CONTENTS

politics first | Special Section: Cyber Crime
Andrew
Bingham,
a member of the Culture,
Media and Sport Select
Committee and Conservative
MP for High Peak
ADVERTORIAL
Society must understand
cyber crime to effectively
tackle it
Dr. Adrian Davis, (ISC) 2 Regional Managing Director
– EMEA Region, explains to Marcus Papadopoulos
the actions required to decisively meet the menace of
cyber-crime
100
Cross-border cooperation is crucial
to confronting cyber crime
UK companies earn £1 of every £5 via the internet, and this is predicted
to grow. However, with the emergence of online crime, this raises the
question of how to approach internet security and what the Government
can do to protect UK citizens and businesses.
The internet has created new opportunities for business, education,
communication and leisure. Some surveys attribute internet use for
21 per cent of the GDP growth between 2006 and 2011 in countries
like the UK. If we are to keep using the internet, we must effectively
approach the issue of internet security.
The very nature of the internet has led to a design which lacks borders
and has no central control, leading to amorphous boundaries between
countries – private companies are free to establish international links
and route traffic in any way which is commercially viable.
That freedom has a number of benefits. So, for instance, from a
business perspective, you can establish a presence online and market
your services with little effort. People can share ideas and information
freely - no matter their origin.
A key aspect of the internet is the state of the software industry
and the very applications used across the internet. The industry, itself,
creates a challenge: that of software errors. That is highlighted by the
wide variety of applications in use, ranging from online banking, to
movie streaming and to web browsing.
Unfortunately, each piece of software has potential errors or
problems built in, known as “bugs”. Those are typically unintended
defects in the software which were accidently built in by the designer.
Despite massive investment and wealth generation that comes from
building software, bugs still exist, partly because the authors rarely face
the consequences or an economic loss for poor quality.
Unfortunately, bugs have a darker side beyond simply upsetting
the end user. They often provide a mechanism which allows malicious
people to hack or abuse the software. Hacking software can have
serious consequences; a recent example was the breach of TalkTalk’s
systems in 2015. Errors made in their software exposed 157,000 UK
customers’ personal details.
The openness of the internet, and the prevalence of software
bugs, has led to a rise in internet criminals seeking to exploit this
environment. The Department of Culture, Media and Sport reported that
online banking fraud had cost UK businesses £40 million in 2014 - and
this is increasing.
It is now a fact that a billion dollar bank heist is actually plausible
and could be carried out without the criminals ever setting foot
in the country where the crime took place in. That creates a big
problem for law enforcement: if the perpetrator can cover their tracks
and hide their identity, how do they even know which country they
are in, let alone successfully prosecute them? The cross-border law
enforcement issue is a key challenge facing Governments around
the world.
In November 2015, the then Chancellor George Osborne
announced a £1.9 billion investment in cyber security, including
the establishment of a National Cyber Security Centre. The
principle behind a single central body for managing incidents is
a sensible step, and ensuring that the new organisation has clear
responsibilities is essential for it to be successful.
Unfortunately, the role of internet security is much harder than it
sounds. As highlighted, if you have no borders, and if anyone in the
UK can be directly attacked via the internet, then you cannot throw
up border control. Instead, every company and person online needs
good internet security in place to protect them.
What a central body therefore can do is encourage investment
and improvement of online security. In the United States, a standards
body, the “National Institute for Standards and Technology”, provides
useful information for government departments, businesses and
users. Those standards help to encourage stronger security and
information sharing across the country.
Where a national strategy can also help is awareness of the
issue of internet security. Educating our children in schools is a
valid approach and one that, in the long-run, would ensure that we
have internet security literate consumers and workers within our
businesses.
Finally, the last key area is cross border collaboration. As cyber
crime continues to grow, the ability to track down the perpetrators
and bring them to justice will become more important. Building
strong links with other countries in the world to tackle such issues
through cooperation will become another key task for Britain’s
NCSC.
Q How serious a problem is cyber-crime in the UK?
Any crime is bad for society as a whole. However, cyber-crime has
a different impact in comparison to physical crime. In the cyber
world, assets are not necessarily stolen but value is. For example,
a company is attacked, data on a product is copied and then sold
to another company in the world which then produces the same
product either cheaper or quicker or, indeed, both. Now, that
damages the economy because it means that innovation is rapidly
brought to market without the costs associated with research. So
cyber-crime affects society far more as it can extensively harm
trust in how business is carried out. Further to that, the other side
of cyber-crime is that it is much more efficient than traditional
fraudulent crime; for instance, at the touch of a button, a scam
email can be sent out to tens of thousands of people, whereas
before a scam letter would have to be typed out and then sent in
the post.
Q What are the root causes of breaches in security?
Firstly, the software and systems themselves; for example, there
are, approximately, between 15 and 50 defects per one thousand
lines of code. With as many errors as that in a piece of software,
criminal programmers can find them and use them for fraudulent
purposes. So software vulnerabilities must come under the
spotlight.
Secondly, products and systems are not tested sufficiently
enough hence we do not discover the errors before a product is
put out to be used by companies or individuals.
Thirdly, people make errors. Most people think that computers
are infallible; however, if you press the wrong button, the computer
will do as you tell it to. A classic example of that concerns people
who send out emails without a thought for privacy and put
everyone’s email addresses in the ‘To’ field, instead of the ‘Bcc’
field. It is very difficult to catch that kind of human error.
And fourthly, given how many applications there are in
existence, I do not believe that most people who download them
to their PC or phone have been trained in how to use them safely.
So the skills gap is a major factor in accounting for the dramatic
rise in cyber-crime.
Q Can you explain the strategy of (ISC)2 in approaching
cyber-crime.
As an international professional body, we certify and assure
recognition for the professionals with the skills and instincts
needed to protect companies against cybercrime and other cyber
threats. We are also working hard to fill the increasingly recognised
skills shortage for those professionals. As a profession, we also
talk about prevention or stemming vulnerability, which is all about
educating innovators, systems and software designers and their
business stakeholders to think about how the product is going to
be used and to consider obvious problems within the requirements
gathering, design and development process. So, for instance,
regarding the TalkTalk case in 2015, it would appear that the initial
problem here was caused by something called “SQL injection”.
Now, an SQL injection is a very basic attack and has been known
for at least 10-15 years and can be tested for and solved very
easily. Yet in the case of TalkTalk, the problem was not found. So
until we can stem the vulnerability, until companies recognise the
prevalence of vulnerability, and the need to manage the risks they
present, we are not going to have a firm foundation to work from.
We also share our knowledge to develop digital skills across
society, which involves having as wide an awareness as possible
of the internet and the digital world, coupled with the basic
knowledge of things which should never be done when you are
engaged in this world. An example of that is if you are working in
an airport lounge, you do not write down your password and leave
it around when you leave.
Q Is there anything else which you would like to add?
We are dealing with a fast moving, constantly changing world.
Overall, we have found that people are becoming much more
conscious of cyber security. However, the problem is that the
IT industry is not yet expressing that awareness in terms which
the average member of the public can really understand. Part of
that problem is due to people still not equating cyber-crime with
physical crime. The TalkTalk case, however, is one of a growing
number of cases that has made people think that cyber-crime can
hurt them, and this growing awareness will help organisations like
(ISC)2 and its membership of certified professionals to talk about
it more. In many ways stories like the TalkTalk case have been,
ironically, a godsend as they opened the eyes of businesses and
members of the public to the scourge of cyber-crime. It’s time now
for society to heed the lessons learned.