Escaping the “black hole”: how to measure cybercrime

How big a threat is cybercrime to UK industry, and how do we deal with it?

The vast majority of parliamentary committee reports do not prompt headlines containing phrases like “losing the war”, “falling into a black hole”, and “a bigger threat than nuclear attack”. Last week’s Home Affairs Select Committee report on e-crime was a notable exception. For those who make a living fighting cyber-crime, however, the report held very little that would shock. Indeed, my colleague Art Coviello spoke at length to the Committee, and whilst he agreed with their assessment that we weren't winning the battle, he had considerable praise for the way both British business and government were coming together around the challenge.

Now the dust has settled somewhat, it’s worth separating reality from hyperbole, and perhaps considering what might actually be done about the problem. To do so, we should begin on a positive note. The headlines came about because the UK features so high on the list of targets for cyber criminals but, in some ways, this is as reassuring as it is a point of concern. The reason we're such a persistent target of attack is that we have so much worth stealing – financial assets, intellectual property and the type of vibrant, dynamic business that generates both. We shouldn’t worry if criminals wish to steal from us, but we must work to limit their chances of success. So, what can we do to thwart the criminals? And how well are we doing currently?

The second question is easy to answer, and the answer is: not too badly. We may not be winning the war, but we’re not losing either – the "black hole" of the report is really a sort of jurisdictive black hole, and it’s unlikely to swallow the nation’s finances any time soon. That’s not, however, to deny the scale of the problem, and the question of how we solve it is undeniably complicated. The issue is a truly global one, and criminals have more weapons at their disposal than ever before.

Cyber-security professionals refer to the "attack surface" to describe how cyber-criminals access their victims and, in the space of the last ten years, this has changed beyond all recognition. When the internet was primarily a means of accessing information, the avenues through which cyber criminals could reach their victims were limited, and so was the extent of their potential gains. Now, with almost any product or service available online, with a plethora of different social networks, and with smartphones and many different devices connected to the internet, there are few limits to the means criminals can employ to steal from organisations and individuals.

No individual or organisation can hope to stand alone against this threat. Companies that wish to defend themselves have little alternative but to collaborate on their response to cyber-crime. The criminals themselves see the value of such a strategy, and their information-sharing networks are extraordinarily effective. At our subsidiary RSA, we maintain cyber-security watch posts around the world, and from these we see criminals exchanging data on the vulnerabilities that allow them to steal money and intellectual property from organisations and individuals.

This is a sophisticated and agile underground economy which feeds parasitically on legitimate commerce, and which lawful businesses cannot hope to curb without concerted action. However, even recent discourse on the issue has not sufficiently stressed the importance of collaboration. For example, the CBI’s otherwise very sensible response to the Committee’s report struck a false note in its suggestion we should be "fighting crime in private". That would be a lonely and unsuccessful fight, and it’s crucial that British businesses are aware of how numerous, how skilled, and how efficiently collaborative cyber-criminals are. No organisation could hope to combat them alone.

However, with a coherent framework for businesses to share information on cyber threats, businesses are well-placed to beat the cyber threat. Many business leaders may shy away from the idea of engaging with their competitors and peers in industry, but strong precedents have already been set in sectors at high risk of cybercrime. Financial services is one of these and, while companies in the industry are more protective of proprietary information than those in almost any other, the scale of the threat is such that a formal means of sharing intelligence is a necessity. In financial services, the eFraudNetwork cybercrime watch service allows companies worldwide to securely share information about cyber-crime, so that once one attempted theft is thwarted, the perpetrators cannot simply move on to try the same methods at another organisation.

Such a network is very effective in curbing fraud and theft, and the good news is that this kind of information sharing is not complex or expensive, and need not negatively impact on the competitive advantages or information privacy of the organisations involved. It is a model that could easily be replicated in other industries. Much work is already being done to achieve this; indeed, RSA will shortly release a cyber-threat intelligence model, which will propose a global industry standard framework for business-to-business information sharing. Last week’s Committee report implied that a political intervention is possible so, however it chooses to do so, the business community should act while it is still able to shape a response according to its own priorities. After all, if there’s one thing that we know about cyber criminals, it’s that they never stop working to improve the methods they use. As the lawless learn to attack more effectively, so the lawful must learn to defend better – and no one organisation can succeed in doing this alone.

James Petter is vice president and managing director of EMC UK&I

Photograph: Getty Images

James Petter is vice president and managing director of internet services company EMC UK&I.


Leader: The unresolved Eurozone crisis

The continent that once aspired to be a rival superpower to the US is now a byword for decline, and ethnic nationalism and right-wing populism are thriving.

The eurozone crisis was never resolved. It was merely conveniently forgotten. The vote for Brexit, the terrible war in Syria and Donald Trump’s election as US president all distracted from the single currency’s woes. Yet its contradictions endure, a permanent threat to continental European stability and the future cohesion of the European Union.

The resignation of the Italian prime minister Matteo Renzi, following defeat in a constitutional referendum on 4 December, was the moment at which some believed that Europe would be overwhelmed. Among the champions of the No campaign were the anti-euro Five Star Movement (which has led in some recent opinion polls) and the separatist Lega Nord. Opponents of the EU, such as Nigel Farage, hailed the result as a rejection of the single currency.

An Italian exit, if not unthinkable, is far from inevitable, however. The No campaign comprised not only Eurosceptics but pro-Europeans such as the former prime minister Mario Monti and members of Mr Renzi’s liberal-centrist Democratic Party. Few voters treated the referendum as a judgement on the monetary union.

To achieve withdrawal from the euro, the populist Five Star Movement would need first to form a government (no easy task under Italy’s complex multiparty system), then amend the constitution to allow a public vote on Italy’s membership of the currency. Opinion polls continue to show a majority opposed to the return of the lira.

But Europe faces far more immediate dangers. Italy’s fragile banking system has been imperilled by the referendum result and the accompanying fall in investor confidence. In the absence of state aid, the Banca Monte dei Paschi di Siena, the world’s oldest bank, could soon face ruin. Italy’s national debt stands at 132 per cent of GDP, severely limiting its firepower, and its financial sector has amassed $360bn of bad loans. The risk is of a new financial crisis that spreads across the eurozone.

EU leaders’ record to date does not encourage optimism. Seven years after the Greek crisis began, the German government is continuing to advocate the failed path of austerity. On 4 December, Germany’s finance minister, Wolfgang Schäuble, declared that Greece must choose between unpopular “structural reforms” (a euphemism for austerity) or withdrawal from the euro. He insisted that debt relief “would not help” the immiserated country.

Yet the argument that austerity is unsustainable is now heard far beyond the Syriza government. The International Monetary Fund is among those that have demanded “unconditional” debt relief. Under the current bailout terms, Greece’s interest payments on its debt (roughly €330bn) will continually rise, consuming 60 per cent of its budget by 2060. The IMF has rightly proposed an extended repayment period and a fixed interest rate of 1.5 per cent. Faced with German intransigence, it is refusing to provide further funding.

Ever since the European Central Bank president, Mario Draghi, declared in 2012 that he was prepared to do “whatever it takes” to preserve the single currency, EU member states have relied on monetary policy to contain the crisis. This complacent approach could unravel. From the euro’s inception, economists have warned of the dangers of a monetary union that is unmatched by fiscal and political union. The UK, partly for these reasons, wisely rejected membership, but other states have been condemned to stagnation. As Felix Martin writes on page 15, “Italy today is worse off than it was not just in 2007, but in 1997. National output per head has stagnated for 20 years – an astonishing . . . statistic.”

Germany’s refusal to support demand (having benefited from a fixed exchange rate) undermined the principles of European solidarity and shared prosperity. German unemployment has fallen to 4.1 per cent, the lowest level since 1981, but joblessness is at 23.4 per cent in Greece, 19 per cent in Spain and 11.6 per cent in Italy. The youngest have suffered most. Youth unemployment is 46.5 per cent in Greece, 42.6 per cent in Spain and 36.4 per cent in Italy. No social model should tolerate such waste.

“If the euro fails, then Europe fails,” the German chancellor, Angela Merkel, has often asserted. Yet it does not follow that Europe will succeed if the euro survives. The continent that once aspired to be a rival superpower to the US is now a byword for decline, and ethnic nationalism and right-wing populism are thriving. In these circumstances, the surprise has been not voters’ intemperance, but their patience.

This article first appeared in the 08 December 2016 issue of the New Statesman, Brexit to Trump