Escaping the “black hole”: how to measure cybercrime

How big a threat is cybercrime to UK industry, and how do we deal with it?

The vast majority of parliamentary committee reports do not prompt headlines containing phrases like “losing the war”, “falling into a black hole”, and “a bigger threat than nuclear attack”. Last week’s Home Affairs Select Committee report on e-crime was a notable exception. For those who make a living fighting cyber-crime, however, the report held very little that would shock. Indeed, my colleague Art Coviello spoke at length to the Committee, and whilst he agreed with their assessment that we weren't winning the battle, he had considerable praise for the way both British business and government were coming together around the challenge.

Now the dust has settled somewhat, it’s worth separating reality from hyperbole, and perhaps considering what might actually be done about the problem. To do so, we should begin on a positive note. The headlines came about because the UK features so high on the list of targets for cyber criminals but, in some ways, this is as reassuring as it is a point of concern. The reason we're such a persistent target of attack is that we have so much worth stealing – financial assets, intellectual property and the type of vibrant dynamic business that generates both. We shouldn’t worry if criminals wish to steal from us, but we must work to limit their chances of success. So, what can we do to thwart the criminals? And how well are we doing currently?

The second question is easy to answer, and the answer is: not too badly. We may not be winning the war, but we’re not losing either – the "black hole" of the report is really a sort of jurisdictive black hole, and it’s unlikely to swallow the nation’s finances any time soon. That’s not, however, to deny the scale of the problem, and the question of how we solve it is undeniably complicated. The issue is a truly global one, and criminals have more weapons at their disposal than ever before.

Cyber-security professionals refer to the "attack surface" to describe how cyber-criminals access their victims and, in the space of the last ten years, this has changed beyond all recognition. When the internet was primarily a means of accessing information, the avenues through which cyber criminals could reach their victims were limited, and so was the extent of their potential gains. Now, with almost any product or service available online, with a plethora of different social networks, and with smartphones and many different devices connected to the internet, there are few limits to the means criminals can employ to steal from organisations and individuals.

No individual or organisation can hope to stand alone against this threat. Companies that wish to defend themselves have little alternative but to collaborate on their response to cyber-crime. The criminals themselves see the value of such a strategy, and their information-sharing networks are extraordinarily effective. At our subsidiary RSA, we maintain cyber-security watch posts around the world, and from these we see criminals exchanging data on the vulnerabilities that allow them to steal money and intellectual property from organisations and individuals.

This is a sophisticated and agile underground economy which feeds parasitically on legitimate commerce, and which lawful businesses cannot hope to curb without concerted action. However, even recent discourse on the issue has not sufficiently stressed the importance of collaboration. For example, the CBI’s otherwise very sensible response to the Committee’s report struck a false note in its suggestion we should be "fighting crime in private". That would be a lonely and unsuccessful fight, and it’s crucial that British businesses are aware of how numerous, how skilled, and how efficiently collaborative cyber-criminals are. No organisation could hope to combat them alone.

However, with a coherent framework for sharing information on cyber threats, businesses are well-placed to beat them. Many business leaders may shy away from the idea of engaging with their competitors and peers in industry, but strong precedents have already been set in sectors at high risk of cybercrime. Financial services is one of these and, while companies in the industry are more protective of proprietary information than those in almost any other, the scale of the threat is such that a formal means of sharing intelligence is a necessity. In financial services, the eFraudNetwork cybercrime watch service allows companies worldwide to securely share information about cyber-crime, so that once one attempted theft is thwarted, the perpetrators cannot simply move on to try the same methods at another organisation.

Such a network is very effective in curbing fraud and theft, and the good news is that this kind of information sharing is not complex or expensive, and need not negatively impact on the competitive advantages or information privacy of the organisations involved. It is a model that could easily be replicated in other industries. Much work is already being done to achieve this; indeed, RSA will shortly release a cyber-threat intelligence model, which will propose a global industry standard framework for business-to-business information sharing. Last week’s Committee report implied that a political intervention is possible so, however it chooses to do so, the business community should act while it is still able to shape a response according to its own priorities. After all, if there’s one thing that we know about cyber criminals, it’s that they never stop working to improve the methods they use. As the lawless learn to attack more effectively, so the lawful must learn to defend better – and no one organisation can succeed in doing this alone.

James Petter is vice president and managing director of EMC UK&I


Find the EU renegotiation demands dull? Me too – but they are important

It's an old trick: smother anything in enough jargon and you can avoid being held accountable for it.

I don’t know about you, but I found the details of Britain’s European Union renegotiation demands quite hard to read. Literally. My eye kept gliding past them, in an endless quest for something more interesting in the paragraph ahead. It was as if the word “subsidiarity” had been smeared in grease. I haven’t felt tedium quite like this since I read The Lord of the Rings and found I slid straight past anything written in italics, reasoning that it was probably another interminable Elvish poem. (“The wind was in his flowing hair/The foam about him shone;/Afar they saw him strong and fair/Go riding like a swan.”)

Anyone who writes about politics encounters this; I call it Subclause Syndrome. Smother anything in enough jargon, whirr enough footnotes into the air, and you have a very effective shield for protecting yourself from accountability – better even than gutting the Freedom of Information laws, although the government seems quite keen on that, too. No wonder so much of our political conversation ends up being about personality: if we can’t hope to master all the technicalities, the next best thing is to trust the person to whom we have delegated that job.

Anyway, after 15 cups of coffee, three ice-bucket challenges and a bottle of poppers I borrowed from a Tory MP, I finally made it through. I didn’t feel much more enlightened, though, because there were notable omissions – no mention, thankfully, of rolling back employment protections – and elsewhere there was a touching faith in the power of adding “language” to official documents.

One thing did stand out, however. For months, we have been told that it is a terrible problem that migrants from Europe are sending child benefit to their families back home. In future, the amount that can be claimed will start at zero and it will reach full whack only after four years of working in Britain. Even better, to reduce the alleged “pull factor” of our generous in-work benefits regime, the child benefit rate will be paid on a ratio calculated according to average wages in the home country.

What a waste of time. At the moment, only £30m in child benefit is sent out of the country each year: quite a large sum if you’re doing a whip round for a retirement gift for a colleague, but basically a rounding error in the Department for Work and Pensions budget.

Only 20,000 workers, and 34,000 children, are involved. And yet, apparently, this makes it worth introducing 28 different rates of child benefit to be administered by the DWP. We are given to understand that Iain Duncan Smith thinks this is barmy – and this is a man optimistic enough about his department’s computer systems to predict in 2013 that 4.46 million people would be claiming Universal Credit by now*.

David Cameron’s renegotiation package was comprised exclusively of what Doctor Who fans call handwavium – a magic substance with no obvious physical attributes, which nonetheless helpfully advances the plot. In this case, the renegotiation covers up the fact that the Prime Minister always wanted to argue to stay in Europe, but needed a handy fig leaf to do so.

Brace yourself for a sentence you might not read again in the New Statesman, but this makes me feel sorry for Chris Grayling. He and other Outers in the cabinet have to wait at least two weeks for Cameron to get the demands signed off; all the while, Cameron can subtly make the case for staying in Europe, while they are bound to keep quiet because of collective responsibility.

When that stricture lifts, the high-ranking Eurosceptics will at last be free to make the case they have been sitting on for years. I have three strong beliefs about what will happen next. First, that everyone confidently predicting a paralysing civil war in the Tory ranks is doing so more in hope than expectation. Some on the left feel that if Labour is going to be divided over Trident, it is only fair that the Tories be split down the middle, too. They forget that power, and patronage, are strong solvents: there has already been much muttering about low-level blackmail from the high command, with MPs warned about the dire influence of disloyalty on their career prospects.

Second, the Europe campaign will feature large doses of both sides solemnly advising the other that they need to make “a positive case”. This will be roundly ignored. The Remain team will run a fear campaign based on job losses, access to the single market and “losing our seat at the table”; Leave will run a fear campaign based on the steady advance of whatever collective noun for migrants sounds just the right side of racist. (Current favourite: “hordes”.)

Third, the number of Britons making a decision based on a complete understanding of the renegotiation, and the future terms of our membership, will be vanishingly small. It is simply impossible to read about subsidiarity for more than an hour without lapsing into a coma.

Yet, funnily enough, this isn’t necessarily a bad thing. Just as the absurd complexity of policy frees us to talk instead about character, so the onset of Subclause Syndrome in the EU debate will allow us to ask ourselves a more profound, defining question: what kind of country do we want Britain to be? Polling suggests that very few of us see ourselves as “European” rather than Scottish, or British, but are we a country that feels open and looks outwards, or one that thinks this is the best it’s going to get, and we need to protect what we have? That’s more vital than any subclause.

* For those of you keeping score at home, Universal Credit is now allegedly going to be implemented by 2021. Incidentally, George Osborne has recently discovered that it’s a great source of handwavium; tax credit cuts have been postponed because UC will render such huge savings that they aren’t needed.

Helen Lewis is deputy editor of the New Statesman. She has presented BBC Radio 4’s Week in Westminster and is a regular panellist on BBC1’s Sunday Politics.

This article first appeared in the 11 February 2016 issue of the New Statesman, The legacy of Europe's worst battle