Escaping the “black hole”: how to measure cybercrime

How big a threat is cybercrime to UK industry, and how do we deal with it?

The vast majority of parliamentary committee reports do not prompt headlines containing phrases like “losing the war”, “falling into a black hole”, and “a bigger threat than nuclear attack”. Last week’s Home Affairs Select Committee report on e-crime was a notable exception. For those who make a living fighting cyber-crime, however, the report held very little that would shock. Indeed, my colleague Art Coviello spoke at length to the Committee, and whilst he agreed with their assessment that we weren't winning the battle, he had considerable praise for the way both British business and government were coming together around the challenge.

Now the dust has settled somewhat, it’s worth separating reality from hyperbole, and perhaps considering what might actually be done about the problem. To do so, we should begin on a positive note. The headlines came about because the UK features so high on the list of targets for cyber criminals but, in some ways, this is as reassuring as it is a point of concern. The reason we're such a persistent target of attack is because we have so much worth stealing – financial assets, intellectual property and the type of vibrant dynamic business that generates both. We shouldn’t worry if criminals wish to steal from us, but we must work to limit their chances of success. So, what can we do to thwart the criminals? And how well are we doing currently?

The second question is easy to answer, and the answer is: not too badly. We may not be winning the war, but we’re not losing either – the "black hole" of the report is really a sort of jurisdictive black hole, and it’s unlikely to swallow the nation’s finances any time soon. That’s not, however, to deny the scale of the problem, and the question of how we solve it is undeniably complicated. The issue is a truly global one, and criminals have more weapons at their disposal than ever before.

Cyber-security professionals refer to the "attack surface" to describe how cyber-criminals access their victims and, in the space of the last ten years, this has changed beyond all recognition. When the internet was primarily a means of accessing information, the avenues through which cyber criminals could reach their victims were limited, and so was the extent of their potential gains. Now, with almost any product or service available online, with a plethora of different social networks, and with smartphones and many different devices connected to the internet, there are few limits to the means criminals can employ to steal from organisations and individuals.

No individual or organisation can hope to stand alone against this threat. Companies that wish to defend themselves have little alternative but to collaborate on their response to cyber-crime. The criminals themselves see the value of such a strategy, and their information-sharing networks are extraordinarily effective. At our subsidiary RSA, we maintain cyber-security watch posts around the world, and from these we see criminals exchanging data on the vulnerabilities that allow them to steal money and intellectual property from organisations and individuals.

This is a sophisticated and agile underground economy which feeds parasitically on legitimate commerce, and which lawful businesses cannot hope to curb without concerted action. However, even recent discourse on the issue has not sufficiently stressed the importance of collaboration. For example, the CBI’s otherwise very sensible response to the Committee’s report struck a false note in its suggestion we should be "fighting crime in private". That would be a lonely and unsuccessful fight, and it’s crucial that British businesses are aware of how numerous, how skilled, and how efficiently collaborative cyber-criminals are. No organisation could hope to combat them alone.

However, with a coherent framework for businesses to share information on cyber threats, businesses are well-placed to beat the cyber threat. Many business leaders may shy away from the idea of engaging with their competitors and peers in industry, but strong precedents have already been set in sectors at high risk of cybercrime. Financial services is one of these and, while companies in the industry are more protective of proprietary information than those in almost any other, the scale of the threat is such that a formal means of sharing intelligence is a necessity. In financial services, the eFraudNetwork cybercrime watch service allows companies worldwide to securely share information about cyber-crime, so that once one attempted theft is thwarted, the perpetrators cannot simply move on to try the same methods at another organisation.

Such a network is very effective in curbing fraud and theft, and the good news is that this kind of information sharing is not complex or expensive, and need not negatively impact on the competitive advantages or information privacy of the organisations involved. It is a model that could easily be replicated in other industries. Much work is already being done to achieve this; indeed, RSA will shortly release a cyber-threat intelligence model, which will propose a global industry standard framework for business-to-business information sharing. Last week’s Committee report implied that a political intervention is possible so, however it chooses to do so, the business community should act while it is still able to shape a response according to its own priorities. After all, if there’s one thing that we know about cyber criminals, it’s that they never stop working to improve the methods they use. As the lawless learn to attack more effectively, so the lawful must learn to defend better – and no one organisation can succeed in doing this alone.

James Petter is vice president and managing director of internet services company EMC UK&I.


Why Barack Obama was right to release Chelsea Manning

A Presidential act of mercy is good for Manning, but also for the US.

In early 2010, a young US military intelligence analyst on an army base near Baghdad slipped a Lady Gaga CD into a computer and sang along to the music. In fact, the soldier's apparently upbeat mood hid two facts. 

First, the soldier later known as Chelsea Manning was completely alienated from army culture, and the callous way she believed it treated civilians in Iraq. And second, she was quietly erasing the music on her CDs and replacing it with files holding explosive military data, which she would release to the world via Wikileaks. 

To some, Manning is a free speech hero. To others, she is a traitor. President Barack Obama’s decision to commute her 35-year sentence before leaving office has been blasted as “outrageous” by leading Republican Paul Ryan. Other Republican critics argue Obama is rewarding an act that endangered the lives of soldiers and intelligence operatives while giving ammunition to Russia. 

They have a point. Liberals banging the drum against Russia’s leak offensive during the US election cannot simultaneously argue leaks are inherently good. 

But even if you think Manning was deeply misguided in her use of Lady Gaga CDs, there are strong reasons why we should celebrate her release. 

1. She was not judged on the public interest

Manning was motivated by what she believed to be human rights abuses in Iraq, but her public interest defence has never been tested. 

The leaks were undoubtedly of public interest. As Manning said in the podcast she recorded with Amnesty International: “When we made mistakes, planning operations, innocent people died.” 

Thanks to Manning’s leak, we also know about the Vatican hiding sex abuse scandals in Ireland, plus the UK promising to protect US interests during the Chilcot Inquiry. 

In countries such as Germany, Canada and Denmark, whistleblowers in sensitive areas can use a public interest defence. In the US, however, such a defence does not exist – meaning it is impossible for Manning to legally argue her actions were in the public good.

2. She was deemed worse than rapists and murderers

Her sentence was out of proportion to her crime. Compare her 35-year sentence to that received by William Millay, a young police officer, also in 2013. Caught in the act of trying to sell classified documents to someone he believed was a Russian intelligence officer, he was given 16 years.

According to Amnesty International: “Manning’s sentence was much longer than other members of the military convicted of charges such as murder, rape and war crimes, as well as any others who were convicted of leaking classified materials to the public.”

3. Her time in jail was particularly miserable 

Manning’s conditions in jail do nothing to dispel the idea she has been treated extraordinarily harshly. When initially placed in solitary confinement, she needed permission to do anything in her cell, even walking around to exercise. 

When she requested treatment for her gender dysphoria, the military prison’s initial response was a blanket refusal – despite the fact many civilian prisons accept the idea that trans inmates are entitled to hormones. Manning has attempted suicide several times. She finally received permission to receive gender transition surgery in 2016 after a hunger strike.

4. Julian Assange can stop acting like a martyr

Internationally, Manning’s continued incarceration was likely to do more harm than good. She has said she is sorry “for hurting the US”. Her worldwide following has turned her into an icon of US hypocrisy on free speech.

Then there's the fact Wikileaks said its founder Julian Assange would agree to be extradited to the US if Manning was released. Now that Manning is months away from freedom, his excuses for staying in the Ecuadorian London Embassy to avoid Swedish rape allegations are somewhat feebler.

As for the President - under whose watch Manning was prosecuted - he may be leaving his office with his legacy in peril, but with one stroke of his pen, he has changed a life. Manning, now 29, could have expected to leave prison in her late 50s. Instead, she'll be free before her 30th birthday. And perhaps the Ecuadorian ambassador will finally get his room back.

Julia Rampen is the editor of The Staggers, The New Statesman's online rolling politics blog. She was previously deputy editor at Mirror Money Online and has worked as a financial journalist for several trade magazines.