Escaping the “black hole”: how to measure cybercrime

How big a threat is cybercrime to UK industry, and how do we deal with it?

The vast majority of parliamentary committee reports do not prompt headlines containing phrases like “losing the war”, “falling into a black hole”, and “a bigger threat than nuclear attack”. Last week’s Home Affairs Select Committee report on e-crime was a notable exception. For those who make a living fighting cyber-crime, however, the report held very little that would shock. Indeed, my colleague Art Coviello spoke at length to the Committee, and whilst he agreed with their assessment that we weren't winning the battle, he had considerable praise for the way both British business and government were coming together around the challenge.

Now the dust has settled somewhat, it’s worth separating reality from hyperbole, and perhaps considering what might actually be done about the problem. To do so, we should begin on a positive note. The headlines came about because the UK features so high on the list of targets for cyber criminals but, in some ways, this is as reassuring as it is a point of concern. The reason we're such a persistent target of attack is because we have so much worth stealing – financial assets, intellectual property and the type of vibrant dynamic business that generates both. We shouldn’t worry if criminals wish to steal from us, but we must work to limit their chances of success. So, what can we do to thwart the criminals? And how well are we doing currently?

The second question is easy to answer, and the answer is: not too badly. We may not be winning the war, but we’re not losing either – the "black hole" of the report is really a sort of jurisdictive black hole, and it’s unlikely to swallow the nation’s finances any time soon. That’s not, however, to deny the scale of the problem, and the question of how we solve it is undeniably complicated. The issue is a truly global one, and criminals have more weapons at their disposal than ever before.

Cyber-security professionals refer to the "attack surface" to describe how cyber-criminals access their victims and, in the space of the last ten years, this has changed beyond all recognition. When the internet was primarily a means of accessing information, the avenues through which cyber criminals could reach their victims were limited, and so was the extent of their potential gains. Now, with almost any product or service available online, with a plethora of different social networks, and with smartphones and many different devices connected to the internet, there are few limits to the means criminals can employ to steal from organisations and individuals.

No individual or organisation can hope to stand alone against this threat. Companies that wish to defend themselves have little alternative but to collaborate on their response to cyber-crime. The criminals themselves see the value of such a strategy, and their information-sharing networks are extraordinarily effective. At our subsidiary RSA, we maintain cyber-security watch posts around the world, and from these we see criminals exchanging data on the vulnerabilities that allow them to steal money and intellectual property from organisations and individuals.

This is a sophisticated and agile underground economy which feeds parasitically on legitimate commerce, and which lawful businesses cannot hope to curb without concerted action. However, even recent discourse on the issue has not sufficiently stressed the importance of collaboration. For example, the CBI’s otherwise very sensible response to the Committee’s report struck a false note in its suggestion we should be "fighting crime in private". That would be a lonely and unsuccessful fight, and it’s crucial that British businesses are aware of how numerous, how skilled, and how efficiently collaborative cyber-criminals are. No organisation could hope to combat them alone.

However, with a coherent framework for businesses to share information on cyber threats, businesses are well-placed to beat the cyber threat. Many business leaders may shy away from the idea of engaging with their competitors and peers in industry, but strong precedents have already been set in sectors at high risk of cybercrime. Financial services is one of these and, while companies in the industry are more protective of proprietary information than those in almost any other, the scale of the threat is such that a formal means of sharing intelligence is a necessity. In financial services, the eFraudNetwork cybercrime watch service allows companies worldwide to securely share information about cyber-crime, so that once one attempted theft is thwarted, the perpetrators cannot simply move on to try the same methods at another organisation.

Such a network is very effective in curbing fraud and theft, and the good news is that this kind of information sharing is not complex or expensive, and need not negatively impact on the competitive advantages or information privacy of the organisations involved. It is a model that could easily be replicated in other industries. Much work is already being done to achieve this; indeed, RSA will shortly release a cyber-threat intelligence model, which will propose a global industry standard framework for business-to-business information sharing. Last week’s Committee report implied that a political intervention is possible so, however it chooses to do so, the business community should act while it is still able to shape a response according to its own priorities. After all, if there’s one thing that we know about cyber criminals, it’s that they never stop working to improve the methods they use. As the lawless learn to attack more effectively, so the lawful must learn to defend better – and no one organisation can succeed in doing this alone.

James Petter is vice president and managing director of EMC UK&I

Photograph: Getty Images

James Petter is vice president and managing director of  internet services company EMC UK&I.

Photo: Getty
Show Hide image

The Prevent strategy needs a rethink, not a rebrand

A bad policy by any other name is still a bad policy.

Yesterday the Home Affairs Select Committee published its report on radicalization in the UK. While the focus of the coverage has been on its claim that social media companies like Facebook, Twitter and YouTube are “consciously failing” to combat the promotion of terrorism and extremism, it also reported on Prevent. The report rightly engages with criticism of Prevent, acknowledging how it has affected the Muslim community and calling for it to become more transparent:

“The concerns about Prevent amongst the communities most affected by it must be addressed. Otherwise it will continue to be viewed with suspicion by many, and by some as “toxic”… The government must be more transparent about what it is doing on the Prevent strategy, including by publicising its engagement activities, and providing updates on outcomes, through an easily accessible online portal.”

While this acknowledgement is good news, it is hard to see how real change will occur. As I have written previously, as Prevent has become more entrenched in British society, it has also become more secretive. For example, in August 2013, I lodged FOI requests to designated Prevent priority areas, asking for the most up-to-date Prevent funding information, including what projects received funding and details of any project engaging specifically with far-right extremism. I lodged almost identical requests between 2008 and 2009, all of which were successful. All but one of the 2013 requests were denied.

This denial is significant. Before the 2011 review, the Prevent strategy distributed money to help local authorities fight violent extremism and in doing so identified priority areas based solely on demographics. Any local authority with a Muslim population of at least five per cent was automatically given Prevent funding. The 2011 review pledged to end this. It further promised to expand Prevent to include far-right extremism and stop its use in community cohesion projects. Through these FOI requests I was trying to find out whether or not the 2011 pledges had been met. But with the blanket denial of information, I was left in the dark.

It is telling that the report’s concerns with Prevent are not new and have in fact been highlighted in several reports by the same Home Affairs Select Committee, as well as numerous reports by NGOs. But nothing has changed. In fact, the only change proposed by the report is to give Prevent a new name: Engage. But the problem was never the name. Prevent relies on the premise that terrorism and extremism are inherently connected with Islam, and until this is changed, it will continue to be at best counter-productive, and at worst, deeply discriminatory.

In his evidence to the committee, David Anderson, the independent ombudsman of terrorism legislation, has called for an independent review of the Prevent strategy. This would be a start. However, more is required. What is needed is a radical new approach to counter-terrorism and counter-extremism, one that targets all forms of extremism and that does not stigmatise or stereotype those affected.

Such an approach has been pioneered in the Danish town of Aarhus. Faced with increased numbers of youngsters leaving Aarhus for Syria, police officers made it clear that those who had travelled to Syria were welcome to come home, where they would receive help with going back to school, finding a place to live and whatever else was necessary for them to find their way back to Danish society.  Known as the ‘Aarhus model’, this approach focuses on inclusion, mentorship and non-criminalisation. It is the opposite of Prevent, which has from its very start framed British Muslims as a particularly deviant suspect community.

We need to change the narrative of counter-terrorism in the UK, but a narrative is not changed by a new title. Just as a rose by any other name would smell as sweet, a bad policy by any other name is still a bad policy. While the Home Affairs Select Committee concern about Prevent is welcomed, real action is needed. This will involve actually engaging with the Muslim community, listening to their concerns and not dismissing them as misunderstandings. It will require serious investigation of the damages caused by new Prevent statutory duty, something which the report does acknowledge as a concern.  Finally, real action on Prevent in particular, but extremism in general, will require developing a wide-ranging counter-extremism strategy that directly engages with far-right extremism. This has been notably absent from today’s report, even though far-right extremism is on the rise. After all, far-right extremists make up half of all counter-radicalization referrals in Yorkshire, and 30 per cent of the caseload in the east Midlands.

It will also require changing the way we think about those who are radicalized. The Aarhus model proves that such a change is possible. Radicalization is indeed a real problem, one imagines it will be even more so considering the country’s flagship counter-radicalization strategy remains problematic and ineffective. In the end, Prevent may be renamed a thousand times, but unless real effort is put in actually changing the strategy, it will remain toxic. 

Dr Maria Norris works at London School of Economics and Political Science. She tweets as @MariaWNorris.