Escaping the “black hole”: how to measure cybercrime

How big a threat is cybercrime to UK industry, and how do we deal with it?

The vast majority of parliamentary committee reports do not prompt headlines containing phrases like “losing the war”, “falling into a black hole”, and “a bigger threat than nuclear attack”. Last week’s Home Affairs Select Committee report on e-crime was a notable exception. For those who make a living fighting cyber-crime, however, the report held very little that would shock. Indeed, my colleague Art Coviello spoke at length to the Committee, and whilst he agreed with their assessment that we weren't winning the battle, he had considerable praise for the way both British business and government were coming together around the challenge.

Now the dust has settled somewhat, it’s worth separating reality from hyperbole, and perhaps considering what might actually be done about the problem. To do so, we should begin on a positive note. The headlines came about because the UK features so high on the list of targets for cyber criminals but, in some ways, this is as reassuring as it is a point of concern. The reason we're such a persistent target of attack is because we have so much worth stealing – financial assets, intellectual property and the type of vibrant dynamic business that generates both. We shouldn’t worry if criminals wish to steal from us, but we must work to limit their chances of success. So, what can we do to thwart the criminals? And how well are we doing currently?

The second question is easy to answer, and the answer is: not too badly. We may not be winning the war, but we’re not losing either – the "black hole" of the report is really a sort of jurisdictive black hole, and it’s unlikely to swallow the nation’s finances any time soon. That’s not, however, to deny the scale of the problem, and the question of how we solve it is undeniably complicated. The issue is a truly global one, and criminals have more weapons at their disposal than ever before.

Cyber-security professionals refer to the "attack surface" to describe how cyber-criminals access their victims and, in the space of the last ten years, this has changed beyond all recognition. When the internet was primarily a means of accessing information, the avenues through which cyber criminals could reach their victims were limited, and so was the extent of their potential gains. Now, with almost any product or service available online, with a plethora of different social networks, and with smartphones and many different devices connected to the internet, there are few limits to the means criminals can employ to steal from organisations and individuals.

No individual or organisation can hope to stand alone against this threat. Companies that wish to defend themselves have little alternative but to collaborate on their response to cyber-crime. The criminals themselves see the value of such a strategy, and their information-sharing networks are extraordinarily effective. At our subsidiary RSA, we maintain cyber-security watch posts around the world, and from these we see criminals exchanging data on the vulnerabilities that allow them to steal money and intellectual property from organisations and individuals.

This is a sophisticated and agile underground economy which feeds parasitically on legitimate commerce, and which lawful businesses cannot hope to curb without concerted action. However, even recent discourse on the issue has not sufficiently stressed the importance of collaboration. For example, the CBI’s otherwise very sensible response to the Committee’s report struck a false note in its suggestion we should be "fighting crime in private". That would be a lonely and unsuccessful fight, and it’s crucial that British businesses are aware of how numerous, how skilled, and how efficiently collaborative cyber-criminals are. No organisation could hope to combat them alone.

However, with a coherent framework for businesses to share information on cyber threats, businesses are well-placed to beat the cyber threat. Many business leaders may shy away from the idea of engaging with their competitors and peers in industry, but strong precedents have already been set in sectors at high risk of cybercrime. Financial services is one of these and, while companies in the industry are more protective of proprietary information than those in almost any other, the scale of the threat is such that a formal means of sharing intelligence is a necessity. In financial services, the eFraudNetwork cybercrime watch service allows companies worldwide to securely share information about cyber-crime, so that once one attempted theft is thwarted, the perpetrators cannot simply move on to try the same methods at another organisation.

Such a network is very effective in curbing fraud and theft, and the good news is that this kind of information sharing is not complex or expensive, and need not negatively impact on the competitive advantages or information privacy of the organisations involved. It is a model that could easily be replicated in other industries. Much work is already being done to achieve this; indeed, RSA will shortly release a cyber-threat intelligence model, which will propose a global industry standard framework for business-to-business information sharing. Last week’s Committee report implied that a political intervention is possible so, however it chooses to do so, the business community should act while it is still able to shape a response according to its own priorities. After all, if there’s one thing that we know about cyber criminals, it’s that they never stop working to improve the methods they use. As the lawless learn to attack more effectively, so the lawful must learn to defend better – and no one organisation can succeed in doing this alone.

James Petter is vice president and managing director of EMC UK&I


James Petter is vice president and managing director of internet services company EMC UK&I.


The three big mistakes the government has made in its Brexit talks

Nicola Sturgeon fears that the UK has no negotiating position at all. It's worse than she thinks. 

It’s fair to say that the first meeting of the government’s Brexit ministers and the leaders of the devolved legislatures did not go well.

Scotland’s Nicola Sturgeon told reporters outside that it had all been “deeply frustrating”, and that it was impossible for her to undermine the United Kingdom’s negotiating position as “I can’t undermine something that doesn’t exist, and at the moment it doesn’t seem to me like there is a UK negotiating strategy”.

To which cynical observers might say: she would, wouldn’t she? It’s in Sturgeon’s interest to paint the Westminster government as clueless and operating in a way that puts Scotland’s interests at risk. Maybe so, but Carwyn Jones, her Welsh opposite number, tends to strike a more conciliatory figure at these events – he’s praised both George Osborne and David Cameron in the past.

So it’s hard not to be alarmed at his statement to the press that there is still “huge uncertainty” about what the British government’s negotiating position is. Even Arlene Foster, the first minister in Northern Ireland, whose party, the DUP, is seen as an increasingly reliable ally for the Conservative government, could only really volunteer that “we’re in a negotiation and we will be in a negotiation and it will be complex”.

All of which makes Jeremy Corbyn’s one-liner in the Commons today that the government is pursuing neither hard Brexit nor soft Brexit but “chaotic Brexit” ring true.

It all adds to a growing suspicion that the government’s negotiating strategy might be, as Jacqui Smith once quipped of Ed Miliband’s policy review, something of “a pregnant panda – it's been a very long time in the making and no one's quite sure if there's anything in there anyway”.

That’s not the case – but the reality is not much more comforting. The government has long believed, as Philip Hammond put it when being grilled by the House of Lords on the issue:

"There's an intrinsic tension here between democratic accountability of the government and effective negotiation with a third party. Our paramount objective must be to get a good deal for Britain. I am afraid will not be achieved by spelling out our negotiating strategy."

That was echoed by Theresa May in response to Corbyn’s claim that the government has no plan for Brexit:

“We have a plan, which is not to give out details of the negotiation as they are being negotiated”

Are Hammond and May right? Well, sort of. There is an innate tension between democratic accountability and a good deal, of course. The more is known about the government’s red lines in negotiations, the higher the price it will have to pay to protect them. That’s why, sensibly, Hammond, both as Foreign Secretary during the dying days of David Cameron’s government, and now as Chancellor, has attempted to head off public commitments about the shape of the Brexit deal.

But – and it’s a big but – the government has already shown a great deal of its hand. May made three big reveals about the government’s Brexit strategy in her conference speech: firstly, she started the clock ticking on when Britain will definitely leave the European Union, by saying she will activate Article 50 no later than 31 March 2017. Secondly, she said that Brexit meant that Britain would control its own borders. And thirdly, she said that Brexit meant that Britain would no longer be subject to the judgements of the European Court of Justice.

The first reveal means that there is no chance that any of the 27 remaining nations of the European Union will break ranks and begin informal talks before Article 50 is triggered.

The second reveal makes it clear that Britain will leave the single market, because none of the four freedoms – of goods, services, capital or people – can be negotiated away, not least because of the fear of political contagion within the EU27, as an exit deal which allowed the United Kingdom to maintain the three other freedoms while giving up the fourth would cause increased pressure from Eurosceptics in western Europe.

And the third reveal makes it equally clear that Britain will leave the customs union as there is no way you can be part of a union if you do not wish to accept its legal arbiter.

So the government has already revealed its big priorities and has therefore jacked up the price, meaning that the argument about not revealing the government’s hand is not as strong as it ideally would be.

The other problem, though, is this: Theresa May’s Brexit objectives cannot be met without a hard Brexit, with the only question the scale of the initial shock. As I’ve written before, there is a sense that the government might be able to “pay to play”, ie, in exchange for continuing to send money to Brussels and to member states, the United Kingdom could maintain a decent standard of access to the single market.

My impression is that the mood in Brussels now makes this very tricky. The tone coming out of Conservative party conference has left goodwill in short supply, meaning that a “pay to play” deal is unlikely. But the other problem is that, by leaving so much of its objectives in the dark, Theresa May is not really laying the groundwork for a situation where she can return to Britain with an exit deal where Britain pays large sums to the European Union for a worse deal than the one it has now. (By the way, that is very much the best case scenario for what she might come back with.) Silence may make for good negotiations in Brussels – but in terms of the negotiation that may follow swiftly after in Westminster, it has entirely the opposite effect. 

Stephen Bush is special correspondent at the New Statesman. His daily briefing, Morning Call, provides a quick and essential guide to British politics.