Escaping the “black hole”: how to measure cybercrime

How big a threat is cybercrime to UK industry, and how do we deal with it?

The vast majority of parliamentary committee reports do not prompt headlines containing phrases like “losing the war”, “falling into a black hole”, and “a bigger threat than nuclear attack”. Last week’s Home Affairs Select Committee report on e-crime was a notable exception. For those who make a living fighting cyber-crime, however, the report held very little that would shock. Indeed, my colleague Art Coviello spoke at length to the Committee, and whilst he agreed with their assessment that we weren't winning the battle, he had considerable praise for the way both British business and government were coming together around the challenge.

Now the dust has settled somewhat, it’s worth separating reality from hyperbole, and perhaps considering what might actually be done about the problem. To do so, we should begin on a positive note. The headlines came about because the UK features so high on the list of targets for cyber criminals but, in some ways, this is as reassuring as it is a point of concern. The reason we're such a persistent target of attack is that we have so much worth stealing – financial assets, intellectual property and the type of vibrant dynamic business that generates both. We shouldn’t worry if criminals wish to steal from us, but we must work to limit their chances of success. So, what can we do to thwart the criminals? And how well are we doing currently?

The second question is easy to answer, and the answer is: not too badly. We may not be winning the war, but we’re not losing either – the "black hole" of the report is really a sort of jurisdictive black hole, and it’s unlikely to swallow the nation’s finances any time soon. That’s not, however, to deny the scale of the problem, and the question of how we solve it is undeniably complicated. The issue is a truly global one, and criminals have more weapons at their disposal than ever before.

Cyber-security professionals refer to the "attack surface" to describe how cyber-criminals access their victims and, in the space of the last ten years, this has changed beyond all recognition. When the internet was primarily a means of accessing information, the avenues through which cyber criminals could reach their victims were limited, and so was the extent of their potential gains. Now, with almost any product or service available online, with a plethora of different social networks, and with smartphones and many different devices connected to the internet, there are few limits to the means criminals can employ to steal from organisations and individuals.

No individual or organisation can hope to stand alone against this threat. Companies that wish to defend themselves have little alternative but to collaborate on their response to cyber-crime. The criminals themselves see the value of such a strategy, and their information-sharing networks are extraordinarily effective. At our subsidiary RSA, we maintain cyber-security watch posts around the world, and from these we see criminals exchanging data on the vulnerabilities that allow them to steal money and intellectual property from organisations and individuals.

This is a sophisticated and agile underground economy which feeds parasitically on legitimate commerce, and which lawful businesses cannot hope to curb without concerted action. However, even recent discourse on the issue has not sufficiently stressed the importance of collaboration. For example, the CBI’s otherwise very sensible response to the Committee’s report struck a false note in its suggestion we should be "fighting crime in private". That would be a lonely and unsuccessful fight, and it’s crucial that British businesses are aware of how numerous, how skilled, and how efficiently collaborative cyber-criminals are. No organisation could hope to combat them alone.

However, given a coherent framework for sharing information on cyber threats, businesses are well placed to beat them. Many business leaders may shy away from the idea of engaging with their competitors and peers in industry, but strong precedents have already been set in sectors at high risk of cybercrime. Financial services is one of these and, while companies in the industry are more protective of proprietary information than those in almost any other, the scale of the threat is such that a formal means of sharing intelligence is a necessity. In financial services, the eFraudNetwork cybercrime watch service allows companies worldwide to securely share information about cyber-crime, so that once one attempted theft is thwarted, the perpetrators cannot simply move on to try the same methods at another organisation.

Such a network is very effective in curbing fraud and theft, and the good news is that this kind of information sharing is not complex or expensive, and need not negatively impact on the competitive advantages or information privacy of the organisations involved. It is a model that could easily be replicated in other industries. Much work is already being done to achieve this; indeed, RSA will shortly release a cyber-threat intelligence model, which will propose a global industry standard framework for business-to-business information sharing. Last week’s Committee report implied that a political intervention is possible, so the business community, however it chooses to do so, should act while it is still able to shape a response according to its own priorities. After all, if there’s one thing that we know about cyber criminals, it’s that they never stop working to improve the methods they use. As the lawless learn to attack more effectively, so the lawful must learn to defend better – and no one organisation can succeed in doing this alone.

James Petter is vice president and managing director of EMC UK&I


The UK press’s timid reaction to Brexit is in marked contrast to the satire unleashed on Trump

For the BBC, it seems, to question leaving the EU is to be unpatriotic.

Faced with arguably their biggest political-cum-constitutional crisis in half a century, the press on either side of the pond has reacted very differently. Confronting a president who, unlike many predecessors, does not merely covertly dislike the press but rages against its supposed mendacity as a purveyor of “fake news”, the fourth estate in the US has had a pretty successful first 150-odd days of the Trump era. The Washington Post has recovered its Watergate mojo – the bloodhound tenacity that brought down Richard Nixon. The Post’s investigations into links between the Kremlin and Donald Trump’s associates and appointees have yielded the scalp of the former security adviser Michael Flynn and led to Attorney General Jeff Sessions recusing himself from all inquiries into Trump-Russia contacts. Few imagine the story will end there.

Meanwhile, the New York Times has cast off its image as “the grey lady” and come out in sharper colours. Commenting on the James Comey memo in an editorial, the Times raised the possibility that Trump was trying to “obstruct justice”, and called on Washington lawmakers to “uphold the constitution”. Trump’s denunciations of the Times as “failing” have acted as commercial “rocket fuel” for the paper, according to its CEO, Mark Thompson: it gained an “astonishing” 308,000 net digital news subscriptions in the first quarter of 2017.

US-based broadcast organisations such as CNN and ABC, once considered slick or bland, have reacted to Trump’s bullying in forthright style. Political satire is thriving, led by Saturday Night Live, with its devastating impersonations of the president by Alec Baldwin and of his press secretary Sean Spicer by the brilliant Melissa McCarthy.

British press reaction to Brexit – an epic constitutional, political and economic mess-up that probably includes a mind-bogglingly destructive self-ejection from a single market and customs union that took decades to construct, a move pushed through by a far-right faction of the Tory party – has been much more muted. The situation is complicated by the cheerleading for Brexit by most of the British tabloids and the Daily Telegraph. There are stirrings of resistance, but even after an election in which Theresa May spectacularly failed to secure a mandate for her hard Brexit, there is a sense, though the criticism of her has been intense, of the media pussy-footing around a government in disarray – not properly interrogating those who still seem to promise that, in relation to Europe, we can have our cake and eat it.

This is especially the case with the BBC, a state broadcaster that proudly proclaims its independence from the government of the day, protected by the famous “arm’s-length” principle. In the case of Brexit, the BBC invoked its concept of “balance” to give equal airtime and weight to Leavers and Remainers. Fair enough, you might say, but according to the economist Simon Wren-Lewis, it ignored a “near-unanimous view among economists that Brexit would hurt the UK economy in the longer term”.

A similar view of “balance” in the past led the BBC to equate views of non-scientific climate contrarians, often linked to the fossil-fuel lobby, with those of leading climate scientists. Many BBC Remainer insiders still feel incensed by what they regard as BBC betrayal over Brexit. Although the referendum of 23 June 2016 said nothing about leaving the single market or the customs union, the Today presenter Justin Webb, in a recent interview with Stuart Rose, put it like this: “Staying in the single market, staying in the customs union – [Leave voters would say] you might as well not be leaving. That fundamental position is a matter of democracy.” For the BBC, it seems, to question Brexit is somehow to be unpatriotic.

You might think that an independent, pro-democratic press would question the attempted use of the arcane and archaic “royal prerogative” to enable the bypassing of parliament when it came to triggering Article 50, signalling the UK’s departure from the EU. But when the campaigner Gina Miller’s challenge to the government was upheld by the high court, the three ruling judges were attacked on the front page of the Daily Mail as “enemies of the people”. Thomas Jefferson wrote that he would rather have “newspapers without a government” than “a government without newspapers”. It’s a fair guess he wasn’t thinking of newspapers that would brand the judiciary as “enemies of the people”.

It does seem significant that the United States has a written constitution, encapsulating the separation and balance of powers, and explicitly designed by the Founding Fathers to protect the young republic against tyranny. When James Madison drafted the First Amendment he was clear that freedom of the press should be guaranteed to a much higher degree in the republic than it had been in the colonising power, where for centuries, after all, British monarchs and prime ministers have had no qualms about censoring an unruly media.

By contrast, the United Kingdom remains a hybrid of monarchy and democracy, with no explicit protection of press freedom other than the one provided by the common law. The national impulse to bend the knee before the sovereign, to obey and not question authority, remains strangely powerful in Britain, the land of Henry VIII as well as of George Orwell. That the United Kingdom has slipped 11 places in the World Press Freedom Index in the past four years, down to 40th, has rightly occasioned outrage. Yet, even more awkwardly, the United States is three places lower still, at 43rd. Freedom of the press may not be doing quite as well as we imagine in either country.

Harry Eyres is the author of Horace and Me: Life Lessons from an Ancient Poet (2013)

This article first appeared in the 20 July 2017 issue of the New Statesman, The new world disorder