“Passive defence is not enough. If we’re going to have a really lasting impact on this issue then we need to make it much harder—and the consequences much more severe—for cyber criminals to exploit the vulnerabilities that will always be there.”
That was the overarching message from Jamie Saunders, director of the National Cyber Crime Unit, speaking at a recent roundtable debate convened by Prospect in partnership with ThreatMetrix.
Titled “Cybercrime: how should we respond to digital threats?” the debate brought together the UK’s leading cyber specialists to discuss threats, risks, management and response.
The nature of the digital threat has changed dramatically in the last decade. Where it was once limited to the four walls of a company office, it now spans a network that includes customers and suppliers. And where once adversaries were ad-hoc and opportunistic, they are now—to quote Cybersecurity and Privacy Hot Topics 2015, a report by PwC—“organised, funded and targeted.”
To put some numbers on this, research by the Office of National Statistics suggests that 4 per cent of the population, around 2.5m people, are subjected to a cybercrime incident each year. These range from the “pretty serious” to the “pretty trivial” but, noted Saunders, “all are distressing to the individual concerned.” There are an estimated 150 serious incidents each year, such as the recent attacks on TalkTalk, JD Wetherspoon and Carphone Warehouse.
“And then on top of that you’ve got the elite cyber criminals. Most are based overseas—Russia, Eastern Europe—and they’re behind probably the highest impact crimes in terms of actual loss,” said Saunders. “There are probably fewer than one hundred operating at that kind of level. But they are very difficult to identify and even if you do identify them, it’s not easy to disrupt them because they are working out of jurisdictions that maybe aren’t as capable or that we don’t have as deep relationships with.”
The increasing threat volume, in part, reflects growing opportunity. The barrier to entry into criminality is getting lower. “The level of technical skills required is coming down all the time,” said Mike Hulett, head of operations at the National Crime Agency. “You can sit in your bedroom and buy your DDoS—it’s relatively cheap and anonymous.” Typically these tools are available not just on the dark web but on the public web too, as is a secondary market for stolen credentials: means and monetisation both in one place.
DDoS stands for distributed denial of service attack and has been seen conventionally as a means of short-term disruption rather than a cause of long-term harm. However, in another indication of how the nature of cybercrime is changing, DDoS is now often used to mask other, more malicious activities. “DDoS is a diversionary tactic—hammer at the front door, nip in the backdoor,” explained Charlie McMurdie, senior cybercrime advisor at PwC.
Another characteristic of today’s cybercrime is the insider threat: the harm caused by employees, which can often be a result of ignorance and occasionally due to malicious intent. According to one 2015 survey, 73 per cent of breaches were attributed to internal sources in the last 12 months. For Christophe Braun, chief information security officer at UBS Investment Bank, “unauthorised activity of an authorised user is the new frontier,” while for Ben Lindgreen, head of security delivery at Payments UK, the rules and policies many organisations put in place are often a “detriment to getting their job done. So employees bypass it with a USB stick. They have no intention of doing anything malicious but they have malware on their home machine.”
Lindgreen’s example illustrates the view shared by a number of roundtable attendees that cybersecurity is not a technology problem but a people and process problem. Technology vulnerabilities are usually down to process failures such as poor patching and design. And if it is about people and processes then cybersecurity is a leadership and management issue where better governance becomes the cornerstone of threat response.
Vocalink, the payments system company, offers one vivid example of this. It has developed a series of Top Trump-style cards that each feature a potential threat actor, his or her motivations and behaviours and recommended measures to counter the dangers. It’s about bringing the threats to life, said Chris Dunne, director of market development and industry relations at Vocalink. “People don’t see a poster after the first day because it becomes wallpaper.”
Despite the focus on people and processes, IT still matters, insisted UBS’s Christophe Braun. “A lot of firms have a collection of legacy systems, a result of acquisitions and mergers. The complexity of the technology process is immense. To be able to see the activities is hugely complicated, which drives the lead time between the infection and detection.”
Meanwhile, technology plays a role in allowing for the analysis of a growing amount of data collected around user behaviour, potentially illicit activity and breaches. ThreatMetrix is one company that offers these kinds of services. “Some attacks are very simplistic, easy to detect with standard levels of technology,” said VP of products Stephen Topliss. “For example, if I see a single device that is accessing multiple accounts in a short period of time to get money out, it’s a pretty good indicator and pretty quick to react against.”
Other anomalies in behaviour, said Topliss, are less easy to categorise. He recommends a shared intelligence approach. “The more that you collaborate data both across industry but also within a single enterprise across business units, the better.”
Data sharing is not without its complications, however. First, there are concerns that the act of sharing information with law enforcement agencies and others might breach data protection legislation. Jamie Saunders said he was sympathetic to that view but pointed to Section 7 of the Crime and Courts Act that makes allowances for distribution in certain circumstances.
Second, there is often reluctance among victims to report cybercrime for a variety of reasons, said Charlie McMurdie. “Sometimes it’s not a priority for that company, they don’t want the reputational damage or they don’t want the hassle of going to law enforcement.” Mark Camillo, head of cyber at AIG, added: “If somebody takes something from my car, [the police] are not going to blame me for that but if a company is hacked then typically it’s their fault in some way—they should have had better security, for example… The risk versus reward is going to be skewed.”
McMurdie said the answer lay in creating standards that a company would need to meet in order to be properly insured against cybercrime. “If my house gets broken into and I haven’t got the right bolts and locks on the doors my insurance doesn’t pay out,” she said by way of comparison. Camillo noted that retailers demonstrating the use of end-to-end encryption to secure point-of-sale terminals were typically enjoying lower insurance premiums.
Another means of ensuring that companies prioritise security is deterrent. The EU Data Protection Regulations, due to be implemented in the next two years, come with the power to fine organisations up to 4 per cent of global annual turnover in the event of a breach. That is enough to focus minds and, said McMurdie, a lot of companies have already put measures in place ahead of implementation.
An effective response to cybercrime, said Jamie Saunders, needed to feature active collaboration between law enforcement and industry. He cited the example of Microsoft’s help to take down the Ramnit botnet last February, an attack that had affected 3.2m computers. “Most botnet takedowns have been in concert with security companies, major IT companies and ISPs,” said Saunders. “We can’t do it alone.”
As a final piece of advice Charlie McMurdie, who led the cybercrime policing response for the 2012 London Olympics, said it was important to be prepared. “There’s one thing about cyber crime, it’s going to happen if it hasn’t already happened. So try and be as prepared as possible. Think about it as much as possible: test it, exercise it, rehearse and practice that response from board level down.”
Saunders, meanwhile, made the following plea: “Please make it harder for the cyber criminals by doing cyber hygiene properly—that’s the single most important thing. The second most important thing is that if you’ve been subject to a crime, please report that crime. If crime isn’t reported it’s very hard for us to take action and go against the perpetrator.”
The cybercrime roundtable, in association with ThreatMetrix, took place at Prospect’s London offices on 21 March 2016.