Escaping the “black hole”: how to measure cybercrime

How big a threat is cybercrime to UK industry, and how do we deal with it?

The vast majority of parliamentary committee reports do not prompt headlines containing phrases like “losing the war”, “falling into a black hole”, and “a bigger threat than nuclear attack”. Last week’s Home Affairs Select Committee report on e-crime was a notable exception. For those who make a living fighting cyber-crime, however, the report held very little that would shock. Indeed, my colleague Art Coviello spoke at length to the Committee, and whilst he agreed with their assessment that we weren't winning the battle, he had considerable praise for the way both British business and government were coming together around the challenge.

Now the dust has settled somewhat, it’s worth separating reality from hyperbole, and perhaps considering what might actually be done about the problem. To do so, we should begin on a positive note. The headlines came about because the UK features so high on the list of targets for cyber criminals but, in some ways, this is as reassuring as it is a point of concern. The reason we're such a persistent target of attack is that we have so much worth stealing – financial assets, intellectual property and the type of vibrant dynamic business that generates both. We shouldn’t worry if criminals wish to steal from us, but we must work to limit their chances of success. So, what can we do to thwart the criminals? And how well are we doing currently?

The second question is easy to answer, and the answer is: not too badly. We may not be winning the war, but we’re not losing either – the "black hole" of the report is really a sort of jurisdictive black hole, and it’s unlikely to swallow the nation’s finances any time soon. That’s not, however, to deny the scale of the problem, and the question of how we solve it is undeniably complicated. The issue is a truly global one, and criminals have more weapons at their disposal than ever before.

Cyber-security professionals refer to the "attack surface" to describe how cyber-criminals access their victims and, in the space of the last ten years, this has changed beyond all recognition. When the internet was primarily a means of accessing information, the avenues through which cyber criminals could reach their victims were limited, and so was the extent of their potential gains. Now, with almost any product or service available online, with a plethora of different social networks, and with smartphones and many different devices connected to the internet, there are few limits to the means criminals can employ to steal from organisations and individuals.

No individual or organisation can hope to stand alone against this threat. Companies that wish to defend themselves have little alternative but to collaborate on their response to cyber-crime. The criminals themselves see the value of such a strategy, and their information-sharing networks are extraordinarily effective. At our subsidiary RSA, we maintain cyber-security watch posts around the world, and from these we see criminals exchanging data on the vulnerabilities that allow them to steal money and intellectual property from organisations and individuals.

This is a sophisticated and agile underground economy which feeds parasitically on legitimate commerce, and which lawful businesses cannot hope to curb without concerted action. However, even recent discourse on the issue has not sufficiently stressed the importance of collaboration. For example, the CBI’s otherwise very sensible response to the Committee’s report struck a false note in its suggestion we should be "fighting crime in private". That would be a lonely and unsuccessful fight, and it’s crucial that British businesses are aware of how numerous, how skilled, and how efficiently collaborative cyber-criminals are. No organisation could hope to combat them alone.

However, with a coherent framework for sharing information on cyber threats, businesses are well placed to beat them. Many business leaders may shy away from the idea of engaging with their competitors and peers in industry, but strong precedents have already been set in sectors at high risk of cybercrime. Financial services is one of these and, while companies in the industry are more protective of proprietary information than those in almost any other, the scale of the threat is such that a formal means of sharing intelligence is a necessity. In financial services, the eFraudNetwork cybercrime watch service allows companies worldwide to securely share information about cyber-crime, so that once one attempted theft is thwarted, the perpetrators cannot simply move on to try the same methods at another organisation.

Such a network is very effective in curbing fraud and theft, and the good news is that this kind of information sharing is not complex or expensive, and need not negatively impact on the competitive advantages or information privacy of the organisations involved. It is a model that could easily be replicated in other industries. Much work is already being done to achieve this; indeed, RSA will shortly release a cyber-threat intelligence model, which will propose a global industry standard framework for business-to-business information sharing. Last week’s Committee report implied that a political intervention is possible so, however it chooses to do so, the business community should act while it is still able to shape a response according to its own priorities. After all, if there’s one thing that we know about cyber criminals, it’s that they never stop working to improve the methods they use. As the lawless learn to attack more effectively, so the lawful must learn to defend better – and no one organisation can succeed in doing this alone.

James Petter is vice president and managing director of EMC UK&I




A swimming pool and a bleeding toe put my medical competency in doubt

Doctors are used to contending with Google. Sometimes the search engine wins. 

The brutal heatwave affecting southern Europe this summer has become known among locals as “Lucifer”. Having just returned from Italy, I fully understand the nickname. An early excursion caused the beginnings of sunstroke, so we abandoned plans to explore the cultural heritage of the Amalfi region and strayed no further than five metres from the hotel pool for the rest of the week.

The children were delighted, particularly my 12-year-old stepdaughter, Gracie, who proceeded to spend hours at a time playing in the water. Towelling herself after one long session, she noticed something odd.

“What’s happened there?” she asked, holding her foot aloft in front of my face.

I inspected the proffered appendage: on the underside of her big toe was an oblong area of glistening red flesh that looked like a chunk of raw steak.

“Did you injure it?”

She shook her head. “It doesn’t hurt at all.”

I shrugged and said she must have grazed it. She wasn’t convinced, pointing out that she would remember if she had done that. She has great faith in plasters, though, and once it was dressed she forgot all about it. I dismissed it, too, assuming it was one of those things.

By the end of the next day, the pulp on the underside of all of her toes looked the same. As the doctor in the family, I felt under some pressure to come up with an explanation. I made up something about burns from the hot paving slabs around the pool. Gracie didn’t say as much, but her look suggested a dawning scepticism over my claims to hold a medical degree.

The next day, Gracie and her new-found holiday playmate, Eve, abruptly terminated a marathon piggy-in-the-middle session in the pool with Eve’s dad. “Our feet are bleeding,” they announced, somewhat incredulously. Sure enough, bright-red blood was flowing, apparently painlessly, from the bottoms of their big toes.

Doctors are used to contending with Google. Often, what patients discover on the internet causes them undue alarm, and our role is to provide context and reassurance. But not infrequently, people come across information that outstrips our knowledge. On my return from our room with fresh supplies of plasters, my wife looked up from her sun lounger with an air of quiet amusement.

“It’s called ‘pool toe’,” she said, handing me her iPhone. The page she had tracked down described the girls’ situation exactly: friction burns, most commonly seen in children, caused by repetitive hopping about on the abrasive floors of swimming pools. Doctors practising in hot countries must see it all the time. I doubt it presents often to British GPs.

I remained puzzled about the lack of pain. The injuries looked bad, but neither Gracie nor Eve was particularly bothered. Here the internet drew a blank, but I suspect it has to do with the “pruning” of our skin that we’re all familiar with after a soak in the bath. This only occurs over the pulps of our fingers and toes. It was once thought to be caused by water diffusing into skin cells, making them swell, but the truth is far more fascinating.

The wrinkling is an active process, triggered by immersion, in which the blood supply to the pulp regions is switched off, causing the skin there to shrink and pucker. This creates the biological equivalent of tyre treads on our fingers and toes and markedly improves our grip – of great evolutionary advantage when grasping slippery fish in a river, or if trying to maintain balance on slick wet rocks.

The flip side of this is much greater friction, leading to abrasion of the skin through repeated micro-trauma. And the lack of blood flow causes nerves to shut down, depriving us of the pain that would otherwise alert us to the ongoing tissue damage. An adaptation that helped our ancestors hunt in rivers proves considerably less use on a modern summer holiday.

I may not have seen much of the local heritage, but the trip to Italy taught me something new all the same. 

This article first appeared in the 17 August 2017 issue of the New Statesman, Trump goes nuclear