and private sector.
19. One successful example of this from the United States is the Financial Services Information Sharing and Analysis Centre (FS-ISAC), which was formed in 1999 and brings together the public and private sector to enhance cooperation and information sharing to combat cyber and physical threats. It is entirely funded by its membership of over 4,200 organisations which include commercial banks and credit unions of all sizes, brokerage firms, insurance companies, payments processors, and over 30 trade associations representing the majority of the US financial services sector, and works closely with relevant federal, state, and local agencies. It acts as a trusted third party, providing anonymity to allow members to submit threat, vulnerability and incident information in a non-attributable and trusted manner so that information that would normally not be shared, is able to be provided, thereby benefiting the whole of the sector.
20. In this era of tight budgets and rapidly evolving threats, new regulations stipulating particular technologies or practices to address cyber threats are not necessarily required, or indeed appropriate. Instead an outcome based, technology neutral approach should be encouraged, requiring sectors to collaborate and individual organisations to conduct risk assessments, and then put controls in place that are appropriate and commensurate with the identified risk.
21. It is necessary, however, for the government to start taking a more proactive approach to tackling e-crime, rather than the largely reactive structures currently in place. One notable exception is the highly successful Child Exploitation and Online Protection Centre which actively seeks to prevent the sexual abuse of children and catch those involved perpetrating these crimes. The government should consider expanding this pre-emptive policing framework to confront other forms of cyber crime head on.
22. The establishment of the National Crime Agency (NCA) next year provides an opportunity to put such pre-emptive structures in place. As the government prepares for its formation, it must ensure that the NCA’s remit, and its boundaries and inter-relationships with other agencies involved with e-crime, are well understood by all. Furthermore, it is imperative for the agencies currently involved in the response to e-crime to continue functioning at their optimum level throughout the transition process, to prevent criminals taking advantage of any potential lapses in effectiveness or increased vulnerability.
Whether there are any gaps in the response to e-crime and, if so, how they should be addressed
23. In light of the increasing volume of attacks and the rapid pace of change in the cyber threat, organisations should assume that they face persistent, dynamic, and intelligent threats and disruption. In these circumstances the security dogmas of the past, which rely on an uncoordinated line-up of static perimeter defences, can no longer be regarded as adequate. Indeed many of the security technologies in common use today across the public and private sectors, such as anti-virus software and firewalls, are no longer fit for purpose on their own and offer diminished value in today’s world of advanced threats.
24. Security must evolve to a new, more agile, risk-based, and contextual paradigm that takes advantage of the latest advances, such as cloud computing and big data analytics, and is able to meet the challenges posed by today’s dynamic threats. It must also cope with a “hyper-extended” world in which information is exchanged in more ways and in more places than ever before, and in which people use the same devices for their work and personal lives, enabled by technologies such as smartphones and tablets, cloud computing, and social networking.
25. By doing this, organisations will be able to develop and maintain more flexible security programmes, processes, and technologies that can evolve ahead of, or at least alongside, the threat landscape, rather than simply protecting themselves against “known bad” threats.
Options for addressing key emerging issues that will affect the public such as liability over personal computer security, personal data held by social networking sites and its vulnerability to criminal use
26. A key barrier hampering the response to e-crime is the fact that organisations that have been targeted by cyber criminals are often reluctant to admit this publicly. This is partly because many organisations fear that doing so will undermine their corporate reputation and the trust placed in them by their customers and stakeholders. Organisations also perceive that the Data Protection Act and other statutes hamper the sharing of effective, actionable intelligence with partners, which, as outlined above, can be one of the most effective means of combating cyber crime.
27. RSA recently gained first-hand experience of the importance of both these points, and in particular the importance of transparency and sharing information.
28. On 17 March 2011, RSA publicly disclosed that it had detected a targeted, socially engineered, cyber attack on the company’s systems and that certain information related to the RSA SecurID® product had been extracted. RSA immediately developed and published best practices and remediation steps, and proactively reached out to thousands of customers around the world across the public and private sectors to help them implement those steps. Furthermore, RSA worked with the appropriate government agencies and industry bodies in the United States, the United Kingdom and other territories to ensure broad communication of these best practices and remediation steps as well as information about the attack.
29. The attack on RSA has become a valuable lesson that has redoubled the company’s commitment to leading industry efforts to increase understanding of today’s advanced threats while also collaborating with a broader community of stakeholders to better prepare for and mitigate advanced cyber attacks.
30. To counter these challenges, RSA would urge policy makers to consider legislation providing a safe harbour or similar protections for organisations that voluntarily share sensitive threat information with the government and/or the extant industry information sharing and analysis infrastructure. Such an approach could help improve situational awareness and cyber readiness for many organisations while reducing serious concerns about legal risk. Policy makers should also consider the work being undertaken by the insurance industry to provide innovative means of addressing this issue.
31. In relation to the personal data held by social networking sites, as discussed above it is clear that the preferred method of exploitation for cyber attackers centres on people. With social engineering now the number one avenue of attack, the new security perimeter is in fact the human being.
32. In addition to reinforcing the need for better and increased efforts to share best practice and actionable intelligence on the latest threats and how they can be mitigated, this also demonstrates the need for a shift in corporate culture from the old IT security paradigms towards a more agile, risk-based, and contextual approach that is able to cope with the reality of today’s “hyper-extended” world described above.
The effectiveness of current initiatives to promote awareness of using the internet safely and the implications of peoples’ online behaviours for related public policy
33. EMC believes consumer education initiatives such as www.getsafeonline.org are crucial to combating e-crime by raising awareness and sharing the latest information on e-crime threat vectors, and how to combat them, as they evolve. EMC has been heavily involved in developing and driving similar initiatives in other countries, notably www.staysafeonline.org, the US equivalent of Get Safe Online, of which EMC was a founding member. The company’s global experience of such initiatives suggests their effectiveness is maximised when they are inclusive and involve the broadest possible range of public, private, and third sector partners. EMC would therefore encourage Get Safe Online to enable a broader range of stakeholders beyond the current list of established sponsors and partners to contribute to the initiative, including voluntary groups with established links into the youth sector such as The Prince’s Trust. Other private sector partners should also be encouraged to contribute via non-financial means such as by donating staff time and expertise.
34. Finally, the government should consider the tone and positioning of the messages communicated by such educational programmes. Ultimately, the aim should not be to frighten the public or make them think nothing can be done about the cyber threat, and thereby discourage them from enjoying the benefits of today’s digital world. Instead the goal should be to convey a simple and positive set of steps that both adults and children can follow to protect themselves, in the same way as was achieved by previous public information campaigns such as the “Green Cross Code” or “Clunk Click Every Trip” campaigns to promote road safety. The US Stop.Think.Connect campaign, of which RSA is a founding partner, is a good example of an attempt to educate the public on internet security with a clear and engaging set of messages.4
August 2012
1 Life in the FaaS (Fraud as a Service) Track, RSA, 12 June 2012, http://www.rsa.com/products/consumer/whitepapers/11794_120612_Life_in_The_FaaS_Track.pdf
2 Faces of Fraud 2012 Survey, Information Security Media Group, http://www.bankinfosecurity.com/p-survey-fraud-2012
3 RSA Monthly Fraud Report, July 2012, http://www.rsa.com/solutions/consumer_authentication/intelreport/11752_Online_Fraud_report_0712.pdf
4 http://www.staysafeonline.org/stop-think-connect/about