Escaping the “black hole”: how to measure cybercrime

How big a threat is cybercrime to UK industry, and how do we deal with it?

The vast majority of parliamentary committee reports do not prompt headlines containing phrases like “losing the war”, “falling into a black hole”, and “a bigger threat than nuclear attack”. Last week’s Home Affairs Select Committee report on e-crime was a notable exception. For those who make a living fighting cyber-crime, however, the report held very little that would shock. Indeed, my colleague Art Coviello spoke at length to the Committee, and whilst he agreed with their assessment that we weren't winning the battle, he had considerable praise for the way both British business and government were coming together around the challenge.

Now the dust has settled somewhat, it’s worth separating reality from hyperbole, and perhaps considering what might actually be done about the problem. To do so, we should begin on a positive note. The headlines came about because the UK features so high on the list of targets for cyber criminals but, in some ways, this is as reassuring as it is a point of concern. The reason we're such a persistent target of attack is because we have so much worth stealing – financial assets, intellectual property and the type of vibrant dynamic business that generates both. We shouldn’t worry if criminals wish to steal from us, but we must work to limit their chances of success. So, what can we do to thwart the criminals? And how well are we doing currently?

The second question is easy to answer, and the answer is: not too badly. We may not be winning the war, but we’re not losing either – the "black hole" of the report is really a sort of jurisdictive black hole, and it’s unlikely to swallow the nation’s finances any time soon. That’s not, however, to deny the scale of the problem, and the question of how we solve it is undeniably complicated. The issue is a truly global one, and criminals have more weapons at their disposal than ever before.

Cyber-security professionals refer to the "attack surface" to describe how cyber-criminals access their victims and, in the space of the last ten years, this has changed beyond all recognition. When the internet was primarily a means of accessing information, the avenues through which cyber criminals could reach their victims were limited, and so was the extent of their potential gains. Now, with almost any product or service available online, with a plethora of different social networks, and with smartphones and many different devices connected to the internet, there are few limits to the means criminals can employ to steal from organisations and individuals.

No individual or organisation can hope to stand alone against this threat. Companies that wish to defend themselves have little alternative but to collaborate on their response to cyber-crime. The criminals themselves see the value of such a strategy, and their information-sharing networks are extraordinarily effective. At our subsidiary RSA, we maintain cyber-security watch posts around the world, and from these we see criminals exchanging data on the vulnerabilities that allow them to steal money and intellectual property from organisations and individuals.

This is a sophisticated and agile underground economy which feeds parasitically on legitimate commerce, and which lawful businesses cannot hope to curb without concerted action. However, even recent discourse on the issue has not sufficiently stressed the importance of collaboration. For example, the CBI’s otherwise very sensible response to the Committee’s report struck a false note in its suggestion we should be "fighting crime in private". That would be a lonely and unsuccessful fight, and it’s crucial that British businesses are aware of how numerous, how skilled, and how efficiently collaborative cyber-criminals are. No organisation could hope to combat them alone.

However, with a coherent framework for businesses to share information on cyber threats, businesses are well-placed to beat the cyber threat. Many business leaders may shy away from the idea of engaging with their competitors and peers in industry, but strong precedents have already been set in sectors at high risk of cybercrime. Financial services is one of these and, while companies in the industry are more protective of proprietary information than those in almost any other, the scale of the threat is such that a formal means of sharing intelligence is a necessity. In financial services, the eFraudNetwork cybercrime watch service allows companies worldwide to securely share information about cyber-crime, so that once one attempted theft is thwarted, the perpetrators cannot simply move on to try the same methods at another organisation.

Such a network is very effective in curbing fraud and theft, and the good news is that this kind of information sharing is not complex or expensive, and need not negatively impact on the competitive advantages or information privacy of the organisations involved. It is a model that could easily be replicated in other industries. Much work is already being done to achieve this; indeed, RSA will shortly release a cyber-threat intelligence model, which will propose a global industry standard framework for business-to-business information sharing. Last week’s Committee report implied that a political intervention is possible so, however it chooses to do so, the business community should act while it is still able to shape a response according to its own priorities. After all, if there’s one thing that we know about cyber criminals, it’s that they never stop working to improve the methods they use. As the lawless learn to attack more effectively, so the lawful must learn to defend better – and no one organisation can succeed in doing this alone.

James Petter is vice president and managing director of EMC UK&I

Photograph: Getty Images

James Petter is vice president and managing director of  internet services company EMC UK&I.

Photo: Getty
Show Hide image

Like it or hate it, it doesn't matter: Brexit is happening, and we've got to make a success of it

It's time to stop complaining and start campaigning, says Stella Creasy.

A shortage of Marmite, arguments over exporting jam and angry Belgians. And that’s just this month.  As the Canadian trade deal stalls, and the government decides which cottage industry its will pick next as saviour for the nation, the British people are still no clearer getting an answer to what Brexit actually means. And they are also no clearer as to how they can have a say in how that question is answered.

To date there have been three stages to Brexit. The first was ideological: an ever-rising euroscepticism, rooted in a feeling that the costs the compromises working with others require were not comparable to the benefits. It oozed out, almost unnoticed, from its dormant home deep in the Labour left and the Tory right, stoked by Ukip to devastating effect.

The second stage was the campaign of that referendum itself: a focus on immigration over-riding a wider debate about free trade, and underpinned by the tempting and vague claim that, in an unstable, unfair world, control could be taken back. With any deal dependent on the agreement of twenty eight other countries, it has already proved a hollow victory.

For the last few months, these consequences of these two stages have dominated discussion, generating heat, but not light about what happens next. Neither has anything helped to bring back together those who feel their lives are increasingly at the mercy of a political and economic elite and those who fear Britain is retreating from being a world leader to a back water.

Little wonder the analogy most commonly and easily reached for by commentators has been that of a divorce. They speculate our coming separation from our EU partners is going to be messy, combative and rancorous. Trash talk from some - including those in charge of negotiating -  further feeds this perception. That’s why it is time for all sides to push onto Brexit part three: the practical stage. How and when is it actually going to happen?

A more constructive framework to use than marriage is one of a changing business, rather than a changing relationship. Whatever the solid economic benefits of EU membership, the British people decided the social and democratic costs had become too great. So now we must adapt.

Brexit should be as much about innovating in what we make and create as it is about seeking to renew our trading deals with the world. New products must be sought alongside new markets. This doesn’t have to mean cutting corners or cutting jobs, but it does mean being prepared to learn new skills and invest in helping those in industries that are struggling to make this leap to move on. The UK has an incredible and varied set of services and products to offer the world, but will need to focus on what we do well and uniquely here to thrive. This is easier said than done, but can also offer hope. Specialising and skilling up also means we can resist those who want us to jettison hard-won environmental and social protections as an alternative. 

Most accept such a transition will take time. But what is contested is that it will require openness. However, handing the public a done deal - however well mediated - will do little to address the division within our country. Ensuring the best deal in a way that can garner the public support it needs to work requires strong feedback channels. That is why transparency about the government's plans for Brexit is so important. Of course, a balance needs to be struck with the need to protect negotiating positions, but scrutiny by parliament- and by extension the public- will be vital. With so many differing factors at stake and choices to be made, MPs have to be able and willing to bring their constituents into the discussion not just about what Brexit actually entails, but also what kind of country Britain will be during and after the result - and their role in making it happen. 

Those who want to claim the engagement of parliament and the public undermines the referendum result are still in stages one and two of this debate, looking for someone to blame for past injustices, not building a better future for all. Our Marmite may be safe for the moment, but Brexit can’t remain a love it or hate it phenomenon. It’s time for everyone to get practical.