Escaping the “black hole”: how to measure cybercrime

How big a threat is cybercrime to UK industry, and how do we deal with it?

The vast majority of parliamentary committee reports do not prompt headlines containing phrases like “losing the war”, “falling into a black hole”, and “a bigger threat than nuclear attack”. Last week’s Home Affairs Select Committee report on e-crime was a notable exception. For those who make a living fighting cyber-crime, however, the report held very little that would shock. Indeed, my colleague Art Coviello spoke at length to the Committee, and whilst he agreed with their assessment that we weren't winning the battle, he had considerable praise for the way both British business and government were coming together around the challenge.

Now the dust has settled somewhat, it’s worth separating reality from hyperbole, and perhaps considering what might actually be done about the problem. To do so, we should begin on a positive note. The headlines came about because the UK features so high on the list of targets for cyber criminals but, in some ways, this is as reassuring as it is a point of concern. The reason we're such a persistent target of attack is because we have so much worth stealing – financial assets, intellectual property and the type of vibrant dynamic business that generates both. We shouldn’t worry if criminals wish to steal from us, but we must work to limit their chances of success. So, what can we do to thwart the criminals? And how well are we doing currently?

The second question is easy to answer, and the answer is: not too badly. We may not be winning the war, but we’re not losing either – the "black hole" of the report is really a sort of jurisdictive black hole, and it’s unlikely to swallow the nation’s finances any time soon. That’s not, however, to deny the scale of the problem, and the question of how we solve it is undeniably complicated. The issue is a truly global one, and criminals have more weapons at their disposal than ever before.

Cyber-security professionals refer to the "attack surface" to describe how cyber-criminals access their victims and, in the space of the last ten years, this has changed beyond all recognition. When the internet was primarily a means of accessing information, the avenues through which cyber criminals could reach their victims were limited, and so was the extent of their potential gains. Now, with almost any product or service available online, with a plethora of different social networks, and with smartphones and many different devices connected to the internet, there are few limits to the means criminals can employ to steal from organisations and individuals.

No individual or organisation can hope to stand alone against this threat. Companies that wish to defend themselves have little alternative but to collaborate on their response to cyber-crime. The criminals themselves see the value of such a strategy, and their information-sharing networks are extraordinarily effective. At our subsidiary RSA, we maintain cyber-security watch posts around the world, and from these we see criminals exchanging data on the vulnerabilities that allow them to steal money and intellectual property from organisations and individuals.

This is a sophisticated and agile underground economy which feeds parasitically on legitimate commerce, and which lawful businesses cannot hope to curb without concerted action. However, even recent discourse on the issue has not sufficiently stressed the importance of collaboration. For example, the CBI’s otherwise very sensible response to the Committee’s report struck a false note in its suggestion we should be "fighting crime in private". That would be a lonely and unsuccessful fight, and it’s crucial that British businesses are aware of how numerous, how skilled, and how efficiently collaborative cyber-criminals are. No organisation could hope to combat them alone.

However, with a coherent framework for businesses to share information on cyber threats, businesses are well-placed to beat the cyber threat. Many business leaders may shy away from the idea of engaging with their competitors and peers in industry, but strong precedents have already been set in sectors at high risk of cybercrime. Financial services is one of these and, while companies in the industry are more protective of proprietary information than those in almost any other, the scale of the threat is such that a formal means of sharing intelligence is a necessity. In financial services, the eFraudNetwork cybercrime watch service allows companies worldwide to securely share information about cyber-crime, so that once one attempted theft is thwarted, the perpetrators cannot simply move on to try the same methods at another organisation.

Such a network is very effective in curbing fraud and theft, and the good news is that this kind of information sharing is not complex or expensive, and need not negatively impact on the competitive advantages or information privacy of the organisations involved. It is a model that could easily be replicated in other industries. Much work is already being done to achieve this; indeed, RSA will shortly release a cyber-threat intelligence model, which will propose a global industry standard framework for business-to-business information sharing. Last week’s Committee report implied that a political intervention is possible so, however it chooses to do so, the business community should act while it is still able to shape a response according to its own priorities. After all, if there’s one thing that we know about cyber criminals, it’s that they never stop working to improve the methods they use. As the lawless learn to attack more effectively, so the lawful must learn to defend better – and no one organisation can succeed in doing this alone.

James Petter is vice president and managing director of EMC UK&I

Photograph: Getty Images

James Petter is vice president and managing director of  internet services company EMC UK&I.

Getty
Show Hide image

The Women's March against Trump matters – but only if we keep fighting

We won’t win the battle for progressive ideas if we don’t battle in the first place.

Arron Banks, UKIP-funder, Brexit cheerleader and Gibraltar-based insurance salesman, took time out from Trump's inauguration to tweet me about my role in tomorrow's Women’s March Conservative values are in the ascendancy worldwide. Thankfully your values are finished. . . good”.

Just what about the idea of women and men marching for human rights causes such ill will? The sense it is somehow cheeky to say we will champion equality whoever is in office in America or around the world. After all, if progressives like me have lost the battle of ideas, what difference does it make whether we are marching, holding meetings or just moaning on the internet?

The only anti-democratic perspective is to argue that when someone has lost the argument they have to stop making one. When political parties lose elections they reflect, they listen, they learn but if they stand for something, they don’t disband. The same is true, now, for the broader context. We should not dismiss the necessity to learn, to listen, to reflect on the rise of Trump – or indeed reflect on the rise of the right in the UK  but reject the idea that we have to take a vow of silence if we want to win power again.

To march is not to ignore the challenges progressives face. It is to start to ask what are we prepared to do about it.

Historically, conservatives have had no such qualms about regrouping and remaining steadfast in the confidence they have something worth saying. In contrast, the left has always been good at absolving itself of the need to renew.

We spend our time seeking the perfect candidates, the perfect policy, the perfect campaign, as a precondition for action. It justifies doing nothing except sitting on the sidelines bemoaning the state of society.

We also seem to think that changing the world should be easier than reality suggests. The backlash we are now seeing against progressive policies was inevitable once we appeared to take these gains for granted and became arrogant and exclusive about the inevitability of our worldview. Our values demand the rebalancing of power, whether economic, social or cultural, and that means challenging those who currently have it. We may believe that a more equal world is one in which more will thrive, but that doesn’t mean those with entrenched privilege will give up their favoured status without a fight or that the public should express perpetual gratitude for our efforts via the ballot box either.  

Amongst the conferences, tweets and general rumblings there seem three schools of thought about what to do next. The first is Marxist  as in Groucho revisionism: to rise again we must water down our principles to accommodate where we believe the centre ground of politics to now be. Tone down our ideals in the hope that by such acquiescence we can eventually win back public support for our brand – if not our purpose. The very essence of a hollow victory.

The second is to stick to our guns and stick our heads in the sand, believing that eventually, when World War Three breaks out, the public will come grovelling back to us. To luxuriate in an unwillingness to see we are losing not just elected offices but the fight for our shared future.

But what if there really was a third way? It's not going to be easy, and it requires more than a hashtag or funny t-shirt. It’s about picking ourselves up, dusting ourselves down and starting to renew our call to arms in a way that makes sense for the modern world.

For the avoidance of doubt, if we march tomorrow and then go home satisfied we have made our point then we may as well not have marched at all. But if we march and continue to organise out of the networks we make, well, then that’s worth a Saturday in the cold. After all, we won’t win the battle of ideas, if we don’t battle.

We do have to change the way we work. We do have to have the courage not to live in our echo chambers alone. To go with respect and humility to debate and discuss the future of our communities and of our country.

And we have to come together to show there is a willingness not to ask a few brave souls to do that on their own. Not just at election times, but every day and in every corner of Britain, no matter how difficult it may feel.

Saturday is one part of that process of finding others willing not just to walk a mile with a placard, but to put in the hard yards to win the argument again for progressive values and vision. Maybe no one will show up. Maybe not many will keep going. But whilst there are folk with faith in each other, and in that alternative future, they’ll find a friend in me ready to work with them and will them on  and then Mr Banks really should be worried.